Analysis Overview
SHA256
32f3ca938c2ce5e47648ad52af6d01eb49d3f03d47dd7b45b91f8102aca68482
Threat Level: Known bad
The file shipping documents_pdf.exe was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-25 12:31
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-25 12:31
Reported
2024-03-25 12:33
Platform
win7-20240221-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2236 set thread context of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\svbenes.lnk | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\svbenes.lnk | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2236 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
Files
C:\Program Files (x86)\svbenes.lnk
\Users\Admin\AppData\Local\Temp\nso9DB8.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\Setup.ini
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-25 12:31
Reported
2024-03-25 12:33
Platform
win10v2004-20240319-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4976 set thread context of 4276 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\svbenes.lnk | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\svbenes.lnk | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4976 wrote to memory of 4276 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 78.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
C:\Program Files (x86)\svbenes.lnk
C:\Users\Admin\AppData\Local\Temp\nst904B.tmp\System.dll
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-25 12:31
Reported
2024-03-25 12:33
Platform
win7-20240221-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 228
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-25 12:31
Reported
2024-03-25 12:33
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
158s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3888 wrote to memory of 3684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3684 -ip 3684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 612
Network