Malware Analysis Report

2024-11-30 21:28

Sample ID 240106-ryvdssbgb8
Target 4679898201806dc6de8e98d5fe539ed2
SHA256 b60b7a922e6e0e011f495a1be04333582f76e52ddabefa0b020ed51a0d263cde
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b60b7a922e6e0e011f495a1be04333582f76e52ddabefa0b020ed51a0d263cde

Threat Level: Known bad

The file 4679898201806dc6de8e98d5fe539ed2 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-06 14:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-06 14:36

Reported

2024-01-06 14:39

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\1Wsr\\SOUNDR~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\iTS47T\perfmon.exe | C:\Windows\system32\cmd.exe | N/A
File opened for modification | C:\Windows\system32\iTS47T\perfmon.exe | C:\Windows\system32\cmd.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1220 wrote to memory of 2764 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe
PID 1220 wrote to memory of 2764 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe
PID 1220 wrote to memory of 2764 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe
PID 1220 wrote to memory of 2880 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 2880 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 2880 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 2536 | N/A | N/A | C:\Windows\system32\perfmon.exe
PID 1220 wrote to memory of 2536 | N/A | N/A | C:\Windows\system32\perfmon.exe
PID 1220 wrote to memory of 2536 | N/A | N/A | C:\Windows\system32\perfmon.exe
PID 1220 wrote to memory of 1516 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 1516 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 1516 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 2800 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2800 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2800 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2504 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2504 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2504 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1260 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1260 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1260 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2308 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2308 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2308 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1660 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1660 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1660 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 640 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 640 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 640 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1532 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1532 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1532 | N/A | N/A | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1

C:\Windows\system32\SoundRecorder.exe

C:\Windows\system32\SoundRecorder.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\tdxgck8.cmd

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\zzGJha0.cmd

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Xvwegxb" /TR "C:\Windows\system32\iTS47T\perfmon.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Xvwegxb"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Xvwegxb"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Xvwegxb"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Xvwegxb"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Xvwegxb"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Xvwegxb"

Network

N/A

Files

memory/2252-0-0x000007FEF6AB0000-0x000007FEF6B51000-memory.dmp

memory/2252-1-0x0000000000180000-0x0000000000187000-memory.dmp

memory/1220-3-0x00000000771B6000-0x00000000771B7000-memory.dmp

memory/1220-4-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

memory/1220-8-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/2252-7-0x000007FEF6AB0000-0x000007FEF6B51000-memory.dmp

memory/1220-6-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-10-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-9-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-12-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-11-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-13-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-14-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-16-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-15-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-17-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-18-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-19-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-20-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-22-0x0000000002640000-0x0000000002647000-memory.dmp

memory/1220-21-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-23-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-29-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-30-0x00000000773C1000-0x00000000773C2000-memory.dmp

memory/1220-31-0x0000000077520000-0x0000000077522000-memory.dmp

memory/1220-40-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-45-0x0000000140000000-0x00000001400A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tdxgck8.cmd

MD5 5df19ec67e31f4cf125f125f620d1183
SHA1 68eea940236a70ef083db38d87355aa3952431e5
SHA256 d06a4201febb77546412bbc1bc4ea2239e8373f05d5a2450437e2361419e5bc5
SHA512 387742881531275a87d509c33ca813d151e66780cf884b2e1a08cbbdb228d28ff3cf9a00d6c2d8308d7cc177a6045c73fed0bde01871b0f4687b72f271251f48

C:\Users\Admin\AppData\Local\Temp\JD134.tmp

MD5 add63527ebc8c17b51de897f9f9b642f
SHA1 5fe3288231c4c9b241d5fdc6dc0df8797546f81d
SHA256 862c32a6d3333449efc9eb1cc62548676db45db1773be259bbddb6724bf5a17c
SHA512 1a7b87a8cc4ea1727aedd65e739064125a537bd16cecdf333f91342f1b14d081ace86a0c75afcb0b27c77b83701c27171e713e594ec29fc56ddfb45c1e7e3ead

memory/1220-57-0x00000000771B6000-0x00000000771B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zzGJha0.cmd

MD5 d4ce837ad6ebbbadc137cf300124d91a
SHA1 be7a19c25a5a917afe1ecbac4c486c28dbf7ad1a
SHA256 6b9ff0af5ba080ec0d087b0de21f17f947cdb74cd83e96738d5c10815ef3c505
SHA512 bad61c2ca93a18f6cd159dcf9771f43bc074bc3ebc93188ac0a45716b511f7b126b516168c2d4e12227e90cf88ab44bc34ae94704809ad8d31256f2f63688ecf

C:\Users\Admin\AppData\Local\Temp\lrsFA38.tmp

MD5 4bfa1b6aefff78f48746abb929bf27b5
SHA1 3773fecb2ae71f95a119a3a2de69881884bab559
SHA256 9d2d745f0ffd1c6019e40c7b4e3f093483848d08e3b5fe6555713e7e110ddc68
SHA512 802fa888266dae28f8e305eb49d33ca37f8f00f326adcf810b86e782d8e2dc3bf36870433544a7a8de70c3ec817e0b5945ed2d81943a4690a661d5cddb7e2770

C:\Users\Admin\AppData\Roaming\1Wsr\SoundRecorder.exe

MD5 47f0f526ad4982806c54b845b3289de1
SHA1 8420ea488a2e187fe1b7fcfb53040d10d5497236
SHA256 e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b
SHA512 4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zqonzshwxyr.lnk

MD5 374fac5609655f1924bb7554b39e45c1
SHA1 227b05dfb7c9c3e68aa095ba460f07e810cf5a65
SHA256 d7e1d34424fc50eab0d1521cfb0d99fa03fb7e607df56a9ff1cec33e17dde04b
SHA512 7c3f0e1974a4b5d4d69bb031abd4cb05a41f9fb748c98380443b3d2e18cf7de04f560b666336f4f4875a1877bda33373b8a5725dd4b97aa6e81933b822123d79

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-06 14:36

Reported

2024-01-06 14:39

Platform

win10v2004-20231222-en

Max time kernel

1s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\lef3Af.cmd

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Kjaztdntfug" /TR "C:\Windows\system32\zwqrRc\Netplwiz.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\D7h.cmd

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
GB | 96.17.178.204:80 | | tcp
GB | 96.17.178.204:80 | | tcp
GB | 96.17.178.184:80 | | tcp
GB | 96.17.178.184:80 | | tcp
GB | 96.17.178.184:80 | | tcp

Files

memory/1148-2-0x0000028550380000-0x0000028550387000-memory.dmp

memory/1148-0-0x00007FF94C570000-0x00007FF94C611000-memory.dmp

memory/3528-20-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-28-0x0000000001200000-0x0000000001207000-memory.dmp

memory/3528-30-0x00007FF95A700000-0x00007FF95A710000-memory.dmp

memory/3528-39-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-41-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-29-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-22-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-21-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-19-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-18-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-17-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-16-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-15-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-14-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-13-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-12-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-11-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-10-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-9-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-8-0x00007FF95885A000-0x00007FF95885B000-memory.dmp

memory/3528-7-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1148-6-0x00007FF94C570000-0x00007FF94C611000-memory.dmp

memory/3528-5-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-3-0x0000000003140000-0x0000000003141000-memory.dmp

memory/3528-61-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3528-62-0x0000000001210000-0x0000000001211000-memory.dmp

memory/4932-79-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

memory/3196-85-0x0000013A889E0000-0x0000013A88A00000-memory.dmp

memory/3196-89-0x0000013A88FB0000-0x0000013A88FD0000-memory.dmp

memory/3196-87-0x0000013A889A0000-0x0000013A889C0000-memory.dmp

memory/2728-100-0x00000000047F0000-0x00000000047F1000-memory.dmp

memory/3596-108-0x000001AD7AFF0000-0x000001AD7B010000-memory.dmp

memory/3596-110-0x000001AD7AFB0000-0x000001AD7AFD0000-memory.dmp

memory/3596-112-0x000001AD7B3C0000-0x000001AD7B3E0000-memory.dmp

memory/2732-124-0x0000000004930000-0x0000000004931000-memory.dmp

memory/636-132-0x0000020576090000-0x00000205760B0000-memory.dmp

memory/636-136-0x0000020576660000-0x0000020576680000-memory.dmp

memory/636-134-0x0000020576050000-0x0000020576070000-memory.dmp

memory/2624-148-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

memory/4164-155-0x000001B362D70000-0x000001B362D90000-memory.dmp

memory/4164-159-0x000001B363140000-0x000001B363160000-memory.dmp

memory/4164-157-0x000001B362D30000-0x000001B362D50000-memory.dmp

memory/1160-170-0x00000000045C0000-0x00000000045C1000-memory.dmp

memory/2744-180-0x0000025C08EC0000-0x0000025C08EE0000-memory.dmp

memory/2744-182-0x0000025C094E0000-0x0000025C09500000-memory.dmp

memory/2744-178-0x0000025C08F00000-0x0000025C08F20000-memory.dmp