Windows Analysis Report
ll.exe

Overview

General Information

Sample Name: ll.exe
Analysis ID: 605429
MD5: f746ea39c0c5ff9d0a1f2d250170ad80
SHA1: dac28369f5a4436b2556f9b4f875e78d5c233edb
SHA256: 7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Writes many files with high entropy
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Classification

AV Detection

Source: ll.exe Virustotal: Detection: 56%
Source: ll.exe ReversingLabs: Detection: 73%
Source: ll.exe Avira: detected
Source: ll.exe Joe Sandbox ML: detected

Exploits

Source: global traffic TCP traffic: 192.168.2.148:445
Source: global traffic TCP traffic: 192.168.2.149:445
Source: global traffic TCP traffic: 192.168.2.146:445
Source: global traffic TCP traffic: 192.168.2.147:445
Source: global traffic TCP traffic: 192.168.2.140:445
Source: global traffic TCP traffic: 192.168.2.141:445
Source: global traffic TCP traffic: 192.168.2.144:445
Source: global traffic TCP traffic: 192.168.2.145:445
Source: global traffic TCP traffic: 192.168.2.142:445
Source: global traffic TCP traffic: 192.168.2.143:445
Source: global traffic TCP traffic: 192.168.2.159:445
Source: global traffic TCP traffic: 192.168.2.157:445
Source: global traffic TCP traffic: 192.168.2.158:445
Source: global traffic TCP traffic: 192.168.2.151:445
Source: global traffic TCP traffic: 192.168.2.152:445
Source: global traffic TCP traffic: 192.168.2.150:445
Source: global traffic TCP traffic: 192.168.2.155:445
Source: global traffic TCP traffic: 192.168.2.156:445
Source: global traffic TCP traffic: 192.168.2.153:445
Source: global traffic TCP traffic: 192.168.2.154:445
Source: global traffic TCP traffic: 192.168.2.126:445
Source: global traffic TCP traffic: 192.168.2.247:445
Source: global traffic TCP traffic: 192.168.2.127:445
Source: global traffic TCP traffic: 192.168.2.248:445
Source: global traffic TCP traffic: 192.168.2.124:445
Source: global traffic TCP traffic: 192.168.2.245:445
Source: global traffic TCP traffic: 192.168.2.125:445
Source: global traffic TCP traffic: 192.168.2.246:445
Source: global traffic TCP traffic: 192.168.2.128:445
Source: global traffic TCP traffic: 192.168.2.249:445
Source: global traffic TCP traffic: 192.168.2.129:445
Source: global traffic TCP traffic: 192.168.2.240:445
Source: global traffic TCP traffic: 192.168.2.122:445
Source: global traffic TCP traffic: 192.168.2.243:445
Source: global traffic TCP traffic: 192.168.2.123:445
Source: global traffic TCP traffic: 192.168.2.244:445
Source: global traffic TCP traffic: 192.168.2.120:445
Source: global traffic TCP traffic: 192.168.2.241:445
Source: global traffic TCP traffic: 192.168.2.121:445
Source: global traffic TCP traffic: 192.168.2.242:445
Source: global traffic TCP traffic: 192.168.2.97:445
Source: global traffic TCP traffic: 192.168.2.137:445
Source: global traffic TCP traffic: 192.168.2.96:445
Source: global traffic TCP traffic: 192.168.2.138:445
Source: global traffic TCP traffic: 192.168.2.99:445
Source: global traffic TCP traffic: 192.168.2.135:445
Source: global traffic TCP traffic: 192.168.2.98:445
Source: global traffic TCP traffic: 192.168.2.136:445
Source: global traffic TCP traffic: 192.168.2.139:445
Source: global traffic TCP traffic: 192.168.2.250:445
Source: global traffic TCP traffic: 192.168.2.130:445
Source: global traffic TCP traffic: 192.168.2.251:445
Source: global traffic TCP traffic: 192.168.2.91:445
Source: global traffic TCP traffic: 192.168.2.90:445
Source: global traffic TCP traffic: 192.168.2.93:445
Source: global traffic TCP traffic: 192.168.2.133:445
Source: global traffic TCP traffic: 192.168.2.254:445
Source: global traffic TCP traffic: 192.168.2.92:445
Source: global traffic TCP traffic: 192.168.2.134:445
Source: global traffic TCP traffic: 192.168.2.95:445
Source: global traffic TCP traffic: 192.168.2.131:445
Source: global traffic TCP traffic: 192.168.2.252:445
Source: global traffic TCP traffic: 192.168.2.94:445
Source: global traffic TCP traffic: 192.168.2.132:445
Source: global traffic TCP traffic: 192.168.2.253:445
Source: global traffic TCP traffic: 192.168.2.104:445
Source: global traffic TCP traffic: 192.168.2.225:445
Source: global traffic TCP traffic: 192.168.2.105:445
Source: global traffic TCP traffic: 192.168.2.226:445
Source: global traffic TCP traffic: 192.168.2.102:445
Source: global traffic TCP traffic: 192.168.2.223:445
Source: global traffic TCP traffic: 192.168.2.103:445
Source: global traffic TCP traffic: 192.168.2.224:445
Source: global traffic TCP traffic: 192.168.2.108:445
Source: global traffic TCP traffic: 192.168.2.229:445
Source: global traffic TCP traffic: 192.168.2.109:445
Source: global traffic TCP traffic: 192.168.2.106:445
Source: global traffic TCP traffic: 192.168.2.227:445
Source: global traffic TCP traffic: 192.168.2.107:445
Source: global traffic TCP traffic: 192.168.2.228:445
Source: global traffic TCP traffic: 192.168.2.100:445
Source: global traffic TCP traffic: 192.168.2.221:445
Source: global traffic TCP traffic: 192.168.2.101:445
Source: global traffic TCP traffic: 192.168.2.222:445
Source: global traffic TCP traffic: 192.168.2.220:445
Source: global traffic TCP traffic: 192.168.2.115:445
Source: global traffic TCP traffic: 192.168.2.236:445
Source: global traffic TCP traffic: 192.168.2.116:445
Source: global traffic TCP traffic: 192.168.2.237:445
Source: global traffic TCP traffic: 192.168.2.113:445
Source: global traffic TCP traffic: 192.168.2.234:445
Source: global traffic TCP traffic: 192.168.2.114:445
Source: global traffic TCP traffic: 192.168.2.235:445
Source: global traffic TCP traffic: 192.168.2.119:445
Source: global traffic TCP traffic: 192.168.2.117:445
Source: global traffic TCP traffic: 192.168.2.238:445
Source: global traffic TCP traffic: 192.168.2.118:445
Source: global traffic TCP traffic: 192.168.2.239:445
Source: global traffic TCP traffic: 192.168.2.111:445
Source: global traffic TCP traffic: 192.168.2.232:445
Source: global traffic TCP traffic: 192.168.2.112:445
Source: global traffic TCP traffic: 192.168.2.233:445
Source: global traffic TCP traffic: 192.168.2.230:445
Source: global traffic TCP traffic: 192.168.2.110:445
Source: global traffic TCP traffic: 192.168.2.231:445
Source: global traffic TCP traffic: 192.168.2.203:445
Source: global traffic TCP traffic: 192.168.2.204:445
Source: global traffic TCP traffic: 192.168.2.201:445
Source: global traffic TCP traffic: 192.168.2.202:445
Source: global traffic TCP traffic: 192.168.2.207:445
Source: global traffic TCP traffic: 192.168.2.208:445
Source: global traffic TCP traffic: 192.168.2.205:445
Source: global traffic TCP traffic: 192.168.2.206:445
Source: global traffic TCP traffic: 192.168.2.200:445
Source: global traffic TCP traffic: 192.168.2.209:445
Source: global traffic TCP traffic: 192.168.2.214:445
Source: global traffic TCP traffic: 192.168.2.215:445
Source: global traffic TCP traffic: 192.168.2.212:445
Source: global traffic TCP traffic: 192.168.2.213:445
Source: global traffic TCP traffic: 192.168.2.218:445
Source: global traffic TCP traffic: 192.168.2.219:445
Source: global traffic TCP traffic: 192.168.2.216:445
Source: global traffic TCP traffic: 192.168.2.217:445
Source: global traffic TCP traffic: 192.168.2.210:445
Source: global traffic TCP traffic: 192.168.2.211:445
Source: global traffic TCP traffic: 192.168.2.39:445
Source: global traffic TCP traffic: 192.168.2.38:445
Source: global traffic TCP traffic: 192.168.2.42:445
Source: global traffic TCP traffic: 192.168.2.41:445
Source: global traffic TCP traffic: 192.168.2.44:445
Source: global traffic TCP traffic: 192.168.2.43:445
Source: global traffic TCP traffic: 192.168.2.46:445
Source: global traffic TCP traffic: 192.168.2.45:445
Source: global traffic TCP traffic: 192.168.2.48:445
Source: global traffic TCP traffic: 192.168.2.47:445
Source: global traffic TCP traffic: 192.168.2.40:445
Source: global traffic TCP traffic: 192.168.2.28:445
Source: global traffic TCP traffic: 192.168.2.27:445
Source: global traffic TCP traffic: 192.168.2.29:445
Source: global traffic TCP traffic: 192.168.2.31:445
Source: global traffic TCP traffic: 192.168.2.30:445
Source: global traffic TCP traffic: 192.168.2.33:445
Source: global traffic TCP traffic: 192.168.2.32:445
Source: global traffic TCP traffic: 192.168.2.35:445
Source: global traffic TCP traffic: 192.168.2.34:445
Source: global traffic TCP traffic: 192.168.2.37:445
Source: global traffic TCP traffic: 192.168.2.36:445
Source: global traffic TCP traffic: 192.168.2.17:445
Source: global traffic TCP traffic: 192.168.2.16:445
Source: global traffic TCP traffic: 192.168.2.19:445
Source: global traffic TCP traffic: 192.168.2.18:445
Source: global traffic TCP traffic: 192.168.2.20:445
Source: global traffic TCP traffic: 192.168.2.22:445
Source: global traffic TCP traffic: 192.168.2.21:445
Source: global traffic TCP traffic: 192.168.2.24:445
Source: global traffic TCP traffic: 192.168.2.23:445
Source: global traffic TCP traffic: 192.168.2.26:445
Source: global traffic TCP traffic: 192.168.2.25:445
Source: global traffic TCP traffic: 192.168.2.11:445
Source: global traffic TCP traffic: 192.168.2.10:445
Source: global traffic TCP traffic: 192.168.2.13:445
Source: global traffic TCP traffic: 192.168.2.12:445
Source: global traffic TCP traffic: 192.168.2.15:445
Source: global traffic TCP traffic: 192.168.2.14:445
Source: global traffic TCP traffic: 192.168.2.0:445
Source: global traffic TCP traffic: 192.168.2.2:445
Source: global traffic TCP traffic: 192.168.2.1:445
Source: global traffic TCP traffic: 192.168.2.180:445
Source: global traffic TCP traffic: 192.168.2.181:445
Source: global traffic TCP traffic: 192.168.2.8:445
Source: global traffic TCP traffic: 192.168.2.7:445
Source: global traffic TCP traffic: 192.168.2.9:445
Source: global traffic TCP traffic: 192.168.2.4:445
Source: global traffic TCP traffic: 192.168.2.3:445
Source: global traffic TCP traffic: 192.168.2.6:445
Source: global traffic TCP traffic: 192.168.2.5:445
Source: global traffic TCP traffic: 192.168.2.86:445
Source: global traffic TCP traffic: 192.168.2.85:445
Source: global traffic TCP traffic: 192.168.2.88:445
Source: global traffic TCP traffic: 192.168.2.87:445
Source: global traffic TCP traffic: 192.168.2.89:445
Source: global traffic TCP traffic: 192.168.2.184:445
Source: global traffic TCP traffic: 192.168.2.185:445
Source: global traffic TCP traffic: 192.168.2.80:445
Source: global traffic TCP traffic: 192.168.2.182:445
Source: global traffic TCP traffic: 192.168.2.183:445
Source: global traffic TCP traffic: 192.168.2.82:445
Source: global traffic TCP traffic: 192.168.2.188:445
Source: global traffic TCP traffic: 192.168.2.81:445
Source: global traffic TCP traffic: 192.168.2.189:445
Source: global traffic TCP traffic: 192.168.2.84:445
Source: global traffic TCP traffic: 192.168.2.186:445
Source: global traffic TCP traffic: 192.168.2.83:445
Source: global traffic TCP traffic: 192.168.2.187:445
Source: global traffic TCP traffic: 192.168.2.191:445
Source: global traffic TCP traffic: 192.168.2.192:445
Source: global traffic TCP traffic: 192.168.2.190:445
Source: global traffic TCP traffic: 192.168.2.75:445
Source: global traffic TCP traffic: 192.168.2.74:445
Source: global traffic TCP traffic: 192.168.2.77:445
Source: global traffic TCP traffic: 192.168.2.76:445
Source: global traffic TCP traffic: 192.168.2.79:445
Source: global traffic TCP traffic: 192.168.2.78:445
Source: global traffic TCP traffic: 192.168.2.195:445
Source: global traffic TCP traffic: 192.168.2.196:445
Source: global traffic TCP traffic: 192.168.2.193:445
Source: global traffic TCP traffic: 192.168.2.194:445
Source: global traffic TCP traffic: 192.168.2.71:445
Source: global traffic TCP traffic: 192.168.2.199:445
Source: global traffic TCP traffic: 192.168.2.70:445
Source: global traffic TCP traffic: 192.168.2.73:445
Source: global traffic TCP traffic: 192.168.2.197:445
Source: global traffic TCP traffic: 192.168.2.72:445
Source: global traffic TCP traffic: 192.168.2.198:445
Source: global traffic TCP traffic: 192.168.2.64:445
Source: global traffic TCP traffic: 192.168.2.63:445
Source: global traffic TCP traffic: 192.168.2.66:445
Source: global traffic TCP traffic: 192.168.2.168:445
Source: global traffic TCP traffic: 192.168.2.65:445
Source: global traffic TCP traffic: 192.168.2.169:445
Source: global traffic TCP traffic: 192.168.2.68:445
Source: global traffic TCP traffic: 192.168.2.67:445
Source: global traffic TCP traffic: 192.168.2.69:445
Source: global traffic TCP traffic: 192.168.2.162:445
Source: global traffic TCP traffic: 192.168.2.163:445
Source: global traffic TCP traffic: 192.168.2.160:445
Source: global traffic TCP traffic: 192.168.2.161:445
Source: global traffic TCP traffic: 192.168.2.60:445
Source: global traffic TCP traffic: 192.168.2.166:445
Source: global traffic TCP traffic: 192.168.2.167:445
Source: global traffic TCP traffic: 192.168.2.62:445
Source: global traffic TCP traffic: 192.168.2.164:445
Source: global traffic TCP traffic: 192.168.2.61:445
Source: global traffic TCP traffic: 192.168.2.165:445
Source: global traffic TCP traffic: 192.168.2.170:445
Source: global traffic TCP traffic: 192.168.2.49:445
Source: global traffic TCP traffic: 192.168.2.53:445
Source: global traffic TCP traffic: 192.168.2.52:445
Source: global traffic TCP traffic: 192.168.2.55:445
Source: global traffic TCP traffic: 192.168.2.179:445
Source: global traffic TCP traffic: 192.168.2.54:445
Source: global traffic TCP traffic: 192.168.2.57:445
Source: global traffic TCP traffic: 192.168.2.56:445
Source: global traffic TCP traffic: 192.168.2.59:445
Source: global traffic TCP traffic: 192.168.2.58:445
Source: global traffic TCP traffic: 192.168.2.173:445
Source: global traffic TCP traffic: 192.168.2.174:445
Source: global traffic TCP traffic: 192.168.2.171:445
Source: global traffic TCP traffic: 192.168.2.172:445
Source: global traffic TCP traffic: 192.168.2.177:445
Source: global traffic TCP traffic: 192.168.2.178:445
Source: global traffic TCP traffic: 192.168.2.51:445
Source: global traffic TCP traffic: 192.168.2.175:445
Source: global traffic TCP traffic: 192.168.2.50:445
Source: global traffic TCP traffic: 192.168.2.176:445
Source: global traffic TCP traffic: 192.168.2.76:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.79:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.78:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.195:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.196:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.193:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.194:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.71:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.199:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.70:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.73:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.197:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.72:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.198:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.64:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.63:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.66:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.168:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.65:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.169:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.68:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.67:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.69:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.162:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.163:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.160:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.161:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.60:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.166:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.167:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.62:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.164:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.61:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.165:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.170:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.49:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.53:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.52:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.55:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.179:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.54:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.57:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.56:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.59:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.58:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.173:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.174:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.171:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.172:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.177:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.178:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.51:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.175:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.50:445 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.176:445 Jump to behavior
Source: ll.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 20.190.160.67:443 -> 192.168.2.3:49975 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.82.210.154:443 -> 192.168.2.3:49978 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.82.210.154:443 -> 192.168.2.3:49979 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.35.236.56:443 -> 192.168.2.3:49980 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.85:443 -> 192.168.2.3:49982 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.85:443 -> 192.168.2.3:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.85:443 -> 192.168.2.3:49990 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.151:443 -> 192.168.2.3:49991 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.10.249.43:443 -> 192.168.2.3:49996 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.10.249.43:443 -> 192.168.2.3:49993 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.10.249.43:443 -> 192.168.2.3:49995 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.10.249.43:443 -> 192.168.2.3:49992 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.10.249.43:443 -> 192.168.2.3:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.151:443 -> 192.168.2.3:49997 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.151:443 -> 192.168.2.3:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.3:50001 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.242.101.226:443 -> 192.168.2.3:50002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.3:50004 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.3:50005 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.112.88.60:443 -> 192.168.2.3:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.54.110.249:443 -> 192.168.2.3:50007 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.54.89.106:443 -> 192.168.2.3:50011 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.3:50013 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.54.110.249:443 -> 192.168.2.3:50017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.242.101.226:443 -> 192.168.2.3:50020 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.3:50023 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.54.110.249:443 -> 192.168.2.3:50027 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.242.101.226:443 -> 192.168.2.3:50032 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.242.101.226:443 -> 192.168.2.3:50035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.54.110.249:443 -> 192.168.2.3:50037 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.242.101.226:443 -> 192.168.2.3:50038 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.54.89.106:443 -> 192.168.2.3:50039 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.54.110.249:443 -> 192.168.2.3:50040 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.85:443 -> 192.168.2.3:50041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.3:50042 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.125.122.176:443 -> 192.168.2.3:50043 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.54.110.249:443 -> 192.168.2.3:50044 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.3:50045 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.242.101.226:443 -> 192.168.2.3:50046 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.54.110.249:443 -> 192.168.2.3:50047 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.125.122.176:443 -> 192.168.2.3:50048 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.125.122.176:443 -> 192.168.2.3:50049 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.54.110.249:443 -> 192.168.2.3:50051 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.3:50054 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.199.120.182:443 -> 192.168.2.3:50055 version: TLS 1.2
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Common Files\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Google\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\internet explorer\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Microsoft Office\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\MSBuild\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Reference Assemblies\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Uninstall Information\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\UNP\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Common Files\microsoft shared\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Common Files\Services\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Common Files\system\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Google\Chrome\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\internet explorer\en-US\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\internet explorer\images\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\internet explorer\SIGNUP\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Microsoft Office\Office16\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\MSBuild\Microsoft\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\UNP\Logs\R3ADM3.txt
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\UNP\UpdateNotificationMgr\R3ADM3.txt
Source: ll.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Spreading

Source: C:\Users\user\Desktop\ll.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F35950 new,FindFirstFileW,new,FindNextFileW,FindClose, 1_2_00F35950
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F3B6BD FindFirstFileExA, 1_2_00F3B6BD
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F3B7C3 FindFirstFileExA,FindClose, 1_2_00F3B7C3
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F23480 GetLogicalDriveStringsW,GetLogicalDriveStringsW,new, 1_2_00F23480
Source: Joe Sandbox View JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29158.8; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4796Host: login.live.com
Source: global traffic HTTP traffic detected: GET /cms/api/am/imageFileData/RE4CJ3o?ver=76ff HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cms/api/am/imageFileData/RWMW3O?ver=5b92 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cms/api/am/imageFileData/RWP0UC?ver=2f44 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cms/api/am/imageFileData/RWP8kk?ver=8c62 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cms/api/am/imageFileData/RWNck1?ver=d266 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cms/api/am/imageFileData/RE4CSNq?ver=e631 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitContent-type: text/xmlX-MSEdge-ExternalExpType: JointCoordX-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,d-thshldspcl40X-PositionerType: DesktopX-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguageX-Search-SafeSearch: ModerateX-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}X-UserAgeClass: UnknownX-BM-Market: USX-BM-DateFormat: M/d/yyyyX-CortanaAccessAboveLock: falseX-Device-OSSKU: 48X-BM-DTZ: -480X-BM-FirstEnabledTime: 132061295966656129X-DeviceID: 0100748C09004E33X-BM-DeviceScale: 100X-Search-TimeZone: Bias=480; StandardBias=0; TimeZoneKeyName=Pacific Standard TimeX-BM-Theme: 000000;0078d7X-BM-DeviceDimensionsLogical: 1232x1024X-BM-DeviceDimensions: 1232x1024X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAVSBzJQ7SndUQxOscvEa3/5SXDkPufL/GU0E9StMSHM%2BBv9BrCWOBuPACB/HvUBkHG7KqfXcp/OlCf0lNBepJeoZa/GhInRKT2FV03IZcos5CD4i7bvSYXXyOXXV1aW2K6HZoPv6/fuJEL9ByKw8yy5thHZadWohgCAyM8AddCJzw7SYR3ef8oUGrfcIdQPbBgSsdjq1CgKG9qBcdhnJtbRLxzzqdWfsOiachqglOI30fXHosrPc6JWkyg/0sefV2HxnxO48CiVNvyxZCKbAdRckucw9OWft228cz9xjjqxI6ae9VAbs34gwpj%2BmRdyRWE%2B4NoTo3%2BSYTkZHwqp5xwYDZgAACDyXdYmos%2BHwqAEGhsAMzqUuSZn8aKnKgfsfzMIfZc9tCWVFSWusnQfpFI7m9uFOD2scDPcldl%2BT3%2BORhjJSS0hBMof9q%2Bn9njmJoRz08p0ZNg7nqHZHk2h9FKr600KqWUY65b2ylFh0itZo8VUANAPfFe25fdCAGKopLHGWyi49hwhaoptCWeF37t8l3U9m1A1WqiUYrLjIsrq1fEMaM1viW2w744bAFfECcDqstLM6n%2BljSJRwamgBTds654u/UHQTU7Gm3ZPa680vBOI%2BFPVCDhte1NbaKSeDqJOHuxnLf8baSUe%2BF/jRQJAxVgrym9Q9Ui9tUVy%2B/rEUubo6sZu4YCv55BMRTdFINRsmAI0z7%2BuBcTZHvgOM61YMIprvdkgeuMviej3UUXkGkhjO8YDaaZQvWpokXPXRyzyQDMoySC9XL3PP0FKRw528uwLo6KQ65awOvWkNtEgi8SbEjjn5D29jFNwGDTz9DHlRtImrrCq72pZP/Kz4gWxgiTqsJX0dIQkJdGhrX%2BjmYBa62uHPuh5aaCjX/mS7umGCAB4Yv9KMn/9EoRr8xhPT7oaMFJ5E1AE%3D%26p%3DX-Agent-DeviceId: 0100748C09004E33X-BM-CBT: 1646757043X-Device-isOptin: trueX-Device-Touch: falseX-Device-ClientSession: A8428518F8734E219844F3AB426417E3X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeaderAccept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: www.bing.comContent-Length: 76344Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=1E17B9B70E9B4C6E957D159ED3646FFF; _SS=CPID=1649437283858&AC=1&CPH=4ef661f2; SRCHUID=V=2&GUID=C051922770D44EDAB6B540D172E9CCE7&dmnchg=1; BM-Identity-Error=3002; SRCHD=AF=NOFORM; SUID=M; SRCHUSR=DOB=20220408; SRCHHPGUSR=SRCHLANG=en; ANON=A=E6EAEF30D7E9C145923C068AFFFFFFFF; MUIDB=1E17B9B70E9B4C6E957D159ED3646FFF
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown TCP traffic detected without corresponding DNS query: 23.54.113.53
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29158.8; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4796Host: login.live.com
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Thu, 20 Apr 2017 16:10:39 GMTUser-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20220408T170212Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=492dae31b56c4c9eaec7feff7513297e&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1463022&metered=false&nettype=ethernet&npid=sc-280815&oemName=hsehht%2C%20Inc.&oemid=hsehht%2C%20Inc.&ossku=Professional&smBiosDm=hsehht7%2C1&tl=2&tsu=1463022&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50583&fs=32319&sc=6X-SDK-HW-TOKEN: t=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&p=Cache-Control: no-cacheMS-CV: BYqskdYKuUKf7ZeJ.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=338389&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20220408T170212Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=3382b3df4d44412c80bfa0684fe70791&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1463022&metered=false&nettype=ethernet&npid=sc-338389&oemName=hsehht%2C%20Inc.&oemid=hsehht%2C%20Inc.&ossku=Professional&smBiosDm=hsehht7%2C1&tl=2&tsu=1463022&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50583&fs=32319&sc=6X-SDK-HW-TOKEN: t=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&p=Cache-Control: no-cacheMS-CV: BYqskdYKuUKf7ZeJ.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=338387&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20220408T170226Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=619c052a6e5140c4b5cee07576f42985&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1463022&metered=false&nettype=ethernet&npid=sc-338387&oemName=hsehht%2C%20Inc.&oemid=hsehht%2C%20Inc.&ossku=Professional&rver=2&sc-mode=0&smBiosDm=hsehht7%2C1&tl=2&tsu=1463022&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50583&fs=32319&sc=6X-SDK-HW-TOKEN: 
t=EwDYAppeBAAUlAKXDAofTQM+n+MaRVFKzH/ehWgAAdVW0iu23GIxjRyUBGA+V5LMoU/lMaTjobBnQosoTe6w30OZEf3HulBKeYXog3CqxSfjOHeF/J4iLS/gKyhq/ZV/xtrYHZ35PhcBmS2qzlwNBiXp0+l4efq5nsDEEESQ06VT9dPxHYgWIFLG65LRysydA1lM9dDPzftFvDLM/ickJDFevqkA3hG2mKV46IqHL4CT7eP4Hk0/MOrRp8JB5tew/jI7o25TIEcXI9Ohbx1KIwUuqQcpj0nfDAUZEjkQqVS2z/wQaH+/fdlFO/AoxQI3CbcoTeaCp3XIesBJX0bxVNzc22qQqCPfGWQ/Sb52rGvkgBRvdW8DFg8ToMjfQpYDZgAACE3mODPOPAwVqAFPV53gZZc0aOkGu+jJWnw46hEU9aCKlpEDkH6SywZSQj+Z6IyumM/ZCz1/Exb6MZih9PGVRFV0dS4rZOfTTsEXw5x6gJoWeqkJZJqul+/LQNZpdaM/TGNQWhUnnbhyzuL3J52vfTsZzAtC6HDHUtfCP567IuQfNJw1zOBQG/Pho8+d+FiHWtcPKMXaDH+rX7PpflRpHTm7bd+l+rsPvLvdstjafDcGAADV0pkaM4oU0n35rzdzjoAWTcazcHXkrs0Gr34gDLPkE96nUwLpeDlXN3LOntP44gHngfTJAvz4io7zKxVkmOUwHoTarQK7POiXKiwa8x1QRMWrj0xK5k34eIR6SWW4uOhaTkCvnkjxlUVc2iz/sxwQS6ZoJuzJ60lcBcq6ptimZGdy/yuIx2kCNYcUG/nBNXbdKtF3Kz0nMb3Ry9n0QIm/ncP9d68+s4WiRIc+RuW5MPI3aHMGGt2snchu87pA34+QQKDxQpJZVZnC+RaoA8mYS8BGPqZ//PidcqGGmzw2vccoT1N6pSAD7mXPyM9QONX68BD34uYAk1VCPhRpsKh41QE=&p=Cache-Control: no-cacheMS-CV: BYqskdYKuUKf7ZeJ.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=338388&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20220408T170226Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=5f4b6c89b2c846609f3e1f553bb48a37&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1463022&metered=false&nettype=ethernet&npid=sc-338388&oemName=hsehht%2C%20Inc.&oemid=hsehht%2C%20Inc.&ossku=Professional&rver=2&smBiosDm=hsehht7%2C1&tl=2&tsu=1463022&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50583&fs=32319&sc=6X-SDK-HW-TOKEN: t=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&p=Cache-Control: no-cacheMS-CV: BYqskdYKuUKf7ZeJ.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=338389&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20220408T170227Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=19c443aabf954506a4b84500aa0b4498&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1463022&metered=false&nettype=ethernet&npid=sc-338389&oemName=hsehht%2C%20Inc.&oemid=hsehht%2C%20Inc.&ossku=Professional&smBiosDm=hsehht7%2C1&tl=2&tsu=1463022&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: cid=128000000001627409&chs=0&imp=0&chf=0&ds=50583&fs=32319&sc=6X-SDK-HW-TOKEN: t=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&p=Cache-Control: no-cacheMS-CV: BYqskdYKuUKf7ZeJ.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20220408T170231Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=18d6cf97b83f4ce195194e5e6aa953a0&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1463022&metered=false&nettype=ethernet&npid=sc-280815&oemName=hsehht%2C%20Inc.&oemid=hsehht%2C%20Inc.&ossku=Professional&smBiosDm=hsehht7%2C1&tl=2&tsu=1463022&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: cid=128000000001627409&chs=0&imp=0&chf=0&ds=50583&fs=32319&sc=6X-SDK-HW-TOKEN: t=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&p=Cache-Control: no-cacheMS-CV: BYqskdYKuUKf7ZeJ.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cms/api/am/imageFileData/RE4CJ3o?ver=76ff HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cms/api/am/imageFileData/RWMW3O?ver=5b92 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cms/api/am/imageFileData/RWP0UC?ver=2f44 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cms/api/am/imageFileData/RWP8kk?ver=8c62 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cms/api/am/imageFileData/RWNck1?ver=d266 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cms/api/am/imageFileData/RE4CSNq?ver=e631 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20220408T170305Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=d45161c0491847028507c79db5d70c07&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1463022&metered=false&nettype=ethernet&npid=sc-310091&oemName=hsehht%2C%20Inc.&oemid=hsehht%2C%20Inc.&ossku=Professional&rver=2&smBiosDm=hsehht7%2C1&tl=2&tsu=1463022&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50583&fs=32319&sc=6X-SDK-HW-TOKEN: t=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&p=Cache-Control: no-cacheMS-CV: BYqskdYKuUKf7ZeJ.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=4MtpozR6MODPlGb&MD=EefvrDUR HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /v1/a/installComplete?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=8d771849a7234e0ab71c2ac9a71f46b4&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFHWD2&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=e4896368b6a64edb9547962c054e1d7c&time=20220408T170223Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=8d771849a7234e0ab71c2ac9a71f46b4&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGGZM6WM&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=e4896368b6a64edb9547962c054e1d7c&time=20220408T170227Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v7.0/products/lookup?alternateId=PackageFamilyName&value=SpotifyAB.SpotifyMusic_zpdnekdrzrea0&market=US&languages=en-US%2Cen%2Cneutral&fieldsTemplate=InstallAgent&moId=Public&oemId=Public&scmId=Public HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Install ServiceMS-CV: kkb781LL8EaQlxCb.0.2.4Host: displaycatalog.mp.microsoft.com
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=8d771849a7234e0ab71c2ac9a71f46b4&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFHWD2&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=e4896368b6a64edb9547962c054e1d7c&time=20220408T170230Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=8d771849a7234e0ab71c2ac9a71f46b4&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NH2GPH4JZS4&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=e4896368b6a64edb9547962c054e1d7c&time=20220408T170232Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=8d771849a7234e0ab71c2ac9a71f46b4&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGH6J6VK&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=e4896368b6a64edb9547962c054e1d7c&time=20220408T170234Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=8d771849a7234e0ab71c2ac9a71f46b4&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9P6RC76MSMMJ&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=e4896368b6a64edb9547962c054e1d7c&time=20220408T170235Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=8d771849a7234e0ab71c2ac9a71f46b4&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFJ27N&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=e4896368b6a64edb9547962c054e1d7c&time=20220408T170237Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v7.0/products/lookup?alternateId=PackageFamilyName&value=Microsoft.YourPhone_8wekyb3d8bbwe&market=US&languages=en-US%2Cen%2Cneutral&fieldsTemplate=InstallAgent&moId=Public&oemId=Public&scmId=Public HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Install ServiceMS-CV: 6bD/MunolEWqHDEG.0.2.4Host: displaycatalog.mp.microsoft.com
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=8d771849a7234e0ab71c2ac9a71f46b4&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9N0866FS04W8&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=e4896368b6a64edb9547962c054e1d7c&time=20220408T170238Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=8d771849a7234e0ab71c2ac9a71f46b4&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFJ10M&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=e4896368b6a64edb9547962c054e1d7c&time=20220408T170240Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=8d771849a7234e0ab71c2ac9a71f46b4&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFJ140&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=e4896368b6a64edb9547962c054e1d7c&time=20220408T170241Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=8d771849a7234e0ab71c2ac9a71f46b4&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NC2FBTHCJV8&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=e4896368b6a64edb9547962c054e1d7c&time=20220408T170243Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=8d771849a7234e0ab71c2ac9a71f46b4&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGH1CQ7L&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=e4896368b6a64edb9547962c054e1d7c&time=20220408T170245Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=8d771849a7234e0ab71c2ac9a71f46b4&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&bSrc=i.t&time=20220408T170247Z&asid=e4896368b6a64edb9547962c054e1d7c&eid= HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/installComplete?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=cbed9efce7f24d8b9b00c27d1eebe749&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFJ3P2&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=ac8063a32da047dabe6fd5f6a689fb6c&time=20220408T170253Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/installComplete?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=cbed9efce7f24d8b9b00c27d1eebe749&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGH5FV99&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=ac8063a32da047dabe6fd5f6a689fb6c&time=20220408T170257Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v7.0/products/lookup?alternateId=PackageFamilyName&value=Microsoft.BingNews_8wekyb3d8bbwe&market=US&languages=en-US%2Cen%2Cneutral&fieldsTemplate=InstallAgent&moId=Public&oemId=Public&scmId=Public HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Install ServiceMS-CV: t1Ts41I1nkyKVrtC.0.2.4Host: displaycatalog.mp.microsoft.com
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=cbed9efce7f24d8b9b00c27d1eebe749&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NXQXXLFST89&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=ac8063a32da047dabe6fd5f6a689fb6c&time=20220408T170259Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=cbed9efce7f24d8b9b00c27d1eebe749&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFHVFW&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=ac8063a32da047dabe6fd5f6a689fb6c&time=20220408T170302Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=cbed9efce7f24d8b9b00c27d1eebe749&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NCBCSZSJRSB&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=ac8063a32da047dabe6fd5f6a689fb6c&time=20220408T170304Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=cbed9efce7f24d8b9b00c27d1eebe749&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NMPJ99VJBWV&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=ac8063a32da047dabe6fd5f6a689fb6c&time=20220408T170306Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=cbed9efce7f24d8b9b00c27d1eebe749&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGH5FV99&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=ac8063a32da047dabe6fd5f6a689fb6c&time=20220408T170308Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=4MtpozR6MODPlGb&MD=EefvrDUR HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=cbed9efce7f24d8b9b00c27d1eebe749&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRDFNG7&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=ac8063a32da047dabe6fd5f6a689fb6c&time=20220408T170310Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=cbed9efce7f24d8b9b00c27d1eebe749&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&bSrc=i.t&time=20220408T170315Z&asid=ac8063a32da047dabe6fd5f6a689fb6c&eid= HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=4MtpozR6MODPlGb&MD=EefvrDUR HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /v7.0/products/lookup?alternateId=PackageFamilyName&value=6F71D7A7.HotspotShieldFreeVPN_nsbqstbb9qxb6&market=US&languages=en-US%2Cen%2Cneutral&fieldsTemplate=InstallAgent&moId=Public&oemId=Public&scmId=Public HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Install ServiceMS-CV: ADE0AIiAz0+Cj5BW.0.2.4Host: displaycatalog.mp.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=4MtpozR6MODPlGb&MD=EefvrDUR HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=4MtpozR6MODPlGb&MD=EefvrDUR HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /v7.0/products/lookup?alternateId=PackageFamilyName&value=Disney.37853FC22B2CE_6rarf9sa4v8jt&market=US&languages=en-US%2Cen%2Cneutral&fieldsTemplate=InstallAgent&moId=Public&oemId=Public&scmId=Public HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Install ServiceMS-CV: RETjtPaEwECyiDEt.0.2.4Host: displaycatalog.mp.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=4MtpozR6MODPlGb&MD=EefvrDUR HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=4MtpozR6MODPlGb&MD=EefvrDUR HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /v7.0/products/lookup?alternateId=PackageFamilyName&value=BytedancePte.Ltd.TikTok_6yccndn6064se&market=US&languages=en-US%2Cen%2Cneutral&fieldsTemplate=InstallAgent&moId=Public&oemId=Public&scmId=Public HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Install ServiceMS-CV: ZSKdUuY0ZkeYnvBI.0.2.4Host: displaycatalog.mp.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=4MtpozR6MODPlGb&MD=EefvrDUR HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=4MtpozR6MODPlGb&MD=EefvrDUR HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /v7.0/products/lookup?alternateId=PackageFamilyName&value=AdobeSystemsIncorporated.AdobePhotoshopExpress_ynb6jyjzte8ga&market=US&languages=en-US%2Cen%2Cneutral&fieldsTemplate=InstallAgent&moId=Public&oemId=Public&scmId=Public HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Install ServiceMS-CV: n1sA5W1j10WVDp3K.0.2.4Host: displaycatalog.mp.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=4MtpozR6MODPlGb&MD=EefvrDUR HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=4MtpozR6MODPlGb&MD=EefvrDUR HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /v7.0/products/lookup?alternateId=PackageFamilyName&value=AmazonVideo.PrimeVideo_pwbj9vvecjh7j&market=US&languages=en-US%2Cen%2Cneutral&fieldsTemplate=InstallAgent&moId=Public&oemId=Public&scmId=Public HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Install ServiceMS-CV: +jUkz8/7C0maDbv2.0.2.4Host: displaycatalog.mp.microsoft.com
Source: global traffic HTTP traffic detected: GET /v1/a/impression?CID=128000000000402926&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&EID=&&PID=400091688&UIT=P-&TargetID=700129702&AN=1667244644&PG=PC000P0FR5.0000000IRT&REQASID=5F4B6C89B2C846609F3E1F553BB48A37&UNID=338388&ASID=5d776faa406f4e0ebaecf4b6a37c3d62&PERSID=DBDE13DC697F71846A990CDFDC016FBD&GLOBALDEVICEID=6755432004667435&LOCALID=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&DS_EVTID=8450aad1a30f443d9720b7c7f2f80cff&DEVOSVER=10.0.17134.1&REQT=20220408T080227&TIME=20220408T170303Z&ARCRAS=&CLR=CDM HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v1/a/impression?CID=128000000000402926&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&EID=&&PID=400091688&UIT=P-&TargetID=700129702&AN=1667244644&PG=PC000P0FR5.0000000IRT&REQASID=5F4B6C89B2C846609F3E1F553BB48A37&UNID=338388&ASID=5d776faa406f4e0ebaecf4b6a37c3d62&PERSID=DBDE13DC697F71846A990CDFDC016FBD&GLOBALDEVICEID=6755432004667435&LOCALID=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&DS_EVTID=8450aad1a30f443d9720b7c7f2f80cff&DEVOSVER=10.0.17134.1&REQT=20220408T080227&TIME=20220408T170307Z&ARCRAS=&CLR=CDM HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
Source: ll.exe, 00000001.00000002.517884875.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPISys.au3 entropy: 7.99762967554 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPISysInternals.au3 entropy: 7.99245285333 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPISysWin.au3 entropy: 7.99672176103 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPITheme.au3 entropy: 7.99561724269 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WindowsConstants.au3 entropy: 7.99414286944 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinNet.au3 entropy: 7.99543409819 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\Word.au3 entropy: 7.99375701572 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\au3.keywords.properties entropy: 7.99785920059 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\Google\Update\GoogleUpdate.bk entropy: 7.99877442432 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\THIRDPARTYLICENSEREADME-JAVAFX.txt entropy: 7.99827591606 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\THIRDPARTYLICENSEREADME.txt entropy: 7.99879412396 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\ListViewConstants.au3 entropy: 7.99201763759 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\Microsoft Office\Document Themes 16\Facet.thmx entropy: 7.99975875111 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\Misc.au3 entropy: 7.99411250742 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\Array.au3 entropy: 7.99771272835 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\ArrayDisplayInternals.au3 entropy: 7.99448820501 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\NetShare.au3 entropy: 7.99627168127 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\NTSTATUSConstants.au3 entropy: 7.99917004096 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\PowerPoint.au3 entropy: 7.99699148598 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\Clipboard.au3 entropy: 7.99103502001 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\Security.au3 entropy: 7.99009907239 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab entropy: 7.99959754981 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\Sound.au3 entropy: 7.99150605102 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\SQLite.au3 entropy: 7.99674797362 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\LyncMUI.cab entropy: 7.99984475006 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\Crypt.au3 entropy: 7.99291193634 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\CUIAutomation2.au3 entropy: 7.99618977763 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\Date.au3 entropy: 7.99781998688 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\StructureConstants.au3 entropy: 7.99732779305 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\Debug.au3 entropy: 7.9929284196 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\EventLog.au3 entropy: 7.99378156136 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\Excel.au3 entropy: 7.9969847688 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\UIAWrappers.au3 entropy: 7.99798937327 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.001.etl entropy: 7.99841011415 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.002.etl entropy: 7.99861927846 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\File.au3 entropy: 7.99617650604 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\Visa.au3 entropy: 7.99539702968 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\Setup.xml entropy: 7.99439032713 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.003.etl entropy: 7.99856770846 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab entropy: 7.99995951616 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab entropy: 7.99997585741 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab entropy: 7.99978066407 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\FTPEx.au3 entropy: 7.99637803382 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX.chm entropy: 7.99919334688 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GDIPlus.au3 entropy: 7.9993734253 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX.psd1 entropy: 7.99335494753 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIConv.au3 entropy: 7.99272536198 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.Assembly.xml entropy: 7.99659939175 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIDiag.au3 entropy: 7.99546605176 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GDIPlusConstants.au3 entropy: 7.99413675061 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIDlg.au3 entropy: 7.99543714157 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiButton.au3 entropy: 7.9928332995 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiComboBox.au3 entropy: 7.99599863196 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3_DLL.lib entropy: 7.99345519154 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiComboBoxEx.au3 entropy: 7.99616895329 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIFiles.au3 entropy: 7.99830996263 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab entropy: 7.99993624249 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3_x64_DLL.lib entropy: 7.9924113694 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIGdi.au3 entropy: 7.99916767548 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIGdiDC.au3 entropy: 7.99169193129 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIGdiInternals.au3 entropy: 7.99434542376 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab entropy: 7.99937847838 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiEdit.au3 entropy: 7.99671076404 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiHeader.au3 entropy: 7.99564854602 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIIcons.au3 entropy: 7.99309101625 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiImageList.au3 entropy: 7.99384187426 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab entropy: 7.99980068253 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt.chm entropy: 7.99917602277 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPILocale.au3 entropy: 7.9910691208 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIMem.au3 entropy: 7.99296262818 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiListBox.au3 entropy: 7.99650587067 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiListView.au3 entropy: 7.99918349185 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab entropy: 7.99938710556 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiMenu.au3 entropy: 7.99730263345 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIProc.au3 entropy: 7.99737162881 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiMonthCal.au3 entropy: 7.9956283054 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIReg.au3 entropy: 7.9948535372 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIRes.au3 entropy: 7.99552558293 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIShellEx.au3 entropy: 7.99559892724 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiReBar.au3 entropy: 7.99736221586 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiRichEdit.au3 entropy: 7.99903774726 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIShPath.au3 entropy: 7.99575142581 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiScrollBars.au3 entropy: 7.99377688416 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Icons\au3.ico entropy: 7.99377784101 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiSlider.au3 entropy: 7.99276374325 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Icons\au3script_v10.ico entropy: 7.99745296458 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab entropy: 7.99983674754 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Icons\au3script_v11.ico entropy: 7.99630690229 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiStatusBar.au3 entropy: 7.99478730678 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Icons\au3script_v9.ico entropy: 7.99286414327 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Icons\filetype-blank.ico entropy: 7.99497952304 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiTab.au3 entropy: 7.99549729659 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiToolbar.au3 entropy: 7.99787317884 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiToolTip.au3 entropy: 7.99613887082 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\DCFMUI.cab entropy: 7.99965867144 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\GuiTreeView.au3 entropy: 7.99850378413 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\helper.au3 entropy: 7.99021460724 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\ie.au3 entropy: 7.99885604109 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab entropy: 7.99992481441 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\APIErrorsConstants.au3 entropy: 7.99944581938 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab entropy: 7.99979490292 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\APIFilesConstants.au3 entropy: 7.99357291121 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\APIGdiConstants.au3 entropy: 7.99084074656 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\AutoIt3\Include\APIShellExConstants.au3 entropy: 7.99436302096 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\OSMUXMUI.cab entropy: 7.99982675455 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\branding.xml entropy: 7.99946534748 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Users\Default\NTUSER.DAT entropy: 7.99928476686 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Users\Default\NTUSER.DAT.LOG1 entropy: 7.99689270358 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf entropy: 7.99710443525 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms entropy: 7.99964082649 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab entropy: 7.99995252557 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms entropy: 7.99970621958 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\setup.chm entropy: 7.99797443744 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms entropy: 7.99972891104 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab entropy: 7.99996894597 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\AutoIt.chm.NB65 (copy) entropy: 7.99917602277 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Users\Default\NTUSER.DAT.NB65 (copy) entropy: 7.99928476686 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Users\Default\NTUSER.DAT.LOG1.NB65 (copy) entropy: 7.99689270358 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf.NB65 (copy) entropy: 7.99710443525 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms.NB65 (copy) entropy: 7.99964082649 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms.NB65 (copy) entropy: 7.99970621958 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.NB65 (copy) entropy: 7.99972891104 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.NB65 (copy) entropy: 7.99439032713 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.NB65 (copy) entropy: 7.99978066407 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.NB65 (copy) entropy: 7.99996894597 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.NB65 (copy) entropy: 7.99993624249 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.NB65 (copy) entropy: 7.99937847838 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.NB65 (copy) entropy: 7.99980068253 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.NB65 (copy) entropy: 7.99938710556 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.NB65 (copy) entropy: 7.99983674754 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\DCFMUI.cab.NB65 (copy) entropy: 7.99965867144 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.NB65 (copy) entropy: 7.99979490292 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.NB65 (copy) entropy: 7.99992481441 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\OSMUXMUI.cab.NB65 (copy) entropy: 7.99982675455 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\branding.xml.NB65 (copy) entropy: 7.99946534748 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.NB65 (copy) entropy: 7.99995252557 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.NB65 (copy) entropy: 7.99997585741 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\setup.chm.NB65 (copy) entropy: 7.99797443744 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.NB65 (copy) entropy: 7.99959754981 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\LyncMUI.cab.NB65 (copy) entropy: 7.99984475006 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.NB65 (copy) entropy: 7.99995951616 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.001.etl.NB65 (copy) entropy: 7.99841011415 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.002.etl.NB65 (copy) entropy: 7.99861927846 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files\UNP\Logs\UpdateNotificationPipeline.003.etl.NB65 (copy) entropy: 7.99856770846 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\AutoItX\AutoItX.chm.NB65 (copy) entropy: 7.99919334688 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\AutoItX\AutoItX.psd1.NB65 (copy) entropy: 7.99335494753 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\AutoItX\AutoItX3.Assembly.xml.NB65 (copy) entropy: 7.99659939175 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\AutoItX\AutoItX3_DLL.lib.NB65 (copy) entropy: 7.99345519154 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\AutoItX\AutoItX3_x64_DLL.lib.NB65 (copy) entropy: 7.9924113694 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Icons\au3.ico.NB65 (copy) entropy: 7.99377784101 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Icons\au3script_v10.ico.NB65 (copy) entropy: 7.99745296458 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Icons\au3script_v11.ico.NB65 (copy) entropy: 7.99630690229 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Icons\au3script_v9.ico.NB65 (copy) entropy: 7.99286414327 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Icons\filetype-blank.ico.NB65 (copy) entropy: 7.99497952304 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\APIErrorsConstants.au3.NB65 (copy) entropy: 7.99944581938 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\APIFilesConstants.au3.NB65 (copy) entropy: 7.99357291121 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\APIGdiConstants.au3.NB65 (copy) entropy: 7.99084074656 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\APIShellExConstants.au3.NB65 (copy) entropy: 7.99436302096 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\Array.au3.NB65 (copy) entropy: 7.99771272835 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\ArrayDisplayInternals.au3.NB65 (copy) entropy: 7.99448820501 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\Clipboard.au3.NB65 (copy) entropy: 7.99103502001 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\Crypt.au3.NB65 (copy) entropy: 7.99291193634 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\CUIAutomation2.au3.NB65 (copy) entropy: 7.99618977763 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\Date.au3.NB65 (copy) entropy: 7.99781998688 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\Debug.au3.NB65 (copy) entropy: 7.9929284196 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\EventLog.au3.NB65 (copy) entropy: 7.99378156136 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\Excel.au3.NB65 (copy) entropy: 7.9969847688 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\File.au3.NB65 (copy) entropy: 7.99617650604 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\FTPEx.au3.NB65 (copy) entropy: 7.99637803382 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GDIPlus.au3.NB65 (copy) entropy: 7.9993734253 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GDIPlusConstants.au3.NB65 (copy) entropy: 7.99413675061 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiButton.au3.NB65 (copy) entropy: 7.9928332995 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiComboBox.au3.NB65 (copy) entropy: 7.99599863196 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiComboBoxEx.au3.NB65 (copy) entropy: 7.99616895329 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiEdit.au3.NB65 (copy) entropy: 7.99671076404 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiHeader.au3.NB65 (copy) entropy: 7.99564854602 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiImageList.au3.NB65 (copy) entropy: 7.99384187426 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiListBox.au3.NB65 (copy) entropy: 7.99650587067 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiListView.au3.NB65 (copy) entropy: 7.99918349185 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiMenu.au3.NB65 (copy) entropy: 7.99730263345 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiMonthCal.au3.NB65 (copy) entropy: 7.9956283054 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiReBar.au3.NB65 (copy) entropy: 7.99736221586 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiRichEdit.au3.NB65 (copy) entropy: 7.99903774726 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiScrollBars.au3.NB65 (copy) entropy: 7.99377688416 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiSlider.au3.NB65 (copy) entropy: 7.99276374325 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiStatusBar.au3.NB65 (copy) entropy: 7.99478730678 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiTab.au3.NB65 (copy) entropy: 7.99549729659 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiToolbar.au3.NB65 (copy) entropy: 7.99787317884 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiToolTip.au3.NB65 (copy) entropy: 7.99613887082 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\GuiTreeView.au3.NB65 (copy) entropy: 7.99850378413 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\helper.au3.NB65 (copy) entropy: 7.99021460724 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\ie.au3.NB65 (copy) entropy: 7.99885604109 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\ListViewConstants.au3.NB65 (copy) entropy: 7.99201763759 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\Misc.au3.NB65 (copy) entropy: 7.99411250742 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\NetShare.au3.NB65 (copy) entropy: 7.99627168127 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\NTSTATUSConstants.au3.NB65 (copy) entropy: 7.99917004096 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\PowerPoint.au3.NB65 (copy) entropy: 7.99699148598 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\Security.au3.NB65 (copy) entropy: 7.99009907239 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\Sound.au3.NB65 (copy) entropy: 7.99150605102 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\SQLite.au3.NB65 (copy) entropy: 7.99674797362 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\StructureConstants.au3.NB65 (copy) entropy: 7.99732779305 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\UIAWrappers.au3.NB65 (copy) entropy: 7.99798937327 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\Visa.au3.NB65 (copy) entropy: 7.99539702968 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIConv.au3.NB65 (copy) entropy: 7.99272536198 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIDiag.au3.NB65 (copy) entropy: 7.99546605176 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIDlg.au3.NB65 (copy) entropy: 7.99543714157 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIFiles.au3.NB65 (copy) entropy: 7.99830996263 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIGdi.au3.NB65 (copy) entropy: 7.99916767548 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIGdiDC.au3.NB65 (copy) entropy: 7.99169193129 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIGdiInternals.au3.NB65 (copy) entropy: 7.99434542376 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIIcons.au3.NB65 (copy) entropy: 7.99309101625 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPILocale.au3.NB65 (copy) entropy: 7.9910691208 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIMem.au3.NB65 (copy) entropy: 7.99296262818 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIProc.au3.NB65 (copy) entropy: 7.99737162881 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIReg.au3.NB65 (copy) entropy: 7.9948535372 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIRes.au3.NB65 (copy) entropy: 7.99552558293 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIShellEx.au3.NB65 (copy) entropy: 7.99559892724 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPIShPath.au3.NB65 (copy) entropy: 7.99575142581 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPISys.au3.NB65 (copy) entropy: 7.99762967554 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPISysInternals.au3.NB65 (copy) entropy: 7.99245285333 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPISysWin.au3.NB65 (copy) entropy: 7.99672176103 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinAPITheme.au3.NB65 (copy) entropy: 7.99561724269 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WindowsConstants.au3.NB65 (copy) entropy: 7.99414286944 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\WinNet.au3.NB65 (copy) entropy: 7.99543409819 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\Include\Word.au3.NB65 (copy) entropy: 7.99375701572 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\autoit3\SciTE\au3.keywords.properties.NB65 (copy) entropy: 7.99785920059 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\google\Update\GoogleUpdate.bk.NB65 (copy) entropy: 7.99877442432 Jump to dropped file
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files (x86)\java\jre1.8.0_211\THIRDPARTYLICENSEREADME-JAVAFX.txt.NB65 (copy) entropy: 7.99827591606 Jump to dropped file
Source: ll.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F2C8F0 1_2_00F2C8F0
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F2E8F0 1_2_00F2E8F0
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F338B0 1_2_00F338B0
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F2C0A0 1_2_00F2C0A0
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F370A0 1_2_00F370A0
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F2C5F0 1_2_00F2C5F0
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F31D80 1_2_00F31D80
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F30960 1_2_00F30960
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F35950 1_2_00F35950
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F2D670 1_2_00F2D670
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F32A30 1_2_00F32A30
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F24200 1_2_00F24200
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F32600 1_2_00F32600
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F333A0 1_2_00F333A0
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F35750 1_2_00F35750
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F32F10 1_2_00F32F10
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F34C90 1_2_00F34C90
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F24070 1_2_00F24070
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F2FDD0 1_2_00F2FDD0
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F23D50 1_2_00F23D50
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F2B530 1_2_00F2B530
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F28ABE 1_2_00F28ABE
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F30210 1_2_00F30210
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F40F75 1_2_00F40F75
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F22F50 1_2_00F22F50
Source: ll.exe, 00000001.00000002.545098567.000000000842F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs ll.exe
Source: ll.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ll.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\ll.exe File created: C:\Users\R3ADM3.txt Jump to behavior
Source: classification engine Classification label: mal76.rans.spre.expl.winEXE@1/746@0/100
Source: C:\Users\user\Desktop\ll.exe File read: C:\Program Files\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F34630 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,lstrcmpiW,Process32NextW,FindCloseChangeNotification, 1_2_00F34630
Source: C:\Users\user\Desktop\ll.exe Mutant created: \Sessions\1\BaseNamedObjects\kjsidugidf99439
Source: C:\Users\user\Desktop\ll.exe File created: C:\Program Files\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Command line argument: stopmarker 1_2_00F30960
Source: ll.exe, 00000001.00000002.543135069.00000000081C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files (x86)\autoit3\AutoItX\Examples\C++\AutoItX.slnL
Source: ll.exe, 00000001.00000002.519218232.0000000000E29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files (x86)\autoit3\AutoItX\Examples\C++\AutoItX.sln
Source: C:\Users\user\Desktop\ll.exe File written: C:\Program Files\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Common Files\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Google\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\internet explorer\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Microsoft Office\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\MSBuild\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Reference Assemblies\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Uninstall Information\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\UNP\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Common Files\microsoft shared\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Common Files\Services\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Common Files\system\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Google\Chrome\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\internet explorer\en-US\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\internet explorer\images\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\internet explorer\SIGNUP\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Microsoft Office\Office16\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\MSBuild\Microsoft\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\UNP\Logs\R3ADM3.txt Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Directory created: C:\Program Files\UNP\UpdateNotificationMgr\R3ADM3.txt Jump to behavior
Source: ll.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ll.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ll.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ll.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ll.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ll.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ll.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: ll.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ll.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ll.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ll.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ll.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F38596 push ecx; ret 1_2_00F385A9
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F210D0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateFileW,GetProcAddress,GetProcAddress,GetProcAddress,CreateFileMappingW,GetProcAddress,MapViewOfFile,GetProcAddress,GetProcAddress, 1_2_00F210D0

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\ll.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm Jump to behavior
Source: C:\Users\user\Desktop\ll.exe TID: 472 Thread sleep count: 673 > 30 Jump to behavior
Source: C:\Users\user\Desktop\ll.exe TID: 472 Thread sleep time: -336500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\ll.exe Window / User API: threadDelayed 673 Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F35950 new,FindFirstFileW,new,FindNextFileW,FindClose, 1_2_00F35950
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F3B6BD FindFirstFileExA, 1_2_00F3B6BD
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F3B7C3 FindFirstFileExA,FindClose, 1_2_00F3B7C3
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F23480 GetLogicalDriveStringsW,GetLogicalDriveStringsW,new, 1_2_00F23480
Source: OfficeLR.cab.1.dr Binary or memory string: QeMu,
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F398A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00F398A8
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F3D417 GetProcessHeap, 1_2_00F3D417
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F3A4D2 mov eax, dword ptr fs:[00000030h] 1_2_00F3A4D2
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F38492 SetUnhandledExceptionFilter, 1_2_00F38492
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F37A93 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00F37A93
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F38344 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00F38344
Source: C:\Users\user\Desktop\ll.exe Queries volume information: C:\Users\user\NTUSER.DAT VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Queries volume information: C:\Users\user\ntuser.dat.LOG1 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Queries volume information: C:\Users\user\ntuser.dat.LOG2 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Queries volume information: C:\Users\user\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Queries volume information: C:\Users\user\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Queries volume information: C:\Users\user\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F385AB cpuid 1_2_00F385AB
Source: C:\Users\user\Desktop\ll.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F2FDD0 GetLocalTime,wsprintfW, 1_2_00F2FDD0
Source: C:\Users\user\Desktop\ll.exe Code function: 1_2_00F32F10 WSASocketW,bind,CreateIoCompletionPort, 1_2_00F32F10