Malware Analysis Report

2024-11-30 21:28

Sample ID 240107-t1kngsbee6
Target 497c03dfdb726f1817a6484b5f4e7dc8
SHA256 187a497b5e884cd4fd70718901f8e6b12c6a198ec41979c7b529e903f573a588
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

187a497b5e884cd4fd70718901f8e6b12c6a198ec41979c7b529e903f573a588

Threat Level: Known bad

The file 497c03dfdb726f1817a6484b5f4e7dc8 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 16:31

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 16:31

Reported

2024-01-07 16:34

Platform

win7-20231215-en

Max time kernel

150s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\497c03dfdb726f1817a6484b5f4e7dc8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\xzuC\psr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8K3\cttune.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\lTlM7U\SystemPropertiesRemote.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\7FDArv\\cttune.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\xzuC\psr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8K3\cttune.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\lTlM7U\SystemPropertiesRemote.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 2880 N/A N/A C:\Windows\system32\psr.exe
PID 1220 wrote to memory of 2792 N/A N/A C:\Users\Admin\AppData\Local\xzuC\psr.exe
PID 1220 wrote to memory of 2996 N/A N/A C:\Windows\system32\cttune.exe
PID 1220 wrote to memory of 2608 N/A N/A C:\Users\Admin\AppData\Local\8K3\cttune.exe
PID 1220 wrote to memory of 2800 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1220 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\lTlM7U\SystemPropertiesRemote.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\497c03dfdb726f1817a6484b5f4e7dc8.dll,#1

C:\Windows\system32\psr.exe

C:\Users\Admin\AppData\Local\xzuC\psr.exe

C:\Windows\system32\cttune.exe

C:\Users\Admin\AppData\Local\8K3\cttune.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\lTlM7U\SystemPropertiesRemote.exe

Network

N/A

Files


\Users\Admin\AppData\Local\xzuC\psr.exe

MD5 a80527109d75cba125d940b007eea151
SHA1 facf32a9ede6abfaa09368bfdfcfec8554107272
SHA256 68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495
SHA512 77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

C:\Users\Admin\AppData\Local\xzuC\WTSAPI32.dll

MD5 cd64414d4db62ba7a4dc1e69f4295010
SHA1 bc670fb731817d50976d618867c51011a66bfd42
SHA256 20550e7df65de85bd7c6e70bc7998c8dbeb0d5f8e3bd6555c792d06e302c1965
SHA512 f8d62bf676922ad3a4fea576b0b6937440be415634105491fc9d9fc426765de80dad4b952b88b26686a71c04dc54ed17c2581da86887f77d8d00a810be894d38


\Users\Admin\AppData\Local\8K3\cttune.exe

MD5 7116848fd23e6195fcbbccdf83ce9af4
SHA1 35fb16a0b68f8a84d5dfac8c110ef5972f1bee93
SHA256 39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6
SHA512 e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

C:\Users\Admin\AppData\Local\8K3\OLEACC.dll

MD5 a0a78e2ad475c91bd211cc1f577c5c76
SHA1 a000c63a8ba9c5a17ec506a1ef077f09abe7e98b
SHA256 2767f68f16843feeac649b667b0c201995d2a1f5195841d704b7989d47afbef4
SHA512 70713416cdc00522de11e9636dfd9746024f54ab37b3726c9327225ca11ce176079733e869b9f381197787c5c51d857bb0015025d4b3320c611cafabcc14909c


\Users\Admin\AppData\Local\lTlM7U\SystemPropertiesRemote.exe

MD5 d0d7ac869aa4e179da2cc333f0440d71
SHA1 e7b9a58f5bfc1ec321f015641a60978c0c683894
SHA256 5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a
SHA512 1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

C:\Users\Admin\AppData\Local\lTlM7U\SYSDM.CPL

MD5 c8de4786f06c61c1417e5bd3b2b6d38e
SHA1 5a0887be8e2a633a6b44714cd9728dad3312c2ac
SHA256 20231b1ae1eda375ad4ade3320e8f6c3f3c6e1163e0805915eb32a9c81b14b62
SHA512 168afdc089b3bb03f10ba749612f314b6088a0c012d43c49164a9feea6001fd8b53b34683fa03eb6e786dd43f81262e56057510139863d3743f0574ae422f951


C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 d47999aff3c106d2cb4d77ace3f99325
SHA1 53ffda7defdb3a2654f27d496e4621631e30cb5d
SHA256 b051ef20bba1757a1676008dc14866b8eddd729e275ec8f229be2933dbae723f
SHA512 b8b5c21ac167fb4c0946976b331e7452c40f4deca5edabe98f67c5f0c06a4c36718254c3838159b2d16c17c67c1b78918276aab91ad92520bc4acce34fe0edda

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 16:31

Reported

2024-01-07 16:34

Platform

win10v2004-20231215-en

Max time kernel

116s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\497c03dfdb726f1817a6484b5f4e7dc8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\g7c\\GamePanel.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\tASkdf\wusa.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7Te\GamePanel.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hDBqQrTI\sppsvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3516 wrote to memory of 4848 N/A N/A C:\Windows\system32\wusa.exe
PID 3516 wrote to memory of 1776 N/A N/A C:\Users\Admin\AppData\Local\tASkdf\wusa.exe
PID 3516 wrote to memory of 3196 N/A N/A C:\Windows\system32\GamePanel.exe
PID 3516 wrote to memory of 4052 N/A N/A C:\Users\Admin\AppData\Local\7Te\GamePanel.exe
PID 3516 wrote to memory of 1684 N/A N/A C:\Users\Admin\AppData\Local\hDBqQrTI\sppsvc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\497c03dfdb726f1817a6484b5f4e7dc8.dll,#1

C:\Windows\system32\wusa.exe

C:\Windows\system32\GamePanel.exe

C:\Users\Admin\AppData\Local\7Te\GamePanel.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\hDBqQrTI\sppsvc.exe

C:\Users\Admin\AppData\Local\tASkdf\wusa.exe

Network


Files
