Analysis Overview
SHA256
137742d1bb597a2818431b1634f38a9d93069afc1657955ef7144c152eb26f86
Threat Level: Known bad
The file 643c1b8444da8c89fa83aed917307b6c.bat was found to be: Known bad.
Malicious Activity Summary
Guloader family
Guloader,Cloudeye
Loads dropped DLL
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 08:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 08:33
Reported
2024-11-06 08:36
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2452 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2452 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2452 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2452 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe
"C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 524
Network
Files
\Users\Admin\AppData\Local\Temp\nso9B95.tmp\System.dll
| MD5 | 4ca4fd3fbefa2f6e87e6e9ee87d1c0b3 |
| SHA1 | 7cdbeb5ff2b14b86af04e075d0ca651183ea5df4 |
| SHA256 | d09a8b3ade4ba4b7292c0b3da1bcb4b6c6e2012e0ccfd5e029a54af73a9e1b57 |
| SHA512 | cf0f415a97fdc74568297fed4f1295d0d2aef487a308141144ef8d5f04c669ef4795c273e745b81065429adde113fcdedf4c22717a7aeef60fdcd8d4d46f97f8 |
\Users\Admin\AppData\Local\Temp\nso9B95.tmp\LangDLL.dll
| MD5 | 61f69388ae89d61a3d838cbcf81b4f82 |
| SHA1 | e595c0236a373a6ac79c334dc183ee03ca8f8ecd |
| SHA256 | d65875bb4bc121f81384d55fde90dd9eb9ad1878cd8a02bcb5c8a933c3987a61 |
| SHA512 | 21d34738cc21c1ef6b0ef1ac53659cdab224bbc20ea983f9a952a2cb4b5785a07bb18c0acf22a0d12a94795e1fc6d314f442c923bb1a93b675edac8c6aacf469 |
memory/2452-35-0x0000000003F70000-0x000000000500E000-memory.dmp
memory/2452-36-0x0000000003F70000-0x000000000500E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 08:33
Reported
2024-11-06 08:36
Platform
win10v2004-20241007-en
Max time kernel
134s
Max time network
136s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2848 set thread context of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2848 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe |
| PID 2848 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe |
| PID 2848 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe |
| PID 2848 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe |
| PID 2848 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe | C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe
"C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe"
C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe
"C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2680 -ip 2680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1052
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iw.achulapo.ru.com | udp |
| DE | 100.42.180.70:80 | iw.achulapo.ru.com | tcp |
| US | 8.8.8.8:53 | 70.180.42.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsaB9DB.tmp\System.dll
| MD5 | 4ca4fd3fbefa2f6e87e6e9ee87d1c0b3 |
| SHA1 | 7cdbeb5ff2b14b86af04e075d0ca651183ea5df4 |
| SHA256 | d09a8b3ade4ba4b7292c0b3da1bcb4b6c6e2012e0ccfd5e029a54af73a9e1b57 |
| SHA512 | cf0f415a97fdc74568297fed4f1295d0d2aef487a308141144ef8d5f04c669ef4795c273e745b81065429adde113fcdedf4c22717a7aeef60fdcd8d4d46f97f8 |
C:\Users\Admin\AppData\Local\Temp\nsaB9DB.tmp\LangDLL.dll
| MD5 | 61f69388ae89d61a3d838cbcf81b4f82 |
| SHA1 | e595c0236a373a6ac79c334dc183ee03ca8f8ecd |
| SHA256 | d65875bb4bc121f81384d55fde90dd9eb9ad1878cd8a02bcb5c8a933c3987a61 |
| SHA512 | 21d34738cc21c1ef6b0ef1ac53659cdab224bbc20ea983f9a952a2cb4b5785a07bb18c0acf22a0d12a94795e1fc6d314f442c923bb1a93b675edac8c6aacf469 |
memory/2848-29-0x0000000004A20000-0x0000000005ABE000-memory.dmp
memory/2848-30-0x0000000077241000-0x0000000077361000-memory.dmp
memory/2848-32-0x0000000004A20000-0x0000000005ABE000-memory.dmp
memory/2848-31-0x00000000740A4000-0x00000000740A5000-memory.dmp
memory/2848-33-0x0000000004A20000-0x0000000005ABE000-memory.dmp
memory/2680-34-0x0000000000400000-0x0000000001654000-memory.dmp
memory/2680-35-0x0000000001660000-0x00000000026FE000-memory.dmp
memory/2680-36-0x00000000772C8000-0x00000000772C9000-memory.dmp
memory/2680-37-0x00000000772E5000-0x00000000772E6000-memory.dmp
memory/2680-39-0x0000000000401000-0x0000000000404000-memory.dmp
memory/2680-38-0x0000000000400000-0x0000000001654000-memory.dmp
memory/2680-40-0x0000000001660000-0x00000000026FE000-memory.dmp
memory/2680-41-0x0000000000400000-0x0000000001654000-memory.dmp
memory/2680-42-0x0000000000400000-0x0000000001654000-memory.dmp
memory/2680-43-0x0000000077241000-0x0000000077361000-memory.dmp
memory/2680-44-0x0000000000401000-0x0000000000404000-memory.dmp
memory/2680-45-0x0000000000400000-0x0000000001654000-memory.dmp
memory/2680-46-0x0000000000400000-0x0000000001654000-memory.dmp
memory/2680-47-0x0000000000400000-0x0000000001654000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-06 08:33
Reported
2024-11-06 08:36
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 220
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-06 08:33
Reported
2024-11-06 08:36
Platform
win10v2004-20241007-en
Max time kernel
130s
Max time network
148s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2288 wrote to memory of 4384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2288 wrote to memory of 4384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2288 wrote to memory of 4384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4384 -ip 4384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-06 08:33
Reported
2024-11-06 08:36
Platform
win7-20240708-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 220
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-06 08:33
Reported
2024-11-06 08:36
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
143s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4284 wrote to memory of 3300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4284 wrote to memory of 3300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4284 wrote to memory of 3300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3300 -ip 3300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |