Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
LF2X6lwUMg

Overview

General Information

Sample Name:LF2X6lwUMg (renamed file extension from none to dll)
Analysis ID:670669
MD5:9f754eb9c39e8dff541c226e589f1e84
SHA1:fe83d9cff000c98ef818fccfe5205c868620a267
SHA256:fef7d768aef62a755ab1cba3c4c92598ed7bed6166ae50b1b7d79238066ff6fd
Tags:dllOpenCTIBRSandboxed
Infos:

Detection

Wannacry
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Wannacry ransomware
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Connects to many IPs within the same subnet mask (likely port scanning)
Connects to many different private IPs (likely to spread or exploit)
Machine Learning detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Connects to many different private IPs via SMB (likely to spread or exploit)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates files inside the system directory
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Connects to several IPs in different countries
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 3584 cmdline: loaddll32.exe "C:\Users\user\Desktop\LF2X6lwUMg.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 5224 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LF2X6lwUMg.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4348 cmdline: rundll32.exe "C:\Users\user\Desktop\LF2X6lwUMg.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • mssecsvr.exe (PID: 3224 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 230C6AB10E662C74C0BF69CC0FEEADFE)
    • rundll32.exe (PID: 1992 cmdline: rundll32.exe C:\Users\user\Desktop\LF2X6lwUMg.dll,PlayGame MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1800 cmdline: rundll32.exe "C:\Users\user\Desktop\LF2X6lwUMg.dll",PlayGame MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • mssecsvr.exe (PID: 5572 cmdline: C:\WINDOWS\mssecsvr.exe MD5: 230C6AB10E662C74C0BF69CC0FEEADFE)
  • mssecsvr.exe (PID: 4468 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: 230C6AB10E662C74C0BF69CC0FEEADFE)
  • svchost.exe (PID: 4772 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6196 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6328 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6420 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6576 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6712 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 10108 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 9340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6804 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7148 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7676 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 8148 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 8728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1700 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
LF2X6lwUMg.dllWannaCry_RansomwareDetects WannaCry RansomwareFlorian Roth (with the help of binar.ly)
  • 0x45604:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x353d0:$x3: tasksche.exe
  • 0x455e0:$x3: tasksche.exe
  • 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x45634:$x5: WNcry@2ol7
  • 0x353a8:$x8: C:\%s\qeriuwjhrf
  • 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0x3014:$s1: C:\%s\%s
  • 0x12098:$s1: C:\%s\%s
  • 0x1b39c:$s1: C:\%s\%s
  • 0x353bc:$s1: C:\%s\%s
  • 0x45534:$s3: cmd.exe /c "%s"
  • 0x77a88:$s4: msg/m_portuguese.wnry
  • 0x326f0:$s5: \\192.168.56.20\IPC$
  • 0x1fae5:$s6: \\172.16.99.5\IPC$
  • 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
LF2X6lwUMg.dllJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
    LF2X6lwUMg.dllwanna_cry_ransomware_genericdetects wannacry ransomware on disk and in virtual pageus-cert code analysis team
    • 0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
    • 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\Windows\tasksche.exeWannaCry_RansomwareDetects WannaCry RansomwareFlorian Roth (with the help of binar.ly)
    • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
    • 0xf4d8:$x3: tasksche.exe
    • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
    • 0xf52c:$x5: WNcry@2ol7
    • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
    • 0xf42c:$s3: cmd.exe /c "%s"
    • 0x41980:$s4: msg/m_portuguese.wnry
    C:\Windows\tasksche.exewanna_cry_ransomware_genericdetects wannacry ransomware on disk and in virtual pageus-cert code analysis team
    • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
    • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
    C:\Windows\mssecsvr.exeWannaCry_RansomwareDetects WannaCry RansomwareFlorian Roth (with the help of binar.ly)
    • 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
    • 0x3136c:$x3: tasksche.exe
    • 0x4157c:$x3: tasksche.exe
    • 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
    • 0x415d0:$x5: WNcry@2ol7
    • 0x31344:$x8: C:\%s\qeriuwjhrf
    • 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
    • 0xe034:$s1: C:\%s\%s
    • 0x17338:$s1: C:\%s\%s
    • 0x31358:$s1: C:\%s\%s
    • 0x414d0:$s3: cmd.exe /c "%s"
    • 0x73a24:$s4: msg/m_portuguese.wnry
    • 0x2e68c:$s5: \\192.168.56.20\IPC$
    • 0x1ba81:$s6: \\172.16.99.5\IPC$
    • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
    • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
    • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
    C:\Windows\mssecsvr.exeWannaCry_Ransomware_GenDetects WannaCry RansomwareFlorian Roth (based on rule by US CERT)
    • 0x1bacc:$s1: __TREEID__PLACEHOLDER__
    • 0x1bb68:$s1: __TREEID__PLACEHOLDER__
    • 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
    • 0x1d439:$s1: __TREEID__PLACEHOLDER__
    • 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
    • 0x1f508:$s1: __TREEID__PLACEHOLDER__
    • 0x20570:$s1: __TREEID__PLACEHOLDER__
    • 0x215d8:$s1: __TREEID__PLACEHOLDER__
    • 0x22640:$s1: __TREEID__PLACEHOLDER__
    • 0x236a8:$s1: __TREEID__PLACEHOLDER__
    • 0x24710:$s1: __TREEID__PLACEHOLDER__
    • 0x25778:$s1: __TREEID__PLACEHOLDER__
    • 0x267e0:$s1: __TREEID__PLACEHOLDER__
    • 0x27848:$s1: __TREEID__PLACEHOLDER__
    • 0x288b0:$s1: __TREEID__PLACEHOLDER__
    • 0x29918:$s1: __TREEID__PLACEHOLDER__
    • 0x2a980:$s1: __TREEID__PLACEHOLDER__
    • 0x2ab94:$s1: __TREEID__PLACEHOLDER__
    • 0x2abf4:$s1: __TREEID__PLACEHOLDER__
    • 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
    • 0x2e340:$s1: __TREEID__PLACEHOLDER__
    C:\Windows\mssecsvr.exeJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
      Click to see the 1 entries

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000006.00000002.274041731.000000000040F000.00000008.00000001.01000000.00000004.sdmpJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
        00000004.00000000.263083833.000000000040F000.00000008.00000001.01000000.00000004.sdmpJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
          00000004.00000000.261640912.000000000040F000.00000008.00000001.01000000.00000004.sdmpJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
            00000006.00000000.271571722.000000000040F000.00000008.00000001.01000000.00000004.sdmpJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
              00000006.00000000.266684669.000000000040F000.00000008.00000001.01000000.00000004.sdmpJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
                Click to see the 20 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                6.0.mssecsvr.exe.7100a4.7.unpackWannaCry_RansomwareDetects WannaCry RansomwareFlorian Roth (with the help of binar.ly)
                • 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
                • 0xe8d8:$x3: tasksche.exe
                • 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
                • 0xe92c:$x5: WNcry@2ol7
                • 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
                • 0xe82c:$s3: cmd.exe /c "%s"
                6.0.mssecsvr.exe.7100a4.7.unpackwanna_cry_ransomware_genericdetects wannacry ransomware on disk and in virtual pageus-cert code analysis team
                • 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
                • 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
                4.2.mssecsvr.exe.7100a4.1.unpackWannaCry_RansomwareDetects WannaCry RansomwareFlorian Roth (with the help of binar.ly)
                • 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
                • 0xe8d8:$x3: tasksche.exe
                • 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
                • 0xe92c:$x5: WNcry@2ol7
                • 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
                • 0xe82c:$s3: cmd.exe /c "%s"
                4.2.mssecsvr.exe.7100a4.1.unpackwanna_cry_ransomware_genericdetects wannacry ransomware on disk and in virtual pageus-cert code analysis team
                • 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
                • 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
                4.0.mssecsvr.exe.7100a4.3.unpackWannaCry_RansomwareDetects WannaCry RansomwareFlorian Roth (with the help of binar.ly)
                • 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
                • 0xe8d8:$x3: tasksche.exe
                • 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
                • 0xe92c:$x5: WNcry@2ol7
                • 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
                • 0xe82c:$s3: cmd.exe /c "%s"
                Click to see the 83 entries

                Sigma Signatures

                No Sigma rule has matched

                Snort Signatures

                Timestamp:192.168.2.48.8.8.860506532830018 07/21/22-03:50:46.058333
                SID:2830018
                Source Port:60506
                Destination Port:53
                Protocol:UDP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.48.8.8.856076532830018 07/21/22-03:50:48.852117
                SID:2830018
                Source Port:56076
                Destination Port:53
                Protocol:UDP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.48.8.8.864277532830018 07/21/22-03:50:48.486644
                SID:2830018
                Source Port:64277
                Destination Port:53
                Protocol:UDP
                Classtype:A Network Trojan was detected

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Multi AV Scanner detection for submitted file
                Source: LF2X6lwUMg.dllVirustotal: Detection: 91%Perma Link
                Source: LF2X6lwUMg.dllReversingLabs: Detection: 89%
                Antivirus / Scanner detection for submitted sample
                Source: LF2X6lwUMg.dllAvira: detected
                Antivirus detection for URL or domain
                Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comURL Reputation: Label: malware
                Antivirus detection for dropped file
                Source: C:\Windows\mssecsvr.exeAvira: detection malicious, Label: TR/Ransom.Gen
                Multi AV Scanner detection for dropped file
                Source: C:\Windows\mssecsvr.exeReversingLabs: Detection: 100%
                Source: C:\Windows\tasksche.exeReversingLabs: Detection: 88%
                Machine Learning detection for sample
                Source: LF2X6lwUMg.dllJoe Sandbox ML: detected
                Machine Learning detection for dropped file
                Source: C:\Windows\mssecsvr.exeJoe Sandbox ML: detected
                Source: C:\Windows\tasksche.exeJoe Sandbox ML: detected
                Source: 6.0.mssecsvr.exe.400000.6.unpackAvira: Label: TR/Ransom.Gen
                Source: 6.2.mssecsvr.exe.400000.0.unpackAvira: Label: TR/Ransom.Gen
                Source: 4.0.mssecsvr.exe.400000.2.unpackAvira: Label: TR/Ransom.Gen
                Source: 6.0.mssecsvr.exe.400000.4.unpackAvira: Label: TR/Ransom.Gen
                Source: 4.2.mssecsvr.exe.400000.0.unpackAvira: Label: TR/Ransom.Gen
                Source: 6.0.mssecsvr.exe.400000.0.unpackAvira: Label: TR/Ransom.Gen
                Source: 7.0.mssecsvr.exe.400000.0.unpackAvira: Label: TR/Ransom.Gen
                Source: 4.0.mssecsvr.exe.400000.0.unpackAvira: Label: TR/Ransom.Gen
                Source: 4.0.mssecsvr.exe.400000.4.unpackAvira: Label: TR/Ransom.Gen
                Source: 4.0.mssecsvr.exe.400000.6.unpackAvira: Label: TR/Ransom.Gen
                Source: 6.0.mssecsvr.exe.400000.2.unpackAvira: Label: TR/Ransom.Gen

                Exploits

                barindex
                Connects to many different private IPs (likely to spread or exploit)
                Source: global trafficTCP traffic: 192.168.2.148:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.149:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.146:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.147:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.140:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.141:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.144:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.145:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.142:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.143:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.159:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.157:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.158:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.151:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.152:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.150:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.155:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.156:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.153:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.154:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.126:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.247:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.127:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.248:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.124:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.245:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.125:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.246:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.128:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.249:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.129:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.240:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.122:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.243:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.123:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.244:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.120:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.241:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.121:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.242:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.97:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.137:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.96:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.138:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.99:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.135:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.98:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.136:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.139:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.250:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.130:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.251:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.91:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.90:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.93:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.133:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.254:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.92:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.134:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.95:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.131:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.252:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.94:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.132:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.253:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.104:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.225:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.105:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.226:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.102:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.223:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.103:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.224:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.108:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.229:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.109:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.106:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.227:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.107:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.228:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.100:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.221:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.101:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.222:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.220:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.115:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.236:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.116:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.237:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.113:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.234:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.114:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.235:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.119:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.117:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.238:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.118:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.239:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.111:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.232:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.112:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.233:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.230:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.110:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.231:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.203:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.204:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.201:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.202:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.207:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.208:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.205:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.206:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.200:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.209:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.214:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.215:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.212:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.213:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.218:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.219:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.216:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.217:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.210:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.211:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.39:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.38:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.42:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.41:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.44:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.43:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.46:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.45:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.48:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.47:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.40:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.28:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.27:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.29:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.31:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.30:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.33:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.32:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.35:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.34:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.37:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.36:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.17:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.16:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.19:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.18:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.20:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.22:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.21:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.24:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.23:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.26:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.25:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.11:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.10:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.13:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.12:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.15:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.14:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.2:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.1:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.180:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.181:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.8:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.7:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.9:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.4:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.3:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.6:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.5:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.86:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.85:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.88:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.87:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.89:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.184:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.185:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.80:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.182:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.183:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.82:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.188:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.81:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.189:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.84:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.186:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.83:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.187:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.191:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.192:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.190:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.75:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.74:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.77:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.76:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.79:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.78:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.195:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.196:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.193:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.194:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.71:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.199:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.70:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.73:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.197:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.72:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.198:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.64:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.63:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.66:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.168:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.65:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.169:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.68:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.67:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.69:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.162:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.163:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.160:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.161:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.60:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.166:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.167:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.62:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.164:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.61:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.165:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.170:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.49:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.53:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.52:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.55:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.179:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.54:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.57:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.56:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.59:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.58:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.173:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.174:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.171:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.172:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.177:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.178:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.51:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.175:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.50:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.176:445Jump to behavior
                Connects to many different private IPs via SMB (likely to spread or exploit)
                Source: global trafficTCP traffic: 192.168.2.148:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.149:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.146:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.147:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.140:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.141:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.144:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.145:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.142:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.143:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.159:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.157:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.158:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.151:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.152:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.150:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.155:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.156:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.153:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.154:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.126:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.247:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.127:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.248:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.124:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.245:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.125:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.246:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.128:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.249:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.129:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.240:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.122:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.243:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.123:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.244:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.120:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.241:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.121:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.242:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.97:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.137:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.96:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.138:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.99:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.135:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.98:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.136:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.139:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.250:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.130:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.251:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.91:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.90:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.93:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.133:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.254:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.92:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.134:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.95:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.131:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.252:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.94:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.132:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.253:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.104:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.225:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.105:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.226:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.102:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.223:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.103:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.224:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.108:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.229:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.109:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.106:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.227:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.107:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.228:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.100:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.221:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.101:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.222:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.220:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.115:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.236:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.116:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.237:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.113:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.234:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.114:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.235:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.119:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.117:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.238:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.118:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.239:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.111:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.232:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.112:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.233:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.230:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.110:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.231:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.203:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.204:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.201:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.202:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.207:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.208:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.205:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.206:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.200:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.209:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.214:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.215:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.212:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.213:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.218:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.219:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.216:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.217:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.210:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.211:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.39:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.38:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.42:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.41:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.44:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.43:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.46:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.45:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.48:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.47:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.40:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.28:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.27:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.29:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.31:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.30:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.33:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.32:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.35:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.34:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.37:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.36:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.17:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.16:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.19:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.18:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.20:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.22:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.21:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.24:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.23:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.26:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.25:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.11:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.10:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.13:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.12:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.15:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.14:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.2:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.1:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.180:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.181:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.8:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.7:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.9:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.4:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.3:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.6:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.5:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.86:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.85:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.88:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.87:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.89:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.184:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.185:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.80:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.182:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.183:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.82:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.188:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.81:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.189:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.84:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.186:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.83:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.187:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.191:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.192:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.190:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.75:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.74:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.77:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.76:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.79:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.78:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.195:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.196:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.193:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.194:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.71:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.199:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.70:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.73:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.197:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.72:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.198:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.64:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.63:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.66:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.168:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.65:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.169:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.68:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.67:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.69:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.162:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.163:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.160:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.161:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.60:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.166:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.167:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.62:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.164:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.61:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.165:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.170:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.49:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.53:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.52:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.55:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.179:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.54:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.57:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.56:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.59:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.58:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.173:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.174:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.171:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.172:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.177:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.178:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.51:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.175:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.50:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.176:445Jump to behavior
                Source: LF2X6lwUMg.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                Source: unknownHTTPS traffic detected: 20.40.136.238:443 -> 192.168.2.4:49718 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 40.126.31.64:443 -> 192.168.2.4:50202 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.4:50224 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.4:50223 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 20.31.106.135:443 -> 192.168.2.4:50241 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 20.31.106.135:443 -> 192.168.2.4:50242 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51128 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.242.101.226:443 -> 192.168.2.4:51192 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51227 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51234 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51305 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51322 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 20.238.103.94:443 -> 192.168.2.4:51358 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51390 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51429 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 20.54.89.106:443 -> 192.168.2.4:51479 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51484 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51538 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 80.67.82.235:443 -> 192.168.2.4:51578 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 80.67.82.235:443 -> 192.168.2.4:51579 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 80.67.82.235:443 -> 192.168.2.4:51577 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 80.67.82.235:443 -> 192.168.2.4:51581 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 40.125.122.176:443 -> 192.168.2.4:51574 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 80.67.82.235:443 -> 192.168.2.4:51617 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 20.54.89.106:443 -> 192.168.2.4:51666 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51671 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.242.101.226:443 -> 192.168.2.4:51720 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 40.125.122.176:443 -> 192.168.2.4:51758 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51809 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51850 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 40.126.32.138:443 -> 192.168.2.4:65024 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 40.126.32.138:443 -> 192.168.2.4:65023 version: TLS 1.2

                Networking

                barindex
                Snort IDS alert for network traffic
                Source: TrafficSnort IDS: 2830018 ETPRO TROJAN Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) 192.168.2.4:60506 -> 8.8.8.8:53
                Source: TrafficSnort IDS: 2830018 ETPRO TROJAN Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) 192.168.2.4:64277 -> 8.8.8.8:53
                Source: TrafficSnort IDS: 2830018 ETPRO TROJAN Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) 192.168.2.4:56076 -> 8.8.8.8:53
                Uses known network protocols on non-standard ports
                Source: unknownNetwork traffic detected: HTTP traffic on port 445 -> 55513
                Source: unknownNetwork traffic detected: HTTP traffic on port 445 -> 55748
                Source: unknownNetwork traffic detected: HTTP traffic on port 445 -> 62588
                Source: unknownNetwork traffic detected: HTTP traffic on port 445 -> 62927
                Connects to many IPs within the same subnet mask (likely port scanning)
                Source: global trafficTCP traffic: Count: 216 IPs: 97.78.105.62,97.78.105.61,97.78.105.179,97.78.105.64,97.78.105.178,97.78.105.63,97.78.105.177,97.78.105.66,97.78.105.176,97.78.105.65,97.78.105.175,97.78.105.68,97.78.105.174,97.78.105.67,97.78.105.173,97.78.105.172,97.78.105.69,97.78.105.171,97.78.105.170,97.78.105.60,97.78.105.73,97.78.105.72,97.78.105.75,97.78.105.189,97.78.105.74,97.78.105.188,97.78.105.77,97.78.105.187,97.78.105.76,97.78.105.186,97.78.105.79,97.78.105.185,97.78.105.78,97.78.105.184,97.78.105.183,97.78.105.182,97.78.105.181,97.78.105.180,97.78.105.71,97.78.105.70,97.78.105.84,97.78.105.83,97.78.105.86,97.78.105.85,97.78.105.199,97.78.105.88,97.78.105.198,97.78.105.87,97.78.105.197,97.78.105.196,97.78.105.89,97.78.105.195,97.78.105.194,97.78.105.193,97.78.105.192,97.78.105.191,97.78.105.190,97.78.105.80,97.78.105.82,97.78.105.81,97.78.105.95,97.78.105.94,97.78.105.97,97.78.105.96,97.78.105.99,97.78.105.98,97.78.105.91,97.78.105.90,97.78.105.93,97.78.105.92,97.78.105.136,97.78.105.135,97.78.105.20,97.78.105.134,97.78.105.133,97.78.105.22,97.78.105.132,97.78.105.21,97.78.105.131,97.78.105.24,97.78.105.130,97.78.105.23,97.78.105.26,97.78.105.25,97.78.105.28,97.78.105.27,97.78.105.29,97.78.105.129,97.78.105.128,97.78.105.127,97.78.105.126,97.78.105.147,97.78.105.146,97.78.105.31,97.78.105.145,97.78.105.30,97.78.105.144,97.78.105.33,97.78.105.143,97.78.105.32,97.78.105.142,97.78.105.35,97.78.105.141,97.78.105.34,97.78.105.140,97.78.105.37,97.78.105.36,97.78.105.39,97.78.105.38,97.78.105.139,97.78.105.138,97.78.105.137,97.78.105.40,97.78.105.158,97.78.105.157,97.78.105.42,97.78.105.156,97.78.105.41,97.78.105.155,97.78.105.44,97.78.105.154,97.78.105.43,97.78.105.153,97.78.105.46,97.78.105.152,97.78.105.45,97.78.105.151,97.78.105.48,97.78.105.150,97.78.105.47,97.78.105.49,97.78.105.149,97.78.105.148,97.78.105.51,97.78.105.169,97.78.105.50,97.78.105.168,97.78.105.53,97.78.105.167,97.78.105.52,97.78.105.166,97.78.105.55,97.78.105.165,97.78.105.54,97.78.105.164,97.78.105.57,97.78.105.163,97.78.105.56,97.78.105.162,97.78.105.59,97.78.105.161,97.78.105.58,97.78.105.160,97.78.105.159,97.78.105.213,97.78.105.212,97.78.105.211,97.78.105.210,97.78.105.209,97.78.105.208,97.78.105.207,97.78.105.206,97.78.105.205,97.78.105.204,97.78.105.203,97.78.105.103,97.78.105.102,97.78.105.101,97.78.105.100,97.78.105.215,97.78.105.214,97.78.105.114,97.78.105.113,97.78.105.112,97.78.105.111,97.78.105.110,97.78.105.109,97.78.105.108,97.78.105.107,97.78.105.106,97.78.105.105,97.78.105.104,97.78.105.125,97.78.105.245,97.78.105.124,97.78.105.123,97.78.105.122,97.78.105.11,97.78.105.121,97.78.105.10,97.78.105.120,97.78.105.13,97.78.105.12,97.78.105.15,97.78.105.14,97.78.105.17,97.78.105.16,97.78.105.19,97.78.105.18,97.78.105.119,97.78.105.118,97.78.105.117,97.78.105.116,97.78.105.115,97.78.105.1,97.78.105.2,97.78.105.3,97.78.105.4,97.78.105.9,97.78.105.5,97.78.105.6,97.78.105.7,97.78.105.8,97.78.105.202,97.78.105.201,97.78.105.200
                Source: Joe Sandbox ViewJA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
                Source: global trafficHTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29340.5; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
                Source: global trafficHTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29340.5; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4740Host: login.live.com
                Source: global trafficHTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29340.5; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4796Host: login.live.com
                Source: global trafficHTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29340.5; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4796Host: login.live.com
                Source: global trafficHTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29340.5; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4794Host: login.live.com
                Source: global trafficHTTP traffic detected: GET /client/config?cc=US&setlang=en-US HTTP/1.1X-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguageX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}X-UserAgeClass: UnknownX-BM-Market: USX-BM-DateFormat: M/d/yyyyX-CortanaAccessAboveLock: falseX-Device-OSSKU: 48X-BM-DTZ: 120X-BM-FirstEnabledTime: 132061327679472806X-DeviceID: 0100748C0900D485X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAc0sEbw4UIulobuiiG0fha5sBDdQpX6SBBoNRXO5M5%2BupGssS%2BSlrbhjrga%2BpFF0wO2IN7Ejr%2BBagzui9/tv0TDl3OK1OxeidxdM3DcOqJnMLDH9V55jP8m4bCrZalgLHbGCTkNTvefI5tK5SnsXBLYqkENzncSU3AlQHy6WRaN1FdoA37fGEKBDziy6jk5V6e1cc8ebWYPherZvWbuMgEo5mrOxslNubm/DQ4eWW/dq5L9MnRfVbxWNyDk1ah3XSM2ihwbOjH0Mib2mwxM1JYWNnRHWxRc18/hjXVIrCP/nP948DNERrtAo3tw3lcQiIbRejvNa%2BOKGGlY4ZnTz/jwDZgAACI5CHkLIhlX%2BqAFmVujgsmV04JXylhJoVj7maVwaMJ8%2BKoaMN%2B3foda%2BRuWMKO/2pmBSNaI6U5e3lUQHFeNyh3H2pf/St66Lyek6q14iVcouXVDmXnrJDj4gTMwiyez0nyBc4iCWJMKp9m8OM/S07Hekgml4RkFc40Y3rM6RXazgCszDJ2upa%2BYjT/u6OLmc5jkDelgFFM8og90Rf84G8arS3IGK/T73bPKZ0cQ%2BG%2B0p6BspcAinte9SFhPF2v9nKw9IrvaqpSJGmg9d4vDvKSZ39cMq3M4UNOJnA3fay%2Bj70pB8/D0prh%2BN8VT1cjtMMAGhIGBJXuh6MWWBj3EuNfxxLhC80DO4Guk90kqCZciVVk6/rgnVLAmbiGrcjYsGJtMrh7uATQxtax7b5UiFjueG/G7wv%2BlbxXRiWQt5SLpeDPnkyryRj0CTaj7jnhsLygqxvE0ExFy6z35zBWCU1yyUrqipvffEPT7oUApLqIadOkMejJ2WYvr5f6Lr2WJWD/PJbhjoWr1JaRhYrhJTg2DQRB45B4buW9pKH7s7GQNjtT7JtTbJJZbz3e2L1G9VqsOu1gE%3D%26p%3DX-Agent-DeviceId: 0100748C0900D485X-BM-CBT: 1658368223User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134X-Device-isOptin: trueAccept-language: en-US, enX-Device-Touch: falseX-Device-ClientSession: 6DF2A13DC8674297A3BF7AE7EB580336X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeaderHost: www.bing.comConnection: Keep-AliveCookie: MUID=BEEBF15262804E24A8DF6781500AB975
                Source: global trafficHTTP traffic detected: GET /proactive/v2/spark?cc=US&setLang=en-US HTTP/1.1X-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguageX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}X-Device-IsBatteryCertified: falseX-UserAgeClass: UnknownX-BM-Market: USX-BM-DateFormat: M/d/yyyyX-CortanaAccessAboveLock: falseX-Device-OSSKU: 48X-Device-IsBatteryEnabled: falseX-Device-NetworkType: ethernetX-BM-DTZ: 120X-BM-FirstEnabledTime: 132061327679472806X-DeviceID: 0100748C0900D485X-VoiceActivationOn: falseX-Device-AudioCapture: Microphone (High Definition Audio Device)X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAc0sEbw4UIulobuiiG0fha5sBDdQpX6SBBoNRXO5M5%2BupGssS%2BSlrbhjrga%2BpFF0wO2IN7Ejr%2BBagzui9/tv0TDl3OK1OxeidxdM3DcOqJnMLDH9V55jP8m4bCrZalgLHbGCTkNTvefI5tK5SnsXBLYqkENzncSU3AlQHy6WRaN1FdoA37fGEKBDziy6jk5V6e1cc8ebWYPherZvWbuMgEo5mrOxslNubm/DQ4eWW/dq5L9MnRfVbxWNyDk1ah3XSM2ihwbOjH0Mib2mwxM1JYWNnRHWxRc18/hjXVIrCP/nP948DNERrtAo3tw3lcQiIbRejvNa%2BOKGGlY4ZnTz/jwDZgAACI5CHkLIhlX%2BqAFmVujgsmV04JXylhJoVj7maVwaMJ8%2BKoaMN%2B3foda%2BRuWMKO/2pmBSNaI6U5e3lUQHFeNyh3H2pf/St66Lyek6q14iVcouXVDmXnrJDj4gTMwiyez0nyBc4iCWJMKp9m8OM/S07Hekgml4RkFc40Y3rM6RXazgCszDJ2upa%2BYjT/u6OLmc5jkDelgFFM8og90Rf84G8arS3IGK/T73bPKZ0cQ%2BG%2B0p6BspcAinte9SFhPF2v9nKw9IrvaqpSJGmg9d4vDvKSZ39cMq3M4UNOJnA3fay%2Bj70pB8/D0prh%2BN8VT1cjtMMAGhIGBJXuh6MWWBj3EuNfxxLhC80DO4Guk90kqCZciVVk6/rgnVLAmbiGrcjYsGJtMrh7uATQxtax7b5UiFjueG/G7wv%2BlbxXRiWQt5SLpeDPnkyryRj0CTaj7jnhsLygqxvE0ExFy6z35zBWCU1yyUrqipvffEPT7oUApLqIadOkMejJ2WYvr5f6Lr2WJWD/PJbhjoWr1JaRhYrhJTg2DQRB45B4buW9pKH7s7GQNjtT7JtTbJJZbz3e2L1G9VqsOu1gE%3D%26p%3DX-Agent-DeviceId: 0100748C0900D485X-BM-CBT: 1658368223User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134X-Device-isOptin: trueAccept-language: en-US, enX-Device-IsEnergyHero: falseX-Device-Touch: falseX-Device-ClientSession: 6DF2A13DC8674297A3BF7AE7EB580336X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeaderHost: www.bing.comConnection: Keep-AliveCookie: MUID=BEEBF15262804E24A8DF6781500AB975
                Source: global trafficHTTP traffic detected: GET /cms/api/am/imageFileData/RE4Pjc1?ver=a739 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cms/api/am/imageFileData/RWyRp8?ver=10c7 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cms/api/am/imageFileData/RE4PtWe?ver=aadd HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cms/api/am/imageFileData/RWEJoX?ver=c3a5 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cms/api/am/imageFileData/RWyTNg?ver=ef32 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cms/api/am/imageFileData/RWEtdH?ver=f6d0 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29340.5; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4683Host: login.live.com
                Source: global trafficHTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29340.5; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4683Host: login.live.com
                Source: global trafficHTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29340.5; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4683Host: login.live.com
                Source: unknownNetwork traffic detected: IP country count 28
                Source: unknownDNS traffic detected: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com replaycode: Server failure (2)
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51428
                Source: unknownNetwork traffic detected: HTTP traffic on port 51574 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51305
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51429
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51386
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53569
                Source: unknownNetwork traffic detected: HTTP traffic on port 50202 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51666
                Source: unknownNetwork traffic detected: HTTP traffic on port 54221 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51390
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51393
                Source: unknownNetwork traffic detected: HTTP traffic on port 51474 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 52704 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 53569 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 65024
                Source: unknownNetwork traffic detected: HTTP traffic on port 51445 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51577 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51720 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51571 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 53787 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 54044 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51437
                Source: unknownNetwork traffic detected: HTTP traffic on port 51227 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 53993 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53576
                Source: unknownNetwork traffic detected: HTTP traffic on port 51565 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50221
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50220
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51396
                Source: unknownNetwork traffic detected: HTTP traffic on port 51636 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51671
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50223
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53855
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50222
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53854
                Source: unknownNetwork traffic detected: HTTP traffic on port 53796 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53853
                Source: unknownNetwork traffic detected: HTTP traffic on port 50205 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50222 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50224
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51433
                Source: unknownNetwork traffic detected: HTTP traffic on port 51322 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51347 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51480 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 53853 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51486 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51396 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51445
                Source: unknownNetwork traffic detected: HTTP traffic on port 51671 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51720
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53865
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51322
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51565
                Source: unknownNetwork traffic detected: HTTP traffic on port 52174 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51617 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51393 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51623 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 54044
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                Source: unknownNetwork traffic detected: HTTP traffic on port 51579 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                Source: unknownNetwork traffic detected: HTTP traffic on port 51518 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 53922 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52704
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51579
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53999
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51618
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51617
                Source: unknownNetwork traffic detected: HTTP traffic on port 53865 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50241
                Source: unknownNetwork traffic detected: HTTP traffic on port 51433 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51574
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53993
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51571
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53992
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50242
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53991
                Source: unknownNetwork traffic detected: HTTP traffic on port 65024 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51577
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51578
                Source: unknownNetwork traffic detected: HTTP traffic on port 50224 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51575
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51850
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 54204
                Source: unknownNetwork traffic detected: HTTP traffic on port 50241 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 53576 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50948 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51390 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51581
                Source: unknownNetwork traffic detected: HTTP traffic on port 51758 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 54066 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51227
                Source: unknownNetwork traffic detected: HTTP traffic on port 51192 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51623
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53923
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53922
                Source: unknownNetwork traffic detected: HTTP traffic on port 53992 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51484 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53926
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51347
                Source: unknownNetwork traffic detected: HTTP traffic on port 50221 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51587
                Source: unknownNetwork traffic detected: HTTP traffic on port 51809 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 53934 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51192
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 54062
                Source: unknownNetwork traffic detected: HTTP traffic on port 51587 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 53854 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 54221
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 54066
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 54186
                Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51128 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51523 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51636
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51758
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53934
                Source: unknownNetwork traffic detected: HTTP traffic on port 51305 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50948
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51518
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51474
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51358
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51479
                Source: unknownNetwork traffic detected: HTTP traffic on port 53662 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51234
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 54073
                Source: unknownNetwork traffic detected: HTTP traffic on port 51429 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 52174
                Source: unknownNetwork traffic detected: HTTP traffic on port 54114 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51234 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51480
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50949
                Source: unknownNetwork traffic detected: HTTP traffic on port 51538 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51128
                Source: unknownNetwork traffic detected: HTTP traffic on port 51358 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51528
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51486
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 54114
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53662
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51484
                Source: unknownNetwork traffic detected: HTTP traffic on port 65023 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 65139 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51523
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53787
                Source: unknownNetwork traffic detected: HTTP traffic on port 51528 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50223 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 53923 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50242 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51428 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 50949 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51809
                Source: unknownNetwork traffic detected: HTTP traffic on port 53991 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51386 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51575 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51850 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50205
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51538
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
                Source: unknownNetwork traffic detected: HTTP traffic on port 51437 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51536
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 65023
                Source: unknownNetwork traffic detected: HTTP traffic on port 53999 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53796
                Source: unknownNetwork traffic detected: HTTP traffic on port 50220 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51581 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 54186 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 54204 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 53926 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50202
                Source: unknownNetwork traffic detected: HTTP traffic on port 54073 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51618 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51479 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 53855 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51578 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                Source: unknownNetwork traffic detected: HTTP traffic on port 54062 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51666 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 51536 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 65139
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 20.40.136.238
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                Source: unknownTCP traffic detected without corresponding DNS query: 40.126.31.4
                Source: unknownTCP traffic detected without corresponding DNS query: 40.126.31.4
                Source: unknownTCP traffic detected without corresponding DNS query: 40.126.31.4
                Source: unknownTCP traffic detected without corresponding DNS query: 40.126.31.4
                Source: unknownTCP traffic detected without corresponding DNS query: 40.126.31.4
                Source: unknownTCP traffic detected without corresponding DNS query: 40.126.31.4
                Source: unknownTCP traffic detected without corresponding DNS query: 40.126.31.4
                Source: unknownTCP traffic detected without corresponding DNS query: 40.126.31.4
                Source: unknownTCP traffic detected without corresponding DNS query: 40.126.31.4
                Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
                Source: unknownTCP traffic detected without corresponding DNS query: 8.248.119.254
                Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
                Source: unknownTCP traffic detected without corresponding DNS query: 8.248.119.254
                Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
                Source: unknownTCP traffic detected without corresponding DNS query: 8.248.119.254
                Source: unknownTCP traffic detected without corresponding DNS query: 201.117.1.173
                Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
                Source: unknownTCP traffic detected without corresponding DNS query: 8.248.119.254
                Source: unknownTCP traffic detected without corresponding DNS query: 201.117.1.173
                Source: svchost.exe, 0000001A.00000003.440421079.00000138FBF70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
                Source: svchost.exe, 0000001A.00000003.440421079.00000138FBF70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
                Source: svchost.exe, 0000001A.00000003.440421079.00000138FBF70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.440471686.00000138FBF81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-20T13:21:02.8104380Z||.||4998f0a4-af49-449b-82d0-89396bef82ff||1152921505695074449||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                Source: svchost.exe, 0000001A.00000003.440421079.00000138FBF70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.440471686.00000138FBF81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-20T13:21:02.8104380Z||.||4998f0a4-af49-449b-82d0-89396bef82ff||1152921505695074449||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                Source: svchost.exe, 00000014.00000002.683952598.0000021F13A9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.487657134.00000138FBF00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: svchost.exe, 00000014.00000002.683952598.0000021F13A9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.487465137.00000138FB6EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                Source: svchost.exe, 0000001A.00000003.459697814.00000138FBF97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://help.disneyplus.com.
                Source: svchost.exe, 00000014.00000002.683540030.0000021F0E2AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.682695032.0000021F0E2AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/0
                Source: svchost.exe, 00000014.00000002.683540030.0000021F0E2AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.682695032.0000021F0E2AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                Source: svchost.exe, 00000014.00000002.683540030.0000021F0E2AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.682695032.0000021F0E2AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/e
                Source: svchost.exe, 0000000E.00000002.314031176.00000202CA813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
                Source: mssecsvr.exe.2.drString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                Source: mssecsvr.exe, 00000007.00000002.871448684.000000000019C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
                Source: svchost.exe, 0000000E.00000003.313640910.00000202CA860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                Source: svchost.exe, 0000000E.00000003.313672753.00000202CA85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 0000000E.00000002.314131183.00000202CA85C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313672753.00000202CA85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                Source: svchost.exe, 0000000E.00000003.313640910.00000202CA860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                Source: svchost.exe, 0000000E.00000002.314095949.00000202CA83D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                Source: svchost.exe, 0000000E.00000002.314131183.00000202CA85C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313672753.00000202CA85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
                Source: svchost.exe, 0000000E.00000003.313640910.00000202CA860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                Source: svchost.exe, 0000000E.00000002.314124119.00000202CA84E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313602809.00000202CA848000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: svchost.exe, 0000000E.00000002.314131183.00000202CA85C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313672753.00000202CA85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                Source: svchost.exe, 0000000E.00000003.313640910.00000202CA860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                Source: svchost.exe, 0000000E.00000002.314095949.00000202CA83D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                Source: svchost.exe, 0000000E.00000003.313640910.00000202CA860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                Source: svchost.exe, 0000000E.00000003.313640910.00000202CA860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                Source: svchost.exe, 0000000E.00000003.313640910.00000202CA860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                Source: svchost.exe, 0000000E.00000003.313697166.00000202CA840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                Source: svchost.exe, 0000000E.00000002.314102033.00000202CA842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313697166.00000202CA840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                Source: svchost.exe, 0000000E.00000003.313640910.00000202CA860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                Source: svchost.exe, 0000000E.00000002.314131183.00000202CA85C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313697166.00000202CA840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313672753.00000202CA85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                Source: svchost.exe, 0000001A.00000003.459697814.00000138FBF97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://disneyplus.com/legal.
                Source: svchost.exe, 0000000E.00000003.313672753.00000202CA85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                Source: svchost.exe, 0000000E.00000002.314131183.00000202CA85C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313672753.00000202CA85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                Source: svchost.exe, 0000000E.00000002.314131183.00000202CA85C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313672753.00000202CA85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                Source: svchost.exe, 0000000E.00000003.313689447.00000202CA845000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.313672753.00000202CA85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
                Source: svchost.exe, 0000000E.00000003.313640910.00000202CA860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                Source: svchost.exe, 0000000E.00000002.314095949.00000202CA83D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 0000000E.00000003.291611790.00000202CA831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: svchost.exe, 0000001A.00000003.454260939.00000138FC402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.454217352.00000138FBFA8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.454114020.00000138FC402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.454153547.00000138FBF97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.hotspotshield.com/
                Source: svchost.exe, 0000000E.00000002.314095949.00000202CA83D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: svchost.exe, 0000000E.00000002.314095949.00000202CA83D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.314031176.00000202CA813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                Source: svchost.exe, 0000000E.00000003.291611790.00000202CA831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                Source: svchost.exe, 0000000E.00000003.313689447.00000202CA845000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                Source: svchost.exe, 0000000E.00000003.291611790.00000202CA831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                Source: svchost.exe, 0000000E.00000003.291611790.00000202CA831000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.314076918.00000202CA83A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                Source: svchost.exe, 0000000E.00000002.314031176.00000202CA813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gene
                Source: svchost.exe, 0000001A.00000003.459697814.00000138FBF97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                Source: svchost.exe, 0000001A.00000003.459697814.00000138FBF97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                Source: svchost.exe, 0000001A.00000003.454260939.00000138FC402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.454217352.00000138FBFA8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.454114020.00000138FC402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.454153547.00000138FBF97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.hotspotshield.com/terms/
                Source: svchost.exe, 0000001A.00000003.454260939.00000138FC402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.454217352.00000138FBFA8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.454114020.00000138FC402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.454153547.00000138FBF97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.pango.co/privacy
                Source: svchost.exe, 0000001A.00000003.463534625.00000138FBF99000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.463637624.00000138FC402000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                Source: unknownHTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29340.5; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
                Source: unknownDNS traffic detected: queries for: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                Source: global trafficHTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220308T094327Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=ab05962f224743feb2b5567896c7eace&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1417890&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1417890&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50583&fs=32089&sc=6Cache-Control: no-cacheMS-CV: JUD1Al8570uUgLW6.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220308T094327Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=559ac71e6e6646de9fd191559a016b8d&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1417890&metered=false&nettype=ethernet&npid=sc-310091&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&rver=2&smBiosDm=VMware7%2C1&tl=2&tsu=1417890&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50583&fs=32089&sc=6Cache-Control: no-cacheMS-CV: JUD1Al8570uUgLW6.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /client/config?cc=US&setlang=en-US HTTP/1.1X-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguageX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}X-UserAgeClass: UnknownX-BM-Market: USX-BM-DateFormat: M/d/yyyyX-CortanaAccessAboveLock: falseX-Device-OSSKU: 48X-BM-DTZ: 120X-BM-FirstEnabledTime: 132061327679472806X-DeviceID: 0100748C0900D485X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAc0sEbw4UIulobuiiG0fha5sBDdQpX6SBBoNRXO5M5%2BupGssS%2BSlrbhjrga%2BpFF0wO2IN7Ejr%2BBagzui9/tv0TDl3OK1OxeidxdM3DcOqJnMLDH9V55jP8m4bCrZalgLHbGCTkNTvefI5tK5SnsXBLYqkENzncSU3AlQHy6WRaN1FdoA37fGEKBDziy6jk5V6e1cc8ebWYPherZvWbuMgEo5mrOxslNubm/DQ4eWW/dq5L9MnRfVbxWNyDk1ah3XSM2ihwbOjH0Mib2mwxM1JYWNnRHWxRc18/hjXVIrCP/nP948DNERrtAo3tw3lcQiIbRejvNa%2BOKGGlY4ZnTz/jwDZgAACI5CHkLIhlX%2BqAFmVujgsmV04JXylhJoVj7maVwaMJ8%2BKoaMN%2B3foda%2BRuWMKO/2pmBSNaI6U5e3lUQHFeNyh3H2pf/St66Lyek6q14iVcouXVDmXnrJDj4gTMwiyez0nyBc4iCWJMKp9m8OM/S07Hekgml4RkFc40Y3rM6RXazgCszDJ2upa%2BYjT/u6OLmc5jkDelgFFM8og90Rf84G8arS3IGK/T73bPKZ0cQ%2BG%2B0p6BspcAinte9SFhPF2v9nKw9IrvaqpSJGmg9d4vDvKSZ39cMq3M4UNOJnA3fay%2Bj70pB8/D0prh%2BN8VT1cjtMMAGhIGBJXuh6MWWBj3EuNfxxLhC80DO4Guk90kqCZciVVk6/rgnVLAmbiGrcjYsGJtMrh7uATQxtax7b5UiFjueG/G7wv%2BlbxXRiWQt5SLpeDPnkyryRj0CTaj7jnhsLygqxvE0ExFy6z35zBWCU1yyUrqipvffEPT7oUApLqIadOkMejJ2WYvr5f6Lr2WJWD/PJbhjoWr1JaRhYrhJTg2DQRB45B4buW9pKH7s7GQNjtT7JtTbJJZbz3e2L1G9VqsOu1gE%3D%26p%3DX-Agent-DeviceId: 0100748C0900D485X-BM-CBT: 1658368223User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134X-Device-isOptin: trueAccept-language: en-US, enX-Device-Touch: falseX-Device-ClientSession: 6DF2A13DC8674297A3BF7AE7EB580336X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeaderHost: www.bing.comConnection: Keep-AliveCookie: MUID=BEEBF15262804E24A8DF6781500AB975
                Source: global trafficHTTP traffic detected: GET /proactive/v2/spark?cc=US&setLang=en-US HTTP/1.1X-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguageX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}X-Device-IsBatteryCertified: falseX-UserAgeClass: UnknownX-BM-Market: USX-BM-DateFormat: M/d/yyyyX-CortanaAccessAboveLock: falseX-Device-OSSKU: 48X-Device-IsBatteryEnabled: falseX-Device-NetworkType: ethernetX-BM-DTZ: 120X-BM-FirstEnabledTime: 132061327679472806X-DeviceID: 0100748C0900D485X-VoiceActivationOn: falseX-Device-AudioCapture: Microphone (High Definition Audio Device)X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAc0sEbw4UIulobuiiG0fha5sBDdQpX6SBBoNRXO5M5%2BupGssS%2BSlrbhjrga%2BpFF0wO2IN7Ejr%2BBagzui9/tv0TDl3OK1OxeidxdM3DcOqJnMLDH9V55jP8m4bCrZalgLHbGCTkNTvefI5tK5SnsXBLYqkENzncSU3AlQHy6WRaN1FdoA37fGEKBDziy6jk5V6e1cc8ebWYPherZvWbuMgEo5mrOxslNubm/DQ4eWW/dq5L9MnRfVbxWNyDk1ah3XSM2ihwbOjH0Mib2mwxM1JYWNnRHWxRc18/hjXVIrCP/nP948DNERrtAo3tw3lcQiIbRejvNa%2BOKGGlY4ZnTz/jwDZgAACI5CHkLIhlX%2BqAFmVujgsmV04JXylhJoVj7maVwaMJ8%2BKoaMN%2B3foda%2BRuWMKO/2pmBSNaI6U5e3lUQHFeNyh3H2pf/St66Lyek6q14iVcouXVDmXnrJDj4gTMwiyez0nyBc4iCWJMKp9m8OM/S07Hekgml4RkFc40Y3rM6RXazgCszDJ2upa%2BYjT/u6OLmc5jkDelgFFM8og90Rf84G8arS3IGK/T73bPKZ0cQ%2BG%2B0p6BspcAinte9SFhPF2v9nKw9IrvaqpSJGmg9d4vDvKSZ39cMq3M4UNOJnA3fay%2Bj70pB8/D0prh%2BN8VT1cjtMMAGhIGBJXuh6MWWBj3EuNfxxLhC80DO4Guk90kqCZciVVk6/rgnVLAmbiGrcjYsGJtMrh7uATQxtax7b5UiFjueG/G7wv%2BlbxXRiWQt5SLpeDPnkyryRj0CTaj7jnhsLygqxvE0ExFy6z35zBWCU1yyUrqipvffEPT7oUApLqIadOkMejJ2WYvr5f6Lr2WJWD/PJbhjoWr1JaRhYrhJTg2DQRB45B4buW9pKH7s7GQNjtT7JtTbJJZbz3e2L1G9VqsOu1gE%3D%26p%3DX-Agent-DeviceId: 0100748C0900D485X-BM-CBT: 1658368223User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134X-Device-isOptin: trueAccept-language: en-US, enX-Device-IsEnergyHero: falseX-Device-Touch: falseX-Device-ClientSession: 6DF2A13DC8674297A3BF7AE7EB580336X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeaderHost: www.bing.comConnection: Keep-AliveCookie: MUID=BEEBF15262804E24A8DF6781500AB975
                Source: global trafficHTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220721T015108Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=25eb4cc9555e4c119c8474e304fe537d&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1611818&metered=false&nettype=ethernet&npid=sc-280815&oemName=vejxdr%2C%20Inc.&oemid=vejxdr%2C%20Inc.&ossku=Professional&smBiosDm=vejxdr7%2C1&tl=2&tsu=1611818&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50583&fs=32089&sc=6X-SDK-HW-TOKEN: t=EwDYAppeBAAUlAKXDAofTQM+n+MaRVFKzH/ehWgAATHP+RyjZxZyFsyV/EZUE826Plje3s7gpBl8MSGoFKxK1/BrJrfO3NJ4no7H/1/JjdgLQE5B4TN07ueGB1sohlql4o2S79v8AJIiBgAfwdjlXKV+GLExA9Fcv+UsVd0tt6r7SHcEgEVLLRVvSM7qZD3F6RkBwpZtYe95YyEDhlUU+oZ8Ls4vwkWu5M592+Ui1ifAglAxsgbSLOqAcg/DWB3TCBBnWiM9dZPs1vP/LEYiXvgSxM4vxIW38YUG/7iOGaXlHYIn4Q81vL8t/cNuUJGpLg9ZFu80ivAtOoWhxcBUuR0xLmeYLPk3XIbJZI34a2QV1sg1oZc5un0IbdkZNJIDZgAACA6hngZkwvHuqAFhlo7Mo02Z0gytJ9FMRH+Ad1FcBbocDNkr1L3UftgfyC4bynEEun6APAQOXZrXLi1VUNzQrYU6pQJM0llQG1E0CEV+irU/mr6Sv5Jd/HKOk0NlX62FAfhbcxjWQXaHvM/0Z5LF7I/KE972pch3+40sgmKnDpvKDzoBgw+hiCY74kJgPlK6yO11ffY6v0ydPEOhS9hSvRH0clkSVIkJqRDs+zI+Zls5DDhm4sftgzBbJIxLa/lD1t3SsgNy339HlWbKUTWFqTPoFiz4N7SaM1brXtKokH/6Y7/O6EcDDYzoDPHiMLSJ/THOVzkFsMl3ugW75E5xTbn/TsbdS+kyC72uBiwLLrxndWgBWN0N35yhTYTlKzXBkSMN6S/Xnampvh1z35Wb0Lokn1qXryKJ8irq0/7NI3AMW0M18oGNv/HD1HYwJOBQgxsROIXgOHFmVb4fFMtX40FrVj+inZ7Dm46TldCQgnl38cuW3koIkr/Z3VJQvmECiicnQr91uWPO3qyyQvzaPqZRQaif9+A5tztCMvu7XeTapiRhOUo0TNclSegINMGLdFbx1gE=&p=Cache-Control: no-cacheMS-CV: U8mDD7rqyECkNYMq.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=338389&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220721T015108Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=bfc7c89fbd244b96ba0f5d9665f5e253&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1611818&metered=false&nettype=ethernet&npid=sc-338389&oemName=vejxdr%2C%20Inc.&oemid=vejxdr%2C%20Inc.&ossku=Professional&smBiosDm=vejxdr7%2C1&tl=2&tsu=1611818&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50583&fs=32089&sc=6X-SDK-HW-TOKEN: t=EwDYAppeBAAUlAKXDAofTQM+n+MaRVFKzH/ehWgAATe+yptwr7oCC2i94oDB3fz9gnS8YR4Ybfxq4ocDtaocFTCk/ADJH0CVpd9sIi6NNgPlaMWQIqq9+rTg3VUQOEwCcq5J9aQtOqkDBYcqjnL6rUJvXwMneqsuIScziGF7wZG46LC2T/DyRspwv/tE4DNibM8V/7SUQBVRuM/X8cF3WpJ2Xu3HyitfGAq2BANlR+4vYIpgyWfVR8CibMF3p1nDghEuyU//tMwNRGTQHYuuYmOBzF8qA/c2rjK/SbKDeOGsjMKxFiWEA85IqFu3GHqJkt54zAb456UyNtddGqN3DssYH6VWqodMVOfvl1vRAm2ZYj44s9AEDx2PBNwx7DkDZgAACKBBwx81jQCzqAGi6Owf9Q++nKf0+XbgcIt+jzboM/astdVmIiHZ2AzexrWc9EzDc+dtZC5ePE7C/HOXoDZCmP/f4WZU9L6X33lW8zO7uJFhyDl4w78GLyLcw/wXVJKkHz3kK+dJSgNkrwOy2+xy5qXZQaobECRXCyO516jC+z8RoBvUKA4zn9TsBJNiBR4OpvJuOW0rQrZ7mqTRHcm3qpXD/NWXBAWB5RwYQhH9uclEP7gb+Zvg/0i9Ab68EpngkHxGAuM0MblQJ3b0vRY5Nzb/qI/Mwqk1AIs48wEs2QHwUppOIP8PhCs7qNpfeDV4Gk2cKuv3Wkg1d1C6rNFhkkI3Mnh57ANqwzxZd6K/ejn16bsvR7NrV/p7dh1PGIupb7Z8Y6UeaK/EDcwKy5MxEeRrpZomDmq/fyQBzzG43rtUgSdltmk0liwL/bQ2/iv4aZ49I3XwL1FUQ9xt3asp4J0D6klX3w9yhRKZgFZq6JtPMcvVoY9BFVwmZqvMa1LD50ibU7i1lBUv1Df2yfhILI6+/CIAKIvukpaJQEPwbFbSI16W8u7bwqwhJcwwJoepP4bb1gE=&p=Cache-Control: no-cacheMS-CV: U8mDD7rqyECkNYMq.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=338387&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220721T015155Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=d73c31277e9c426c85bb194d7f69f6cc&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1611818&metered=false&nettype=ethernet&npid=sc-338387&oemName=vejxdr%2C%20Inc.&oemid=vejxdr%2C%20Inc.&ossku=Professional&rver=2&sc-mode=0&smBiosDm=vejxdr7%2C1&tl=2&tsu=1611818&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50583&fs=32089&sc=6X-SDK-HW-TOKEN: t=EwDYAppeBAAUlAKXDAofTQM+n+MaRVFKzH/ehWgAATe+yptwr7oCC2i94oDB3fz9gnS8YR4Ybfxq4ocDtaocFTCk/ADJH0CVpd9sIi6NNgPlaMWQIqq9+rTg3VUQOEwCcq5J9aQtOqkDBYcqjnL6rUJvXwMneqsuIScziGF7wZG46LC2T/DyRspwv/tE4DNibM8V/7SUQBVRuM/X8cF3WpJ2Xu3HyitfGAq2BANlR+4vYIpgyWfVR8CibMF3p1nDghEuyU//tMwNRGTQHYuuYmOBzF8qA/c2rjK/SbKDeOGsjMKxFiWEA85IqFu3GHqJkt54zAb456UyNtddGqN3DssYH6VWqodMVOfvl1vRAm2ZYj44s9AEDx2PBNwx7DkDZgAACKBBwx81jQCzqAGi6Owf9Q++nKf0+XbgcIt+jzboM/astdVmIiHZ2AzexrWc9EzDc+dtZC5ePE7C/HOXoDZCmP/f4WZU9L6X33lW8zO7uJFhyDl4w78GLyLcw/wXVJKkHz3kK+dJSgNkrwOy2+xy5qXZQaobECRXCyO516jC+z8RoBvUKA4zn9TsBJNiBR4OpvJuOW0rQrZ7mqTRHcm3qpXD/NWXBAWB5RwYQhH9uclEP7gb+Zvg/0i9Ab68EpngkHxGAuM0MblQJ3b0vRY5Nzb/qI/Mwqk1AIs48wEs2QHwUppOIP8PhCs7qNpfeDV4Gk2cKuv3Wkg1d1C6rNFhkkI3Mnh57ANqwzxZd6K/ejn16bsvR7NrV/p7dh1PGIupb7Z8Y6UeaK/EDcwKy5MxEeRrpZomDmq/fyQBzzG43rtUgSdltmk0liwL/bQ2/iv4aZ49I3XwL1FUQ9xt3asp4J0D6klX3w9yhRKZgFZq6JtPMcvVoY9BFVwmZqvMa1LD50ibU7i1lBUv1Df2yfhILI6+/CIAKIvukpaJQEPwbFbSI16W8u7bwqwhJcwwJoepP4bb1gE=&p=Cache-Control: no-cacheMS-CV: U8mDD7rqyECkNYMq.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=338388&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220721T015155Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=af30330e3b464695887ad6530fcede84&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1611818&metered=false&nettype=ethernet&npid=sc-338388&oemName=vejxdr%2C%20Inc.&oemid=vejxdr%2C%20Inc.&ossku=Professional&rver=2&smBiosDm=vejxdr7%2C1&tl=2&tsu=1611818&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50583&fs=32089&sc=6X-SDK-HW-TOKEN: t=EwDYAppeBAAUlAKXDAofTQM+n+MaRVFKzH/ehWgAATe+yptwr7oCC2i94oDB3fz9gnS8YR4Ybfxq4ocDtaocFTCk/ADJH0CVpd9sIi6NNgPlaMWQIqq9+rTg3VUQOEwCcq5J9aQtOqkDBYcqjnL6rUJvXwMneqsuIScziGF7wZG46LC2T/DyRspwv/tE4DNibM8V/7SUQBVRuM/X8cF3WpJ2Xu3HyitfGAq2BANlR+4vYIpgyWfVR8CibMF3p1nDghEuyU//tMwNRGTQHYuuYmOBzF8qA/c2rjK/SbKDeOGsjMKxFiWEA85IqFu3GHqJkt54zAb456UyNtddGqN3DssYH6VWqodMVOfvl1vRAm2ZYj44s9AEDx2PBNwx7DkDZgAACKBBwx81jQCzqAGi6Owf9Q++nKf0+XbgcIt+jzboM/astdVmIiHZ2AzexrWc9EzDc+dtZC5ePE7C/HOXoDZCmP/f4WZU9L6X33lW8zO7uJFhyDl4w78GLyLcw/wXVJKkHz3kK+dJSgNkrwOy2+xy5qXZQaobECRXCyO516jC+z8RoBvUKA4zn9TsBJNiBR4OpvJuOW0rQrZ7mqTRHcm3qpXD/NWXBAWB5RwYQhH9uclEP7gb+Zvg/0i9Ab68EpngkHxGAuM0MblQJ3b0vRY5Nzb/qI/Mwqk1AIs48wEs2QHwUppOIP8PhCs7qNpfeDV4Gk2cKuv3Wkg1d1C6rNFhkkI3Mnh57ANqwzxZd6K/ejn16bsvR7NrV/p7dh1PGIupb7Z8Y6UeaK/EDcwKy5MxEeRrpZomDmq/fyQBzzG43rtUgSdltmk0liwL/bQ2/iv4aZ49I3XwL1FUQ9xt3asp4J0D6klX3w9yhRKZgFZq6JtPMcvVoY9BFVwmZqvMa1LD50ibU7i1lBUv1Df2yfhILI6+/CIAKIvukpaJQEPwbFbSI16W8u7bwqwhJcwwJoepP4bb1gE=&p=Cache-Control: no-cacheMS-CV: U8mDD7rqyECkNYMq.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /v1/a/installComplete?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFHWD2&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015116Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGGZM6WM&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015119Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFHWD2&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015120Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NH2GPH4JZS4&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015122Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGH6J6VK&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015123Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9P6RC76MSMMJ&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015124Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFJ27N&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015125Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9N0866FS04W8&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015126Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFJ10M&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015127Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFJ140&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015128Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NC2FBTHCJV8&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015134Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGH1CQ7L&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015135Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&bSrc=i.t&time=20220721T015136Z&asid=f8cf40bb2571448bb615cb63f0e91aab&eid= HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/installComplete?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFJ3P2&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015141Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/installComplete?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGH5FV99&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015142Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NXQXXLFST89&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015143Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFHVFW&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015144Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NCBCSZSJRSB&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015145Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NMPJ99VJBWV&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015145Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGH5FV99&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015146Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cms/api/am/imageFileData/RE4Pjc1?ver=a739 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cms/api/am/imageFileData/RWyRp8?ver=10c7 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cms/api/am/imageFileData/RE4PtWe?ver=aadd HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cms/api/am/imageFileData/RWEJoX?ver=c3a5 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cms/api/am/imageFileData/RWyTNg?ver=ef32 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/opportunity?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRDFNG7&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015147Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&bSrc=i.t&time=20220721T015149Z&asid=300c040ae66044819bdbde51f7ebac47&eid= HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=xRo1fanlpo1NY4w&MD=aCF+era2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.81Host: sls.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /cms/api/am/imageFileData/RWEtdH?ver=f6d0 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: img-prod-cms-rt-microsoft-com.akamaized.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220721T015241Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=9884480454e94a48b1ac919b6cda2fb6&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1611818&metered=false&nettype=ethernet&npid=sc-310091&oemName=vejxdr%2C%20Inc.&oemid=vejxdr%2C%20Inc.&ossku=Professional&rver=2&smBiosDm=vejxdr7%2C1&tl=2&tsu=1611818&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing= HTTP/1.1Accept-Encoding: gzip, deflateX-SDK-CACHE: chs=0&imp=0&chf=0&ds=50583&fs=32089&sc=6X-SDK-HW-TOKEN: t=EwDYAppeBAAUlAKXDAofTQM+n+MaRVFKzH/ehWgAATe+yptwr7oCC2i94oDB3fz9gnS8YR4Ybfxq4ocDtaocFTCk/ADJH0CVpd9sIi6NNgPlaMWQIqq9+rTg3VUQOEwCcq5J9aQtOqkDBYcqjnL6rUJvXwMneqsuIScziGF7wZG46LC2T/DyRspwv/tE4DNibM8V/7SUQBVRuM/X8cF3WpJ2Xu3HyitfGAq2BANlR+4vYIpgyWfVR8CibMF3p1nDghEuyU//tMwNRGTQHYuuYmOBzF8qA/c2rjK/SbKDeOGsjMKxFiWEA85IqFu3GHqJkt54zAb456UyNtddGqN3DssYH6VWqodMVOfvl1vRAm2ZYj44s9AEDx2PBNwx7DkDZgAACKBBwx81jQCzqAGi6Owf9Q++nKf0+XbgcIt+jzboM/astdVmIiHZ2AzexrWc9EzDc+dtZC5ePE7C/HOXoDZCmP/f4WZU9L6X33lW8zO7uJFhyDl4w78GLyLcw/wXVJKkHz3kK+dJSgNkrwOy2+xy5qXZQaobECRXCyO516jC+z8RoBvUKA4zn9TsBJNiBR4OpvJuOW0rQrZ7mqTRHcm3qpXD/NWXBAWB5RwYQhH9uclEP7gb+Zvg/0i9Ab68EpngkHxGAuM0MblQJ3b0vRY5Nzb/qI/Mwqk1AIs48wEs2QHwUppOIP8PhCs7qNpfeDV4Gk2cKuv3Wkg1d1C6rNFhkkI3Mnh57ANqwzxZd6K/ejn16bsvR7NrV/p7dh1PGIupb7Z8Y6UeaK/EDcwKy5MxEeRrpZomDmq/fyQBzzG43rtUgSdltmk0liwL/bQ2/iv4aZ49I3XwL1FUQ9xt3asp4J0D6klX3w9yhRKZgFZq6JtPMcvVoY9BFVwmZqvMa1LD50ibU7i1lBUv1Df2yfhILI6+/CIAKIvukpaJQEPwbFbSI16W8u7bwqwhJcwwJoepP4bb1gE=&p=Cache-Control: no-cacheMS-CV: U8mDD7rqyECkNYMq.0User-Agent: WindowsShellClient/9.0.40929.0 (Windows)X-SDK-HWF: tch0,m301,m751,mA01,mT01Host: arc.msn.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/pin?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NMPJ99VJBWV&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015219Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NMPJ99VJBWV&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015220Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/pin?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NXQXXLFST89&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015221Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NXQXXLFST89&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015223Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/pin?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFHVFW&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015229Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFHVFW&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015230Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/pin?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGH5FV99&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015231Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGH5FV99&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015232Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/pin?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRDFNG7&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015234Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRDFNG7&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015235Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/pin?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NCBCSZSJRSB&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015237Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106554&cid=128000000001392709&tid=700342084&reqasid=7b36a81a803b47f2b25875b3af0e2f41&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NCBCSZSJRSB&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=300c040ae66044819bdbde51f7ebac47&time=20220721T015238Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGGZM6WM&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015241Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/pin?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFJ27N&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015242Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFJ27N&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015245Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/pin?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9P6RC76MSMMJ&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015246Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9P6RC76MSMMJ&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015248Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NBLGGH6J6VK&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015250Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/pin?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NH2GPH4JZS4&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015251Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9NH2GPH4JZS4&skuId=0010&installKind=Install&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015252Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/pin?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFHWD2&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015254Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?pg=PC000P0FR5.0000000IQ8&unid=&placementType=PostOOBE&app=&pid=425106558&cid=128000000001392729&tid=700342085&reqasid=2a5e287844ca41fcb4ce4677c2fd30d0&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&auid=&anid=&muid=&persid=&itemId=9WZDNCRFHWD2&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid=f8cf40bb2571448bb615cb63f0e91aab&time=20220721T015256Z HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?CID=128000000000402926&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&EID=&&PID=400091688&UIT=P-&TargetID=700129702&AN=1801595413&PG=PC000P0FR5.0000000IRT&REQASID=AF30330E3B464695887AD6530FCEDE84&UNID=338388&ASID=85f1f4661ba544dfbea124578a797dbe&PERSID=1A4A490328ED3BBECC8505EAE64E45F5&GLOBALDEVICEID=6966530473343700&LOCALID=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&DS_EVTID=6ee3881071d14b89b6c7c06d5c9b59a2&DEVOSVER=10.0.17134.1&REQT=20220721T015156&TIME=20220721T015244Z&ARCRAS=&CLR=CDM HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /v1/a/impression?CID=128000000000402926&region=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.17134.1&mo=&cap=&EID=&&PID=400091688&UIT=P-&TargetID=700129702&AN=1801595413&PG=PC000P0FR5.0000000IRT&REQASID=AF30330E3B464695887AD6530FCEDE84&UNID=338388&ASID=85f1f4661ba544dfbea124578a797dbe&PERSID=1A4A490328ED3BBECC8505EAE64E45F5&GLOBALDEVICEID=6966530473343700&LOCALID=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&DS_EVTID=6ee3881071d14b89b6c7c06d5c9b59a2&DEVOSVER=10.0.17134.1&REQT=20220721T015156&TIME=20220721T015246Z&ARCRAS=&CLR=CDM HTTP/1.1Accept-Encoding: gzip, deflateUser-Agent: WindowsShellClient/9.0.40929.0 (Windows)Host: ris.api.iris.microsoft.comConnection: Keep-Alive
                Source: unknownHTTPS traffic detected: 20.40.136.238:443 -> 192.168.2.4:49718 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 40.126.31.64:443 -> 192.168.2.4:50202 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.4:50224 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.4:50223 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 20.31.106.135:443 -> 192.168.2.4:50241 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 20.31.106.135:443 -> 192.168.2.4:50242 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51128 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.242.101.226:443 -> 192.168.2.4:51192 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51227 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51234 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51305 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51322 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 20.238.103.94:443 -> 192.168.2.4:51358 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51390 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51429 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 20.54.89.106:443 -> 192.168.2.4:51479 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51484 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51538 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 80.67.82.235:443 -> 192.168.2.4:51578 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 80.67.82.235:443 -> 192.168.2.4:51579 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 80.67.82.235:443 -> 192.168.2.4:51577 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 80.67.82.235:443 -> 192.168.2.4:51581 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 40.125.122.176:443 -> 192.168.2.4:51574 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 80.67.82.235:443 -> 192.168.2.4:51617 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 20.54.89.106:443 -> 192.168.2.4:51666 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51671 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.242.101.226:443 -> 192.168.2.4:51720 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 40.125.122.176:443 -> 192.168.2.4:51758 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51809 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.152.110.14:443 -> 192.168.2.4:51850 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 40.126.32.138:443 -> 192.168.2.4:65024 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 40.126.32.138:443 -> 192.168.2.4:65023 version: TLS 1.2

                Spam, unwanted Advertisements and Ransom Demands

                barindex
                Yara detected Wannacry ransomware
                Source: Yara matchFile source: LF2X6lwUMg.dll, type: SAMPLE
                Source: Yara matchFile source: 4.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.274041731.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000000.263083833.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000000.261640912.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000000.271571722.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000000.266684669.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000000.270396224.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.274345207.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000000.265403946.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000000.264121178.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000000.268982016.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000000.268990596.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: mssecsvr.exe PID: 3224, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: mssecsvr.exe PID: 5572, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: mssecsvr.exe PID: 4468, type: MEMORYSTR
                Source: Yara matchFile source: C:\Windows\mssecsvr.exe, type: DROPPED

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: LF2X6lwUMg.dll, type: SAMPLEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: LF2X6lwUMg.dll, type: SAMPLEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvr.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvr.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvr.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvr.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 4.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvr.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvr.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvr.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvr.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvr.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvr.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvr.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvr.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvr.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvr.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvr.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvr.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvr.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvr.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvr.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvr.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 6.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvr.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvr.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvr.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvr.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 4.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 4.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 6.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 4.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 6.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 6.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 4.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 4.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 4.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000004.00000000.265554407.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000006.00000002.274123898.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000007.00000000.269048022.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000004.00000000.263137161.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000004.00000002.274445366.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000006.00000000.269150263.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000006.00000000.270650258.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000004.00000000.261817411.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000006.00000000.271665392.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000004.00000000.264192815.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: 00000006.00000000.266754694.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: C:\Windows\mssecsvr.exe, type: DROPPEDMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: C:\Windows\mssecsvr.exe, type: DROPPEDMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: C:\Windows\mssecsvr.exe, type: DROPPEDMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                Source: LF2X6lwUMg.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                Source: LF2X6lwUMg.dll, type: SAMPLEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: LF2X6lwUMg.dll, type: SAMPLEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.0.mssecsvr.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvr.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvr.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvr.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 4.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvr.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvr.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.0.mssecsvr.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvr.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.0.mssecsvr.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvr.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.0.mssecsvr.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvr.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.0.mssecsvr.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvr.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvr.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvr.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvr.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvr.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvr.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvr.exe.7100a4.5.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 6.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.0.mssecsvr.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvr.exe.7100a4.7.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvr.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvr.exe.7100a4.3.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 4.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 4.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 6.0.mssecsvr.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 4.0.mssecsvr.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 6.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 6.0.mssecsvr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 4.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 4.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 4.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 7.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000004.00000000.265554407.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000006.00000002.274123898.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000007.00000000.269048022.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000004.00000000.263137161.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000004.00000002.274445366.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000006.00000000.269150263.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000006.00000000.270650258.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000004.00000000.261817411.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000006.00000000.271665392.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000004.00000000.264192815.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: 00000006.00000000.266754694.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: C:\Windows\mssecsvr.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: C:\Windows\mssecsvr.exe, type: DROPPEDMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: C:\Windows\mssecsvr.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\WINDOWS\mssecsvr.exeJump to behavior
                Source: mssecsvr.exe.2.drStatic PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
                Source: tasksche.exe.4.drStatic PE information: No import functions for PE file found
                Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dllJump to behavior
                Source: tasksche.exe.4.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: tasksche.exe.4.drStatic PE information: Section: .rdata ZLIB complexity 1.0007621951219512
                Source: tasksche.exe.4.drStatic PE information: Section: .data ZLIB complexity 1.001953125
                Source: tasksche.exe.4.drStatic PE information: Section: .rsrc ZLIB complexity 1.0007408405172413
                Source: LF2X6lwUMg.dllVirustotal: Detection: 91%
                Source: LF2X6lwUMg.dllReversingLabs: Detection: 89%
                Source: LF2X6lwUMg.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\LF2X6lwUMg.dll"
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LF2X6lwUMg.dll",#1
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LF2X6lwUMg.dll,PlayGame
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LF2X6lwUMg.dll",#1
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LF2X6lwUMg.dll",PlayGame
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
                Source: unknownProcess created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LF2X6lwUMg.dll",#1Jump to behavior
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LF2X6lwUMg.dll,PlayGameJump to behavior
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LF2X6lwUMg.dll",PlayGameJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LF2X6lwUMg.dll",#1Jump to behavior
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exeJump to behavior
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exeJump to behavior
                Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenableJump to behavior
                Source: C:\Windows\mssecsvr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etlJump to behavior
                Source: classification engineClassification label: mal100.rans.troj.expl.evad.winDLL@31/8@4/100
                Source: C:\Windows\mssecsvr.exeCode function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,4_2_00407C40
                Source: C:\Windows\mssecsvr.exeCode function: 4_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,4_2_00408090
                Source: C:\Windows\mssecsvr.exeCode function: 4_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,4_2_00407C40
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LF2X6lwUMg.dll,PlayGame
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:9340:120:WilError_01
                Source: C:\Windows\mssecsvr.exeCode function: 4_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,FindCloseChangeNotification,CreateProcessA,CloseHandle,CloseHandle,4_2_00407CE0
                Source: LF2X6lwUMg.dll, mssecsvr.exe.2.dr, tasksche.exe.4.drBinary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
                Source: C:\Windows\mssecsvr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\mssecsvr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\mssecsvr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\mssecsvr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\mssecsvr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\mssecsvr.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: LF2X6lwUMg.dllStatic file information: File size 5267459 > 1048576
                Source: LF2X6lwUMg.dllStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000
                Source: initial sampleStatic PE information: section name: .text entropy: 7.663042758896975

                Persistence and Installation Behavior

                barindex
                Drops executables to the windows directory (C:\Windows) and starts them
                Source: C:\Windows\SysWOW64\rundll32.exeExecutable created and started: C:\WINDOWS\mssecsvr.exeJump to behavior
                Source: C:\Windows\mssecsvr.exeFile created: C:\Windows\tasksche.exeJump to dropped file
                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\mssecsvr.exeJump to dropped file
                Source: C:\Windows\mssecsvr.exeFile created: C:\Windows\tasksche.exeJump to dropped file
                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\mssecsvr.exeJump to dropped file
                Source: C:\Windows\mssecsvr.exeCode function: 4_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,4_2_00407C40

                Hooking and other Techniques for Hiding and Protection

                barindex
                Uses known network protocols on non-standard ports
                Source: unknownNetwork traffic detected: HTTP traffic on port 445 -> 55513
                Source: unknownNetwork traffic detected: HTTP traffic on port 445 -> 55748
                Source: unknownNetwork traffic detected: HTTP traffic on port 445 -> 62588
                Source: unknownNetwork traffic detected: HTTP traffic on port 445 -> 62927
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exe TID: 5624Thread sleep count: 1029 > 30Jump to behavior
                Source: C:\Windows\mssecsvr.exe TID: 5624Thread sleep time: -102900s >= -30000sJump to behavior
                Source: C:\Windows\mssecsvr.exe TID: 8072Thread sleep count: 74 > 30Jump to behavior
                Source: C:\Windows\System32\svchost.exe TID: 7856Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\System32\svchost.exe TID: 7856Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\System32\svchost.exe TID: 2988Thread sleep time: -60000s >= -30000sJump to behavior
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\mssecsvr.exeDropped PE file which has not been started: C:\Windows\tasksche.exeJump to dropped file
                Source: C:\Windows\mssecsvr.exeWindow / User API: threadDelayed 1029Jump to behavior
                Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
                Source: svchost.exe, 00000014.00000002.683855659.0000021F13A65000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -6c117f"@Hyper-V RAW
                Source: svchost.exe, 00000014.00000002.683298736.0000021F0E229000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.683833792.0000021F13A58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.487465137.00000138FB6EC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.487054420.00000138FB681000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.486973502.00000138FB62E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LF2X6lwUMg.dll",#1Jump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior

                Lowering of HIPS / PFW / Operating System Security Settings

                barindex
                Changes security center settings (notifications, updates, antivirus, firewall)
                Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cvalJump to behavior
                Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
                Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

                Mitre Att&ck Matrix

                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid Accounts1
                Windows Management Instrumentation                		4
                Windows Service                		4
                Windows Service                		121
                Masquerading                		OS Credential Dumping1
                Network Share Discovery                		Remote ServicesData from Local SystemExfiltration Over Other Network Medium1
                Encrypted Channel                		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default Accounts2
                Service Execution                		1
                DLL Side-Loading                		11
                Process Injection                		1
                Disable or Modify Tools                		LSASS Memory121
                Security Software Discovery                		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
                Non-Standard Port                		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)1
                DLL Side-Loading                		21
                Virtualization/Sandbox Evasion                		Security Account Manager21
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                Ingress Tool Transfer                		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput CaptureScheduled Transfer3
                Non-Application Layer Protocol                		SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                Obfuscated Files or Information                		LSA Secrets1
                Remote System Discovery                		SSHKeyloggingData Transfer Size Limits14
                Application Layer Protocol                		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.common1
                Rundll32                		Cached Domain Credentials21
                System Information Discovery                		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup Items4
                Software Packing                		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 signatures2 2 Behavior Graph ID: 670669 Sample: LF2X6lwUMg Startdate: 21/07/2022 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for URL or domain 2->58 60 8 other signatures 2->60 8 loaddll32.exe 1 2->8         started        10 mssecsvr.exe 2->10         started        14 svchost.exe 2->14         started        16 11 other processes 2->16 process3 dnsIp4 18 cmd.exe 1 8->18         started        20 rundll32.exe 8->20         started        23 rundll32.exe 1 8->23         started        46 192.168.2.120 unknown unknown 10->46 48 192.168.2.121 unknown unknown 10->48 50 99 other IPs or domains 10->50 70 Connects to many different private IPs via SMB (likely to spread or exploit) 10->70 72 Connects to many different private IPs (likely to spread or exploit) 10->72 74 Changes security center settings (notifications, updates, antivirus, firewall) 14->74 26 MpCmdRun.exe 1 14->26         started        signatures5 process6 file7 28 rundll32.exe 18->28         started        62 Drops executables to the windows directory (C:\Windows) and starts them 20->62 30 mssecsvr.exe 6 20->30         started        42 C:\Windows\mssecsvr.exe, PE32 23->42 dropped 33 conhost.exe 26->33         started        signatures8 process9 dnsIp10 35 mssecsvr.exe 7 28->35         started        52 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com 30->52 process11 dnsIp12 44 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com 35->44 40 C:\Windows\tasksche.exe, PE32 35->40 dropped 64 Antivirus detection for dropped file 35->64 66 Multi AV Scanner detection for dropped file 35->66 68 Machine Learning detection for dropped file 35->68 file13 signatures14

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.