Malware Analysis Report

2024-10-18 23:00

Sample ID 220523-3zp19adefj
Target 57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
SHA256 57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
Tags
globeimposter lockbit persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53

Threat Level: Known bad

The file 57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53 was found to be: Known bad.

Malicious Activity Summary

globeimposter lockbit persistence ransomware

Lockbit

GlobeImposter

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-23 23:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-23 23:57

Reported

2022-05-24 00:00

Platform

win7-20220414-en

Max time kernel

128s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"

Signatures

GlobeImposter

ransomware globeimposter

Lockbit

ransomware lockbit

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe" | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A

Enumerates physical storage devices

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A
File created | C:\Users\Admin\AppData\Local\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe\:Zone.Identifier:$DATA | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1064 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 1064 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 1064 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 1064 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 1064 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 1064 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 1064 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 1064 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 1064 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 1064 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 1064 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Processes

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

"C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier"

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

"C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

"C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"

Network

N/A

Files

memory/1064-54-0x0000000000DB0000-0x0000000000DF2000-memory.dmp

memory/1064-55-0x00000000001E0000-0x000000000020A000-memory.dmp

memory/1064-56-0x0000000076C81000-0x0000000076C83000-memory.dmp

memory/2044-57-0x0000000000000000-mapping.dmp

memory/1064-58-0x0000000000820000-0x0000000000828000-memory.dmp

memory/1064-60-0x0000000000840000-0x000000000084C000-memory.dmp

memory/2016-59-0x0000000000000000-mapping.dmp

memory/1064-61-0x0000000000B40000-0x0000000000B4C000-memory.dmp

\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

MD5 beca53ebe027a5200ae7b0158f2d742b
SHA1 1af422f5bd6f4c4ba570fcd4b823c86f675af85b
SHA256 57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
SHA512 82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

MD5 beca53ebe027a5200ae7b0158f2d742b
SHA1 1af422f5bd6f4c4ba570fcd4b823c86f675af85b
SHA256 57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
SHA512 82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

MD5 beca53ebe027a5200ae7b0158f2d742b
SHA1 1af422f5bd6f4c4ba570fcd4b823c86f675af85b
SHA256 57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
SHA512 82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

memory/1784-65-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1784-66-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1784-68-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1784-69-0x0000000000409F20-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

MD5 beca53ebe027a5200ae7b0158f2d742b
SHA1 1af422f5bd6f4c4ba570fcd4b823c86f675af85b
SHA256 57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
SHA512 82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

memory/1784-73-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1784-74-0x0000000000400000-0x000000000040E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-23 23:57

Reported

2022-05-24 00:00

Platform

win10v2004-20220414-en

Max time kernel

152s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"

Signatures

GlobeImposter

ransomware globeimposter

Lockbit

ransomware lockbit

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe" | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A

Enumerates physical storage devices

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe\:Zone.Identifier:$DATA | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A
File created | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 936 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 936 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 936 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 936 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 936 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 936 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 936 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 936 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
PID 936 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe | C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
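
The behavioral1 and behavioral2 runs show the same chain with different PIDs and user SIDs: the sample sets a RunOnce value named BrowserUpdateCheck that points at a copy of itself under AppData\Local rather than at the detonated file in Temp (RunOnce values are deleted after they fire, so on a live host this value may already be gone and only the copy remains); it spawns cmd.exe to run `type nul > <self>:Zone.Identifier`, which overwrites the Mark-of-the-Web stream with an empty one so the ZoneId is lost; and it writes into child processes that run its own image, which together with the "Suspicious use of SetThreadContext" signature in the overview is the usual process-hollowing pattern (the memory dumps listed for the child PID 1784 at 0x400000-0x40E000 with a mapping at 0x409F20 fit that reading, though the report does not say so itself). The Python below is an added triage script, not part of the sandbox output: it transcribes the behavioral1 rows into records and runs one rule per behavior. The record layout, rule and field names, and the hollowing inference are this example's own; the autorun rule is generalized to match the Run key as well as RunOnce, since the same check applies to both.

```python
"""Triage rules over this report's behavioral signatures.

Added example, not part of the sandbox output.  EVENTS and CMDLINES are
transcribed from the behavioral1 tables (PIDs, SIDs and paths are the
report's own); the rules, field names and the hollowing inference are
this example's, not the sandbox's.
"""
import json
import re
from collections import defaultdict

SAMPLE = "57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"
LOCAL = r"C:\Users\Admin\AppData\Local"
TEMP = LOCAL + r"\Temp" + "\\" + SAMPLE           # the image that was detonated
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SID = r"\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000"

# (kind, description, indicator, process, target) rows from the report.
EVENTS = [
    ("registry", "Key created",
     SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce", TEMP, None),
    ("registry", "Set value (str)",
     SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck"
     r' = "C:\\Users\\Admin\\AppData\\Local\\' + SAMPLE + '"', TEMP, None),
    # 4 of the 12 desktop.ini rows
    ("file", "File opened for modification", r"C:\Users\Public\Pictures\desktop.ini", TEMP, None),
    ("file", "File opened for modification", r"C:\Users\Public\Recorded TV\Sample Media\desktop.ini", TEMP, None),
    ("file", "File opened for modification", r"C:\Users\Public\Documents\desktop.ini", TEMP, None),
    ("file", "File opened for modification", r"C:\Users\Public\desktop.ini", TEMP, None),
    # NTFS ADS rows
    ("file", "File created", TEMP + ":Zone.Identifier", CMD, None),
    ("file", "File created", LOCAL + "\\" + SAMPLE + r"\:Zone.Identifier:$DATA", TEMP, None),
    # WriteProcessMemory rows, one per distinct target (the report repeats them)
    ("memory", "PID 1064 wrote to memory of 2044", None, TEMP, CMD),
    ("memory", "PID 1064 wrote to memory of 2016", None, TEMP, CMD),
    ("memory", "PID 1064 wrote to memory of 1652", None, TEMP, TEMP),
    ("memory", "PID 1064 wrote to memory of 1784", None, TEMP, TEMP),
]

# (image, command line) rows from the behavioral1 "Processes" section.
CMDLINES = [
    (TEMP, '"' + TEMP + '"'),
    (CMD, r'"C:\Windows\System32\cmd.exe" /C type nul > "' + TEMP + r':Zone.Identifier"'),
    (CMD, r'"C:\Windows\System32\cmd.exe" /C type nul > "' + TEMP + r':Zone.Identifier"'),
    (TEMP, '"' + TEMP + '"'),
    (TEMP, '"' + TEMP + '"'),
]

AUTORUN_RE = re.compile(
    r'\\CurrentVersion\\(?P<key>RunOnce|Run)\\(?P<name>[^\\ ]+) = "(?P<path>[^"]*)"', re.I)
MOTW_RE = re.compile(r'type\s+nul\s*>\s*"?(?P<file>[^"]+):Zone\.Identifier"?', re.I)
WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")


def find_autoruns(events):
    """Run/RunOnce values the sample wrote and the path each launches.
    'relocated' is True when that path is not the image that ran, i.e. the
    sample persisted a copy of itself instead of the detonated file."""
    hits = []
    for kind, desc, ind, proc, _ in events:
        if kind != "registry" or not desc.startswith("Set value"):
            continue
        m = AUTORUN_RE.search(ind)
        if m:
            path = m.group("path").replace("\\\\", "\\")   # undo the report's escaping
            hits.append({"key": m.group("key"), "value": m.group("name"), "path": path,
                         "relocated": path.lower() != proc.lower()})
    return hits


def find_motw_clearing(cmdlines):
    """Files whose Zone.Identifier stream was truncated with 'type nul > file:Zone.Identifier'.
    An empty stream carries no ZoneId, so the Mark-of-the-Web is effectively removed."""
    return sorted({m.group("file") for _, line in cmdlines
                   for m in [MOTW_RE.search(line)] if m})


def find_self_injection(events):
    """Writers that put memory into a process running their own image, as parent -> child PIDs.
    Combined with the SetThreadContext signature this is the process-hollowing pattern."""
    targets = defaultdict(set)
    for kind, desc, _, src, dst in events:
        m = WPM_RE.match(desc) if kind == "memory" else None
        if m and src.lower() == dst.lower():
            targets[int(m.group("src"))].add(int(m.group("dst")))
    return {pid: sorted(kids) for pid, kids in targets.items()}


def touched_folders(events):
    """Directories whose desktop.ini the sample opened for writing (its walk of the profile)."""
    return sorted({ind.rsplit("\\", 1)[0] for kind, _desc, ind, *_ in events
                   if kind == "file" and ind.lower().endswith("\\desktop.ini")})


def triage(events, cmdlines):
    return {"autoruns": find_autoruns(events),
            "motw_cleared": find_motw_clearing(cmdlines),
            "self_injection": find_self_injection(events),
            "desktop_ini_dirs": touched_folders(events)}


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS, CMDLINES), indent=2))
```

Running it on the behavioral2 rows only requires swapping the SID, the PIDs (936 writing into 3128 and 1944 for cmd.exe, 212 and 1988 for the self copies) and the SOFTWARE capitalization in the RunOnce path, which the case-insensitive regex already tolerates; the findings come out the same, which is the point of checking both runs against one rule set.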

Processes

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

"C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier"

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

"C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

"C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp

Files

memory/936-130-0x0000000000CC0000-0x0000000000D02000-memory.dmp

memory/936-131-0x00000000056B0000-0x00000000056D2000-memory.dmp

memory/936-132-0x0000000005750000-0x00000000057B6000-memory.dmp

memory/3128-133-0x0000000000000000-mapping.dmp

memory/936-134-0x0000000006210000-0x00000000063D2000-memory.dmp

memory/1944-136-0x0000000000000000-mapping.dmp

memory/936-135-0x0000000006990000-0x0000000006F34000-memory.dmp

memory/936-137-0x0000000006150000-0x00000000061E2000-memory.dmp

memory/936-138-0x00000000014A0000-0x000000000153C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

MD5 beca53ebe027a5200ae7b0158f2d742b
SHA1 1af422f5bd6f4c4ba570fcd4b823c86f675af85b
SHA256 57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
SHA512 82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

memory/212-139-0x0000000000000000-mapping.dmp

memory/1988-141-0x0000000000000000-mapping.dmp

memory/1988-142-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1988-145-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

MD5 beca53ebe027a5200ae7b0158f2d742b
SHA1 1af422f5bd6f4c4ba570fcd4b823c86f675af85b
SHA256 57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
SHA512 82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

memory/1988-146-0x0000000000400000-0x000000000040E000-memory.dmp