2dd41c29562c147a954c40de016f11c34b6222f1bbc9b631e2e83c5d617e5a27

Analysis

max time kernel
121s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 09:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

FireflyAI_JC.exe
Size

46.3MB
MD5

85c3116e8002f9a4eb4737a9c6953778
SHA1

49159014347f523ae60f2887fa8155b2b9262ba5
SHA256

2dd41c29562c147a954c40de016f11c34b6222f1bbc9b631e2e83c5d617e5a27
SHA512

7e8605a564e2b72f9619c807773b4808afe8fef9b3bdb0279677ca243048f3b0173175eeaeb0ae62d794da2fada79bbaf70fbe669208facc58354fe8efbf6d81
SSDEEP

786432:80NEjasoddrRM8Z94SVQpqEXeD4xYhuIUT/Gwv5OWiX5D8Jd8jp06L73U9HKSycE:1ajXozrG8bQdhvbGwvQWvJd8G+3U9qSY

Score

8^/10

evasion

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3940	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
1988	sqlite3.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db	sqlite3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1692	reg.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 35	1768	cmd.exe
Token: 35	1768	cmd.exe
Token: 35	1768	cmd.exe
Token: 35	1768	cmd.exe
Token: 35	1768	cmd.exe
Token: 35	1768	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 1464	3364	FireflyAI_JC.exe	83
PID 3364 wrote to memory of 1464	3364	FireflyAI_JC.exe	83
PID 1464 wrote to memory of 1768	1464	FireflyAI_JC.exe	84
PID 1464 wrote to memory of 1768	1464	FireflyAI_JC.exe	84
PID 1768 wrote to memory of 1516	1768	cmd.exe	86
PID 1768 wrote to memory of 1516	1768	cmd.exe	86
PID 1516 wrote to memory of 1692	1516	cmd.exe	87
PID 1516 wrote to memory of 1692	1516	cmd.exe	87
PID 1516 wrote to memory of 1672	1516	cmd.exe	88
PID 1516 wrote to memory of 1672	1516	cmd.exe	88
PID 1768 wrote to memory of 688	1768	cmd.exe	89
PID 1768 wrote to memory of 688	1768	cmd.exe	89
PID 1768 wrote to memory of 4104	1768	cmd.exe	90
PID 1768 wrote to memory of 4104	1768	cmd.exe	90
PID 1768 wrote to memory of 5040	1768	cmd.exe	91
PID 1768 wrote to memory of 5040	1768	cmd.exe	91
PID 1768 wrote to memory of 3368	1768	cmd.exe	92
PID 1768 wrote to memory of 3368	1768	cmd.exe	92
PID 1768 wrote to memory of 2296	1768	cmd.exe	93
PID 1768 wrote to memory of 2296	1768	cmd.exe	93
PID 1768 wrote to memory of 2632	1768	cmd.exe	94
PID 1768 wrote to memory of 2632	1768	cmd.exe	94
PID 1768 wrote to memory of 2240	1768	cmd.exe	95
PID 1768 wrote to memory of 2240	1768	cmd.exe	95
PID 1768 wrote to memory of 2624	1768	cmd.exe	96
PID 1768 wrote to memory of 2624	1768	cmd.exe	96
PID 1768 wrote to memory of 2548	1768	cmd.exe	97
PID 1768 wrote to memory of 2548	1768	cmd.exe	97
PID 1768 wrote to memory of 3740	1768	cmd.exe	98
PID 1768 wrote to memory of 3740	1768	cmd.exe	98
PID 1768 wrote to memory of 4680	1768	cmd.exe	99
PID 1768 wrote to memory of 4680	1768	cmd.exe	99
PID 1768 wrote to memory of 4800	1768	cmd.exe	100
PID 1768 wrote to memory of 4800	1768	cmd.exe	100
PID 1768 wrote to memory of 3232	1768	cmd.exe	101
PID 1768 wrote to memory of 3232	1768	cmd.exe	101
PID 1768 wrote to memory of 500	1768	cmd.exe	102
PID 1768 wrote to memory of 500	1768	cmd.exe	102
PID 1768 wrote to memory of 4012	1768	cmd.exe	103
PID 1768 wrote to memory of 4012	1768	cmd.exe	103
PID 1768 wrote to memory of 5056	1768	cmd.exe	104
PID 1768 wrote to memory of 5056	1768	cmd.exe	104
PID 1768 wrote to memory of 4448	1768	cmd.exe	105
PID 1768 wrote to memory of 4448	1768	cmd.exe	105
PID 1768 wrote to memory of 2392	1768	cmd.exe	106
PID 1768 wrote to memory of 2392	1768	cmd.exe	106
PID 1768 wrote to memory of 2844	1768	cmd.exe	107
PID 1768 wrote to memory of 2844	1768	cmd.exe	107
PID 1768 wrote to memory of 2340	1768	cmd.exe	108
PID 1768 wrote to memory of 2340	1768	cmd.exe	108
PID 1768 wrote to memory of 1660	1768	cmd.exe	109
PID 1768 wrote to memory of 1660	1768	cmd.exe	109
PID 1768 wrote to memory of 4500	1768	cmd.exe	110
PID 1768 wrote to memory of 4500	1768	cmd.exe	110
PID 1768 wrote to memory of 2408	1768	cmd.exe	111
PID 1768 wrote to memory of 2408	1768	cmd.exe	111
PID 1768 wrote to memory of 4616	1768	cmd.exe	112
PID 1768 wrote to memory of 4616	1768	cmd.exe	112
PID 1768 wrote to memory of 60	1768	cmd.exe	113
PID 1768 wrote to memory of 60	1768	cmd.exe	113
PID 1768 wrote to memory of 4176	1768	cmd.exe	114
PID 1768 wrote to memory of 4176	1768	cmd.exe	114
PID 1768 wrote to memory of 2964	1768	cmd.exe	115
PID 1768 wrote to memory of 2964	1768	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\FireflyAI_JC.exe
"C:\Users\Admin\AppData\Local\Temp\FireflyAI_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\Temp\FireflyAI_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\FireflyAI_JC.exe" -sfxwaitall:1 "replace.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Adobe Temp\replace.cmd" "
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY HKLM\SOFTWARE\Adobe\Photoshop\170.0 /s | FINDSTR /irc:ApplicationPath
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKLM\SOFTWARE\Adobe\Photoshop\170.0 /s
        5⤵
        Modifies registry key
        
        PID:1692
    - - C:\Windows\system32\findstr.exe
        
        FINDSTR /irc:ApplicationPath
        5⤵
        
        PID:1672
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Required "Required"
      4⤵
      PID:688
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\cs_CZ "Locales\cs_CZ"
      4⤵
      PID:4104
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\da_DK "Locales\da_DK"
      4⤵
      PID:5040
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\de_DE "Locales\de_DE"
      4⤵
      PID:3368
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\en_AE "Locales\en_AE"
      4⤵
      PID:2296
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\en_GB "Locales\en_GB"
      4⤵
      PID:2632
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\en_IL "Locales\en_IL"
      4⤵
      PID:2240
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\en_US "Locales\en_US"
      4⤵
      PID:2624
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\es_ES "Locales\es_ES"
      4⤵
      PID:2548
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\es_MX "Locales\es_MX"
      4⤵
      PID:3740
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\fi_FI "Locales\fi_FI"
      4⤵
      PID:4680
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\fr_CA "Locales\fr_CA"
      4⤵
      PID:4800
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\fr_FR "Locales\fr_FR"
      4⤵
      PID:3232
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\fr_MA "Locales\fr_MA"
      4⤵
      PID:500
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\hu_HU "Locales\hu_HU"
      4⤵
      PID:4012
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\it_IT "Locales\it_IT"
      4⤵
      PID:5056
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\ja_JP "Locales\ja_JP"
      4⤵
      PID:4448
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\ko_KR "Locales\ko_KR"
      4⤵
      PID:2392
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\nb_NO "Locales\nb_NO"
      4⤵
      PID:2844
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\nl_NL "Locales\nl_NL"
      4⤵
      PID:2340
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\pl_PL "Locales\pl_PL"
      4⤵
      PID:1660
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\pt_BR "Locales\pt_BR"
      4⤵
      PID:4500
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\ru_RU "Locales\ru_RU"
      4⤵
      PID:2408
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\sv_SE "Locales\sv_SE"
      4⤵
      PID:4616
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\tr_TR "Locales\tr_TR"
      4⤵
      PID:60
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\uk_UA "Locales\uk_UA"
      4⤵
      PID:4176
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\zh_CN "Locales\zh_CN"
      4⤵
      PID:2964
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\zh_TW "Locales\zh_TW"
      4⤵
      PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\Adobe Temp\sqlite3.exe
      sqlite3.exe "C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1988
  - - C:\Windows\system32\netsh.exe
      NETSH advfirewall firewall delete rule name="Adobe Unlicensed Pop-up" dir=out
      4⤵
      Modifies Windows Firewall
      PID:3940
  - - C:\Windows\system32\find.exe
      FIND /c /i "ic.adobe.io" C:\Windows\system32\drivers\etc\hosts
      4⤵
      PID:4608
  - - C:\Windows\system32\find.exe
      FIND /c /i "1hzopx6nz7.adobe.io" C:\Windows\system32\drivers\etc\hosts
      4⤵
      PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\en_AE\Support Files\Shortcuts\Win\OS Shortcuts.txt

Filesize
96B

MD5
303d07950ebdb1129ed20b56517eec03

SHA1
af8ae6e4068d13bd59aa282cdd7a10b4a1f46b92

SHA256
999dd9c1b23bba7418102e894e7773176fb6b95d783ad1530924bf63249284da

SHA512
1e695f05a23e3194aa4a57295b6914c46ff785a08e1dc4b1b280470f8d55b4c3446eb75b6850fad9ee52d7e2843e8710e68dcccf10c03a84d2a15727a0be9242

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\en_IL\Support Files\tw10428_Photoshop_en_IL.dat

Filesize
4.3MB

MD5
763c1f52280d0cf2cdb93ee46e1306a6

SHA1
d6966171784e4bc9f20e37cfb8758c8b9c16b3ce

SHA256
128a032d3e1d34b510dc966901d46d0520ba5678e6f9ad1857938c1278fecdbf

SHA512
eff655d9e509ecf92cf7d0d47392beef045d0538836141414dcb554e2d191867123bf4bfe90e90770fb6df4bc5581af6aa88f1042b4076c11f1f6c1487296e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\es_ES\Support Files\Shortcuts\Win\OS Shortcuts.txt

Filesize
79B

MD5
77f7f250b5f11ccbcfe7be885de67e9f

SHA1
caa24c5a1acf4dad73415dc5429ac4198e7db63e

SHA256
31fd8d2f4c5170bd2d0cbf106d1b3ebd15da6a3c6fe4ae85cf4b6d0de8bd0c30

SHA512
00afc6bfdadfd911d0c0fc0082895db615e36ea715a560066b0f41a97a31281cc836658f5c199deff3fde5ec1e2b3c90039b3389b7f40aadd0a0e8bdc7e910fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\es_ES\Support Files\tw10428_Photoshop_es_ES.dat

Filesize
4.7MB

MD5
da544e35c9ed3e6c67e0c4fb509e0d11

SHA1
1feeb2629f3b8b604890fac1fe6aa7cd206ea2f5

SHA256
d2ac5566d39ace48c723ddc8ed523b97beb47a2d3c47283c567fc255ca7edf3c

SHA512
366c0381e3451e9ff06cb305e00d449dc40d50b58db18ce3fc1a1423b755a1b580496185cd109c0495fda3ef4713ef21adca34b0215aa169131fff0818d0e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\fr_MA\Support Files\Shortcuts\Win\OS Shortcuts.txt

Filesize
62B

MD5
8390d32666562a7f99f17b6893e6df80

SHA1
a8402c23d66f348314dcbb722a1d8435fcd3e745

SHA256
8f43479b5bb5047ba774c7c4f5dcf86967655642bb401ea44d78a75b1935ad0b

SHA512
729f6c2f79fea8dcb3d0b0912d39ccdef7d1417b56c2912ed7ff93c3537fcd6bf9451c3c5783c72b1572924fe99a65e230d7d5ca08ad074f542fdfc1179a7f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\fr_MA\Support Files\tw10428_Photoshop_fr_MA.dat

Filesize
4.8MB

MD5
39b13607bec545685adfcb141802b8b2

SHA1
77ee13edf3f996c02cf5be9fbca9c0dc52b9e1a0

SHA256
18bac24baa9f117f2edf7ac7ffcd3a40c931e759d770f37e8a458ced3f6ab22a

SHA512
6b4e0a24baa15d76f3a685f6bd96f2d589f88b20b00500a4e24a795bbdaa17482ec5051b17ba1e353fac4a9bf4e60bb5ab09b9b50dd44e8109b9fe9ce8f8ccbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\nb_NO\Support Files\Shortcuts\Win\OS Shortcuts.txt

Filesize
79B

MD5
6e77a75580a4451bb6f15b31e555f75c

SHA1
4822d8c407fcb0ebf3311a79029fa83455e2ee2e

SHA256
e9dbca0116cef1d354dab6e54b9b7414d1df6bf6a79bc9329137391a227bd7bf

SHA512
2aa08ba3332751cd61b1e0fbb2c6f33b39ef740163457fdf59998a92561d378b3d4ccf11ee7a0b36b660a64e27dfb57f372f898398561acc787830c4fd65d849

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\nl_NL\Support Files\Shortcuts\Win\Default Keyboard Shortcuts.kys

Filesize
19KB

MD5
ecb8ad1305c984244bccfd989bf84912

SHA1
c3ffe86aa022f734fb65cbf3d21925174c285019

SHA256
9df95d7c815eba41cd3b4e4e564e3edf45eef8312c0a946d16d9cee4f9aa54db

SHA512
57507b2f3523d78a8d49e6d2080cb3990f18320da28b774692d5843938f906e70069caf1c7871c20a455c8d3ff78f24b64aeb92eb123da12f7912dd17f426edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\PSRes.dll

Filesize
834KB

MD5
8a7374621ea8dfd6f1b72f669aed26b2

SHA1
b66f1315c825951693a01a644920b04203c7c6ad

SHA256
32bc9102a131b9d341ad0135878318992d1945b0a10afd3b7ec2f7ec2b9f0aaf

SHA512
7755597d58fa50970ddf7d1782b05a7c3a50a4303941b5d3e8efcf87ce27cc58660286829aa311437abf5cbc3b0efdfde33af6e9eabd76b87907915448947d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\PSViews.dll

Filesize
3.0MB

MD5
6ef7328ff96ca0d57e1009b697861494

SHA1
5b6d7451310bee7aecdee92768ebf7a396ee15d5

SHA256
ae4a3f96b9084efbb992aea722e05322d2cc45c74bd45fb94e3680b70906ee44

SHA512
295cea489742fc0c8814d55a6d7382b8bfef20ff8dff5e55f7fbd9442e17d8220eb975556114df852e2ac034c7c29049b8fd6a2469103582503965e8a926ec86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Photoshop.exe

Filesize
165.6MB

MD5
c8696d1623c05584582cb57ceee397a5

SHA1
ab73849f3d63c86d988169c302d228bbc37f1dda

SHA256
e91d3db6105956df495515a172753c010b1afc9536440daa861a7f0c368a062b

SHA512
3365a52ac866ea98cf8baa1d0dacde99c26d3cb5595b6062581f51fee1bcd18ac0d238291c4c35a61a8e9d17b2be2e45eb056209cb07fae53a46b4e8fa6f591f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Required\eve2\cxui_generate_bar.eve

Filesize
3KB

MD5
257d4833c5f1ce3cada5e379a02adb0b

SHA1
c209ad3ee1c938de454f23a8b95507510e0a54be

SHA256
6cdc63d50ff5f4c8a23d796617167e66e1ae5dc8cacc0b76c56167ad42dc1506

SHA512
e317cef11ea67b2ecd73319e014667fced04ffa8ab9d38874ed8f218c2c77d570d0d81529907afea9079e635ebe72b80b8396c2b25aa945449804e08a5398ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Required\eve2\cxui_generative_layer_bar.eve

Filesize
6KB

MD5
3da1e0347e709ce9ccb6212fd4ab2c34

SHA1
a7b364d570b14fa7c0c5e2b477aac0fadb805f52

SHA256
cb9ff11bad6179fc0877730834da60081d1448ed080d6f2ccf8c7c7bc5b1a7cf

SHA512
2d0c3402f675f811edb8c6ab08742e295dd6480a9006692c343aebfd7ec69a37ec6b80429d9174a30caec1353d46f35a72fb80be073bf44f17210037919c271d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Required\eve2\genAILegalDisclosureDialog.eve

Filesize
3KB

MD5
cbed885b8614fc42ae5f61fc26cba0ac

SHA1
5d92877817896ea734cac46b329ed5ba77220ea3

SHA256
c7a453332da55a5cfe714b0d6c03a128d1186e5ed2b4e05d083b9d4527692ffd

SHA512
219380901f8978c710e5db0d962c9340045c27f7a6511e13bc2399542c2a029cc116b45c3e018117a536906dad8fa38f75ff57c8ec2ad5ed5738640033990d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Required\eve2\syntheticFillPanel.eve

Filesize
3KB

MD5
ccb6df73762bba8465fe7f18e78cba06

SHA1
5e0f61a1443b72072b7a5fe96d56e693b035fece

SHA256
3ed852e1e2be643b72075dfd7dbe6bafed63878eb184a3522c29fe5162ac2baa

SHA512
3554ec685b507233b4594d4e78632051637d64285604db15e3be0d5b323884a23f4dc872039910ef1d0f34ab6a4aadede4466b151f23e6d7f8c9d2a931e75a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\WRServices.dll

Filesize
2.7MB

MD5
b81e7e43ffb1c8233510c477425865e3

SHA1
c547837aec64f5ec590886c900bde82a72e30923

SHA256
efed8cb70af40f54db0462acedcdf66d9fc206315694c4c41ed8237259d8854a

SHA512
8bca31a8bb89a0c2f6e9c3b1de6c53fd4bb4692ffe4ef41df844f48a61a30ef82d57688903b26d098a8a4ba2823b5255ccb76b6a396329a95e88f2137f855012

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\hdpim.sql

Filesize
14KB

MD5
ffba435c350f34e6089a68e2e0b3a184

SHA1
1a1385c3117b4bc173e3b53dfa8398fbc4f3b723

SHA256
78edfbdc5b7e7c1f6b25ac2d8e6a1966d6504a009560cdbfa678b32f78ade236

SHA512
defb77a6b132c3e244fdf6f25906e3ea4a211d79be78c19133db271c4f8292d359cfaffc6fb0a52cb8daa6f8af8575cb0eb4818f153f83642ac611a9ef224cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\replace.cmd

Filesize
4KB

MD5
75b7542f8cb8916920393cf256117665

SHA1
70e58acd46733070f68b13609d04bc04318cd2c4

SHA256
1f903e27f8d9886e8de8585d556649d9be5ce60aff7d7a5f3aa5ed6dc2c66751

SHA512
c87570542fa1d205f0aa664cbf23fe85d753a89305c100d52a8b6a249faf538b18cb903da803e0c7e997ab22981389dfeb5bf95a70dbe6f68d0e8c6a92372129

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\sqlite3.exe

Filesize
1.1MB

MD5
ec8c73f8c88b66cbbbc9128579aa822c

SHA1
c0617b992fac1e0153f46e49bd4497f8df98503b

SHA256
05b5783917c39417b5db3b3bcdd66b2effdf0bd764350ebaefc032804b825597

SHA512
3fdadbc5e9f38172c12cc5469513b55e734fdf12a7a3a2269c9e1796b53c7fe8ba9e153ed5d0b85c3ebff8ce3b923fd8144c777bd864fbd61ff12fce0e5ac788

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\sqlite3.exe

Filesize
1.1MB

MD5
ec8c73f8c88b66cbbbc9128579aa822c

SHA1
c0617b992fac1e0153f46e49bd4497f8df98503b

SHA256
05b5783917c39417b5db3b3bcdd66b2effdf0bd764350ebaefc032804b825597

SHA512
3fdadbc5e9f38172c12cc5469513b55e734fdf12a7a3a2269c9e1796b53c7fe8ba9e153ed5d0b85c3ebff8ce3b923fd8144c777bd864fbd61ff12fce0e5ac788

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
6503021da439cfdca49135394fb68cc1

SHA1
bdd4de3bac42cf8d05b910166fe667265c19b09d

SHA256
db0d1665a3f1cec205695f636063d7bf8b9af33fc49eefbef442f364e5b3c3d4

SHA512
55dfb87eb569bbd3a9cb6c88e8c35f3e6afaf41ac98fadec19433ac1c507688473c5d579315b8404ab2ec5e7c7af2dca9a7507b47febdc1e657a01f76627eb5d

Download Submit
memory/1988-279-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads