Analysis
-
max time kernel
151s -
max time network
43s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
15-06-2022 17:43
Static task
static1
Behavioral task
behavioral1
Sample
28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe
-
Size
106KB
-
MD5
0734b966a27e64eaeff718b18e469f6e
-
SHA1
8214a6f9ac0c5c4ad4830b6829f2811a2dcfefe0
-
SHA256
28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e
-
SHA512
8a8c46890516e3e34be1de04a24720af96c217c472e133568b7220a191bab5560a9008aeb3d2c9239634295896ef237502c92cbe1fcfc51c76ce0adfbe73e063
Malware Config
Extracted
Path
C:\Restore-My-Files.txt
Ransom Note
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://alcx6zctcmhmn3kx.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 2 file for free decryption.
------------------------------------------------------------
alternate address - http://dtutgqjuzv7sktgl.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###�����������42 46 D2 42 DC 63 44 82 EA 28 DB 1A F5 3D 17 58
24 5C 0A A5 F9 93 98 F1 BF 90 A6 E4 2C 02 F6 DB
4E FA C4 D9 78 0C A7 51 F5 5E 2E A0 AC 4F 43 B4
EA DA 1B 61 51 5D 30 CE 18 8E 2C 4A 05 9A 06 E4
BE F0 03 A5 53 FF B8 77 B9 08 C3 B9 94 CB BF 05
85 9A 98 0A AE 1F FC 82 C3 94 A1 9C 41 E2 78 A8
66 D9 ED 0E D8 AB 6E 69 C8 56 EA 9B 6F 32 68 4C
24 F0 16 10 96 5E 92 05 DD 73 95 BB 46 28 35 61
71 4E 57 2B EA E5 FB 68 C7 56 40 54 80 3E 69 A7
B8 B8 4C 28 69 2B 77 B8 F1 33 58 B4 EB 4B E5 8D
9E 72 32 9E 8F 1F 5E 05 D6 9E 0C A5 90 3D DA 78
F2 58 D8 A7 10 22 6D D1 45 5F 25 91 82 22 EC D2
E2 C3 DC 0C 04 DB B7 04 16 9C 48 7D 60 2E 05 29
BE E5 67 3D BC 0F 5D 49 16 86 BC E4 DF 89 9D E9
93 86 29 3C AF 86 D7 31 14 B2 06 26 35 51 8D E9
2B 7A BD 8E 91 E2 A9 D0 38 38 D2 BA E7 0C 87 EE
###�������������
URLs
http://alcx6zctcmhmn3kx.onion/
http://dtutgqjuzv7sktgl.onion/
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\SwitchRead.tiff => C:\Users\Admin\Pictures\SwitchRead.tiff.DOCM 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File renamed C:\Users\Admin\Pictures\InvokeOpen.raw => C:\Users\Admin\Pictures\InvokeOpen.raw.DOCM 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File renamed C:\Users\Admin\Pictures\MeasureCompress.tif => C:\Users\Admin\Pictures\MeasureCompress.tif.DOCM 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File renamed C:\Users\Admin\Pictures\MeasureInitialize.raw => C:\Users\Admin\Pictures\MeasureInitialize.raw.DOCM 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Pictures\OpenSync.tiff 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File renamed C:\Users\Admin\Pictures\OpenSync.tiff => C:\Users\Admin\Pictures\OpenSync.tiff.DOCM 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File renamed C:\Users\Admin\Pictures\PopSelect.crw => C:\Users\Admin\Pictures\PopSelect.crw.DOCM 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Pictures\SwitchRead.tiff 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe" 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe -
Drops desktop.ini file(s) 27 IoCs
description ioc Process File opened for modification C:\Users\Public\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Links\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Public\Videos\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Public\Documents\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Public\Music\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Music\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYBB.POC 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OISAPP.DLL 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLFLTR.DAT 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE.XML 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\ROGERS.COM.XML 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMAIN.XML 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARVERTBB.POC 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL010.XML 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\Restore-My-Files.txt 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left.gif 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File created C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\Restore-My-Files.txt 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.DPV 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7EN.DLL 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NVBELL.NET.XML 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\HEADER.GIF 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT.DPV 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Training.potx 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBSBR.DPV 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\gfserrortogroove.ico 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\attention.gif 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SlateBlue.css 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\Restore-My-Files.txt 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\Restore-My-Files.txt 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ADRESPEL.POC 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCH98SP.POC 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS.XML 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TITLE.XSL 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\misc.exe 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.dll 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCOUPON.DPV 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\Restore-My-Files.txt 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielReport.Dotx 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCVDT.DLL 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ11.POC 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SAVE.GIF 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\utilityfunctions.js 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Issues.accdt 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.HK.XML 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\form_edit.js 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EntityPickerIntl.dll 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB6.BDR 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SEQCHK10.DLL 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LINEACT.POC 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.XML 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN089.XML 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MY.XML 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLCTL.DLL 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBARBLL.DPV 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\SalesReport.xltx 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FORMCTL.POC 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Phone.accft 28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe"C:\Users\Admin\AppData\Local\Temp\28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1472