lumma | 8e938e1b74eb68ee2b1061b30c8290b08c0d64b93cbc193c84ee963237a431e2

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
Size

543KB
MD5

fd6b82855a5dee211180e8e2acfe61c2
SHA1

74fff0793248cc7eb65bd423799e8bb89dd5dde2
SHA256

8e938e1b74eb68ee2b1061b30c8290b08c0d64b93cbc193c84ee963237a431e2
SHA512

f22e05167c16978d72d8db0724cd7f81434c64001cf46add0e90daae5b9b2c5bafcb23ae421b4675b6c86ec903abc68a151dd97d69d7170d1b97bc49b6a606c2
SSDEEP

12288:GDflNwb6MUmxpbMXesgag6sXMZG/wL9SFkmbgbNBELtL:Elk3xdR56sXCaWQNbeNiJ

Score

10^/10

lumma stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2324-10-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-9-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-12-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-13-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-11-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-14-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-16-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-17-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-18-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-20-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-21-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-19-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-22-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-23-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-25-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-26-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-27-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-24-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-28-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-15-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-29-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-30-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-31-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-33-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-34-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-32-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-36-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-37-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-35-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-38-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-39-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-40-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-41-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-42-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-45-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-46-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-44-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-47-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-43-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-48-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-49-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-50-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-51-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-52-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-53-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-55-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-57-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-58-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-59-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-63-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-64-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-62-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-61-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-60-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-56-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-54-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2324-199-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/1752-394-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2476-587-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/608-780-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2752-973-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/2808-1165-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/1420-1359-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4
behavioral1/memory/3052-1551-0x0000000000400000-0x000000000065D000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 18 IoCs

Processes:

adasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exe

pid	process
1580	adasoftw.exe
1752	adasoftw.exe
2488	adasoftw.exe
2476	adasoftw.exe
1048	adasoftw.exe
608	adasoftw.exe
2320	adasoftw.exe
2752	adasoftw.exe
964	adasoftw.exe
2808	adasoftw.exe
2016	adasoftw.exe
1420	adasoftw.exe
1916	adasoftw.exe
3052	adasoftw.exe
1636	adasoftw.exe
2236	adasoftw.exe
2356	adasoftw.exe
2848	adasoftw.exe

Loads dropped DLL 20 IoCs

Processes:

fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exe

pid	process
2324	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
2324	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
1580	adasoftw.exe
1580	adasoftw.exe
1752	adasoftw.exe
1752	adasoftw.exe
2476	adasoftw.exe
2476	adasoftw.exe
608	adasoftw.exe
608	adasoftw.exe
2752	adasoftw.exe
2752	adasoftw.exe
2808	adasoftw.exe
2808	adasoftw.exe
1420	adasoftw.exe
1420	adasoftw.exe
3052	adasoftw.exe
3052	adasoftw.exe
2236	adasoftw.exe
2236	adasoftw.exe

Drops file in System32 directory 20 IoCs

Processes:

fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exe

description	ioc	process
File created	C:\Windows\SysWOW64\adasoftw.exe	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\adasoftw.exe	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File created	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File created	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File opened for modification	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File created	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File opened for modification	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File opened for modification	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File created	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File opened for modification	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File created	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File created	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File created	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File opened for modification	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File created	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File opened for modification	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File opened for modification	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File created	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe
File opened for modification	C:\Windows\SysWOW64\adasoftw.exe	adasoftw.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exe

description	pid	process	target process
PID 2864 set thread context of 2324	2864	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
PID 1580 set thread context of 1752	1580	adasoftw.exe	adasoftw.exe
PID 2488 set thread context of 2476	2488	adasoftw.exe	adasoftw.exe
PID 1048 set thread context of 608	1048	adasoftw.exe	adasoftw.exe
PID 2320 set thread context of 2752	2320	adasoftw.exe	adasoftw.exe
PID 964 set thread context of 2808	964	adasoftw.exe	adasoftw.exe
PID 2016 set thread context of 1420	2016	adasoftw.exe	adasoftw.exe
PID 1916 set thread context of 3052	1916	adasoftw.exe	adasoftw.exe
PID 1636 set thread context of 2236	1636	adasoftw.exe	adasoftw.exe
PID 2356 set thread context of 2848	2356	adasoftw.exe	adasoftw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exefd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exeadasoftw.exe

description	pid	process	target process
PID 2864 wrote to memory of 2916	2864	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
PID 2864 wrote to memory of 2916	2864	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
PID 2864 wrote to memory of 2916	2864	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
PID 2864 wrote to memory of 2916	2864	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
PID 2864 wrote to memory of 2324	2864	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
PID 2864 wrote to memory of 2324	2864	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
PID 2864 wrote to memory of 2324	2864	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
PID 2864 wrote to memory of 2324	2864	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
PID 2864 wrote to memory of 2324	2864	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
PID 2864 wrote to memory of 2324	2864	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
PID 2324 wrote to memory of 1580	2324	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	adasoftw.exe
PID 2324 wrote to memory of 1580	2324	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	adasoftw.exe
PID 2324 wrote to memory of 1580	2324	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	adasoftw.exe
PID 2324 wrote to memory of 1580	2324	fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe	adasoftw.exe
PID 1580 wrote to memory of 2116	1580	adasoftw.exe	adasoftw.exe
PID 1580 wrote to memory of 2116	1580	adasoftw.exe	adasoftw.exe
PID 1580 wrote to memory of 2116	1580	adasoftw.exe	adasoftw.exe
PID 1580 wrote to memory of 2116	1580	adasoftw.exe	adasoftw.exe
PID 1580 wrote to memory of 1752	1580	adasoftw.exe	adasoftw.exe
PID 1580 wrote to memory of 1752	1580	adasoftw.exe	adasoftw.exe
PID 1580 wrote to memory of 1752	1580	adasoftw.exe	adasoftw.exe
PID 1580 wrote to memory of 1752	1580	adasoftw.exe	adasoftw.exe
PID 1580 wrote to memory of 1752	1580	adasoftw.exe	adasoftw.exe
PID 1580 wrote to memory of 1752	1580	adasoftw.exe	adasoftw.exe
PID 1752 wrote to memory of 2488	1752	adasoftw.exe	adasoftw.exe
PID 1752 wrote to memory of 2488	1752	adasoftw.exe	adasoftw.exe
PID 1752 wrote to memory of 2488	1752	adasoftw.exe	adasoftw.exe
PID 1752 wrote to memory of 2488	1752	adasoftw.exe	adasoftw.exe
PID 2488 wrote to memory of 2764	2488	adasoftw.exe	adasoftw.exe
PID 2488 wrote to memory of 2764	2488	adasoftw.exe	adasoftw.exe
PID 2488 wrote to memory of 2764	2488	adasoftw.exe	adasoftw.exe
PID 2488 wrote to memory of 2764	2488	adasoftw.exe	adasoftw.exe
PID 2488 wrote to memory of 2476	2488	adasoftw.exe	adasoftw.exe
PID 2488 wrote to memory of 2476	2488	adasoftw.exe	adasoftw.exe
PID 2488 wrote to memory of 2476	2488	adasoftw.exe	adasoftw.exe
PID 2488 wrote to memory of 2476	2488	adasoftw.exe	adasoftw.exe
PID 2488 wrote to memory of 2476	2488	adasoftw.exe	adasoftw.exe
PID 2488 wrote to memory of 2476	2488	adasoftw.exe	adasoftw.exe
PID 2476 wrote to memory of 1048	2476	adasoftw.exe	adasoftw.exe
PID 2476 wrote to memory of 1048	2476	adasoftw.exe	adasoftw.exe
PID 2476 wrote to memory of 1048	2476	adasoftw.exe	adasoftw.exe
PID 2476 wrote to memory of 1048	2476	adasoftw.exe	adasoftw.exe
PID 1048 wrote to memory of 1080	1048	adasoftw.exe	adasoftw.exe
PID 1048 wrote to memory of 1080	1048	adasoftw.exe	adasoftw.exe
PID 1048 wrote to memory of 1080	1048	adasoftw.exe	adasoftw.exe
PID 1048 wrote to memory of 1080	1048	adasoftw.exe	adasoftw.exe
PID 1048 wrote to memory of 608	1048	adasoftw.exe	adasoftw.exe
PID 1048 wrote to memory of 608	1048	adasoftw.exe	adasoftw.exe
PID 1048 wrote to memory of 608	1048	adasoftw.exe	adasoftw.exe
PID 1048 wrote to memory of 608	1048	adasoftw.exe	adasoftw.exe
PID 1048 wrote to memory of 608	1048	adasoftw.exe	adasoftw.exe
PID 1048 wrote to memory of 608	1048	adasoftw.exe	adasoftw.exe
PID 608 wrote to memory of 2320	608	adasoftw.exe	adasoftw.exe
PID 608 wrote to memory of 2320	608	adasoftw.exe	adasoftw.exe
PID 608 wrote to memory of 2320	608	adasoftw.exe	adasoftw.exe
PID 608 wrote to memory of 2320	608	adasoftw.exe	adasoftw.exe
PID 2320 wrote to memory of 2804	2320	adasoftw.exe	adasoftw.exe
PID 2320 wrote to memory of 2804	2320	adasoftw.exe	adasoftw.exe
PID 2320 wrote to memory of 2804	2320	adasoftw.exe	adasoftw.exe
PID 2320 wrote to memory of 2804	2320	adasoftw.exe	adasoftw.exe
PID 2320 wrote to memory of 2752	2320	adasoftw.exe	adasoftw.exe
PID 2320 wrote to memory of 2752	2320	adasoftw.exe	adasoftw.exe
PID 2320 wrote to memory of 2752	2320	adasoftw.exe	adasoftw.exe
PID 2320 wrote to memory of 2752	2320	adasoftw.exe	adasoftw.exe

C:\Users\Admin\AppData\Local\Temp\fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
  2⤵
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\adasoftw.exe
    C:\Windows\system32\adasoftw.exe 492 "C:\Users\Admin\AppData\Local\Temp\fd6b82855a5dee211180e8e2acfe61c2_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\adasoftw.exe
      C:\Windows\SysWOW64\adasoftw.exe
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\adasoftw.exe
      C:\Windows\SysWOW64\adasoftw.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\system32\adasoftw.exe 524 "C:\Windows\SysWOW64\adasoftw.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        6⤵
        
        PID:2764
      - C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\system32\adasoftw.exe 524 "C:\Windows\SysWOW64\adasoftw.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        8⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\system32\adasoftw.exe 516 "C:\Windows\SysWOW64\adasoftw.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        10⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\system32\adasoftw.exe 520 "C:\Windows\SysWOW64\adasoftw.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:964
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        12⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\system32\adasoftw.exe 520 "C:\Windows\SysWOW64\adasoftw.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2016
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        14⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\system32\adasoftw.exe 516 "C:\Windows\SysWOW64\adasoftw.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1916
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        16⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\system32\adasoftw.exe 516 "C:\Windows\SysWOW64\adasoftw.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1636
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        18⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\system32\adasoftw.exe 516 "C:\Windows\SysWOW64\adasoftw.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2356
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        20⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\adasoftw.exe
        
        C:\Windows\SysWOW64\adasoftw.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\adasoftw.exe

Filesize
543KB

MD5
fd6b82855a5dee211180e8e2acfe61c2

SHA1
74fff0793248cc7eb65bd423799e8bb89dd5dde2

SHA256
8e938e1b74eb68ee2b1061b30c8290b08c0d64b93cbc193c84ee963237a431e2

SHA512
f22e05167c16978d72d8db0724cd7f81434c64001cf46add0e90daae5b9b2c5bafcb23ae421b4675b6c86ec903abc68a151dd97d69d7170d1b97bc49b6a606c2

Download Submit
memory/608-780-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/1420-1175-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/1420-1359-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/1752-394-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2236-1743-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-37-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-21-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-8-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-10-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-9-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-12-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-13-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-11-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-14-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-16-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-17-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-18-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-20-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-39-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-19-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-22-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-23-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-25-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-26-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-27-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-24-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-28-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-15-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-29-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-40-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-31-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-33-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-34-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-32-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-36-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-4-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-35-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-47-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-7-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-30-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-41-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-42-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-45-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-46-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-44-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-38-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-43-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-48-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-49-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-50-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-51-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-52-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-53-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-55-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-57-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-58-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-59-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-63-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-64-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-62-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-61-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-60-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-56-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-54-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-199-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-0-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2324-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2476-587-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2476-403-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2752-973-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2808-1165-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2864-5-0x0000000002000000-0x000000000208E7FC-memory.dmp

Filesize
569KB

Download
memory/3052-1551-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download