| File name: | Detection.exe |
| Full analysis: | https://app.any.run/tasks/74e607d8-1eb1-4835-9656-1cc066db9c7b |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | April 11, 2025, 13:33:22 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 7 sections |
| MD5: | E14306E1A9A544866F0090CD5C6A76B1 |
| SHA1: | 4C7A39BC4EE6404BD0E8A768E7DA8D226C944BE1 |
| SHA256: | E96752B363C76FB56A4CB6E4A3611ACAD4A3FC8B08724E6A906F08AC696EFBDC |
| SSDEEP: | 98304:8TusDhJyxOy/FkBfsSUai9RvXH6vUn+g3k8sqHLCx2:zH9RvL |
MALICIOUS
Changes the autorun value in the registry
- reg.exe (PID: 7636)
Steals credentials from Web Browsers
- cmd.exe (PID: 3884)
SUSPICIOUS
Reads security settings of Internet Explorer
- ShellExperienceHost.exe (PID: 7464)
- Detection.exe (PID: 5332)
- Detection.exe (PID: 6740)
- Skype.exe (PID: 6108)
Uses REG/REGEDIT.EXE to modify registry
- Skype.exe (PID: 6108)
Application launched itself
- Skype.exe (PID: 6108)
Detected use of alternative data streams (AltDS)
- Skype.exe (PID: 6108)
INFO
Checks proxy server information
- Detection.exe (PID: 5332)
- Skype.exe (PID: 6108)
- Detection.exe (PID: 6740)
- slui.exe (PID: 8112)
Checks supported languages
- Detection.exe (PID: 5332)
- ShellExperienceHost.exe (PID: 7464)
- Skype.exe (PID: 6108)
- Skype.exe (PID: 1012)
- Skype.exe (PID: 7656)
- Skype.exe (PID: 7640)
- Detection.exe (PID: 6740)
- Skype.exe (PID: 7796)
- Skype.exe (PID: 1072)
- Skype.exe (PID: 8112)
The sample compiled with english language support
- Detection.exe (PID: 5332)
Reads the computer name
- ShellExperienceHost.exe (PID: 7464)
- Detection.exe (PID: 5332)
- Skype.exe (PID: 6108)
- Skype.exe (PID: 7656)
- Skype.exe (PID: 7640)
- Skype.exe (PID: 7796)
- Detection.exe (PID: 6740)
- Skype.exe (PID: 8112)
Reads the software policy settings
- slui.exe (PID: 6032)
- slui.exe (PID: 8112)
- Skype.exe (PID: 6108)
Manual execution by a user
- Skype.exe (PID: 6108)
- WINWORD.EXE (PID: 1128)
- cmd.exe (PID: 3884)
- Detection.exe (PID: 6740)
Reads CPU info
- Skype.exe (PID: 6108)
Process checks computer location settings
- Skype.exe (PID: 6108)
- Skype.exe (PID: 7796)
- Skype.exe (PID: 1072)
Create files in a temporary directory
- Skype.exe (PID: 6108)
Node.js compiler has been detected
- Skype.exe (PID: 6108)
- Skype.exe (PID: 1012)
- Skype.exe (PID: 7656)
Creates files or folders in the user directory
- Skype.exe (PID: 7796)
- Skype.exe (PID: 6108)
- Skype.exe (PID: 7640)
Reads the machine GUID from the registry
- Skype.exe (PID: 8112)
- Skype.exe (PID: 6108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2022:06:22 15:57:44+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.31 |
| CodeSize: | 2488832 |
| InitializedDataSize: | 2392576 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x212f68 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 6.5.4.0 |
| ProductVersionNumber: | 6.5.4.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Husdawg, LLC |
| FileDescription: | System Requirements Lab Detection |
| FileVersion: | 6,5,4 |
| InternalName: | SRL Detection |
| LegalCopyright: | (c) Husdawg, LLC. All rights reserved. |
| OriginalFileName: | detection.exe |
| ProductName: | System Requirements Lab Detection |
| ProductVersion: | 6,5,4 |
Total processes
172
Monitored processes
32
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 444 | C:\WINDOWS\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve | C:\Windows\SysWOW64\reg.exe | — | Skype.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1012 | "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad" --url=appcenter://generic?aid=a7417433-29d9-4bc0-8826-af367733939d&iid=868d4f0b-b29b-4967-461d-2a3581a09553&uid=868d4f0b-b29b-4967-461d-2a3581a09553 --annotation=IsOfficialBuild=1 --annotation=_companyName=Skype --annotation=_productName=skype-preview --annotation=_version=8.104.0.207 "--annotation=exe=C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=19.1.8 --initial-client-data=0x58c,0x590,0x594,0x588,0x598,0x7653398,0x76533a8,0x76533b4 | C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe | |||||||||||
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.104.0.207 Modules
| |||||||||||||||
| 1072 | "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3964 --field-trial-handle=2188,i,2698211440993300132,495914860670579711,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 | C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe | |||||||||||
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.104.0.207 Modules
| |||||||||||||||
| 1128 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\manageritem.rtf" /o "" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 16.0.16026.20146 Modules
| |||||||||||||||
| 1188 | C:\WINDOWS\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve | C:\Windows\SysWOW64\reg.exe | — | Skype.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1852 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | reg.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2104 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | reg.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2776 | C:\WINDOWS\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice /v ProgId | C:\Windows\SysWOW64\reg.exe | — | Skype.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3620 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | reg.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3884 | "C:\WINDOWS\system32\cmd.exe" | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
17 296
Read events
16 995
Write events
259
Delete events
42
Modification events
| (PID) Process: | (5332) Detection.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (5332) Detection.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (5332) Detection.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (7636) reg.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Skype for Desktop |
Value: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe | |||
| (PID) Process: | (1128) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\1128 |
| Operation: | write | Name: | 0 |
Value: 0B0E106DDD54F40E20044693032E1151465C82230046BDD3C99FE9DCEAED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511E808D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300 | |||
| (PID) Process: | (1128) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 2 | |||
| (PID) Process: | (1128) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | de-de |
Value: 2 | |||
| (PID) Process: | (1128) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | fr-fr |
Value: 2 | |||
| (PID) Process: | (1128) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | es-es |
Value: 2 | |||
| (PID) Process: | (1128) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | it-it |
Value: 2 | |||
Executable files
1
Suspicious files
92
Text files
14
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6108 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\settings.dat | binary | |
MD5:9D0439A794AA96ABD6AFF504C86C7F31 | SHA256:5DBC3A5DAF431973E245D83AB51B128E9C4CC2F3ECD61C45C88DB161ACC25B7B | |||
| 6108 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old | text | |
MD5:46EED8B7CAAD25F7F453617DA0FB0857 | SHA256:5BC1DE0E32F2969386351B2BE088F13B6CC3DF7693EE9E92FEEF59DB6AF1FB92 | |||
| 6108 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UXDYMMJ5RAL7OTK5LSYB.temp | binary | |
MD5:650715BCEAB46DA0B17655EC629D01DF | SHA256:21C5A2B179C493B6BB9BA9170640624311D3EA0BA6F36AD73C72C770EDA042F6 | |||
| 6108 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms | binary | |
MD5:650715BCEAB46DA0B17655EC629D01DF | SHA256:21C5A2B179C493B6BB9BA9170640624311D3EA0BA6F36AD73C72C770EDA042F6 | |||
| 6108 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 | |||
| 6108 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Spelling\en-US\default.acl | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 | |||
| 6108 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json | binary | |
MD5:B6DDF3A7D3421679971F966C108732F8 | SHA256:AAF9B37FC5DE395C4F865463129047908BFF9B44D17C55AC5BA9DB0EDCF20E96 | |||
| 1128 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | binary | |
MD5:58A2CBE7D93E94D201ECEDD010C046CD | SHA256:9A0F1D71124468B1695EF575C75A3FBA1F3DD2272CAA17F2D1CB337A18002B2A | |||
| 1128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FCECE139-7F5A-497E-8379-F521E91793EC | xml | |
MD5:BE19350972BB8AFCDD48E8692CDC9AFB | SHA256:11F31E46D456BC4121539881CD2E4D3066631AC6D0B73B2A8718671AE982E2FD | |||
| 1128 | WINWORD.EXE | C:\Users\admin\Desktop\~$nageritem.rtf | binary | |
MD5:F1C36A6E28AA74CC8339834AF91025B3 | SHA256:99A5CFB0E1BDC74608DAEE8015FAECC1517B5AC2FE86D87012503CD6226CE11D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
73
DNS requests
56
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.41:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5332 | Detection.exe | GET | 200 | 3.228.150.188:80 | http://www.systemrequirementslab.com/api/session/3302A80B-680A-9EA5-D9EF-54ED61A95B50/?apikey=9972FAF8-F36D-4FAA-9EF1-4301C3D354C0 | unknown | — | — | unknown |
5332 | Detection.exe | POST | 201 | 3.228.150.188:80 | http://www.systemrequirementslab.com/api/session/3302A80B-680A-9EA5-D9EF-54ED61A95B50/?apikey=9972FAF8-F36D-4FAA-9EF1-4301C3D354C0 | unknown | — | — | unknown |
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7936 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
7936 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
1128 | WINWORD.EXE | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | — | — | whitelisted |
2924 | SearchApp.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
2924 | SearchApp.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
6740 | Detection.exe | GET | 200 | 3.228.150.188:80 | http://www.systemrequirementslab.com/api/session/3302A80B-680A-9EA5-D9EF-54ED61A95B50/?apikey=9972FAF8-F36D-4FAA-9EF1-4301C3D354C0 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.216.77.41:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
5332 | Detection.exe | 3.228.150.188:80 | www.systemrequirementslab.com | AMAZON-AES | US | suspicious |
6544 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
2112 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
www.systemrequirementslab.com |
| unknown |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |