Malware Analysis Report

2024-10-18 23:00

Sample ID 220306-hfaf8sabg4
Target 2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5
SHA256 2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5
Tags
globeimposter persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5

Threat Level: Known bad

The file 2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5 was found to be: Known bad.

Malicious Activity Summary

globeimposter persistence ransomware spyware stealer

GlobeImposter

Modifies extensions of user files

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-06 06:40

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-06 06:40

Reported

2022-03-06 06:42

Platform

win10v2004-en-20220113

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe"

Signatures

GlobeImposter

ransomware globeimposter

Reads user/profile data of web browsers

spyware stealer

No indicator rows accompany this signature in the report, so the page does not show which browser profile files were read. The spyware and stealer tags in the summary rest on this signature alone and should not be read as confirmed credential theft.

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe" C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A

Despite the signature name, the value is written under the user's RunOnce key, not Run (the S-1-5-21-1346565761-3498240568-4147300184-1000 hive belongs to the Admin account the sample ran as). Windows deletes a RunOnce value before executing its command, so this fires once at that user's next logon rather than on every boot. The command points at a copy of the sample directly under %LOCALAPPDATA%, not the %TEMP% path it was detonated from; the report records no file write to that location (the Files section is N/A), so confirm the copy exists on a live host before using the path as an indicator. The value name BrowserUpdateCheck and the Local\<sha256>.exe path are the reusable indicators here.
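The check behind the "Adds Run key" signature, as an added example that is not part of the sandbox report: it replays the two RunOnce rows above as constructed Sysmon-style registry events (EventID 12 = key created, 13 = value set), plus an assumed-benign per-machine OneDrive autorun for contrast, and flags autorun values that point into user-writable directories or at a binary other than the process that wrote them. The RegEvent shape, the path patterns and the function names are assumptions, not a Sysmon or sandbox API.

```python
"""Flag autorun persistence like the RunOnce\\BrowserUpdateCheck value above.

Added example, not part of the sandbox report. Runs over constructed
Sysmon-style registry events; RegEvent, the regexes and the helper names
are assumptions, not a Sysmon or sandbox API.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Autorun keys Windows evaluates at logon, under either HKCU or HKLM.
AUTORUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(RunOnce|RunServicesOnce|RunServices|Run)\\",
    re.IGNORECASE,
)
# User-writable locations that legitimate autoruns rarely point into.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)",
    re.IGNORECASE,
)
# Value data is a (possibly quoted) command line; keep only the executable part.
EXE_IN_DATA = re.compile(
    r'^"?(?P<path>[A-Z]:\\.*?\.(?:exe|dll|bat|cmd|vbs|js|hta|ps1))"?', re.IGNORECASE
)


@dataclass
class RegEvent:
    event_id: int   # 12 = key created/deleted, 13 = value set
    target: str     # registry object path (HKU\<SID>\... or \REGISTRY\USER\<SID>\...)
    details: str    # value data for EventID 13, empty otherwise
    image: str      # process that performed the write


def launched_image(details: str) -> str | None:
    # Sandbox output escapes backslashes ("C:\\Users\\..."); collapse them first.
    m = EXE_IN_DATA.match(details.replace("\\\\", "\\").strip())
    return m.group("path") if m else None


def classify(ev: RegEvent) -> dict | None:
    """Describe a value-set event in an autorun key; None if not applicable."""
    if ev.event_id != 13:
        return None
    key = AUTORUN_KEY.search(ev.target)
    if key is None:
        return None
    launched = launched_image(ev.details)
    if launched is None:
        return None
    reasons = []
    if USER_WRITABLE.match(launched):
        reasons.append("autorun target lives in a user-writable directory")
    if launched.lower() != ev.image.lower():
        reasons.append("autorun target is not the writing process (self-copy or dropper)")
    upper = ev.target.upper()
    hive = "user" if upper.startswith(("HKU\\", "\\REGISTRY\\USER\\", "HKCU\\")) else "machine"
    return {
        "hive": hive,
        "key": key.group(1),
        "value": ev.target.rsplit("\\", 1)[-1],
        "launches": launched,
        "writer": ev.image,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def scan(events: list[RegEvent]) -> list[dict]:
    """Return only the suspicious autorun findings in a batch of events."""
    findings = (classify(ev) for ev in events)
    return [f for f in findings if f is not None and f["suspicious"]]


# Constructed events: the first two mirror the report's RunOnce rows, the
# third is an assumed-benign per-machine OneDrive autorun for contrast.
SHA256 = "2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5"
SID = "S-1-5-21-1346565761-3498240568-4147300184-1000"
TEMP_EXE = rf"C:\Users\Admin\AppData\Local\Temp\{SHA256}.exe"
RUNONCE = rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce"
ONEDRIVE = r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"

EVENTS = [
    RegEvent(12, RUNONCE, "", TEMP_EXE),
    RegEvent(13, RUNONCE + r"\BrowserUpdateCheck",
             rf'"C:\\Users\\Admin\\AppData\\Local\\{SHA256}.exe"', TEMP_EXE),
    RegEvent(13, rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             f'"{ONEDRIVE}" /background', ONEDRIVE),
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(f"{finding['hive']} {finding['key']}\\{finding['value']} -> {finding['launches']}")
        for reason in finding["reasons"]:
            print("   ", reason)
```

The second reason is the one that matters for this sample: the writer is the Temp copy but the autorun launches a different path, which is the self-copy the report itself does not show as a file event.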

Drops desktop.ini file(s)

Every row below is an open-for-modification of an existing hidden desktop.ini, not the creation of a new one. A desktop.ini lives in every shell folder, so an encryptor that walks the whole profile and Program Files tree touches all of them, which is what this signature keys on. The list spans both user profiles (Admin and Public) and both Program Files roots.
Description Indicator Process Target
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A

Drops file in Program Files directory

The rows mix two behaviours: modification of existing files under Program Files and Program Files (x86) (Adobe Reader web resources, Office licence files, Java, VLC, Store packages under WindowsApps) and creation of the ransom note Read Me!.hta in directories the sample walked. The note is an HTA, which mshta.exe runs when a user double-clicks it, so treat Read Me!.hta as an indicator and do not open it outside the analysis VM.
Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-72.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark2x.gif C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunch.js C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomSetupDisambig.jpg C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Read Me!.hta C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-no-text_2x.gif C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\Read Me!.hta C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\digsig_icons_2x.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\libvlc.dll C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\extensions\Read Me!.hta C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\Read Me!.hta C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-180.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\msvcr120.dll C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\Read Me!.hta C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\Read Me!.hta C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_tr_135x40.svg C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\Read Me!.hta C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-high.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Camera_Capture.m4a C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICI.TTF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\Read Me!.hta C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker29.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\0.jpg C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\security\US_export_policy.jar C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\Read Me!.hta C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\bg_get.svg C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail2x.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7e3.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-336.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Threading.Tasks.Extensions.dll C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_selectlist_checkmark_18.svg C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
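The file-activity tells behind the two tables above (desktop.ini touched across many shell folders, the ransom note created in many directories, activity spanning several drive roots), as an added example that is not part of the sandbox report. It replays a subset of the report's own rows in their (description, path) wording together with a constructed benign pair for contrast. The note-name pattern, the thresholds and the function names are assumptions.

```python
"""Heuristic for the mass-modification pattern in the desktop.ini and
Program Files tables above.

Added example, not part of the sandbox report. The rows replayed below are
a subset of the report's own rows plus a constructed benign pair; the
ransom-note name pattern, thresholds and function names are assumptions.
"""
from __future__ import annotations

import ntpath
import re
from collections import Counter

# Ransom-note names seen across families; GlobeImposter's here is "Read Me!.hta".
NOTE_NAME = re.compile(
    r"^(read ?me!?|how.?to.?(decrypt|recover|restore).*|.*decrypt.*)\.(hta|txt|html?)$",
    re.IGNORECASE,
)


def summarize(rows: list[tuple[str, str]]) -> dict:
    """Aggregate (description, path) rows into the counts the verdict uses."""
    desktop_ini_dirs: set[str] = set()
    note_dirs: set[str] = set()
    touched_dirs: set[str] = set()
    roots: set[str] = set()
    modified_ext = Counter()
    for description, path in rows:
        directory, name = ntpath.split(path)
        # First directory under the drive: "Users", "Program Files", ...
        roots.add(ntpath.splitdrive(path)[1].lstrip("\\").split("\\", 1)[0])
        if description == "File opened for modification":
            touched_dirs.add(directory.lower())
            if name.lower() == "desktop.ini":
                desktop_ini_dirs.add(directory.lower())
            else:
                modified_ext[ntpath.splitext(name)[1].lower()] += 1
        elif description == "File created" and NOTE_NAME.match(name):
            note_dirs.add(directory.lower())
    return {
        "desktop_ini_dirs": len(desktop_ini_dirs),
        "note_dirs": len(note_dirs),
        "touched_dirs": len(touched_dirs),
        "roots": sorted(roots),
        "modified_ext": modified_ext.most_common(5),
    }


def is_ransomware_like(summary: dict, min_desktop_ini: int = 10, min_note_dirs: int = 3) -> bool:
    """Assumed thresholds: many shell folders touched and the note dropped repeatedly."""
    return summary["desktop_ini_dirs"] >= min_desktop_ini and summary["note_dirs"] >= min_note_dirs


MOD, NEW = "File opened for modification", "File created"

# Subset of the report's rows, in the report's own wording.
REPORT_ROWS = [
    (MOD, r"C:\Users\Public\Documents\desktop.ini"),
    (MOD, r"C:\Users\Admin\Pictures\Saved Pictures\desktop.ini"),
    (MOD, r"C:\Users\Admin\Links\desktop.ini"),
    (MOD, r"C:\Users\Admin\3D Objects\desktop.ini"),
    (MOD, r"C:\Users\Public\desktop.ini"),
    (MOD, r"C:\Users\Admin\Pictures\desktop.ini"),
    (MOD, r"C:\Users\Admin\Downloads\desktop.ini"),
    (MOD, r"C:\Users\Public\Libraries\desktop.ini"),
    (MOD, r"C:\Users\Admin\Searches\desktop.ini"),
    (MOD, r"C:\Users\Admin\Pictures\Camera Roll\desktop.ini"),
    (MOD, r"C:\Program Files (x86)\desktop.ini"),
    (MOD, r"C:\Program Files\desktop.ini"),
    (NEW, r"C:\Program Files\Microsoft Office\root\Office16\Bibliography\Read Me!.hta"),
    (NEW, r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\Read Me!.hta"),
    (NEW, r"C:\Program Files\VideoLAN\VLC\lua\extensions\Read Me!.hta"),
    (NEW, r"C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\Read Me!.hta"),
    (MOD, r"C:\Program Files\VideoLAN\VLC\libvlc.dll"),
    (MOD, r"C:\Program Files\Java\jre1.8.0_66\bin\msvcr120.dll"),
    (MOD, r"C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICI.TTF"),
    (MOD, r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css"),
]

# Constructed benign contrast: one folder customised, one text file saved.
BENIGN_ROWS = [
    (MOD, r"C:\Users\Admin\Desktop\desktop.ini"),
    (NEW, r"C:\Users\Admin\Documents\notes.txt"),
]

if __name__ == "__main__":
    for label, rows in (("report", REPORT_ROWS), ("benign", BENIGN_ROWS)):
        s = summarize(rows)
        print(label, "ransomware-like" if is_ransomware_like(s) else "not flagged", s)
```

Counting distinct directories rather than raw events keeps a single busy application from tripping the rule, and the roots list makes the cross-tree spread (Users plus both Program Files roots) visible at a glance.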

Processes

C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe

"C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.bing.com udp
US 204.79.197.200:443 www.bing.com tcp

The only traffic recorded is a DNS query for www.bing.com and one TLS connection to the resolved Bing address. That is consistent with Windows 10 background activity rather than sample command-and-control, and the report contains no attacker-controlled domain or IP; do not block-list 204.79.197.200 on the strength of this report.

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-06 06:40

Reported

2022-03-06 06:42

Platform

win7-en-20211208

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe"

Signatures

GlobeImposter

ransomware globeimposter

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\PushCompress.tiff C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A

Only the open-for-modification of one sample picture is shown; the report does not display the renamed file, so the extension this build appends to encrypted files cannot be taken from this page. The signature did not fire in the Windows 10 run (behavioral2), although the same directory-walking activity was recorded there.

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe" C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A

Same RunOnce value name (BrowserUpdateCheck) and same %LOCALAPPDATA% target path as in the Windows 10 run; only the user SID differs because this is a separate Windows 7 VM. The value name and path, not the SID, are the portable indicators.

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10219_.GIF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107456.WMF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Winnipeg C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Read Me!.hta C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21324_.GIF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02444_.WMF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Pontianak C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18250_.WMF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0075478.GIF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153091.WMF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00807_.WMF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONWordAddin.dll C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageScript.js C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14870_.GIF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Read Me!.hta C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EXPTOOWS.XLA C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251925.WMF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RESEND.CFG C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21320_.GIF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01848_.WMF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740G.GIF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\MAPISHELLR.DLL C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESTL.ICO C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0090386.WMF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0286034.WMF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10308_.GIF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SHAREPOINTPROVIDER.DLL C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ShvlRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL102.XML C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107188.WMF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\sqlite.dll C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0250504.WMF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4 C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Managua C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR24F.GIF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN020.XML C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105276.WMF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_off.gif C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
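
The rows above read as a flat event list, but together they carry the three tells an analyst uses to call a sample ransomware from file activity alone: one process opening many unrelated file types for modification across both the user profile and application directories, the same note file ("Read Me!.hta") being created in directory after directory, and folder-metadata files (desktop.ini) being rewritten. The script below is an added example, not part of the sandbox report or its tooling: it parses a subset of the rows copied from the tables above (the flattened "Description Indicator Process Target" layout), groups events per process, and scores those tells. The thresholds, the note-extension list and the assumption that the Process and Target columns contain no spaces are illustrative choices, not something the report states.

```python
"""Ransomware-behaviour triage over flattened sandbox file-event rows.

Added example (not the sandbox's own code). Row layout assumed:
    <Description> <Indicator path> <Process path> <Target>
where the process path and the target column ("N/A" here) contain no spaces.
"""
import ntpath                      # Windows path handling regardless of host OS
from collections import defaultdict

DESCRIPTIONS = ("File opened for modification", "File created", "File deleted")
NOTE_EXTS = {".hta", ".txt", ".html", ".htm"}   # assumption: common ransom-note formats

# A subset of the rows from the report tables above, copied verbatim, plus the
# column header to show that non-event lines are skipped by the parser.
SAMPLE_ROWS = r"""
Description Indicator Process Target
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10219_.GIF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107456.WMF C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Winnipeg C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Read Me!.hta C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONWordAddin.dll C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageScript.js C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Read Me!.hta C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EXPTOOWS.XLA C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RESEND.CFG C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESTL.ICO C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\sqlite.dll C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe N/A
""".strip().splitlines()


def parse_row(row):
    """Split one flattened row into its four columns; None for non-event lines."""
    for desc in DESCRIPTIONS:
        if row.startswith(desc + " "):
            rest = row[len(desc) + 1:]
            break
    else:
        return None
    # Indicator paths contain spaces; the process path is the last " C:\" run.
    indicator, sep, tail = rest.rpartition(" C:\\")
    if not sep:
        return None
    process, sep2, target = tail.rpartition(" ")
    if not sep2:                     # no Target column present
        process, target = tail, ""
    return {"desc": desc, "path": indicator, "process": "C:\\" + process, "target": target}


def score_events(events, min_mods=20, min_exts=5, min_roots=2, min_note_dirs=2):
    """Per-process ransomware tells; thresholds are illustrative assumptions."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev["process"]].append(ev)
    verdicts = {}
    for proc, evs in by_proc.items():
        mods = [e["path"] for e in evs if e["desc"] == "File opened for modification"]
        exts = {ntpath.splitext(p)[1].lower() for p in mods}          # "" for no extension
        roots = {p.split("\\")[1].lower() for p in mods if "\\" in p}  # e.g. "program files (x86)"
        # Same note filename created in several directories = ransom-note fan-out.
        note_dirs = defaultdict(set)
        for p in (e["path"] for e in evs if e["desc"] == "File created"):
            d, name = ntpath.split(p)
            if ntpath.splitext(name)[1].lower() in NOTE_EXTS:
                note_dirs[name.lower()].add(d.lower())
        notes = {n: len(ds) for n, ds in note_dirs.items() if len(ds) >= min_note_dirs}
        ini = sum(1 for p in mods if ntpath.basename(p).lower() == "desktop.ini")
        tells = []
        if len(mods) >= min_mods and len(exts) >= min_exts and len(roots) >= min_roots:
            tells.append("bulk-modification")
        if notes:
            tells.append("ransom-note-fanout")
        if ini:
            tells.append("desktop.ini-rewrite")
        verdicts[proc] = {
            "modified": len(mods), "extensions": len(exts), "roots": sorted(roots),
            "notes": notes, "desktop_ini": ini, "tells": tells,
            "ransomware_like": "bulk-modification" in tells and "ransom-note-fanout" in tells,
        }
    return verdicts


def triage(rows, **thresholds):
    """Parse rows (skipping headers/blank lines) and score each process."""
    events = [ev for ev in (parse_row(r) for r in rows) if ev]
    return score_events(events, **thresholds)


if __name__ == "__main__":
    for proc, v in triage(SAMPLE_ROWS).items():
        print(ntpath.basename(proc)[:16], v["tells"], "ransomware_like =", v["ransomware_like"])
```

The same logic ports to EDR file telemetry (Sysmon Event ID 11 for the note creations, or a file-monitoring source for the modifications): key on process, not on path, since the encryptor touches every root it can reach. Note that "File opened for modification" is the sandbox's hook on the open call; it does not by itself prove the bytes were rewritten, which is why the verdict requires the note fan-out as corroboration rather than the modification count alone.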

Processes

C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe

"C:\Users\Admin\AppData\Local\Temp\2e23adee1604b8f60fd367bffd989931f8d6af409230dc83432b2d90b5dee5c5.exe"

Network

N/A

Files

memory/1944-55-0x00000000760F1000-0x00000000760F3000-memory.dmp