Malware Analysis Report

2024-10-18 23:00

Sample ID 220522-gga9gsgdh2
Target star.exe
SHA256 59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486
Tags globeimposter persistence ransomware spyware stealer
Score 10/10

Analysis Overview

Score

10/10

SHA256

59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

Threat Level: Known bad

The file star.exe was found to be: Known bad.

Malicious Activity Summary

globeimposter persistence ransomware spyware stealer

GlobeImposter

Modifies extensions of user files

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-22 05:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-22 05:46

Reported

2022-05-22 06:15

Platform

win7-20220414-en

Max time kernel

151s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\star.exe"

Signatures

GlobeImposter

ransomware globeimposter

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\ResumeApprove.png => C:\Users\Admin\Pictures\ResumeApprove.png.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\ResumeDisable.png => C:\Users\Admin\Pictures\ResumeDisable.png.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\SaveSplit.png => C:\Users\Admin\Pictures\SaveSplit.png.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\SkipDeny.crw => C:\Users\Admin\Pictures\SkipDeny.crw.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe" | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1580 set thread context of 816 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\star.exe

"C:\Users\Admin\AppData\Local\Temp\star.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB52D.tmp"

C:\Users\Admin\AppData\Local\Temp\star.exe

"{path}"

Network

N/A

Files

memory/1580-54-0x0000000000980000-0x00000000009E0000-memory.dmp

memory/1580-55-0x0000000076811000-0x0000000076813000-memory.dmp

memory/1580-56-0x0000000000440000-0x000000000044A000-memory.dmp

memory/1580-57-0x0000000004CE0000-0x0000000004D46000-memory.dmp

memory/1580-58-0x0000000000620000-0x0000000000632000-memory.dmp

memory/2020-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB52D.tmp

MD5 efef11175efa67cf47fdfc5d674fc3ba
SHA1 84b712204ffb9f24ef7953707986d80ef57e4001
SHA256 52b0fa5fd3c4263bb136cec86f505c8127876fb65f4a3c9d0463d9bf7f05a707
SHA512 279dbdddaf5aeb2b37a33adb69a30d3f301699fa83162d943b5d548fb28d93037c195bb3b0506e90dc81a05bada14215cb3cb86d6077d153192d4bdc7d6d0c38

memory/816-61-0x0000000000400000-0x000000000040E000-memory.dmp

memory/816-62-0x0000000000400000-0x000000000040E000-memory.dmp

memory/816-64-0x0000000000400000-0x000000000040E000-memory.dmp

memory/816-65-0x0000000000409F20-mapping.dmp

memory/816-68-0x0000000000400000-0x000000000040E000-memory.dmp

memory/816-69-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Roaming\jVYbanglCI.exe

MD5 df412d2fb14ddf0f111e836139170776
SHA1 c489a70161c6fa3cfe71921af372da3fbb10b2f1
SHA256 91fc6bd619163d74ea7861ddb3536b67d8d75fe3405a5ad899bb9002008771da
SHA512 751630fcb94df060b21141b7daafe585fb2eb3601b2bd00f4c5f75b430ac5ccd979bc2f332ec74fff52eb8dd5e11a91ed619d947632a0ec8562779c7ebe4a1d1

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-22 05:46

Reported

2022-05-22 06:15

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\star.exe"

Signatures

GlobeImposter

ransomware globeimposter

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\ShowHide.tiff => C:\Users\Admin\Pictures\ShowHide.tiff.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\GrantShow.png => C:\Users\Admin\Pictures\GrantShow.png.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ShowHide.tiff | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe" | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4824 set thread context of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateSetup.exe | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Acrofx32.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CoolType.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File created | C:\Program Files (x86)\read-me.txt | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_cs.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ko.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt58.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_it.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\icudt26l.dat | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\zx______.pfm | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_lv.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_sv.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ur.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\read-me.txt | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-It.otf | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Regular.otf | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\read-me.txt | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_hi.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_sl.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_sr.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_uk.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\read-me.txt | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-Oblique.otf | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd.otf | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Res.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_am.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_bn.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_nl.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\read-me.txt | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv58.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\read-me.txt | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_bg.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_gu.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_pt-PT.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_te.dll | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-It.otf | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\star.exe

"C:\Users\Admin\AppData\Local\Temp\star.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp62A2.tmp"

C:\Users\Admin\AppData\Local\Temp\star.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 104.208.16.89:443 | | tcp
NL | 8.238.21.254:80 | | tcp
NL | 8.238.21.254:80 | | tcp
NL | 8.238.21.254:80 | | tcp
US | 13.107.21.200:443 | | tcp

Files

memory/4824-130-0x0000000000700000-0x0000000000760000-memory.dmp

memory/4824-131-0x0000000005090000-0x000000000512C000-memory.dmp

memory/4824-132-0x0000000005700000-0x0000000005CA4000-memory.dmp

memory/4824-133-0x00000000051F0000-0x0000000005282000-memory.dmp

memory/4824-134-0x00000000051B0000-0x00000000051BA000-memory.dmp

memory/4824-135-0x00000000053E0000-0x0000000005436000-memory.dmp

memory/1996-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp62A2.tmp

MD5 243998c586e102d5706d22e1ccdb5781
SHA1 a8326b85c94e9f68b6a92c45551933fb5d5fdb52
SHA256 4bcf513eb854417da91582ebb18b08b740bddb3fb6973f3693cbcf65c76b4331
SHA512 720376589d9dcd21c138f4725b66a8b604b3d6691c61c3c980cc0cead4184da328906e669497276caee719363cdf09c19d11c4a4729983a7a632c817c0ab642d

memory/1708-138-0x0000000000000000-mapping.dmp

memory/1708-139-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1708-141-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1708-142-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Roaming\jVYbanglCI.exe

MD5 ada1c1e7c9dc488b3c5360de1853e46f
SHA1 e6416c7d4fa8b2a2b018f811d9e5dbad2913b4b3
SHA256 dbc4cf91610e37fc32110e83828eb74ae6b6326be76a9dcc0543bbfba41793c5
SHA512 bfb432eca280e9f0bff5cd727c798af16684d93429945e09657de4cef5ae93c35a552be1c7ab3ca0ea6073856054417334a913248acd9c5bfdc795e56901b70a