Malware Analysis Report

2024-11-30 21:14

Sample ID 231230-faxy8sehen
Target 0ecd6fbf320e70c4a34a5c3ec82a418c
SHA256 cdb5e75841cdd400ef88879799480357211372e7ea884fcb228efc941cec8b58
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

cdb5e75841cdd400ef88879799480357211372e7ea884fcb228efc941cec8b58

Threat Level: Known bad

The file 0ecd6fbf320e70c4a34a5c3ec82a418c was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 04:40

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 04:40

Reported

2023-12-30 22:45

Platform

win7-20231215-en

Max time kernel

153s

Max time network

129s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ecd6fbf320e70c4a34a5c3ec82a418c.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\w5bi\mspaint.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\47eoHDH\rdpclip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\lzwCY6\EhStorAuthn.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\h0gSl\\rdpclip.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\w5bi\mspaint.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\47eoHDH\rdpclip.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\lzwCY6\EhStorAuthn.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 2464 N/A N/A C:\Windows\system32\mspaint.exe
PID 1272 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\w5bi\mspaint.exe
PID 1272 wrote to memory of 2848 N/A N/A C:\Windows\system32\rdpclip.exe
PID 1272 wrote to memory of 596 N/A N/A C:\Users\Admin\AppData\Local\47eoHDH\rdpclip.exe
PID 1272 wrote to memory of 1144 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 1272 wrote to memory of 564 N/A N/A C:\Users\Admin\AppData\Local\lzwCY6\EhStorAuthn.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ecd6fbf320e70c4a34a5c3ec82a418c.dll

C:\Windows\system32\mspaint.exe

C:\Users\Admin\AppData\Local\w5bi\mspaint.exe

C:\Windows\system32\rdpclip.exe

C:\Users\Admin\AppData\Local\47eoHDH\rdpclip.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\lzwCY6\EhStorAuthn.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\w5bi\mspaint.exe

C:\Users\Admin\AppData\Local\w5bi\MFC42u.dll

C:\Users\Admin\AppData\Local\47eoHDH\WINSTA.dll

C:\Users\Admin\AppData\Local\47eoHDH\rdpclip.exe

\Users\Admin\AppData\Local\lzwCY6\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\lzwCY6\UxTheme.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\BH1eZZO2n\MFC42u.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\h0gSl\WINSTA.dll

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\65wSdeiWL\UxTheme.dll

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 04:40

Reported

2023-12-30 22:45

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

116s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ecd6fbf320e70c4a34a5c3ec82a418c.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ecd6fbf320e70c4a34a5c3ec82a418c.dll

C:\Windows\system32\mspaint.exe

C:\Users\Admin\AppData\Local\QmQ\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\i1lzfQJS\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\gePR8Akp\mspaint.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files
