Analysis Overview
SHA256
b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e
Threat Level: Known bad
The file b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e was found to be: Known bad.
Malicious Activity Summary
GlobeImposter
Modifies extensions of user files
Deletes itself
Reads user/profile data of web browsers
Adds Run key to start application
Drops desktop.ini file(s)
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-05 20:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-05 20:49
Reported
2022-03-05 20:51
Platform
win7-20220223-en
Max time kernel
4294202s
Max time network
124s
Command Line
Signatures
GlobeImposter
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File renamed | C:\Users\Admin\Pictures\ProtectLock.tif => C:\Users\Admin\Pictures\ProtectLock.tif.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ReceiveGroup.raw => C:\Users\Admin\Pictures\ReceiveGroup.raw.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RedoRepair.tif => C:\Users\Admin\Pictures\RedoRepair.tif.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StartReset.tif => C:\Users\Admin\Pictures\StartReset.tif.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InstallSend.png => C:\Users\Admin\Pictures\InstallSend.png.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MergeOut.tiff | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MergeOut.tiff => C:\Users\Admin\Pictures\MergeOut.tiff.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe" | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
Drops desktop.ini file(s)
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03339_.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00494_.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\AST4 | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLINACC.XML | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.DPV | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.DPV | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Horizon.thmx | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\NOTICE | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libpodcast_plugin.dll | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14793_.GIF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01163_.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183574.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\liberase_plugin.dll | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Status.accft | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MSTHED98.POC | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYBB.DPV | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageSlice.gif | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Juneau | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvr.dll | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN075.XML | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196358.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialResume.dotx | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Solstice.thmx | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00092_.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187859.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6 | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.GIF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00015_.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR33B.GIF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152436.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152602.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTEAR.DPV | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART14.BDR | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195342.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\libarchive_plugin.dll | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBAR11.POC | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212601.WMF | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1924 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1924 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1924 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1924 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
"C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe > nul
Network
Files
memory/1924-54-0x00000000759B1000-0x00000000759B3000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1405931862-909307831-4085185274-1000\desktop.ini
| Hash | Value |
| --- | --- |
| MD5 | afdf67a9518eb1d4c6b6b9286c6989af |
| SHA1 | 0d6ed33e3da28eddf6802dc4f83f017154489cb1 |
| SHA256 | f7bcb2494eee8d8c305ef8f70b5ed8b194d3ee2a2473b592b6de28b04fc03a24 |
| SHA512 | d1547dfaee727c4f3f6588de8cc613caa5c04113c9dc546f51ecc14df18b0b96775ad4632a491c405aeffbba35823f623aa2574694d6c15a370b4233aa03a8e9 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-05 20:49
Reported
2022-03-05 20:51
Platform
win10v2004-en-20220113
Max time kernel
150s
Max time network
146s
Command Line
Signatures
GlobeImposter
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Pictures\RequestUnpublish.tiff | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RequestUnpublish.tiff => C:\Users\Admin\Pictures\RequestUnpublish.tiff.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CheckpointOpen.png => C:\Users\Admin\Pictures\CheckpointOpen.png.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ProtectStart.tif => C:\Users\Admin\Pictures\ProtectStart.tif.mxlock | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe" | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
Drops desktop.ini file(s)
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.Tile.winmd | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\28.jpg | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-white_scale-100.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_EyeLookingUp.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\vi_get.svg | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\placeholder.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-150_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TinyTile.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Fonts\CortanaMDL2Assets.ttf | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-200.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_th.json | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-125.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\SuggestionsService\FavoriteLight.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\SmallTile.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-200.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-150.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-48.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-72.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\CaptureImageControl.xaml | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-72_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-80_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\MediaInkToolbar.xbf | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-48.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\SmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\webviewBoot.min.js | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\splashscreen.scale-100.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp5.scale-200.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square150x150Logo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe
"C:\Users\Admin\AppData\Local\Temp\b2cff2b50051ad1924a8b2427212f44c4a5e7fcca8c188301c54974cb722247e.exe"
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | | tcp |