Malware Analysis Report

2024-10-18 23:00

Sample ID 220305-zl4qpshca6
Target b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e
SHA256 b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e
Tags: globeimposter persistence ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e

Threat Level: Known bad

The file b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e was found to be: Known bad.

Malicious Activity Summary

globeimposter persistence ransomware spyware stealer

GlobeImposter

Modifies extensions of user files

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-05 20:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-05 20:49

Reported

2022-03-05 20:51

Platform

win7-20220223-en

Max time kernel

4294202s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe"

Signatures

GlobeImposter

ransomware globeimposter

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\ProtectLock.tif => C:\Users\Admin\Pictures\ProtectLock.tif.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A
File renamed | C:\Users\Admin\Pictures\ReceiveGroup.raw => C:\Users\Admin\Pictures\ReceiveGroup.raw.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A
File renamed | C:\Users\Admin\Pictures\RedoRepair.tif => C:\Users\Admin\Pictures\RedoRepair.tif.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A
File renamed | C:\Users\Admin\Pictures\StartReset.tif => C:\Users\Admin\Pictures\StartReset.tif.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A
File renamed | C:\Users\Admin\Pictures\InstallSend.png => C:\Users\Admin\Pictures\InstallSend.png.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MergeOut.tiff | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A
File renamed | C:\Users\Admin\Pictures\MergeOut.tiff => C:\Users\Admin\Pictures\MergeOut.tiff.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe" | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A

Drops desktop.ini file(s)


Drops file in Program Files directory


Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe

"C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe > nul

Network

N/A

Files

memory/1924-54-0x00000000759B1000-0x00000000759B3000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1405931862-909307831-4085185274-1000\desktop.ini

MD5 afdf67a9518eb1d4c6b6b9286c6989af
SHA1 0d6ed33e3da28eddf6802dc4f83f017154489cb1
SHA256 f7bcb2494eee8d8c305ef8f70b5ed8b194d3ee2a2473b592b6de28b04fc03a24
SHA512 d1547dfaee727c4f3f6588de8cc613caa5c04113c9dc546f51ecc14df18b0b96775ad4632a491c405aeffbba35823f623aa2574694d6c15a370b4233aa03a8e9

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-05 20:49

Reported

2022-03-05 20:51

Platform

win10v2004-en-20220113

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe"

Signatures

GlobeImposter

ransomware globeimposter

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\RequestUnpublish.tiff | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A
File renamed | C:\Users\Admin\Pictures\RequestUnpublish.tiff => C:\Users\Admin\Pictures\RequestUnpublish.tiff.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A
File renamed | C:\Users\Admin\Pictures\CheckpointOpen.png => C:\Users\Admin\Pictures\CheckpointOpen.png.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A
File renamed | C:\Users\Admin\Pictures\ProtectStart.tif => C:\Users\Admin\Pictures\ProtectStart.tif.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe" | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A

Drops desktop.ini file(s)


Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.Tile.winmd C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\28.jpg C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_EyeLookingUp.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\vi_get.svg C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\placeholder.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-150_contrast-white.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TinyTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Fonts\CortanaMDL2Assets.ttf C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_th.json C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\SuggestionsService\FavoriteLight.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\SmallTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-150.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-72.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\CaptureImageControl.xaml C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\ui-strings.js C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\MediaInkToolbar.xbf C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\webviewBoot.min.js C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\splashscreen.scale-100.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp5.scale-200.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square150x150Logo.scale-100.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe

"C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe"

Network

Country Destination Domain Proto
US 204.79.197.200:443 tcp

Files

N/A