Malware Analysis Report

2025-06-15 19:52

Sample ID 240114-wkgyrscbdp
Target 5aec0e99db7bd449edb9a923df3a2c27
SHA256 9f51d19f0129696e8086dcf8bc470180c210a175f2b0fdfc91163d46a67a7f37
Tags
lumma stealer
score
10/10

Analysis Overview

score
10/10

SHA256

9f51d19f0129696e8086dcf8bc470180c210a175f2b0fdfc91163d46a67a7f37

Threat Level: Known bad

The file 5aec0e99db7bd449edb9a923df3a2c27 was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Detect Lumma Stealer payload V4

Lumma Stealer

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-14 17:58

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-14 17:58

Reported

2024-01-14 18:01

Platform

win7-20231215-en

Max time kernel

141s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"

Signatures

Detect Lumma Stealer payload V4

Lumma Stealer

stealer lumma

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe N/A
File created C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe N/A
File created C:\Windows\SysWOW64\wuaudit.exe C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe N/A
File opened for modification C:\Windows\SysWOW64\wuaudit.exe C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe C:\Windows\SysWOW64\wuaudit.exe
PID 2868 wrote to memory of 2636 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 2636 wrote to memory of 1664 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 1664 wrote to memory of 2904 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 2904 wrote to memory of 1300 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 1300 wrote to memory of 1292 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 1292 wrote to memory of 2200 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 2200 wrote to memory of 2112 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 2112 wrote to memory of 2948 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 2948 wrote to memory of 1532 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe

"C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 568 "C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 516 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 524 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 528 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 532 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 520 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 540 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 544 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 548 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 536 "C:\Windows\SysWOW64\wuaudit.exe"

Network

N/A

Files

\Windows\SysWOW64\wuaudit.exe

MD5 7fffaf18f426d754485258a826ad4de3
SHA1 168c8f02ddeb714fa1090939aea68164489bfc0a
SHA256 4ba88f7cda7b2f8564738894b99f8a9a60c5bb6e4e65687752007afcdf6bce85
SHA512 b2d71d4ee4890cd8bad02c4875787d9283024dc4af34dfe80541afbb23d5c9570e34c9f405ce7feaff56494f7395dc87773a890f97f578dc11f30f9b92aa81cf

C:\Windows\SysWOW64\wuaudit.exe

MD5 ed9232b962aad41714297e8c29e1186b
SHA1 fa0c1de8a1dfeb6c14d4b55b05bd152de5da8be7
SHA256 0a3a1220d257d7a857974ba2d56c8fc52083b4e8ec7da78bfe1cf9f5dcab8cb9
SHA512 0e340bd1927a947b2240bc61e0771ed5d65748ff5c5cc70743bc566fe002d70cf37428c41ac76f2663c528cc1c2535a40fb1b1e1545357ded719e39294ee0996

C:\Windows\SysWOW64\wuaudit.exe

MD5 a38637a25b9e5598e60c20c107459fb6
SHA1 ccfc1827cbfeac8deac8a9b0c30d84837d8e7138
SHA256 1997f853ace7586a8357adf3ba89aeb4fba935265216842f79ac57f01360e93c
SHA512 098eed932d7e66b7e30c965d169833aad397392c24a050d121ee8d43d4a83b97fadf6c18aace96ceb022365634274d950164ef061753b1d3d78311c8c5fe3298

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-14 17:58

Reported

2024-01-14 18:01

Platform

win10v2004-20231222-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"

Signatures

Detect Lumma Stealer payload V4

Lumma Stealer

stealer lumma

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wuaudit.exe C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe N/A
File opened for modification C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe N/A
File created C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe N/A
File opened for modification C:\Windows\SysWOW64\wuaudit.exe C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5012 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe C:\Windows\SysWOW64\wuaudit.exe
PID 3392 wrote to memory of 1008 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 1008 wrote to memory of 3084 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 3084 wrote to memory of 1528 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 1528 wrote to memory of 4348 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 4348 wrote to memory of 5112 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 5112 wrote to memory of 3064 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 3064 wrote to memory of 664 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 664 wrote to memory of 4228 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe
PID 4228 wrote to memory of 1876 N/A C:\Windows\SysWOW64\wuaudit.exe C:\Windows\SysWOW64\wuaudit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe

"C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 1184 "C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 1128 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 1088 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 1100 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 1104 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 1112 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 1092 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 1116 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 1120 "C:\Windows\SysWOW64\wuaudit.exe"

C:\Windows\SysWOW64\wuaudit.exe

C:\Windows\system32\wuaudit.exe 1124 "C:\Windows\SysWOW64\wuaudit.exe"

Network

Files

C:\Windows\SysWOW64\wuaudit.exe

MD5 7fffaf18f426d754485258a826ad4de3
SHA1 168c8f02ddeb714fa1090939aea68164489bfc0a
SHA256 4ba88f7cda7b2f8564738894b99f8a9a60c5bb6e4e65687752007afcdf6bce85
SHA512 b2d71d4ee4890cd8bad02c4875787d9283024dc4af34dfe80541afbb23d5c9570e34c9f405ce7feaff56494f7395dc87773a890f97f578dc11f30f9b92aa81cf

C:\Windows\SysWOW64\wuaudit.exe

MD5 a12f2de24349ac5e2a98d50cec31d85b
SHA1 04f4447f7c69045e73ac3e480b4b4c426660bfc3
SHA256 36eb25cf1284912eaf7c0d1b30e1b997f3e23c9f8556d657e71d96103004c43d
SHA512 2016e51022cf62cc6996db5e39f9c8ab30ef0219069901120731002a2e5936ef064949d8ff18a9307dd066790a2f13de2ae70734cbb195d3655708d4c4998c84

C:\Windows\SysWOW64\wuaudit.exe

MD5 282aad35586adda69ea5476e0e5261cf
SHA1 c13d068f8c37fec715c0e75003c9239db45a2e21
SHA256 4163a3ae0fd9d2ad2d672f59a1672fd5ad80464d295b0041db6a7f24bf754f70
SHA512 3a5c1c6eeb1079741f2f358665f92ee8fded26f987629aedd5cb35a1a127a43e220d269b81c32a6eb1743dba9ef6f7b65dc190ee095ab7633087d01047d5e123