Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
05-03-2022 20:49
Static task
static1
Behavioral task
behavioral1
Sample
b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
Resource
win7-20220223-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
Resource
win10v2004-en-20220113
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
-
Size
53KB
-
MD5
4d9f47ef1d60ed6be978869034c85b7a
-
SHA1
46408fe3437ffc49139cfc046db9f1b941965658
-
SHA256
b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e
-
SHA512
8a40e4fa485d27a427cb00e32f9632f688384ed514c3a5d64d6fe05fa67ed090a4996cef21a050264b27a7cdabc0d28fd781b931e54cbe906484d5d7b766eff1
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>���������������06 0D 83 EB 7D 2E 23 60 8B FB 90 C6 7C F6 75 8C
01 21 FE B4 AA 71 8D D4 95 4C 54 09 FA 5C 2B A4
28 0D 43 2C 58 4B BC E9 71 D3 79 C3 25 9F 0A E3
BC F6 EF 5B D5 F1 03 E6 FC 55 95 34 EB 44 42 3D
53 44 64 EC 5A 4A 6F 58 10 E2 B6 96 5A 53 38 64
10 CE 86 08 30 D3 13 A8 37 FC 59 66 F7 67 4C 48
D9 23 4B C0 2B F3 23 CB 14 F6 D8 11 D8 81 D0 94
CE 35 5F 22 EC 5D A8 3D DF 3E 51 9E AA D9 C3 70
AF 41 B8 AA 28 92 78 1A 5F 26 63 5C F0 F6 0C F0
CA 66 E4 36 4B 24 C1 AE 0F C5 73 4E 79 76 86 24
15 00 6E DE B8 A1 EC 09 8C 3C 92 DE 88 CD 26 71
C5 A9 D0 89 1A FA 4A 64 C7 DA EB 3A 00 5B A4 69
CC A6 E9 61 F0 7F AC 0A 1E 9D DE 5D B0 48 C5 7F
70 47 5E C1 7B 8D 93 66 86 56 4F 53 7B DA 13 B5
0C 10 E4 A6 EB 3C E0 93 B4 70 DA E8 61 2C 3D AF
34 2A C6 56 8C 4E 37 46 DC 11 2D D3 F0 32 D7 DB
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 test image or text file <span> [email protected]</span>.</br>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<center>Attention!</center></br>
<ul>
<li>Only [email protected] can decrypt your files</li>
<li> [email protected]</li>
<li>Do not attempt to remove the program or run the anti-virus tools</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�����������
Emails
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\RequestUnpublish.tiff b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File renamed C:\Users\Admin\Pictures\RequestUnpublish.tiff => C:\Users\Admin\Pictures\RequestUnpublish.tiff.mxlock b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File renamed C:\Users\Admin\Pictures\CheckpointOpen.png => C:\Users\Admin\Pictures\CheckpointOpen.png.mxlock b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File renamed C:\Users\Admin\Pictures\ProtectStart.tif => C:\Users\Admin\Pictures\ProtectStart.tif.mxlock b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe" b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe -
Drops desktop.ini file(s) 27 IoCs
description ioc Process File opened for modification C:\Users\Admin\Music\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Public\Pictures\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Public\Desktop\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\Documents\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Public\Music\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\Videos\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Public\Libraries\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Public\Documents\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\Searches\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Public\Videos\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Public\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Public\Downloads\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files (x86)\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Users\Admin\Links\desktop.ini b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.Tile.winmd b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\28.jpg b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-white_scale-100.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_EyeLookingUp.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\vi_get.svg b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\placeholder.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_scale-125.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\how_to_back_files.html b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\how_to_back_files.html b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-150_contrast-white.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-400.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TinyTile.scale-100_contrast-black.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Fonts\CortanaMDL2Assets.ttf b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-200.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_th.json b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-125.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\SuggestionsService\FavoriteLight.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\SmallTile.scale-100_contrast-black.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-200.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-150.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-48.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-72.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\CaptureImageControl.xaml b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-72_altform-unplated.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\ui-strings.js b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\resources.pri b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxManifest.xml b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-80_altform-unplated.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\MediaInkToolbar.xbf b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-48.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxSignature.p7x b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\SmallTile.scale-100.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200_contrast-white.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\webviewBoot.min.js b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\how_to_back_files.html b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\splashscreen.scale-100.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp5.scale-200.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\how_to_back_files.html b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square150x150Logo.scale-100.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\how_to_back_files.html b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-100.png b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe"C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2920