Analysis Overview
SHA256
2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5
Threat Level: Known bad
The file 2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5 was found to be: Known bad.
Malicious Activity Summary
GlobeImposter
Modifies extensions of user files
Reads user/profile data of web browsers
Adds Run key to start application
Drops desktop.ini file(s)
Drops file in Program Files directory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-06 06:40
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-06 06:40
Reported
2022-03-06 06:42
Platform
win10v2004-en-20220113
Max time kernel
150s
Max time network
140s
Command Line
Signatures
GlobeImposter
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe" | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
Drops desktop.ini file(s)
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sv-se\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-72.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark2x.gif | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunch.js | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomSetupDisambig.jpg | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Read Me!.hta | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-no-text_2x.gif | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\Read Me!.hta | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\digsig_icons_2x.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-16_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\libvlc.dll | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\extensions\Read Me!.hta | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\Read Me!.hta | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-180.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\msvcr120.dll | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\Read Me!.hta | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\Read Me!.hta | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_tr_135x40.svg | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\Read Me!.hta | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-high.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-36_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Camera_Capture.m4a | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICI.TTF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\Read Me!.hta | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker29.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\0.jpg | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\security\US_export_policy.jar | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-125.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\Read Me!.hta | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\bg_get.svg | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail2x.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-16_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7e3.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-336.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Threading.Tasks.Extensions.dll | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_selectlist_checkmark_18.svg | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe
"C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.bing.com | udp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-06 06:40
Reported
2022-03-06 06:42
Platform
win7-en-20211208
Max time kernel
150s
Max time network
124s
Command Line
Signatures
GlobeImposter
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\PushCompress.tiff | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe" | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
Drops desktop.ini file(s)
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10219_.GIF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107456.WMF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Winnipeg | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Read Me!.hta | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21324_.GIF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02444_.WMF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Pontianak | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18250_.WMF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0075478.GIF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153091.WMF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00807_.WMF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONWordAddin.dll | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageScript.js | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14870_.GIF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Read Me!.hta | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\EXPTOOWS.XLA | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251925.WMF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RESEND.CFG | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21320_.GIF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01848_.WMF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740G.GIF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\MAPISHELLR.DLL | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESTL.ICO | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0090386.WMF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0286034.WMF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10308_.GIF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SHAREPOINTPROVIDER.DLL | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ShvlRes.dll.mui | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL102.XML | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107188.WMF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\sqlite.dll | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0250504.WMF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4 | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Managua | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR24F.GIF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN020.XML | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105276.WMF | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_off.gif | C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe | N/A |
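Both detonations record the same two behaviours worth turning into detections: a RunOnce value named BrowserUpdateCheck whose data is a second copy of the sample under AppData\Local (not the Temp path the sandbox launched), and a "Read Me!.hta" note created in directory after directory under Program Files. The block below is an added example and is not part of the sandbox report or the GlobeImposter sample. It assumes Sysmon-shaped events: EventID 13 (RegistryEvent, value set) with Image, TargetObject and Details, and EventID 11 (FileCreate) with Image and TargetFilename. The events are constructed dicts built from the indicators in the tables above, plus a benign installer event for contrast; the min_dirs threshold is an assumed tuning value.

```python
# Added example: detection logic for the RunOnce persistence and the ransom-note
# spraying seen in both detonations above. It is not part of the sandbox report.
# Events are constructed dicts shaped like Sysmon EventID 13 (RegistryEvent,
# value set: Image/TargetObject/Details) and EventID 11 (FileCreate:
# Image/TargetFilename); the min_dirs threshold is an assumed tuning value.
import re
from collections import defaultdict

EID_FILE_CREATE = 11
EID_REG_VALUE_SET = 13

# A value directly under ...\CurrentVersion\RunOnce (not the key itself).
RUNONCE_RE = re.compile(r"\\CurrentVersion\\RunOnce\\[^\\]+$", re.IGNORECASE)
# Anything under a user's AppData: writable without admin rights, and where
# the report's sample both runs from (Temp) and copies itself to (Local).
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# The note filename the report shows dropped into every walked directory.
RANSOM_NOTE_RE = re.compile(r"\\Read Me!\.hta$", re.IGNORECASE)


def detect_runonce_persistence(event):
    """Flag a RunOnce value whose data points into a user-writable directory,
    written by a process that itself runs from one. Returns a finding or None."""
    if event.get("EventID") != EID_REG_VALUE_SET:
        return None
    target = event.get("TargetObject", "")
    if not RUNONCE_RE.search(target):
        return None
    image = event.get("Image", "")
    # Registry data may be stored quoted (as the report shows); strip before matching.
    data_path = event.get("Details", "").strip('"')
    if USER_WRITABLE_RE.match(data_path) and USER_WRITABLE_RE.match(image):
        return {"rule": "runonce_user_writable", "image": image,
                "value": target.rsplit("\\", 1)[-1], "data": data_path}
    return None


def detect_ransom_note_spread(events, min_dirs=3):
    """Flag each process that creates the note filename in at least min_dirs
    distinct directories. One note is noise; dozens across Program Files is not."""
    dirs_by_image = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != EID_FILE_CREATE:
            continue
        path = ev.get("TargetFilename", "")
        if RANSOM_NOTE_RE.search(path):
            dirs_by_image[ev.get("Image", "")].add(path.rsplit("\\", 1)[0].lower())
    return [{"rule": "ransom_note_spread", "image": img, "dirs": len(dirs)}
            for img, dirs in dirs_by_image.items() if len(dirs) >= min_dirs]


def triage(events):
    """Run both detections over an event list and return all findings."""
    findings = [f for f in map(detect_runonce_persistence, events) if f]
    findings.extend(detect_ransom_note_spread(events))
    return findings


# Constructed sample events, built from indicators in the report above.
HASH = "2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5"
SAMPLE_IMAGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + HASH + ".exe"
SAMPLE_COPY = "C:\\Users\\Admin\\AppData\\Local\\" + HASH + ".exe"
SID = "S-1-5-21-1346565761-3498240568-4147300184-1000"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\BrowserUpdateCheck",
     "Details": '"' + SAMPLE_COPY + '"'},
    # Benign contrast (constructed): an installer registering a RunOnce entry
    # that points into Program Files, which the rule must not flag.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\SetupCleanup",
     "Details": "C:\\Program Files\\ExampleVendor\\cleanup.exe"},
    {"EventID": 11, "Image": SAMPLE_IMAGE,
     "TargetFilename": "C:\\Program Files\\VideoLAN\\VLC\\lua\\extensions\\Read Me!.hta"},
    {"EventID": 11, "Image": SAMPLE_IMAGE,
     "TargetFilename": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Bibliography\\Read Me!.hta"},
    {"EventID": 11, "Image": SAMPLE_IMAGE,
     "TargetFilename": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\bg\\Read Me!.hta"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\Admin\\Desktop\\notes.txt"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Two practical notes. The registry rule keys off the value-set event, not the "Key created" event the report also lists, because creating the RunOnce key is something legitimate installers do; the signal is a value whose data and writing process both live under AppData. And RunOnce entries are deleted by Windows when they fire, so on a live host the BrowserUpdateCheck value may already be gone by the time someone looks; the copy of the binary under AppData\Local and the scattered Read Me!.hta files are the durable artefacts to hunt for.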
Processes
C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe
"C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe"
Network
Files
memory/1944-55-0x00000000760F1000-0x00000000760F3000-memory.dmp