| File name: | 256a30be8a3081bcb330fe591086a4aed7d48b44e73d2a9692f94bcccd935b33.exe |
| Full analysis: | https://app.any.run/tasks/35e52346-c722-457d-860d-7842eb722fef |
| Verdict: | Malicious activity |
| Analysis date: | April 13, 2025, 17:55:45 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | 7019E12889A7356EECCC4B8D8B485F21 |
| SHA1: | CE22F9A0E1911F63B73C163ED51DF25C931CE552 |
| SHA256: | 256A30BE8A3081BCB330FE591086A4AED7D48B44E73D2A9692F94BCCCD935B33 |
| SSDEEP: | 98304:/hUhnNs2OL9yYl+wm7lU/HR8uRgX8PUiZplYR4A/R/48mDKBuxCETHSW1yxe3iv8:WfRxQlWy0NPcfxVYeW/rC |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 6740)
- powershell.exe (PID: 2096)
Uses WMIC.EXE to add exclusions to the Windows Defender
- powershell.exe (PID: 2096)
Uses Task Scheduler to run other applications
- Install.exe (PID: 1676)
XORed URL has been found (YARA)
- Install.exe (PID: 1676)
SUSPICIOUS
Starts itself from another location
- 256a30be8a3081bcb330fe591086a4aed7d48b44e73d2a9692f94bcccd935b33.exe (PID: 4880)
Executable content was dropped or overwritten
- Install.exe (PID: 2320)
- 256a30be8a3081bcb330fe591086a4aed7d48b44e73d2a9692f94bcccd935b33.exe (PID: 4880)
Starts CMD.EXE for commands execution
- Install.exe (PID: 1676)
- forfiles.exe (PID: 6272)
- forfiles.exe (PID: 1184)
- forfiles.exe (PID: 920)
- forfiles.exe (PID: 4488)
- forfiles.exe (PID: 1164)
- forfiles.exe (PID: 4688)
Reads security settings of Internet Explorer
- Install.exe (PID: 1676)
Searches and executes a command on selected files
- forfiles.exe (PID: 1184)
- forfiles.exe (PID: 6272)
- forfiles.exe (PID: 920)
- forfiles.exe (PID: 1164)
- forfiles.exe (PID: 4688)
- forfiles.exe (PID: 4488)
Found strings related to reading or modifying Windows Defender settings
- forfiles.exe (PID: 6272)
- Install.exe (PID: 1676)
- forfiles.exe (PID: 1184)
- forfiles.exe (PID: 920)
- forfiles.exe (PID: 4488)
- forfiles.exe (PID: 4688)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 1228)
- cmd.exe (PID: 4620)
- cmd.exe (PID: 6744)
- cmd.exe (PID: 3240)
Drops 7-zip archiver for unpacking
- 256a30be8a3081bcb330fe591086a4aed7d48b44e73d2a9692f94bcccd935b33.exe (PID: 4880)
Starts process via Powershell
- powershell.exe (PID: 6740)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 5064)
- cmd.exe (PID: 4696)
There is functionality for taking screenshot (YARA)
- Install.exe (PID: 1676)
Reads the BIOS version
- Install.exe (PID: 1676)
INFO
Create files in a temporary directory
- 256a30be8a3081bcb330fe591086a4aed7d48b44e73d2a9692f94bcccd935b33.exe (PID: 4880)
- Install.exe (PID: 2320)
Reads the computer name
- Install.exe (PID: 1676)
Checks supported languages
- 256a30be8a3081bcb330fe591086a4aed7d48b44e73d2a9692f94bcccd935b33.exe (PID: 4880)
- Install.exe (PID: 1676)
- Install.exe (PID: 2320)
The sample compiled with english language support
- 256a30be8a3081bcb330fe591086a4aed7d48b44e73d2a9692f94bcccd935b33.exe (PID: 4880)
Process checks computer location settings
- Install.exe (PID: 1676)
Reads security settings of Internet Explorer
- WMIC.exe (PID: 900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
xor-url
(PID) Process(1676) Install.exe
Decrypted-URLs (29)http://api.check-data.xyz
http://api2.check-data.xyz
http://api3.check-data.xyz
http://api4.check-data.xyz
http://api5.check-data.xyz
http://helsinki-dtc.com/clrls/cl_rls.json
http://helsinki-dtc.com/updates/yd/wrtzr_yt_a_1/win/update_e.jpg
http://helsinki-dtc.com/updates/yd/wrtzr_yt_a_1/win/version.txt
http://skrptfiles.tracemonitors.com/clrls/cl_rls.json
http://skrptfiles.tracemonitors.com/updates/yd/wrtzr_yt_a_1/win/update_e.jpg3
http://skrptfiles.tracemonitors.com/updates/yd/wrtzr_yt_a_1/win/version.txt
http://www.rapidfilestorage.com/clrls/cl_rls.json
http://www.rapidfilestorage.com/updates/yd/wrtzr_yt_a_1/win/update_e.jpg
http://www.rapidfilestorage.com/updates/yd/wrtzr_yt_a_1/win/version.txt
https://api.fetch-api.comL
https://api.fetch-api.comM
https://rmtexts.fetch-api.com/google_ifi_ico.png
https://service-domain.xyz/google_ifi_ico.pngO
https://www.google.com/?h=15gfigoky0yidmgsfz0cpzkop82pv1d1kzup.prvyl0ii0
https://www.google.com/?h=42f6od641m7cwdq4el5np41md1zngfir9863.02nfw3obl
https://www.google.com/?h=4py6y4f63yomtkzthf0vliiw5g06q3fhp9h1.0uf38fx1b
https://www.google.com/?h=52x06k33mh5cdi7ed0pyobzborkaow6nxksq.5d15mfc0i
https://www.google.com/?h=5qc5etyut00x6df5nv8scd9ahvq4532s99t4.r1prjhqaj#
https://www.google.com/?h=6p0jxxs43obizbc14pxs8ve46mfh1fgyfomh.nhh4pjxu8
https://www.google.com/?h=deq16e06s1blnmuorvzzwr035pdx0vgooxkb.1xvwvg4ju
https://www.google.com/?h=jn87cg3z0mxll39u6m2q14cpn3hyrwgfklei.1qt1kyvk5
https://www.google.com/?h=jsdiq8xf7ic5mw4o3u4js81nub9a52b7im0k.bg7lsc44a
https://www.google.com/?h=md8vgx0vjeebrt7ncv.3510wvesh25r9mbx8d
https://www.google.com/?h=zhmbuwqv0cjs9i36d3gkutlvv2w22yuxgs29.qz6n4q80z?
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2010:11:18 16:27:35+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 104960 |
| InitializedDataSize: | 45056 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x14b04 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 9.20.0.0 |
| ProductVersionNumber: | 9.20.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Igor Pavlov |
| FileDescription: | 7z Setup SFX |
| FileVersion: | 9.2 |
| InternalName: | 7zS.sfx |
| LegalCopyright: | Copyright (c) 1999-2010 Igor Pavlov |
| OriginalFileName: | 7zS.sfx.exe |
| ProductName: | 7-Zip |
| ProductVersion: | 9.2 |
Total processes
167
Monitored processes
32
Malicious processes
4
Suspicious processes
6
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 900 | "C:\WINDOWS\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True | C:\Windows\SysWOW64\wbem\WMIC.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 2147749889 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 920 | forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" | C:\Windows\SysWOW64\forfiles.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: ForFiles - Executes a command on selected files Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1164 | forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" | C:\Windows\SysWOW64\forfiles.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: ForFiles - Executes a command on selected files Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1184 | forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" | C:\Windows\SysWOW64\forfiles.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: ForFiles - Executes a command on selected files Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1228 | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 | C:\Windows\SysWOW64\cmd.exe | — | forfiles.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1532 | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 | C:\Windows\SysWOW64\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1676 | .\Install.exe /lodidMUqD "385121" /S | C:\Users\admin\AppData\Local\Temp\7zSBA3A.tmp\Install.exe | Install.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
xor-url(PID) Process(1676) Install.exe Decrypted-URLs (29)http://api.check-data.xyz http://api2.check-data.xyz http://api3.check-data.xyz http://api4.check-data.xyz http://api5.check-data.xyz http://helsinki-dtc.com/clrls/cl_rls.json http://helsinki-dtc.com/updates/yd/wrtzr_yt_a_1/win/update_e.jpg http://helsinki-dtc.com/updates/yd/wrtzr_yt_a_1/win/version.txt http://skrptfiles.tracemonitors.com/clrls/cl_rls.json http://skrptfiles.tracemonitors.com/updates/yd/wrtzr_yt_a_1/win/update_e.jpg3 http://skrptfiles.tracemonitors.com/updates/yd/wrtzr_yt_a_1/win/version.txt http://www.rapidfilestorage.com/clrls/cl_rls.json http://www.rapidfilestorage.com/updates/yd/wrtzr_yt_a_1/win/update_e.jpg http://www.rapidfilestorage.com/updates/yd/wrtzr_yt_a_1/win/version.txt https://api.fetch-api.comL https://api.fetch-api.comM https://rmtexts.fetch-api.com/google_ifi_ico.png https://service-domain.xyz/google_ifi_ico.pngO https://www.google.com/?h=15gfigoky0yidmgsfz0cpzkop82pv1d1kzup.prvyl0ii0 https://www.google.com/?h=42f6od641m7cwdq4el5np41md1zngfir9863.02nfw3obl https://www.google.com/?h=4py6y4f63yomtkzthf0vliiw5g06q3fhp9h1.0uf38fx1b https://www.google.com/?h=52x06k33mh5cdi7ed0pyobzborkaow6nxksq.5d15mfc0i https://www.google.com/?h=5qc5etyut00x6df5nv8scd9ahvq4532s99t4.r1prjhqaj# https://www.google.com/?h=6p0jxxs43obizbc14pxs8ve46mfh1fgyfomh.nhh4pjxu8 https://www.google.com/?h=deq16e06s1blnmuorvzzwr035pdx0vgooxkb.1xvwvg4ju https://www.google.com/?h=jn87cg3z0mxll39u6m2q14cpn3hyrwgfklei.1qt1kyvk5 https://www.google.com/?h=jsdiq8xf7ic5mw4o3u4js81nub9a52b7im0k.bg7lsc44a https://www.google.com/?h=md8vgx0vjeebrt7ncv.3510wvesh25r9mbx8d https://www.google.com/?h=zhmbuwqv0cjs9i36d3gkutlvv2w22yuxgs29.qz6n4q80z? | |||||||||||||||
| 2096 | powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2320 | .\Install.exe | C:\Users\admin\AppData\Local\Temp\7zSB76B.tmp\Install.exe | 256a30be8a3081bcb330fe591086a4aed7d48b44e73d2a9692f94bcccd935b33.exe | ||||||||||||
User: admin Company: Igor Pavlov Integrity Level: HIGH Description: 7z Setup SFX Version: 9.20 Modules
| |||||||||||||||
| 3240 | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 | C:\Windows\SysWOW64\cmd.exe | — | forfiles.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
9 228
Read events
9 223
Write events
5
Delete events
0
Modification events
| (PID) Process: | (6800) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction |
| Operation: | write | Name: | 2147735503 |
Value: 6 | |||
| (PID) Process: | (6800) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction |
| Operation: | write | Name: | 2147812831 |
Value: 6 | |||
| (PID) Process: | (1676) Install.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000 | |||
| (PID) Process: | (5640) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction |
| Operation: | write | Name: | 2147814524 |
Value: 6 | |||
| (PID) Process: | (1532) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction |
| Operation: | write | Name: | 2147780199 |
Value: 6 | |||
Executable files
2
Suspicious files
3
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6740 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:2FE2620668C5F0D6470D5816E2047427 | SHA256:C9F426BBB4070F6DEB038FC7942B6C7E14400F68D2449BD388630065590B5AD3 | |||
| 6740 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_es42d1tj.ukw.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2096 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_y1sx1ayj.xyd.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7696 | schtasks.exe | C:\Windows\Tasks\bHuqaEPbhrVtHIaGbF.job | binary | |
MD5:A5B052D850B11CB76093F73074739822 | SHA256:16F1D31E2612263EA277B36257A742BD94E6BA38110B07D194AF564C148D88EB | |||
| 4880 | 256a30be8a3081bcb330fe591086a4aed7d48b44e73d2a9692f94bcccd935b33.exe | C:\Users\admin\AppData\Local\Temp\7zSB76B.tmp\Install.exe | executable | |
MD5:7663EC2EF812BE34463678FF25C23D1F | SHA256:D2E76FE1F360F12C24E676520808AC39C4E1CE929C3F39A8C35063E93D9EE1B7 | |||
| 4880 | 256a30be8a3081bcb330fe591086a4aed7d48b44e73d2a9692f94bcccd935b33.exe | C:\Users\admin\AppData\Local\Temp\7zSB76B.tmp\__data__\config.txt | binary | |
MD5:9782EAAA1AB72B69E1806A0D809B2443 | SHA256:B0740C82852EA35072C1D4D98ED8F99FAD8C40A61CF94180AD6ABE815EF145AF | |||
| 6740 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tjfk1sig.3kq.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2320 | Install.exe | C:\Users\admin\AppData\Local\Temp\7zSBA3A.tmp\Install.exe | executable | |
MD5:75FB5F8595A2C77B6616A5DBBDFA5696 | SHA256:804534351D0EA162EECC1CEB26F7918026595EF1AFF3C6B00BEC38E1541CA6E2 | |||
| 2096 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uc54unsl.1lp.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
20
DNS requests
12
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7904 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.180:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
7904 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.48.23.180:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 20.190.160.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2196 | svchost.exe | 224.0.0.252:5355 | — | — | — | whitelisted |
2196 | svchost.exe | 224.0.0.251:5353 | — | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |