Malware Analysis Report

2024-11-13 14:08

Sample ID 240227-d52vkafg6v
Target a81de519432b6d76d9b881cff0cf9cef (the submitted filename, which is also the sample's MD5)
SHA256 bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce
Tags
lumma evasion stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce

Threat Level: Known bad

The file a81de519432b6d76d9b881cff0cf9cef was found to be: Known bad.

Malicious Activity Summary

lumma evasion stealer

Modifies security service

Lumma Stealer

Detect Lumma Stealer payload V4

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 03:36

Signatures

Unsigned PE

(no indicator, process or target detail recorded for this match)

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 03:36

Reported

2024-02-27 03:38

Platform

win7-20240221-en

Max time kernel

142s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"

Signatures

Detect Lumma Stealer payload V4

24 matches; the report records no indicator, process or target detail for any of them.

Lumma Stealer

stealer lumma

Modifies security service

evasion

22 "Set value (int)" events, all performed by C:\Windows\SysWOW64\regedit.exe with Target N/A, aggregated here by registry key:

Description Indicator Process Count
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe 11
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe 11

Start = 4 is SERVICE_DISABLED. wscsvc is the Security Center service (the one that surfaces antivirus and firewall status to the user) and wuauserv is Windows Update. The values are written straight into the hive by REGEDIT /S rather than through the Service Control Manager, so the write does not stop an instance of either service that is already running; the disabled start type takes effect when the SCM next reads the service configuration, in practice at the next boot. The 11 writes per key match the 11 regedit.exe invocations in the Processes list: every netX.exe generation reruns cmd /c c:\a.bat and REGEDIT /S 1.reg.
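The two checks a defender wants here are (a) what a .reg file would do to service start types before regedit /S imports it, and (b) the same test over the sandbox's "Set value (int)" rows. The block below is an added example written for this report, not code from the sandbox, the sample or any vendor. The sample's real 1.reg was not retained, so REG_SAMPLE is a constructed stand-in that reproduces only what the table above shows (Start = 4 for wscsvc and wuauserv) plus one benign entry; the WATCHED set extends the two observed services with other security-relevant names, and that extension is an assumption.

```python
"""Flag service-disabling entries in a .reg file and in sandbox registry rows.

Added example for this report, not code from the sandbox or the sample.
REG_SAMPLE is a constructed stand-in for 1.reg; WATCHED beyond wscsvc and
wuauserv is an assumption.
"""
import re

SERVICE_DISABLED = 4  # SCM Start type value the sample writes

# Observed in this report: wscsvc (Security Center) and wuauserv (Windows Update).
# The remaining names are assumed additions a defender would also watch.
WATCHED = {
    "wscsvc", "wuauserv",
    "windefend", "wdnissvc", "sense", "mpssvc", "securityhealthservice",
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{1,8})$')
_SVC_RE = re.compile(r"\\services\\(?P<svc>[^\\]+)$", re.IGNORECASE)
_EVENT_RE = re.compile(
    r'^Set value \(int\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+) = "(?P<val>\d+)" (?P<proc>\S+)'
)


def parse_reg(text):
    """Yield (key, value_name, int_value) for every REG_DWORD line of a .reg file.

    Skips the REGEDIT4 / 'Windows Registry Editor Version 5.00' header,
    ';' comments and blank lines. Only dwords matter: a service Start type
    is always stored as REG_DWORD.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.upper().startswith(("REGEDIT4", "WINDOWS REGISTRY EDITOR")):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = _DWORD_RE.match(line)
        if m and key is not None:
            yield key, m["name"], int(m["val"], 16)


def _is_disable(key, name, value):
    """Return the watched service name if (key, name, value) sets Start = 4."""
    m = _SVC_RE.search(key)
    if not m or name.lower() != "start" or value != SERVICE_DISABLED:
        return None
    svc = m["svc"].lower()
    return svc if svc in WATCHED else None


def disabled_services(reg_text):
    """Watched services the .reg file would set to Start = 4 (SERVICE_DISABLED)."""
    return sorted({s for s in (_is_disable(*e) for e in parse_reg(reg_text)) if s})


def flag_events(lines):
    """Same check over the report's 'Set value (int)' rows: (service, writer) pairs."""
    hits = set()
    for line in lines:
        m = _EVENT_RE.match(line.strip())
        if m:
            svc = _is_disable(m["key"], m["name"], int(m["val"]))
            if svc:
                hits.add((svc, m["proc"]))
    return sorted(hits)


# Constructed stand-in for 1.reg (the real file's contents are not in the report).
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv]
"Start"=dword:00000004

; benign: a service left at SERVICE_AUTO_START
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dhcp]
"Start"=dword:00000002
"""

# Two rows copied from the behavioral1 table of this report.
EVENT_SAMPLE = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A',
]

if __name__ == "__main__":
    print(disabled_services(REG_SAMPLE))
    print(flag_events(EVENT_SAMPLE))
```

A .reg file exported by regedit is UTF-16LE with a byte-order mark, so read a real one with open(path, encoding="utf-16") before handing its text to disabled_services. Matching on the trailing \services\<name> component rather than the full path keeps the check working whether the file names CurrentControlSet or, as the sandbox rows do, ControlSet001.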

Drops file in System32 directory

22 events on a single path, C:\Windows\SysWOW64\netX.exe, all with Target N/A, aggregated here by description and writing process:

Description Indicator Process Count
File created C:\Windows\SysWOW64\netX.exe C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe 1
File opened for modification C:\Windows\SysWOW64\netX.exe C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe 1
File created C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe 10
File opened for modification C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe 10

The submitted sample writes netX.exe once; each later netX.exe generation then recreates and reopens the same file, which is why the Files section lists two different hash sets for it.

Suspicious use of WriteProcessMemory

64 rows are listed, all with Indicator N/A; they are aggregated here by writer and target. The list stops after a single row for PID 736 writing to PID 1276, so it is truncated: the memory dumps under Files belong to later PIDs (1776 through 2108) that never appear in this table.

Writes Writer PID Writer image Target PID Target image
9 3036 C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe 2208 C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
4 2208 C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe 2616 C:\Windows\SysWOW64\cmd.exe
4 2208 C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe 1880 C:\Windows\SysWOW64\netX.exe
4 2616 C:\Windows\SysWOW64\cmd.exe 2864 C:\Windows\SysWOW64\regedit.exe
9 1880 C:\Windows\SysWOW64\netX.exe 1972 C:\Windows\SysWOW64\netX.exe
4 1972 C:\Windows\SysWOW64\netX.exe 972 C:\Windows\SysWOW64\cmd.exe
4 972 C:\Windows\SysWOW64\cmd.exe 1080 C:\Windows\SysWOW64\regedit.exe
4 1972 C:\Windows\SysWOW64\netX.exe 1452 C:\Windows\SysWOW64\netX.exe
9 1452 C:\Windows\SysWOW64\netX.exe 292 C:\Windows\SysWOW64\netX.exe
4 292 C:\Windows\SysWOW64\netX.exe 2200 C:\Windows\SysWOW64\cmd.exe
4 2200 C:\Windows\SysWOW64\cmd.exe 2488 C:\Windows\SysWOW64\regedit.exe
4 292 C:\Windows\SysWOW64\netX.exe 736 C:\Windows\SysWOW64\netX.exe
1 736 C:\Windows\SysWOW64\netX.exe 1276 C:\Windows\SysWOW64\netX.exe (list cut off here)

Two write counts recur. Every pair with 9 writes is a process writing into a freshly created copy of its own image (sample into sample, netX.exe into netX.exe); every pair with 4 writes is the ordinary parent-to-child write that accompanies each cmd.exe, regedit.exe and netX.exe launch in this log. Read together with the "Suspicious use of SetThreadContext" signature in the summary, the 9-write pairs are consistent with process hollowing: the child is created suspended, its image is overwritten, and its thread context is redirected before it is resumed. That reading is an interpretation of the counts; the sandbox does not state it directly.
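The write counts are easier to reason about as a tree than as a flat table. The block below is an added example written for this report, not sandbox or sample code: it parses rows in the report's raw "PID X wrote to memory of Y N/A <writer> <target>" form, rebuilds the parent/child tree, and marks children that received many writes from a parent running the same image. ROWS is constructed from the behavioral1 table (PIDs, image paths and per-pair counts copied from the report, stopping after PID 1452 writing to 292). HOLLOW_MIN_WRITES is an assumption: in this log an ordinary child launch shows up as 3 or 4 writes and a parent writing its own image into a fresh copy of itself as 8 or 9.

```python
"""Rebuild a process tree from sandbox "wrote to memory of" rows and flag
process-hollowing candidates.

Added example for this report, not code from the sandbox or the sample.
ROWS is constructed from the behavioral1 table; HOLLOW_MIN_WRITES is an
assumed threshold (3-4 writes per ordinary launch vs 8-9 per self-image write).
"""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
HOLLOW_MIN_WRITES = 8  # assumed threshold, see module docstring


def parse_rows(lines):
    """Count writes per (writer PID, target PID, writer image, target image)."""
    edges = Counter()
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])] += 1
    return edges


def hollowing_candidates(edges):
    """Pairs where a process wrote >= HOLLOW_MIN_WRITES times into a child of its own image."""
    return sorted(
        (src, dst, dst_img)
        for (src, dst, src_img, dst_img), n in edges.items()
        if src_img.lower() == dst_img.lower() and n >= HOLLOW_MIN_WRITES
    )


def roots(edges):
    """Writers that are never a target: the tree roots (here, the submitted sample)."""
    targets = {dst for _, dst, _, _ in edges}
    return sorted({(src, img) for src, _, img, _ in edges if src not in targets})


def render(edges, pid, image):
    """Indented text tree, one line per process; hollowed children are marked."""
    children = defaultdict(list)
    for src, dst, _, dst_img in edges:  # Counter keeps insertion order
        children[src].append((dst, dst_img))
    hollowed = {dst for _, dst, _ in hollowing_candidates(edges)}
    lines = []

    def walk(p, img, depth):
        tag = "  [hollowed]" if p in hollowed else ""
        lines.append(f"{'  ' * depth}{p} {img}{tag}")
        for child, child_img in children.get(p, []):
            walk(child, child_img, depth + 1)

    walk(pid, image, 0)
    return lines


# --- constructed input: behavioral1 rows from the report ---------------------
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
NETX = r"C:\Windows\SysWOW64\netX.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REGEDIT = r"C:\Windows\SysWOW64\regedit.exe"


def _rows(src, dst, src_img, dst_img, n):
    """n identical rows in the report's own line format."""
    return [f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"] * n


ROWS = (
    _rows(3036, 2208, SAMPLE, SAMPLE, 9)
    + _rows(2208, 2616, SAMPLE, CMD, 4)
    + _rows(2208, 1880, SAMPLE, NETX, 4)
    + _rows(2616, 2864, CMD, REGEDIT, 4)
    + _rows(1880, 1972, NETX, NETX, 9)
    + _rows(1972, 972, NETX, CMD, 4)
    + _rows(972, 1080, CMD, REGEDIT, 4)
    + _rows(1972, 1452, NETX, NETX, 4)
    + _rows(1452, 292, NETX, NETX, 9)
)

if __name__ == "__main__":
    edges = parse_rows(ROWS)
    for pid, img in roots(edges):
        print("\n".join(render(edges, pid, img)))
    print(hollowing_candidates(edges))
```

On the constructed rows the tree has ten nodes and three marked children (2208, 1972 and 292), the same three that the aggregated table shows receiving 9 writes from a parent of the same image. The threshold is the only tunable: on the Windows 10 run in behavioral2 the self-image pairs show 8 writes and ordinary launches 3, so 8 still separates them, but a different sandbox build may log different counts.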

Processes

44 processes, listed as image path followed by command line:

Image Command line
C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
C:\Windows\SysWOW64\cmd.exe cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\regedit.exe REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\cmd.exe cmd /c c:\a.bat
C:\Windows\SysWOW64\netX.exe C:\Windows\system32\netX.exe 512 "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
C:\Windows\SysWOW64\netX.exe C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\regedit.exe REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\cmd.exe cmd /c c:\a.bat
C:\Windows\SysWOW64\netX.exe C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe C:\Windows\system32\netX.exe 524 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

The list is one start-up and then a repeating four-process generation. The sample first launches a second copy of itself (the 9-write parent-to-child pair in the table above), runs cmd /c c:\a.bat, which runs REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg, and starts netX.exe with a small number (512 here, 532 or 524 later) followed by the quoted path of the image that launched it; what the number encodes is not recorded in the report. Every following generation consists of one netX.exe launched that way, one plain "C:\Windows\SysWOW64\netX.exe", one cmd /c c:\a.bat and one REGEDIT /S 1.reg, and the 11 regedit.exe runs account for the 11 writes per key in the Modifies security service table. The command lines name C:\Windows\system32\netX.exe while the image path is C:\Windows\SysWOW64\netX.exe: the sample is a 32-bit process (its children are the SysWOW64 builds of cmd.exe and regedit.exe), so WOW64 file-system redirection maps its System32 accesses to SysWOW64 and the file never reaches the real System32 directory.

Network

N/A

Files

Memory dumps are named memory/<pid>-<sequence>-<start>-<end>-memory.dmp. All but one cover 0x0000000000400000-0x0000000000517000, the same image range in each of the eleven processes the sandbox dumped (the exception, memory/2208-10, is a single page at 0x7EFDE000). C:\Users\Admin\AppData\Local\Temp\1.reg appears ten times with ten distinct hash sets, so every generation writes a fresh file even though the registry events recorded above are the same two Start values each time. netX.exe appears twice: the first copy has the same MD5, SHA1 and SHA256 as the submitted sample, the second has different hashes, which matches the "File opened for modification" events from later netX.exe generations.

memory/2208-2-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2208-4-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2208-6-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2208-8-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2208-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2208-12-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2208-14-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2208-16-0x0000000000400000-0x0000000000517000-memory.dmp

C:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 558ce6da965ba1758d112b22e15aa5a2
SHA1 a365542609e4d1dc46be62928b08612fcabe2ede
SHA256 c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb
SHA512 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 7fe70731de9e888ca911baeb99ee503d
SHA1 0073da5273512f66dbf570580dc55957535c2478
SHA256 ec8ce13a4cab475695329eddc61ff2eee378e79f0d2f9ca3a9bc7b18bd52b89a
SHA512 4421df7085fd2aac218d5544152d77080b99c1eaa24076975a6b1bb01149a19a1c0d6cc2c042cd507b37af9a220e7ce1f026103cdabfaec5994b1533c2f3eeac

\Windows\SysWOW64\netX.exe

MD5 a81de519432b6d76d9b881cff0cf9cef
SHA1 e35a6446307b3e55db9097cee2cdeec87e6145b6
SHA256 bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce
SHA512 eb10557925254fa38759998c04dab4429e8a90574a6cd4aa3e0c3fea109c4dd80dd23781a5a92a5d4501d4befb057053d3c1e33f40181db379a932f06cf41730

C:\Windows\SysWOW64\netX.exe

MD5 a44ba2322cc89663d4f956a1f29b124b
SHA1 f27eabd4a09aa6063c591bd2fb64dbb0aad0955b
SHA256 70c777afc8d0c0825ac19eccec2ca19b815b24f125ad5df70e9c19fbf0494f40
SHA512 98cb33d231971176fc8744cfa106d1791e10fe1538ca66f9b28750b7a90e9aa9b2ecf9a8f285bd2889e513c6a5535e7f9844ef93cef5ea82254510af545c55ba

memory/2208-150-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1972-167-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 54ca6e3ef1c12b994043e85a8c9895f0
SHA1 5eaccfb482cbe24cf5c3203ffdc926184097427e
SHA256 0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0
SHA512 925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5a466127fedf6dbcd99adc917bd74581
SHA1 a2e60b101c8789b59360d95a64ec07d0723c4d38
SHA256 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84
SHA512 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

memory/1972-277-0x0000000000400000-0x0000000000517000-memory.dmp

memory/292-306-0x0000000000400000-0x0000000000517000-memory.dmp

memory/292-415-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1276-445-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1276-553-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1776-582-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1776-707-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2580-721-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2580-846-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1340-860-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1340-987-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2556-993-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5f6aefafda312b288b7d555c1fc36dc9
SHA1 f25e2fdea9dd714d0fae68af71cace7bb49302ce
SHA256 60f6d3cbf831857bf18e46a43ff403a03e2035d9430a72d768ea9cec1947917a
SHA512 97f0250ba79b008d7632a2f32a7b851d9ca87f116b2854d5343c120511cfd55551a1f3eb3e0959602656b39b3f86003a0f9d04243ceb8b73d28eb9bb9449a6de

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 b79d7c7385eb2936ecd5681762227a9b
SHA1 c2a21fb49bd3cc8be9baac1bf6f6389453ad785d
SHA256 fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019
SHA512 7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

memory/2556-1123-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1588-1138-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2372-1271-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1588-1270-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 908860a865f8ed2e14085e35256578dd
SHA1 7ff5ee35cc7e96a661848eb95a70d0b8d2d78603
SHA256 d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f
SHA512 a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 501effddf60a974e98b67dc8921aa7e8
SHA1 734dfe4b508dbc1527ec92e91821a1251aec5b2e
SHA256 672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06
SHA512 28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6bf876cd9994f0d41be4eca36d22c42a
SHA1 50cda4b940e6ba730ce59000cfc59e6c4d7fdc79
SHA256 ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a
SHA512 605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

memory/2372-1400-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2108-1416-0x0000000000400000-0x0000000000517000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 03:36

Reported

2024-02-27 03:38

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"

Signatures

Detect Lumma Stealer payload V4

44 matches; the report records no indicator, process or target detail for any of them.

Lumma Stealer

stealer lumma

Modifies security service

evasion

22 "Set value (int)" events, all performed by C:\Windows\SysWOW64\regedit.exe with Target N/A, aggregated here by registry key:

Description Indicator Process Count
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe 11
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe 11

Start = 4 is SERVICE_DISABLED; the targets are Windows Update (wuauserv) and the Security Center service (wscsvc). The same two keys, with the same 11-per-key count, were hit on the Windows 7 run, so the behaviour does not depend on the platform.

Drops file in System32 directory

22 events on a single path, C:\Windows\SysWOW64\netX.exe, all with Target N/A, aggregated here by description and writing process:

Description Indicator Process Count
File created C:\Windows\SysWOW64\netX.exe C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe 1
File opened for modification C:\Windows\SysWOW64\netX.exe C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe 1
File created C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe 10
File opened for modification C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe 10

Suspicious use of WriteProcessMemory

41 rows are listed, all with Indicator N/A, aggregated here by writer and target. The report is cut off inside this table: the last pair (5052 writing to 2100) is incomplete, and the behavioral2 Processes, Network and Files sections named in the table of contents are not on this page.

Writes Writer PID Writer image Target PID Target image
8 864 C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe 3904 C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
3 3904 C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe 1764 C:\Windows\SysWOW64\cmd.exe
3 1764 C:\Windows\SysWOW64\cmd.exe 1004 C:\Windows\SysWOW64\regedit.exe
3 3904 C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe 5044 C:\Windows\SysWOW64\netX.exe
8 5044 C:\Windows\SysWOW64\netX.exe 4172 C:\Windows\SysWOW64\netX.exe
3 4172 C:\Windows\SysWOW64\netX.exe 2616 C:\Windows\SysWOW64\cmd.exe
3 2616 C:\Windows\SysWOW64\cmd.exe 2344 C:\Windows\SysWOW64\regedit.exe
3 4172 C:\Windows\SysWOW64\netX.exe 5052 C:\Windows\SysWOW64\netX.exe
7 5052 C:\Windows\SysWOW64\netX.exe 2100 C:\Windows\SysWOW64\netX.exe (list cut off here)

The shape is the same as on Windows 7, with slightly different counts: 8 writes whenever a process writes into a fresh copy of its own image (sample into sample, netX.exe into netX.exe) and 3 for each ordinary child launch. The chain sample, hollowed sample, cmd.exe, regedit.exe, netX.exe, hollowed netX.exe repeats exactly as in behavioral1.
PID 5052 wrote to memory of 2100 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe
PID 2100 wrote to memory of 872 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 872 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 872 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 872 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 872 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2100 wrote to memory of 4016 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe
PID 2100 wrote to memory of 4016 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe
PID 2100 wrote to memory of 4016 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe
PID 4016 wrote to memory of 3256 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe
PID 4016 wrote to memory of 3256 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe
PID 4016 wrote to memory of 3256 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe
PID 4016 wrote to memory of 3256 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe
PID 4016 wrote to memory of 3256 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe
PID 4016 wrote to memory of 3256 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe
PID 4016 wrote to memory of 3256 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe
PID 4016 wrote to memory of 3256 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\netX.exe
PID 3256 wrote to memory of 3160 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\cmd.exe
PID 3256 wrote to memory of 3160 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\cmd.exe
PID 3256 wrote to memory of 3160 N/A C:\Windows\SysWOW64\netX.exe C:\Windows\SysWOW64\cmd.exe
PID 3160 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3160 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
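
Read as a chain rather than as a list, the rows above give the injection pattern a hunt would key on. Every ordinary child spawn in this table (cmd.exe to regedit.exe, netX.exe to cmd.exe, the sample to netX.exe) is accompanied by exactly three writes. The pairs where the writer's image is also the target's image carry four (864 to 3904) or eight (5044 to 4172, 5052 to 2100, 4016 to 3256), and those four target PIDs are exactly the ones whose 0x0000000000400000-0x0000000000517000 region appears as memory dumps in the Files section; together with the "Suspicious use of SetThreadContext" signature that is the process-hollowing pattern. The two netX.exe to netX.exe pairs with only three writes (4172 to 5052, 2100 to 4016) are the plain relaunches visible in the process list as netX.exe <pid> "C:\Windows\SysWOW64\netX.exe". The script below is an added example, not part of the report or the sample: it parses rows in the table's layout (the REPORT list reproduces the rows above, including the cut-off after two 3160 to 4000 rows), classifies each writer/target pair, and prints the tree. Treating three writes as the spawn baseline is an observation from this table, not a documented Windows constant.

```python
"""Rebuild the injection chain from the report's WriteProcessMemory rows.

Added example, not part of the sandbox report or the sample. Row layout
("PID <src> wrote to memory of <dst> N/A <src image> <dst image>") is read
from the flattened table; the three-writes-per-ordinary-spawn baseline is
what this table shows, not a documented Windows constant.
"""
import ntpath
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REGEDIT = r"C:\Windows\SysWOW64\regedit.exe"
NETX = r"C:\Windows\SysWOW64\netX.exe"

# (writer pid, target pid, writer image, target image, rows in the report).
# Constructed from the table above; the table is cut off after two
# 3160 -> 4000 rows, so that pair is under-counted.
REPORT = [
    (864, 3904, SAMPLE, SAMPLE, 4), (3904, 1764, SAMPLE, CMD, 3),
    (1764, 1004, CMD, REGEDIT, 3), (3904, 5044, SAMPLE, NETX, 3),
    (5044, 4172, NETX, NETX, 8), (4172, 2616, NETX, CMD, 3),
    (2616, 2344, CMD, REGEDIT, 3), (4172, 5052, NETX, NETX, 3),
    (5052, 2100, NETX, NETX, 8), (2100, 872, NETX, CMD, 3),
    (872, 4944, CMD, REGEDIT, 3), (2100, 4016, NETX, NETX, 3),
    (4016, 3256, NETX, NETX, 8), (3256, 3160, NETX, CMD, 3),
    (3160, 4000, CMD, REGEDIT, 2),
]

# Re-create the flattened table text, one line per reported write.
ROWS = "\n".join(
    f"PID {s} wrote to memory of {d} N/A {si} {di}"
    for s, d, si, di, n in REPORT for _ in range(n)
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """One (src_pid, dst_pid, src_image, dst_image) tuple per table row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def classify_pairs(events, baseline=3):
    """Label each writer -> target pair.

    'hollowing': same image on both sides and more writes than an ordinary
                 spawn (4 and 8 here against a baseline of 3); these are the
                 PIDs whose 0x400000-0x517000 region the sandbox dumped.
    'relaunch' : same image, baseline writes: a plain re-execution.
    'spawn'    : different image, e.g. netX.exe -> cmd.exe -> regedit.exe.
    """
    out = {}
    for (src, dst, si, di), n in Counter(events).items():
        same = ntpath.basename(si).lower() == ntpath.basename(di).lower()
        if same and n > baseline:
            label = "hollowing"
        elif same:
            label = "relaunch"
        else:
            label = "spawn"
        out[(src, dst)] = (label, n)
    return out


def process_tree(events, root):
    """Indented writer -> target tree, one line per process."""
    children, image = defaultdict(list), {}
    for src, dst, si, di in events:
        image.setdefault(src, si)
        image.setdefault(dst, di)
        if dst not in children[src]:
            children[src].append(dst)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {ntpath.basename(image[pid])}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    ev = parse_rows(ROWS)
    for (s, d), (label, n) in sorted(classify_pairs(ev).items()):
        print(f"{s:>5} -> {d:<5} {label:<9} writes={n}")
    print("\n".join(process_tree(ev, 864)))
```

Run against a full export of the table, the "hollowing" pairs are the PIDs to pull memory from and the "relaunch" pairs mark each new generation of the netX.exe loop.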

Processes

C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe

"C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"

C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe

"C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\netX.exe

C:\Windows\system32\netX.exe 1136 "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"

C:\Windows\SysWOW64\netX.exe

C:\Windows\SysWOW64\netX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\netX.exe

C:\Windows\system32\netX.exe 1168 "C:\Windows\SysWOW64\netX.exe"

C:\Windows\SysWOW64\netX.exe

"C:\Windows\SysWOW64\netX.exe" €s¦ˆ

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\netX.exe

C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"

C:\Windows\SysWOW64\netX.exe

"C:\Windows\SysWOW64\netX.exe" €

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4196 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\netX.exe

C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"

C:\Windows\SysWOW64\netX.exe

"C:\Windows\SysWOW64\netX.exe" €H‡ÿ‘

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\netX.exe

C:\Windows\system32\netX.exe 1140 "C:\Windows\SysWOW64\netX.exe"

C:\Windows\SysWOW64\netX.exe

"C:\Windows\SysWOW64\netX.exe" €Y;Úc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\netX.exe

C:\Windows\system32\netX.exe 1144 "C:\Windows\SysWOW64\netX.exe"

C:\Windows\SysWOW64\netX.exe

C:\Windows\SysWOW64\netX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\netX.exe

C:\Windows\system32\netX.exe 1140 "C:\Windows\SysWOW64\netX.exe"

C:\Windows\SysWOW64\netX.exe

C:\Windows\SysWOW64\netX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\netX.exe

C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"

C:\Windows\SysWOW64\netX.exe

C:\Windows\SysWOW64\netX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\netX.exe

C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"

C:\Windows\SysWOW64\netX.exe

C:\Windows\SysWOW64\netX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\netX.exe

C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"

C:\Windows\SysWOW64\netX.exe

C:\Windows\SysWOW64\netX.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
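
Two details in the process list matter when it is turned into a hunt query. First, the command lines say C:\Windows\system32\netX.exe and C:\Windows\system32\cmd.exe while the image paths, and the Files section, say SysWOW64: the sample is 32-bit, so WOW64 file-system redirection serves SysWOW64 for any System32 path it asks for, and a query that matches only on the command-line path will not find the file on disk. Second, the repeating unit is fixed: netX.exe <pid> "<path of the previous executable>", then a netX.exe child started with non-printable argument bytes (rendered above as €s¦ˆ and similar), then cmd.exe /c c:\a.bat, then REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg. The checker below is an added example, not part of the report; the rule names are its own and PROCESSES is a constructed subset of the list above.

```python
"""Command-line checks for the process list above.

Added example, not part of the report. It reads the report's
"image path / command line" pairs and flags the patterns a hunt query
would key on. Rule names are this example's own; the WOW64 rule encodes
file-system redirection (a 32-bit process asking for
C:\\Windows\\system32\\ is served C:\\Windows\\SysWOW64\\), which is why the
command lines say system32 while the image paths say SysWOW64.
"""
import ntpath
import re

# Constructed subset of the report's process list, as image path then
# command line. The last entry keeps the binary argument the sandbox
# rendered as a single non-ASCII character.
PROCESSES = r"""
C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
"C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 1136 "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe" €
"""

SYSTEM32 = r"c:\windows\system32"
SYSWOW64 = r"c:\windows\syswow64"


def parse_processes(text):
    """(image path, command line) pairs from the flattened list."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return list(zip(lines[0::2], lines[1::2]))


def split_cmdline(cmdline):
    """argv[0] (quoted or bare) and the rest of the command line."""
    m = re.match(r'^(?:"([^"]+)"|(\S+))\s*(.*)$', cmdline)
    return (m.group(1) or m.group(2)), m.group(3)


def check_process(image, cmdline):
    exe, args = split_cmdline(cmdline)
    name = ntpath.basename(image).lower()
    findings = []
    # regedit /S imports silently; a .reg under the user's Temp is the pattern here.
    if name == "regedit.exe" and re.search(r"(?i)(^|\s)/s(\s|$)", args) \
            and re.search(r"(?i)\\appdata\\local\\temp\\", args):
        findings.append("silent-reg-import-from-temp")
    # cmd /c <drive>:\<file>.bat at the drive root (c:\a.bat above).
    if name == "cmd.exe" and re.search(r"(?i)/c\s+[a-z]:\\[^\\\s]+\.bat\b", args):
        findings.append("bat-at-drive-root")
    # <pid> "<path to an exe>": the argument shape netX.exe uses to relaunch.
    if re.fullmatch(r'\d+\s+"[^"]+\.exe"\s*', args, re.I):
        findings.append("pid-and-path-args")
    # Bytes outside printable ASCII passed as an argument.
    if any(not 0x20 <= ord(c) <= 0x7E for c in args):
        findings.append("non-printable-args")
    # Command line names System32 but the mapped image lives in SysWOW64.
    if ntpath.dirname(exe).lower() == SYSTEM32 and ntpath.dirname(image).lower() == SYSWOW64:
        findings.append("wow64-redirected-image")
    return findings


def scan(text):
    """(image basename, findings) for every process in the list."""
    return [(ntpath.basename(img), check_process(img, cl))
            for img, cl in parse_processes(text)]


if __name__ == "__main__":
    for name, hits in scan(PROCESSES):
        print(f"{name:<40} {', '.join(hits) or '-'}")
```

The WOW64 rule is a normalisation reminder rather than an indicator on its own: any 32-bit program launching a System32 binary produces the same mismatch, so it should widen the path match to both directories rather than raise an alert.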

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.180.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

memory/3904-2-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3904-3-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3904-4-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3904-6-0x0000000000400000-0x0000000000517000-memory.dmp

\??\c:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 3a1a83c2ffad464e87a2f9a502b7b9f1
SHA1 4ffa65ecdd0455499c8cd6d05947605340cbf426
SHA256 73ed949fba75a20288ac2d1e367180d4c8837fd31c66143707768d5b0e3bd8b6
SHA512 8232967faaf29b8b93b5042ba2bb1fcb6d0f0f2fa0e19573b1fe49f526ba434c5e76e932829e3c71beb0903e42c293ed202b619fee8aba93efe4a99e8aec55e2

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c2d6056624c1d37b1baf4445d8705378
SHA1 90c0b48eca9016a7d07248ecdb7b93bf3e2f1a83
SHA256 3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96
SHA512 d199ce15627b85d75c9c3ec5c91fa15b2f799975034e0bd0526c096f41afea4ff6d191a106f626044fbfae264e2b0f3776fde326fc0c2d0dc8d83de66adc7c29

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

C:\Windows\SysWOW64\netX.exe

MD5 eef77222a3e979f58cb3b5c08cbddd68
SHA1 e20201618d329c4cee535a85c7e64511e99c0976
SHA256 c90406c4af8728ec268159452abdca3d1f670a6af3caea7daa4796129ed8820c
SHA512 32cb83cf924f937204b2cee2f5103676d74b77a05a32e7dbaf1d07395956c0f6078ec3da3383ffdf0ae8d60075f979e7e0c33e97c5a22863a87ec363dcc1a602

C:\Windows\SysWOW64\netX.exe

MD5 a81de519432b6d76d9b881cff0cf9cef
SHA1 e35a6446307b3e55db9097cee2cdeec87e6145b6
SHA256 bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce
SHA512 eb10557925254fa38759998c04dab4429e8a90574a6cd4aa3e0c3fea109c4dd80dd23781a5a92a5d4501d4befb057053d3c1e33f40181db379a932f06cf41730

memory/4172-126-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4172-127-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3904-129-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4172-131-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d8be0d42e512d922804552250f01eb90
SHA1 cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3
SHA256 901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82
SHA512 f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 63ff40a70037650fd0acfd68314ffc94
SHA1 1ab29adec6714edf286485ac5889fddb1d092e93
SHA256 1e607f10a90fdbaffe26e81c9a5f320fb9c954391d2adcc55fdfdfca1601714b
SHA512 2b41ce69cd1541897fbae5497f06779ac8182ff84fbf29ac29b7c2b234753fe44e7dfc6e4c257af222d466536fa4e50e247dcb68a9e1ad7766245dedfcfb6fdc

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 752fd85212d47da8f0adc29004a573b2
SHA1 fa8fe3ff766601db46412879dc13dbec8d055965
SHA256 9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e
SHA512 d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d085cde42c14e8ee2a5e8870d08aee42
SHA1 c8e967f1d301f97dbcf252d7e1677e590126f994
SHA256 a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f
SHA512 de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

memory/4172-241-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2100-248-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2100-247-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2100-252-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a13ff758fc4326eaa44582bc9700aead
SHA1 a4927b4a3b84526c5c42a077ade4652ab308f83f
SHA256 c0915178e63bf84c54e9c942b5cc80327c24d84125042767d7e1e2ef3e004588
SHA512 86c336086a1d0ca689e133df8e3c3ec83eeef86649dbf8b9d367c3e543358ad54f69d1a20d56c56200e294f22b2741186db0f359051159b4e670d3e9b5861842

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5aa228bc61037ddaf7a22dab4a04e9a1
SHA1 b50fcd8f643ea748f989a06e38c778884b3c19f2
SHA256 65c7c12f00303ec69556e7e108d2fb3881b761b5e68d12e8ae94d80ab1fd7d8b
SHA512 2ac1a9465083463a116b33039b4c4014433bda78a61e6312dde0e8f74f0a6a6881017041985871badee442a693d66385fe87cbfc60f1309f7a3c9fb59ec6f2aa

memory/2100-362-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3256-368-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3256-372-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3256-369-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3256-483-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1948-489-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1948-490-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1948-493-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 294976e85ad11a45853f99c1b208723f
SHA1 8d83101d69420b5af97ec517165d849d3ab498fc
SHA256 04fe02d621f3d9853840b27476da4a191fc91592a77632f9cf85d4ef0370acff
SHA512 e8193036e0e411afe75c1e23f9ce1a7f32d1297706cdd0d99c20375dd7a2bdfb23cc550015852f36816668f0d085042afe74fcfff294f90854ea70f3b929a9d6

memory/1948-604-0x0000000000400000-0x0000000000517000-memory.dmp

memory/552-610-0x0000000000400000-0x0000000000517000-memory.dmp

memory/552-611-0x0000000000400000-0x0000000000517000-memory.dmp

memory/552-613-0x0000000000400000-0x0000000000517000-memory.dmp

memory/552-725-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Windows\SysWOW64\netX.exe

MD5 3e18bc121e44850ac941541a4ad7126e
SHA1 5e8e589d5ce5d6c119fa879b64606060a04ff0b7
SHA256 ee067497e476ac34d73c10dd72a992020bcceb2165d3454e6c7efc7eaf41027e
SHA512 ff53391ae2f51e6e3acc8e39e75d0d20268b369fa6f268cb24ab37d2ad9160f16d6323a81805becaaacd648c8d34f62d89033cfd3d3aeb47925bffd74d3f69f6

memory/1096-731-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1096-732-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f1cbbc2ce0d93c45a92edcc86780e9f0
SHA1 d893306caae2584cdeba4c80c3bfe18548fa227a
SHA256 6646122747280612f7cb0e88c16544e472aae7c20217b711bbee8f10562e49c7
SHA512 b4ba834ab846d1dc9bbeca52e54705cdbf010687a5c1c54a82fddc15c64025528ef874213a59d1be5fb7ada7abd0862235a0c924f10819fbbfb36bd2ba29adf7

memory/1096-767-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1096-846-0x0000000000400000-0x0000000000517000-memory.dmp

memory/5060-852-0x0000000000400000-0x0000000000517000-memory.dmp

memory/5060-853-0x0000000000400000-0x0000000000517000-memory.dmp

memory/5060-857-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1b2949b211ab497b739b1daf37cd4101
SHA1 12cad1063d28129ddd89e80acc2940f8dfbbaab3
SHA256 3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c
SHA512 a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef

memory/5060-967-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4548-973-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4548-974-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4548-977-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4548-1088-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1772-1094-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1772-1095-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1772-1098-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5002319f56002f8d7ceacecf8672ce25
SHA1 3b26b6801be4768cc7582e29bc93facdf2a74be3
SHA256 f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c
SHA512 8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a437192517c26d96c8cee8d5a27dd560
SHA1 f665a3e5e5c141e4527509dffd30b0320aa8df6f
SHA256 d0ec3ddd0503ee6ddae52c33b6c0b8780c73b8f27ca3aadc073f7fa512702e23
SHA512 f9538163b6c41ff5419cb12a9c103c0da5afbfe6237317985d45ff243c4f15ee89a86eab2b4d02cbda1a14596d2f24d3d1cdf05bb3e5fd931fbe9be4b869aa41

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8d6eb64e58d3f14686110fcaf1363269
SHA1 d85c0b208716b400894ba4cb569a5af4aa178a2f
SHA256 c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5
SHA512 5022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7

memory/1772-1209-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3868-1215-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3868-1216-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3868-1220-0x0000000000400000-0x0000000000517000-memory.dmp
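
Not everything in the Files section is an equally good indicator. C:\Users\Admin\AppData\Local\Temp\1.reg appears fifteen times with fifteen different hashes, and C:\Windows\SysWOW64\netX.exe appears three times with three different hashes, one of which (MD5 a81de519432b6d76d9b881cff0cf9cef, SHA256 bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce) is the submitted sample itself. The sample's own SHA256 therefore also identifies the self-copy, while per-file hashes of the dropped artefacts will not survive another run and the durable indicators are the paths and the process chain. The memory dumps cover eleven PIDs (3904, 4172, 2100, 3256, 1948, 552, 1096, 5060, 4548, 1772, 3868), only four of which appear in the truncated WriteProcessMemory table, so the loop hollowed at least eleven processes during the run; every dump is the same 0x0000000000400000-0x0000000000517000 range, a 0x117000-byte image at the default 32-bit image base, and those dumps are the natural input for a payload signature such as the report's "Detect Lumma Stealer payload V4". The parser below is an added example, not part of the report; FILES is a constructed subset carrying MD5 and SHA256 only, and the \??\ prefix on a.bat is the NT path form under which the sandbox recorded that write.

```python
"""Pull IOCs out of the report's "Files" section.

Added example, not part of the report. It parses the flattened
"path, then hash lines" entries and the memory/<pid>-<seq>-<start>-<end>
dump names, then separates what is worth matching on (the sample's own
SHA256, which also identifies the netX.exe self-copy; the dumped PIDs and
image region) from what is not (per-run hashes of 1.reg and netX.exe).
"""
import ntpath
import re
from collections import defaultdict

SAMPLE_SHA256 = "bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce"

# Constructed subset of the report's Files section (MD5 and SHA256 only;
# the report also gives SHA1 and SHA512 for every dropped file).
FILES = r"""
\??\c:\a.bat
MD5 0019a0451cc6b9659762c3e274bc04fb
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
C:\Users\Admin\AppData\Local\Temp\1.reg
MD5 3a1a83c2ffad464e87a2f9a502b7b9f1
SHA256 73ed949fba75a20288ac2d1e367180d4c8837fd31c66143707768d5b0e3bd8b6
C:\Users\Admin\AppData\Local\Temp\1.reg
MD5 c2d6056624c1d37b1baf4445d8705378
SHA256 3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96
C:\Windows\SysWOW64\netX.exe
MD5 eef77222a3e979f58cb3b5c08cbddd68
SHA256 c90406c4af8728ec268159452abdca3d1f670a6af3caea7daa4796129ed8820c
C:\Windows\SysWOW64\netX.exe
MD5 a81de519432b6d76d9b881cff0cf9cef
SHA256 bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce
memory/3904-2-0x0000000000400000-0x0000000000517000-memory.dmp
memory/4172-126-0x0000000000400000-0x0000000000517000-memory.dmp
memory/2100-248-0x0000000000400000-0x0000000000517000-memory.dmp
memory/3256-368-0x0000000000400000-0x0000000000517000-memory.dmp
memory/1948-489-0x0000000000400000-0x0000000000517000-memory.dmp
memory/3868-1215-0x0000000000400000-0x0000000000517000-memory.dmp
C:\Windows\SysWOW64\netX.exe
MD5 3e18bc121e44850ac941541a4ad7126e
SHA256 ee067497e476ac34d73c10dd72a992020bcceb2165d3454e6c7efc7eaf41027e
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)


def normalize_path(path):
    """Drop the NT object-manager prefix the sandbox kept on \\??\\c:\\a.bat."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_files(text):
    """Return (files, dumps): dicts with path and hashes, and
    (pid, seq, start, end) tuples for the memory dumps."""
    files, dumps, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            dumps.append((int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m[1].upper()] = m[2].lower()
            continue
        current = {"path": normalize_path(line)}
        files.append(current)
    return files, dumps


def hashes_by_name(files):
    """Lower-cased basename -> set of SHA256 values seen for that name."""
    out = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            out[ntpath.basename(f["path"]).lower()].add(f["SHA256"])
    return dict(out)


def self_copies(files, sample_sha256=SAMPLE_SHA256):
    """Dropped files that are byte-for-byte the submitted sample."""
    return [f["path"] for f in files if f.get("SHA256") == sample_sha256]


def volatile_names(files):
    """Names written with more than one distinct content: poor hash IOCs."""
    return sorted(n for n, h in hashes_by_name(files).items() if len(h) > 1)


def dump_summary(dumps):
    """PIDs the sandbox dumped and the (start, end, size) regions involved."""
    return {
        "pids": sorted({pid for pid, _, _, _ in dumps}),
        "regions": sorted({(s, e, e - s) for _, _, s, e in dumps}),
    }


if __name__ == "__main__":
    files, dumps = parse_files(FILES)
    print("self-copies of the sample:", self_copies(files))
    print("names with per-run hashes:", volatile_names(files))
    print("dumps:", dump_summary(dumps))
```

Keyed on the full section rather than this subset, volatile_names() returns the same two names and dump_summary() lists all eleven PIDs with the single 0x400000-0x517000 region.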