Analysis Overview
SHA256: a6998e84b935d69890ee8317d7bbd4e27c18f1e07abe6d0806384ea7fa13ce4a
Threat Level: Known bad
The file 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b.zip was found to be: Known bad.
Malicious Activity Summary
Maze
suricata: ET MALWARE Maze/ID Ransomware Activity
Deletes shadow copies
Modifies extensions of user files
Reads user/profile data of web browsers
Drops startup file
Sets desktop wallpaper using registry
Drops file in System32 directory
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-05-25 13:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-05-25 13:36
Reported: 2022-05-25 13:46
Platform: win7-20220414-en
Max time kernel: 493s
Max time network: 455s
Command Line
Signatures
Maze
suricata: ET MALWARE Maze/ID Ransomware Activity
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\PingInvoke.crw => C:\Users\Admin\Pictures\PingInvoke.crw.YXqFR0 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StartInstall.crw => C:\Users\Admin\Pictures\StartInstall.crw.YXqFR0 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UndoSync.crw => C:\Users\Admin\Pictures\UndoSync.crw.cSuYETk | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DebugGet.crw => C:\Users\Admin\Pictures\DebugGet.crw.uzDo1 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8870099cba3b4973.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\ExitRename.xps | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\FormatReset.m1v | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\HideConvertFrom.ttc | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ResolveComplete.php | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\SearchResolve.wmv | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\PingProtect.docx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\TestUnprotect.aiff | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\UnprotectExport.vdw | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\8870099cba3b4973.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\LockExit.dib | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\UnlockDeny.raw | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\8870099cba3b4973.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\AssertUnlock.cmd | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ConvertFromReset.midi | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\DenyPublish.mpeg3 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\InvokePop.htm | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\JoinRemove.vdx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ReceiveEnable.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ResolveOpen.3gp2 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\StepSet.vbe | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\SwitchLimit.vssx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\TestWatch.dwfx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\UndoInstall.sql | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\8870099cba3b4973.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ConfirmShow.css | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\EnterConfirm.mp3 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\RestartConnect.rmi | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\SuspendDisconnect.vsdm | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\8870099cba3b4973.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\8870099cba3b4973.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ConvertToHide.jfif | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\OutSelect.WTV | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\SubmitMeasure.vst | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\TestRestore.mpeg2 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ApproveDisable.dot | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\CompleteBlock.sql | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1464 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | C:\Windows\system32\wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\wordupd.exe
"C:\Users\Admin\AppData\Local\Temp\wordupd.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\xsao\ec\..\..\Windows\lqq\ug\sjwm\..\..\..\system32\teg\cyc\kfd\..\..\..\wbem\jh\tbwth\w\..\..\..\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1d0
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
Network
Files
memory/1464-54-0x0000000000230000-0x00000000002D1000-memory.dmp
memory/1464-55-0x00000000754A1000-0x00000000754A3000-memory.dmp
memory/1464-56-0x0000000000400000-0x00000000004BB000-memory.dmp
memory/1196-57-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2022-05-25 13:36
Reported: 2022-05-25 13:46
Platform: win10v2004-20220414-en
Max time kernel: 600s
Max time network: 603s
Command Line
Signatures
Maze
suricata: ET MALWARE Maze/ID Ransomware Activity
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\UndoUpdate.tiff => C:\Users\Admin\Pictures\UndoUpdate.tiff.d8zv | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UseUnblock.tiff | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WatchPing.crw => C:\Users\Admin\Pictures\WatchPing.crw.d8zv | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockResume.crw => C:\Users\Admin\Pictures\BlockResume.crw.BYm2 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UndoUpdate.tiff | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ReceiveInvoke.tif => C:\Users\Admin\Pictures\ReceiveInvoke.tif.q9Di | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SuspendCompare.crw => C:\Users\Admin\Pictures\SuspendCompare.crw.q9Di | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UseUnblock.tiff => C:\Users\Admin\Pictures\UseUnblock.tiff.d8zv | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\AssertJoin.tiff | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConfirmTest.raw => C:\Users\Admin\Pictures\ConfirmTest.raw.BYm2 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AssertJoin.tiff => C:\Users\Admin\Pictures\AssertJoin.tiff.BYm2 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnprotectClose.raw => C:\Users\Admin\Pictures\UnprotectClose.raw.d8zv | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CloseBackup.tif => C:\Users\Admin\Pictures\CloseBackup.tif.BYm2 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompleteUnprotect.png => C:\Users\Admin\Pictures\CompleteUnprotect.png.BYm2 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\89ba09ba7e010201.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\89ba09ba7e010201.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0AF88682-368F-4686-83A6-D5E92A110729}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{4EF9EFD2-CDEA-4408-B175-7D92A668238A}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5BA42EB9-661B-4478-B321-70599C7E94AD}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E88895AA-D8DF-46BF-AF14-1A1D68B05FC2}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{15B1774C-A2B8-499F-A26E-3683BC483FE9}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{61AC62B4-4B02-4CEE-BB32-CE661F25AB35}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\AddPop.AAC | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\BackupSubmit.ppt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\UninstallSync.jpeg | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\UpdateMeasure.dib | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\WriteClose.iso | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ConnectPop.xla | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\GrantConvertTo.mpp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\GrantEnable.ogg | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\MeasureMove.wma | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ResetDisable.rm | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\StepPush.mpv2 | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\89ba09ba7e010201.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ConvertImport.wdp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\DismountOut.tiff | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\FindUnlock.jpeg | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\OptimizeSearch.xml | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\PublishReceive.potx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\CompressCompare.ppt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\GetExport.svg | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\InitializeConvertTo.ex_ | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\PublishResume.png | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\RequestRedo.mpg | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\UnpublishStep.vbs | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\89ba09ba7e010201.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ResizeSubmit.3gpp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\SendReceive.tmp | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ShowEnter.pub | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\ExportUnblock.tif | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\StepMount.xlsx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
| File opened for modification | C:\Program Files\TraceFormat.eprtx | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4200 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\wordupd.exe | C:\Windows\system32\wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\wordupd.exe
"C:\Users\Admin\AppData\Local\Temp\wordupd.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\inc\bhv\vtu\..\..\..\Windows\vqnpk\su\f\..\..\..\system32\ubt\r\f\..\..\..\wbem\fa\..\wmic.exe" shadowcopy delete
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x2fc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
Files
memory/4200-130-0x0000000000970000-0x0000000000A11000-memory.dmp
memory/4200-131-0x0000000000400000-0x00000000004BB000-memory.dmp
memory/2516-132-0x0000000000000000-mapping.dmp