Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-08-2024 06:21

General

  • Target

    2024-08-07_01bf53b04ec2b317ac0ce374747fa249_mafia_magniber.exe

  • Size

    545KB

  • MD5

    01bf53b04ec2b317ac0ce374747fa249

  • SHA1

    dd39acdc2dd60b2f368d2ed12795af22cff107f8

  • SHA256

    7c46cbe01e45ad3a89a0e89dbdd74be09710e4be95bdd8f018fb63ccda2e90ef

  • SHA512

    d94cc20853e8034e709150db030b72aa7a7fd9803e1baf489057cd527eaaf54d1c50f7dbbb911b8e1bb874f527957e58a9df2b4c2eec5c435f6062dcb958d8b4

  • SSDEEP

    12288:x2+p3SIH+iX7azL0ZK0GY+HCigMxYjBtlhboZn/9arBOIo:x2E3SIeuazYZ8PCnYY1tlhbGnUEIo

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-07_01bf53b04ec2b317ac0ce374747fa249_mafia_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-07_01bf53b04ec2b317ac0ce374747fa249_mafia_magniber.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Users\Admin\AppData\Roaming\Adobe\Update.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\Update.exe" "C:\Users\Admin\AppData\Local\Temp\2024-08-07_01bf53b04ec2b317ac0ce374747fa249_mafia_magniber.exe"
      2⤵
      • Deletes itself
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2772
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:3012
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2588
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2712
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1432
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://bolamavojaca.review/lp/thanks.php
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1700
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2056
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:2872
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:1952
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:1988
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2932
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1720
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1960
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:2900
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:1560
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2728
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:2880
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:2640
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:1832
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:780
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2056
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1688
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:1972
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:928
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1988
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1028
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:316
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:1636
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2440
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:1368
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:2216
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1736
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:836
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:2076
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2508
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1960
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2936
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:1616
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2208
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:756
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2596
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:2788
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1720
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2600
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2588
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1784
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:900
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2132
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1944
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1668
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        PID:1076
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1048
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1384
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1436
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:968
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3032
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2736
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2840
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:236
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2012
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2728
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2604
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2588
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2304
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2232
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:780
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2492
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1232
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        PID:2692
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        PID:2184
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        PID:2052
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1988
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:568
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1524
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1016
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        PID:1372
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:828
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        PID:1568
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1328
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1736
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:932
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2064
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        PID:860
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:864
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        PID:1564
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2100
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        PID:968
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3032
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        PID:1776
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2808
      • C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\Share64.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2900

Network

MITRE ATT&CK Enterprise v15


Downloads


                      6da27e29c9be42db408ee3d49c58fc17

                      SHA1

                      8be3ec36b11bb7f6f2be5f88c70f3c23d20a3d98

                      SHA256

                      b2f7b64f05cd11320ab14e5f5d7c7b27db72e81d989baed0daca060f1c9b9018

                      SHA512

                      b90a5a7aa2ab3bc1090a03ecdb7974d2153164778e759a9ea10613c4638fd9a3a28d2e1a682bf8dac43302ffb36194710d365a41ccca3592fe302964a9d48baf

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                      Filesize

                      342B

                      MD5

                      a2a93c0ede9fe2f3b113708aa66e3bd1

                      SHA1

                      b19f83afd89d7179f6cf6c6fd23724afb390168d

                      SHA256

                      d0fa6fc9769c288585e4ae690b9a37a3f53289bc1a0711c4f062be917dfd9f98

                      SHA512

                      ead9919a8d2d5e8e639d0a9e2ed5fb9391f99782edfbc24c0694a04c67b2f446086e6056c0c9731273436f56203c899b5d284196c44d994adccb6b984c722c39

                    • C:\Users\Admin\AppData\Local\Temp\Cab16B.tmp

                      Filesize

                      70KB

                      MD5

                      49aebf8cbd62d92ac215b2923fb1b9f5

                      SHA1

                      1723be06719828dda65ad804298d0431f6aff976

                      SHA256

                      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                      SHA512

                      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                    • C:\Users\Admin\AppData\Local\Temp\Tar17D.tmp

                      Filesize

                      181KB

                      MD5

                      4ea6026cf93ec6338144661bf1202cd1

                      SHA1

                      a1dec9044f750ad887935a01430bf49322fbdcb7

                      SHA256

                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                      SHA512

                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                    • \Users\Admin\AppData\Roaming\Adobe\Share64.exe

                      Filesize

                      675KB

                      MD5

                      59467cb77c1839dfb1b40599edab245a

                      SHA1

                      06c67579ac60ab1456daf643c76e30ef7e0566d5

                      SHA256

                      c28ea7805a0f17b5427a6763834124e2f84c0db94250d4a84df0c55a6f130589

                      SHA512

                      0ee66920fcf551c85560b719b1c5662929ec13ee820da186d5638dfa12ba06ac73b00c0daffd88f200def68e81ebaca7a2f083223ce997ee2f55caea1109273d

                    • \Users\Admin\AppData\Roaming\Adobe\Update.exe

                      Filesize

                      545KB

                      MD5

                      01bf53b04ec2b317ac0ce374747fa249

                      SHA1

                      dd39acdc2dd60b2f368d2ed12795af22cff107f8

                      SHA256

                      7c46cbe01e45ad3a89a0e89dbdd74be09710e4be95bdd8f018fb63ccda2e90ef

                      SHA512

                      d94cc20853e8034e709150db030b72aa7a7fd9803e1baf489057cd527eaaf54d1c50f7dbbb911b8e1bb874f527957e58a9df2b4c2eec5c435f6062dcb958d8b4

                    • memory/316-558-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/756-612-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/780-529-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/836-583-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/900-641-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/928-546-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/968-1107-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1028-554-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1048-1094-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1076-1090-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1368-571-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1384-1098-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1432-38-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1436-1102-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1560-508-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1616-604-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1636-562-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1668-987-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1688-537-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1720-234-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1720-625-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1736-579-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1784-637-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1832-525-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1944-686-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1952-54-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1960-596-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1960-454-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1972-542-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1988-550-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/1988-59-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2056-533-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2056-42-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2076-587-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2132-645-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2208-608-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2216-575-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2236-516-0x0000000000400000-0x00000000004C8000-memory.dmp

                      Filesize

                      800KB

                    • memory/2236-14-0x0000000000400000-0x00000000004C8000-memory.dmp

                      Filesize

                      800KB

                    • memory/2236-541-0x0000000000400000-0x00000000004C8000-memory.dmp

                      Filesize

                      800KB

                    • memory/2236-55-0x0000000000400000-0x00000000004C8000-memory.dmp

                      Filesize

                      800KB

                    • memory/2236-591-0x0000000000400000-0x00000000004C8000-memory.dmp

                      Filesize

                      800KB

                    • memory/2236-26-0x0000000000400000-0x00000000004C8000-memory.dmp

                      Filesize

                      800KB

                    • memory/2236-621-0x0000000000400000-0x00000000004C8000-memory.dmp

                      Filesize

                      800KB

                    • memory/2236-13-0x0000000000400000-0x00000000004C8000-memory.dmp

                      Filesize

                      800KB

                    • memory/2324-11-0x0000000000540000-0x0000000000640000-memory.dmp

                      Filesize

                      1024KB

                    • memory/2324-10-0x0000000000400000-0x00000000004C8000-memory.dmp

                      Filesize

                      800KB

                    • memory/2324-1-0x0000000000540000-0x0000000000640000-memory.dmp

                      Filesize

                      1024KB

                    • memory/2324-2-0x0000000000400000-0x00000000004C8000-memory.dmp

                      Filesize

                      800KB

                    • memory/2440-567-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2508-592-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2588-633-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2588-30-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2596-616-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2600-629-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2640-521-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2712-34-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2728-512-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2772-21-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2788-620-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2872-50-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2880-517-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2900-504-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2932-63-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/2936-600-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB

                    • memory/3012-25-0x0000000000400000-0x00000000004B1000-memory.dmp

                      Filesize

                      708KB