Analysis Overview
SHA256
58f6b5a6fca911a751d3a30e796de0ea9612fca461404aa5eea6622be08a1aab
Threat Level: Known bad
The file 2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter was found to be: Known bad.
Malicious Activity Summary
GlobeImposter
Renames multiple (6063) files with added filename extension
Renames multiple (7315) files with added filename extension
Deletes itself
Checks computer location settings
Reads user/profile data of web browsers
Indicator Removal: File Deletion
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-14 06:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-14 06:30
Reported
2024-10-14 06:33
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
149s
Command Line
Signatures
GlobeImposter
Renames multiple (6063) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
Indicator Removal: File Deletion
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7EN.dub | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\AugLoop\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\id_get.svg | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vreg\word.x-none.msi.16.x-none.vreg.dat | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\close.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_3qtr.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-400_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\s_thumbnailview_18.svg | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\39.jpg | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pl-pl\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\23.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\XML2WORD.XSL | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected.svg | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\LightGray.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\illustration-UploadToOD.svg | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\include\win32\bridge\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\SphereGeometryShader.cso | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\7px.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CalibriL.ttf | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationSensorCalibrationFigure.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-20_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\KnownGameListRS3.bin | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\WideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-16_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_EyeLookingUp.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\MedTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\SmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1076 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1076 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1076 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe > nul
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/1076-0-0x0000000000400000-0x000000000040E000-memory.dmp
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\how_to_back_files.html
| Hash | Value |
| --- | --- |
| MD5 | 152d8c8fc97b77577fab5650f3ab8256 |
| SHA1 | 6adde26a6ea37c93ee75414ce93845bbba39840d |
| SHA256 | b91b9cafaa622e0d735613b4dd5c9bcf15d5b4d8bedb444984795022835e2bf8 |
| SHA512 | 9ca8d7603918b205698c3874949638e598c219a2ebbb9d3d22223ff27a40e7dcbba1baeb576eab09de8719a998c670f2bb1688b7537af770f1c847b9fcde3680 |
memory/1076-2245-0x0000000000400000-0x000000000040E000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-14 06:30
Reported
2024-10-14 06:33
Platform
win7-20240729-en
Max time kernel
38s
Max time network
16s
Command Line
Signatures
GlobeImposter
Renames multiple (7315) files with added filename extension
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
Indicator Removal: File Deletion
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01751_.GIF | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\PLUS.GIF | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME52.CSS | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0286034.WMF | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\deploy\messages_es.properties | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\Common.fxh | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\header.gif | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_ON.GIF | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART10.BDR | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00097_.WMF | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\attention.gif | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00795_.WMF | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Dublin | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Beirut | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Menominee | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACC.CFG | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02958_.WMF | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00426_.WMF | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\ResumeConvertFrom.tif | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01777_.WMF | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Horizon.thmx | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Stock Quotes.iqy | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH.HXS | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\how_to_back_files.html | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Monterrey | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2524 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2524 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2524 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2524 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe | "C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe > nul |
Network
Files
memory/2524-0-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Public\Music\Sample Music\how_to_back_files.html
| MD5 | 247f04790a9edb6aeb62e06d7b3a17b0 |
| SHA1 | 0f77483bae95975e8e9fdacc368d63adad4719e1 |
| SHA256 | 6c2f36f015b06f73fb2e44c53580fc1434888115629ab11d29df9904cddd88ad |
| SHA512 | 4c90463092f7bbd59d7fbb5f7f95d180c31c8af1c969f4b30cb20ee757e730d599a741216cb208f9ad67774cd22282669ff2569298ad10ba0a9f981e097c9663 |
memory/2524-2636-0x0000000000400000-0x000000000040E000-memory.dmp