Analysis Overview
SHA256
b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09
Threat Level: Known bad
The file b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe was found to be: Known bad.
Malicious Activity Summary
BlackNET Payload
Blacknet family
Contains code to disable Windows Defender
BlackNET
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2022-04-08 13:18
Signatures
BlackNET Payload
Blacknet family
Contains code to disable Windows Defender
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-08 13:18
Reported
2022-04-08 13:37
Platform
win7-20220331-en
Max time kernel
34s
Max time network
46s
Command Line
Signatures
BlackNET
BlackNET Payload
Contains code to disable Windows Defender
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run\df7427b5e05183e625345c3c37ef31c0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe" | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run\df7427b5e05183e625345c3c37ef31c0 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MyClient\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1340 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe
"C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | finalb.xyz | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
| MD5 | c4f79edc4498c5570495bb36fc942134 |
| SHA1 | 00046b588252502480e8e708a22d25ae1d9b05fa |
| SHA256 | b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09 |
| SHA512 | 07bdeb39b35835a752886c2d308a68d263b36e8372d2bf320ede5b85252d14e284985d0889dfa9fcffec7ede7c3585a46cb0165b00be903755ffe63cacb21cef |
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-08 13:18
Reported
2022-04-08 13:39
Platform
win10v2004-20220310-en
Max time kernel
119s
Max time network
147s
Command Line
Signatures
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018C0050AC0C444" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property | C:\Windows\System32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018C0050AC0C444 | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5} | C:\Windows\System32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3636 wrote to memory of 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | C:\Windows\system32\fondue.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe
"C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe"
C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.203:443 | | tcp |
| US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | store-images.s-microsoft.com | udp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| US | 8.8.8.8:53 | tsfe.trafficshaping.dsp.mp.microsoft.com | udp |
| IE | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | dl.delivery.mp.microsoft.com | udp |
| US | 93.184.221.240:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | tlu.dl.delivery.mp.microsoft.com | udp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 4.tlu.dl.delivery.mp.microsoft.com | udp |
| NL | 87.248.202.1:80 | 4.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 13.107.21.200:443 | | tcp |
Files
memory/3296-134-0x0000000000000000-mapping.dmp