globeimposter | 1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb

General

Target

1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
Size

53KB
MD5

4a6a6b20f1cf998265b089feb5012ac7
SHA1

aa88da5ce9890bdf997f221a298ca18647f26288
SHA256

1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb
SHA512

2a103455f0665bf1a52b18c9cd2a7d21ec16e92bf061a7f4890f970705fcaddd6770fc86d88b84e855cdae4f196eb589f05a43d0ac809d00e8cd99b6daa08883
SSDEEP

768:83vuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5YvgO6:8TeytM3alnawrRIwxVSHMweio3+4O

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SuspendStep.tiff => C:\Users\Admin\Pictures\SuspendStep.tiff.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\UnregisterMeasure.raw => C:\Users\Admin\Pictures\UnregisterMeasure.raw.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\ProtectUpdate.raw => C:\Users\Admin\Pictures\ProtectUpdate.raw.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\SuspendRestore.raw => C:\Users\Admin\Pictures\SuspendRestore.raw.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\ConvertToFormat.crw => C:\Users\Admin\Pictures\ConvertToFormat.crw.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\SearchFind.png => C:\Users\Admin\Pictures\SearchFind.png.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Users\Admin\Pictures\SuspendStep.tiff	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\BlockRedo.tif => C:\Users\Admin\Pictures\BlockRedo.tif.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\CompareInvoke.crw => C:\Users\Admin\Pictures\CompareInvoke.crw.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe"	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe

Drops file in Program Files directory 64 IoCs

Processes:

1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\office.js	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxManifest.xml	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pl_135x40.svg	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-60.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-100_contrast-black.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de.gif	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\177.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\main.css	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right.gif	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-32.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\PhtoMDL2.ttf	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-200.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-150.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-100.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\ui-strings.js	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\ui-strings.js	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\ui-strings.js	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\VideoWhatsNewItems.json	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\platform_format.lua	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\microsoft-logo-color.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-125.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsLargeTile.scale-100.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-unplated.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-100.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_scale-125.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-text.xml	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\ui-strings.js	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MoveToFolderToastQuickAction.scale-80.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.scale-125.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\resources.pri	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\LargeTile.scale-100.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.inf	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\meBoot.min.js	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_contrast-white.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-400_contrast-black.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe

C:\Users\Admin\AppData\Local\Temp\1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
"C:\Users\Admin\AppData\Local\Temp\1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in Program Files directory
PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\how_to_back_files.html

Filesize
4KB

MD5
2467233f6bd369e362fe5f9498031e8d

SHA1
42ab7a8057d1fc1d9249b1b9e2b4f71a06700a0b

SHA256
2aa16cf97c03100917337bb0b6e87780cefe6618d7f624183559b7dd53a787d8

SHA512
b64670e1e1d52b40cf6e83decd388061cef15e56bf261d016e3f5c18b23560ee533f40b794ccc8e807a71d171a8bc226bbc88f474be9d247ed3ed90bfff299df

Download Submit
memory/5056-133-0x0000000000400000-0x000000000040E200-memory.dmp

Filesize
56KB

Download
memory/5056-554-0x0000000000400000-0x000000000040E200-memory.dmp

Filesize
56KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads