globeimposter | 280581114b5770fb3eae124556992da45029624f33f1d856e0364bf38c02fcf4

Analysis

max time kernel
103s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
Size

53KB
MD5

90e1d6b8011c8da822d3e5605bb43b43
SHA1

70b836f42baee09119cd8dd4fe5e4a108d779db7
SHA256

280581114b5770fb3eae124556992da45029624f33f1d856e0364bf38c02fcf4
SHA512

1686865a45706f8a4259902ab7bbabfd68f91a1adce5a67698e3a1f8cbc807b3856e4a4562674684c03f9a0ed01fd202c23d5e17850446aee09767f27366c417
SSDEEP

768:uTHKvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5v5E9r:heytM3alnawrRIwxVSHMweio3Z5i

Score

10^/10

globeimposter defense_evasion discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\HOW_TO_BACK_FILES.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��7C C6 DA 6E 0E 00 73 E1 29 57 A6 87 37 7C 44 DC 19 A5 F9 2E 82 09 66 67 6D B0 41 0A 12 CB 05 9E DA DB 0C D7 B5 5C 0E 99 1C 3A 27 A4 97 2A C9 49 0B 8B B7 F6 0F 1D E8 AD 92 27 3F 61 DD F6 BB CA 97 04 4E 4C 39 2D F0 32 F2 7D 7A 68 2D D3 FE B6 12 E6 10 EE 16 E0 97 92 38 32 DF 3B D6 04 3C 06 B7 9B 15 74 7E C2 1D 56 A2 FA 00 06 C0 64 F6 0A E0 55 BE E9 98 03 9B 48 80 E9 D3 2E 89 E8 87 8C 61 3C FF FB 02 24 09 18 F7 10 B3 E6 D5 D6 22 F4 31 48 2D C2 E8 2B DA E0 AF 88 5F 64 EB A8 CA 84 3F 39 71 29 DD F2 7E 10 22 4E EB 84 87 92 78 DA A8 2A F9 79 48 7D CA EC 6C A3 DB 40 1D C3 7A 37 42 4A F2 E9 90 35 DC 97 22 84 A9 5A 17 0C 1C 21 DB 67 95 E4 34 EE 62 AE CF 4E B9 36 6D A8 A2 09 E7 4F 14 71 2A 08 68 61 8C 9B 8F 26 5A 20 59 E3 51 42 33 37 DC DB 0F D9 33 26 27 14 BD C2 98 99 </span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>��

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Globeimposter family
globeimposter
Renames multiple (6169) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe

Executes dropped EXE 1 IoCs

pid	Process
5856	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe"	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\scan_poster.jpg	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\WinRTUtils.winmd	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-125.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSplashScreen.scale-125.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\HOW_TO_BACK_FILES.html	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons2x.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-white_scale-200.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\ui-strings.js	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\officons.ttf	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymk.ttf	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-30_altform-unplated.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_altform-unplated_contrast-white.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\ThirdPartyNotices\ThirdPartyNotices.html	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-64.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-down_32.svg	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-32_altform-unplated.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\LargeTile.scale-200.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-200.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-100.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\HOW_TO_BACK_FILES.html	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-ms	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\ui-strings.js	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\HOW_TO_BACK_FILES.html	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\StepUnregister.emf	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60_contrast-high.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunCalendarBlurred.layoutdir-RTL.jpg	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_nb_135x40.svg	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\en-IN_female_TTS\prompts_en-IN_TTS.lua	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\WideTile.scale-100.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-400.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\BuildInfo.xml	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-48_altform-unplated_contrast-white.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-400.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoEditor.Common\Resources\ResourceDictionary.xbf	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\171.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\HOW_TO_BACK_FILES.html	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-96_altform-unplated.png	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xsl	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\ui-strings.js	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\HOW_TO_BACK_FILES.html	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\resources.pri	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\selector.js	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 5856	3348	cmd.exe	88
PID 3348 wrote to memory of 5856	3348	cmd.exe	88
PID 3348 wrote to memory of 5856	3348	cmd.exe	88
PID 5244 wrote to memory of 4584	5244	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe	101
PID 5244 wrote to memory of 4584	5244	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe	101
PID 5856 wrote to memory of 764	5856	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe	102
PID 5244 wrote to memory of 4584	5244	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe	101
PID 5856 wrote to memory of 764	5856	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe	102
PID 5856 wrote to memory of 764	5856	2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe	102

C:\Users\Admin\AppData\Local\Temp\2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Users\Admin\AppData\Local\2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
  C:\Users\Admin\AppData\Local\2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png

Filesize
2KB

MD5
e6fce505c199f1d0f19610739c9baed7

SHA1
6a38b79e10e9c1c1469c382aa86acf87fafde3b3

SHA256
fad355f77b25456cc06a98f0ed0daeacbc2b3df5c45657625c6459f2a185361a

SHA512
fdcf0bc88fec5796f8de08eacf8771cb41ed276d8a7923c6ce55a4a977ac90090fb7d52d8b44c9f39e1851de3a3922bb9c4947089a6d4cc6f049856e03c76928

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail.png

Filesize
2KB

MD5
907ef70d7627da4cf24e14d270c0c06f

SHA1
0678d2aba9698a0423823036a5ea596b5f87eff5

SHA256
6cc332714a3dff038a5e8e1e9dff765656ecfdc57ef8fa7cb1ee1a653130b740

SHA512
6d347cd4929f094a9d158111970b6a34247b2d5a26d6d7db7b92c3ffc96c9dbae532389d96555f678504479e17d106374fb030d0338139ebeca31024911fe0d3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail2x.png

Filesize
2KB

MD5
2644948d3030aeb52266aaeb098078f5

SHA1
0508feb1caa88325f7ff5ca37ba93dc66c4661e8

SHA256
4215bdb25e0842bd5a71eb0b73f62e19a4908907ea770c6cad8d02f66b47a1d0

SHA512
119ef9ec35940d790b9ccd54457a45ada68050483ceb20f2fe205034c3b3a994c90c3457052b41375dacd73668b67bcee134cfcfb5a29647f035b892c6de974e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg

Filesize
3KB

MD5
5435ae4bd7cd628d970de003d18b75e3

SHA1
806af379c42a125a561ae2ca6099c0b5679148e9

SHA256
6b7e7b7f0ed8c53d16099338a593f440be9d207aea12959498b3b6c9ee68472f

SHA512
3434fe9af4098cafe9b4725b363b84ad5f85190c871d0a075013f9c29d3b1fb99281bb7464610ecfeea51976288e6d7da517e5b18e21bcc5a0a7969c7dfe4c2e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses-hover.svg

Filesize
2KB

MD5
80242638944bd065275d5fbf232e3048

SHA1
7b746fa81f7392d7ab1b54361fa643f357009ee6

SHA256
6b25d294e223e5745259b5cdc3b01fb20a0eb34ac3a471dc2d33a34690e63c92

SHA512
1ce5125c0f2851cc1b8c071a3b30b7c894b6970d613b21b8eecb40e6272aff3ce30278eca8a14e1c3e983bbff9206c014767dd6b23f3edf122263a200d3b5ace

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png

Filesize
29KB

MD5
b45ce8a5f30928995ab676330159b698

SHA1
a0b6db2adb667cb8c0d962dee6718425e7e4ae02

SHA256
8226b88b619ac204276539ae98b16e6755308fea8b29fdfdba786d9113da5c3c

SHA512
f4688eb2b97ec35e5fd7cd88e0d7e5870303db15b5eb4307f6fc983c1543c490453d69febcd18c287fd04cb7ae9a6017996dc6cb418ab79dbd71050336521e24

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\editpdf.svg

Filesize
3KB

MD5
325aacbbd454729608b1fa0879c5fd95

SHA1
12f2bb23761501e9d65d44912209fd948d472f28

SHA256
0a0966bf9566285911d61459dee3ea4c03f2f7c835cf7498780f010f4668c0d0

SHA512
7160bf335c340f5465105c294c1e1d1da15de05b3c42b703422a8cf268a1a8603db8ac115d9e05411593c157550df16dc9211d6e2c700379c837bdb94be9e586

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_selected_18.svg

Filesize
2KB

MD5
2e9315ac049006311ff6812521aed260

SHA1
b40fc9865769398c18b3b3800790e7d8fb20b810

SHA256
7a1fd23ebefe6f02fd20be9a025deff578a1e4e391e006de50563741cbdf9d33

SHA512
0392833f914bc357b916b61b466cf51aedf787489d0f207b98690c90787dfd79738f554c49890f37213084ff6963bdaabf59530e0369acdd63bb291301cbd015

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-hover_32.svg

Filesize
2KB

MD5
6e7192eaa9adad6f95a77f2ca40a11bd

SHA1
473dfd7a52b28582e40301c249a52756eacce4e9

SHA256
3d012291de21f4a26b6172bfa18f104a00cb65fd69447f4a60ff6caf1ada124c

SHA512
17a37cf4d8ad975b8ceda97421707ef1a5f7bf095f51221e25be963b964356a3e3105a7d1adac53a61a084e9b9287f65316c195e840fdac1646e5b372273557f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_forward_18.svg

Filesize
2KB

MD5
f41c5801b3db3d951fc5f3331443e050

SHA1
821124aa2bfbe9f2ce579f6853867a757e3597b6

SHA256
79d8e2312f4c42182771b30662418043c6328cdbeca25dad5745d50d1cf5f544

SHA512
1fffe709bb100974acea45c8e6f0f1399b759ca0cc9fa13aa9ad1c5c77f33714918136c4f3899f61889082e97899f194bd1278a2337f299a58129add75b2b863

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview-hover.svg

Filesize
2KB

MD5
4c647dcab0f83e96c3ddb115273397a4

SHA1
3e8536642fde36f5a0f81c9c8c7b68d43124e372

SHA256
74b7c0ea81edf2bcaaea47f306269b9549855e564ad0f12c57d3cd5a8ab11697

SHA512
8c24f6f2b615aac6ff039a637511f92886f47df12398f9c2ab38e90914484636fe001572c3a3a8ef62cac99aaffdbdde271ec2636170e3f9f02c92fb656e39fc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview.svg

Filesize
2KB

MD5
c2d0314e1bf1a3b009ee732f37e2e05f

SHA1
718ad40031bf7d2384176e1ae07db9b197545a4e

SHA256
245d00b3fda422072295f0a49a5f41b9797a0772fcb85bd558a6821574efce7a

SHA512
c3e00b338a57a08e9fdc14b2a4170258ebd329116f285b919ace207d2197faa753f35d5b88986c6c4a8226c8bf4c565af62a5348d0fcad3198d29319e50273c2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\ui-strings.js

Filesize
2KB

MD5
79e1c49c2f3b81f06345bb1d17f910e2

SHA1
d35a60e0eaf697096881f6a872b6f0fafda2b064

SHA256
806e1cab7c80b17d7665a9706dd7e3dfde2917179aa8aafc02b2e72c998228d8

SHA512
9c9d82ff990f30a3c9ad74c8e5bc1115ec68decef115220fa4c91d9b88bff4f3ca15a23e1fea08055e090b1f021829e30442c1abde7f67bb56ec94452f92891c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\ui-strings.js

Filesize
3KB

MD5
e8ff1ffea10abb2b0a3a914d12dcd2cc

SHA1
f645703c17ec891172ca980987d1b69b3779235d

SHA256
20e55ce5d8380fb85271d16950fc4505ba327287bdd5237738ad8958739972d7

SHA512
01c4088563adbe8701b88bb7096ebe6ae4b4ef3c12772d36682562c80d6a59672be54b21c5f8a6d905ebe4a48c6a016fffb9fa68889c4a88bc4ebd3ddb30358c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png

Filesize
2KB

MD5
3d186be84300492598129e9cc8a37526

SHA1
3bf9f5248a4ec97c36a15b0450693b07ec6f4f70

SHA256
65d878eb73f4753ee289962f363e914c421f1585a969f31f7a258ffae53a9489

SHA512
3e9c013c211643c39f391e7a184d5e62feb6a55ccad307e7b0ddb7cf856ebf1e6af727cb669423323e242a19dd56e80d425023b2a801e49a60f827ab689fea5b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png

Filesize
2KB

MD5
cbaf66e09d8faa030cde1a5638484431

SHA1
5d73a630d978085911e0d4c973ad489c0d7182ac

SHA256
00e53cb404b9a1b35ebf005340db566210f0b678fbd68334df37d456914f4908

SHA512
3f2ec5360fb66cd34eb6d7ca21bde9994bc83088e81c2c7206ee8523c63160790f00cf5a072a51fabd5574b2471f1d9b5b901bda05fc989ab24a74d24727426e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png

Filesize
10KB

MD5
014e72e86225ec3d37e6a7e73d31beb7

SHA1
700cf0092704806167643bf3e9c3e4019aca81d6

SHA256
5860649420bbe8e702aedde2e086237911950112097131f1b63700fe14be89b4

SHA512
56c1f174156f757eea7215fe31282b837554b6f203fd7104af24e5bb08607ff42917efd6c8a618c68b2d4dc2034e1b67f7d4629e5ce244b962dafe2eacd95b2d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\virgo_mycomputer_folder_icon.svg

Filesize
2KB

MD5
9b15652888cb05c516bc32aa6f707fab

SHA1
65f16a9ccdc15384ca022c41a895be79732a9465

SHA256
5064e2a9766d6c67cc8dcb46a78f1191a8426a2392bc4f0cbf4f1b2bef8dc422

SHA512
3a6079af345c70cccbbb24b04d9fdda17ffef6f7d3316bbe50e711888551c5544cd07261e98cacd4bc570f57bdbc724eae9264430eead6dd7ceefe5e322c7b77

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\print_poster.png

Filesize
47KB

MD5
9acab0f5b206dd132c612a536d6bba67

SHA1
c6873aee7f9a33117d35d49041449e8f9d2e3903

SHA256
848446b5252e246787dbdc19a074d894ab27539df700e89d2ed08c7633c44309

SHA512
8cecbf8afe01e79f96f5c4a84871d76c8472a9797691a7e66fdefea75c29498bce188595fd14add47e99f2e96c441d4f771450474cc624a5d8da3888cd192a23

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\AppStore_icon.svg

Filesize
18KB

MD5
ea76da05fcf327891042164fc9b42588

SHA1
20f610e68b25c0fa489b0c909d3c21c2b5cd0169

SHA256
fb9e627a8e92cb847eb6b78d66a0d28f73ba2fb697558ffb25a97314a841c97d

SHA512
2b3b0b2691d85dc5a117a0c49e0ab5b3d063dce8c0ed82de4b5c5e6236e8662e4eccaf9f1902151afe56b2a15ff087421ebc6ef614a1637fec473313e4af59bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\help.svg

Filesize
4KB

MD5
5bf6051ae4fb285b0a396c3783cfdbee

SHA1
0062611aa48d56caa90702f146696353ddbf4b61

SHA256
01a4c61cd28c18ca94c803a23db56f044eda69f88abbd314b26819c8df0abec0

SHA512
89d31f573d606133ba3c52ea658a6b37f24686e0c773f414867e3deaf1945fc3ef4825e510f2d51e1c5fda993c360b0209519cd3d0fab7f4eda2bb47addcae12

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ko_get.svg

Filesize
7KB

MD5
3b3dbb5d3adc41b179cf60213632d9bb

SHA1
eb39c77af4514d0fe5d76e09ee34d40ab9839b5a

SHA256
6279c4fb7e59c8182d7d329e724d8aed6f63f498b43aa8643322e1c2dd55a785

SHA512
396047e4ed9947bc02b16c590d0037d4ddbf08fe2e27452e153f79802729ba71355836710bc881eaba3aa5317aef1815399bfbd37ffed3796fcf2ffe338d99f3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ms_get.svg

Filesize
7KB

MD5
32cc9fe73f2af3a2eebb2c1a2de24b84

SHA1
fc0303e85145f577407e9e8c03abc8c78b084a0b

SHA256
1391bfd6b8ecbb295d542d4b4d167348d36a1a8805a9bcdefe285c8f9414fafc

SHA512
61dc998a2da2f100d352914c2ce881f0d1ddae78c23b0dd6f90d6c83e8acb304e392b15a73db9a344c6a1f29cc441f7e5721c02579f7e897f44578178dd7a969

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view.png

Filesize
10KB

MD5
6ed8c4a50b6669f5dfa23564271c4cfa

SHA1
cc9f807c0012576f4a412184f2538dc3aca59730

SHA256
f2c9d4e7032f79f5c460c775fab27c6f10830bc22761a49571a3455c373084e1

SHA512
0e60a559278565af5f9f778c541853f50f3ae565fa4e3343fee5990ef45a82597d14beb7f9606d0ae7bf7a4d737c74b5f4dc260c34a818a17e553b5e77c70abe

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2-2x.gif

Filesize
813KB

MD5
3d19cac58f0f9a6c6404a6f0ea305f40

SHA1
5ebd3d698cb345f75deb6b45e96d7eb6442720b4

SHA256
dc7ad3203f9184fe43d77bc0ccf70421e9a3ae107e679b5c05a76008cbbfdd3f

SHA512
1b79a92f8555283b5b24581a8a59ccaab324bf57480b4129fadaf4e3f92158417760f6c951f2d44c67a43fa68163afff854568fd94b7e2d9eaa1b5881ea7dbd3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\s_thumbnailview_18.svg

Filesize
3KB

MD5
187cf8eee8971eb1c8376ef66f0a0d76

SHA1
cd115402015095fa7802e0f39ddab7f8b90bb09c

SHA256
b17830f9314f1a9eb38776239824636e297a5650320710182c91af24a29a2c1d

SHA512
990758cf5b69f6504f34d569951e50aa794ae8ffcf686f2d0a4ede019908e005aaf2e365843d499f9ff45364ae039064872cd1e1a3f003e51aa53e68d9a5448f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\sat_logo.png

Filesize
2KB

MD5
ed0e043c842a1f0163b219dfa58d0404

SHA1
1362369f8d6f22847eaa3b45f8f35dbdee4f5a8c

SHA256
c624996de67bb8a4b8bbce60cd1b29ca9cdb80e9454755682c2b535c06f34ff9

SHA512
53284d77413e36afe898d4d7c0286127a0e40135a15eaf6152065353be6aa80efc1df8cc836a7aa7ae5e77d906abf2943d98660a37bbc4d085018e266936dfbb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_tw_135x40.svg

Filesize
16KB

MD5
4aa2b1832e0283be72d300638eeef887

SHA1
373a3fd4d7cc6f0a310384b523ca15adcf837399

SHA256
71929732c1072fa654336aee74e21f240b7fc7f100f4a7edcc6ebd1167ad15ef

SHA512
b09863104aee37c8b55baf2433c973864a39b05645b52cc1a68e9c62ff67675d40fb9931c3f96264c6a7a15605c5590c7e10404426a77c9a9f59175cec8ac9b2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Confirmation2x.png

Filesize
6KB

MD5
594eb771605611f2957cc10c57c65ac3

SHA1
1d8e496697e4abf997178148323b4fdeaf8cff6b

SHA256
68449485a17e099123fe4f4e151522c694fdb3f46d140c6eb84ac6c2b86024c0

SHA512
1f31fc603977db9ecab9d5fa3c4341d90e163298ccb34f15f1b75ef38f947817a12744a8c4cd5d49ba47ad89121a8a0a5ca88b9d6c1be494670d18af0e440cbc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-BoldIt.otf

Filesize
254KB

MD5
0da098b1983badfce4fcd58200c2af27

SHA1
df7abe11e9f5844ed96afa8a43c2ad715c6fe09e

SHA256
d947add580b5a06f5d3b3b8fe63cf05c9fd154d75f6d79a1e225c9b88460b412

SHA512
0bcf8d70985a344e1732be2939f41d130111355eb67fba23ef7d62a73a06fc6d8c8f699d70e5d79307755a0a49d7f5427590aa8f9ef73560731e610f106c69fb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT

Filesize
11KB

MD5
76e38922037f70c0790a7f29d4a89b17

SHA1
9208f485cc18b0b91f889ce8ddf69793a2be8aca

SHA256
d795e67a056cefefe475a1d11a9eb4fc27b6ef64298af99f735d74f00b403803

SHA512
cfa4fee4edeb5be96fca67aef1f16754ddbf81cf81e3bad434d7f048352791e0244c548dd91b29026580baef3ef77c849e43ae16d4bc9eca547b32eb5900bed3

Download Submit
C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms

Filesize
13KB

MD5
c76d67b6907f5a2c34e1bbc23ab0ef0a

SHA1
ab5901bbdd61115aa1723b2b47f63d2b946546c1

SHA256
7ef57346dbcdc4b4be83fb88cd93d6ee181b81b2276f27fad43c8edc2ffb584e

SHA512
5546e2c8665c7480d93085a918d5a3691f86a8b04f7f2608704ae670ba4462deaf168743fac7850e2237c42cfc5a9bb21aca5d96db27044f23b07e207b1555e2

Download Submit
C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms

Filesize
21KB

MD5
6233538712acd0052740356c959e86a0

SHA1
dd2d4201c58851df02dd1d2e5c2548f1eacb61e7

SHA256
ab3c2b96b50bce1000f099a5e405ab6cd0194ac6e832a930843a05cc8d9db9d6

SHA512
93341e0a936189846e33b8dc6ed43ab19b93268172ecb57da993ed04b8fa1de0c9e22eb8dc1bc2aecf636a13600d69190e89195d7cece320cf64015110179b7d

Download Submit
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms

Filesize
21KB

MD5
a52b43e12210bb52bd83097e2b259635

SHA1
580e1ba2b640ebc189f79557da8763ec7020378b

SHA256
01b92851a0f2a684c4be83803032d184b2fc185e633a67467ed8094606ed0f04

SHA512
129ba8aa1a6fa8b27ff35af23536de47233519033ed5b7c8a25e0f999a94d9886d5300de3dd7eb6dc9df064a4a97f15f2a21d7e07c76605a836b05922c0a2050

Download Submit
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms

Filesize
12KB

MD5
aad108614093ea8b1f07a931eb1cdf19

SHA1
f06b133101bb1c6fa2ddf1897d6465fd84a42288

SHA256
02b1f94564fc3d69b8789a010b437bfaaf776b626758d0a7d5d73e83567c4bb0

SHA512
13c2b63633247e0bafa8524dd679131b7ce997bc56bfb5597226e4968881540b255082d0a7513088aec52250667290029036105c6261a5e1a2fe0f66a5d90853

Download Submit
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms

Filesize
12KB

MD5
489258e8583285740c946a4e51ca115b

SHA1
0167b789221cea6a3dc3e85fa4f17a75872810a1

SHA256
411fc89954f38a8a4665dd91c9d1fc7cc88ab5ef9c82d08c7dd128a990741033

SHA512
75689b7da6909fef088017d7f4925984045cacdb9116541378feea7952206fda0994aee5017f2df64e12df091d3f59f15d1cdabf3a8a9a29fc08818ceee209ca

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml

Filesize
5KB

MD5
f85ff870cdcf42a13e9bdf6b687ba18e

SHA1
5ca591ba244b15a86569e8b5e848e2c54b33cf46

SHA256
71b7fb028eeaacf610c3ea76a2bed983287afbfa048a5add8b6e777e564d9a9c

SHA512
4358bab2db01fa4d3f260748d1c29fe2c20688e624fc824909ec71a4f971bc6e198744978db5c222ad122f4a65655aa8e26d4bce1644d8a062f7cc1aca0bd71d

Download Submit
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl

Filesize
31KB

MD5
0a8537b2f74f0906eeebb7a838c49aa8

SHA1
e34c58c44ceae055e6da87be5e61b8f19390667e

SHA256
970293d44436677f352099740ec8e30e0e414d82d795e1a0cc666adc1567b7ed

SHA512
64f42656250ad97a74ec481770f0da5b65d231cdf5ffb81acbc04727760413f1e0c383231b00a49d4f178261e59f212aa5c3c490ac272f605601abdfcfccd978

Download Submit
C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png

Filesize
3KB

MD5
1c971ec594bacb73d20f9f4a11091bac

SHA1
983638edfdf62c65adeb93a1d578a5598aacfb83

SHA256
984e31d67b78fcb55f3380a1e7caad9e669e3d6ca2306c730a5e3e46434ab6dd

SHA512
fb34dc93735feddc0521a3934b7d281a2b929a7788d69b2fbab7d9dadaf5e521657de064fdd2d9fc46fd6fec15ced27829f282f9836bdc52b5474538c0dfd659

Download Submit
C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png

Filesize
4KB

MD5
895fe2af93e4780fc3ac95fcf84ebe4c

SHA1
083df779194d4c96e4cdd42e13a05277b6218bc2

SHA256
6788e7337f2a9d4f218dc47d4e827c0f6b852ca54a0a61b8d74d85826b968f41

SHA512
b236f6625d02081ee8792faf7969f8d8a46597fbe2d11167384b0671b34349c5e386878e6091aabd0183127e10fa7fa585e7ce3f4c9e75e1e0a83ebee9316b95

Download Submit
C:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV

Filesize
5KB

MD5
88eadaeeba40edd370308ccba652972d

SHA1
8e55691ddcd886914b80fde040ddedf390a63778

SHA256
21e50e5425d21f2692da5c04fdf492bfc4f53a32920140e51fb9543c5673e470

SHA512
baca04606a8e81dcf4c2bdc2d898aa72b6ece11669c465d5d85109d453c2518ed233b361046fc78f4cf0117f09243d5bd916f2a9981fd8b6f03fc12e46d1c6ed

Download Submit
C:\Program Files\Microsoft Office\root\Office16\OFFSYMXB.TTF

Filesize
51KB

MD5
3e1b3d7d21daa63ac2d8ab6eb2b76c20

SHA1
7c9533a7cc2c682f35e6d76d3c6ff183f7664b78

SHA256
b186c163547d5c9b0124f774e58d084b2ce4e0282d19ef13a23c5f8222333b36

SHA512
1c4d4a0ae9632a5700f9305c04bb5bd6f7b86226f559c833626a5ca587e1aa86aa140d5a25af05885beeb981140750706f152bbdd5ae05d813755f15da3f20eb

Download Submit
C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml

Filesize
2KB

MD5
c21923863bc4579abccd0348ba1d1bfd

SHA1
7924879c8485bd8f41483b87153960083d329658

SHA256
b001b4b08d1f5c4b6b8f572af6b0ed5618b171eab3fd06b8bb27a4d4146ea0dd

SHA512
c5f52ff7b1329e8fffdcb3c98d291062054289d160ac57dce4cc2f50b1ed0a4d558a9cd901701c91aa1d8f5cbb1b33c2ed1ec84fdd645b691a631eabedf4a42a

Download Submit
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN065.XML

Filesize
48KB

MD5
90a46b801955733e65ee209176151062

SHA1
7f2318e419aff9cee0a9634c5c7d13596c3b136e

SHA256
22b2a42a0e3610442afdd8cf70ba79374e40eff9aadc0e0e0cd000e7d1006f88

SHA512
cda80963a03fb316fd79c89fa3c1a493b2e98e089d178894d7cc21afd072531aa29f42cfa1299024f5275c44cd6e31a925a081398470c119c24458f82c719469

Download Submit
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]

Filesize
2KB

MD5
1871b7905455b1f4b25e527e0ef0484d

SHA1
99aaa60b8ec8c5303053f67c5a12669ad0269304

SHA256
eefe77f9173eeb9cea5bc4a76ac226b91a7a981aaa9523455852ad190c2f987e

SHA512
c0b2a0b6a4e263ea32843e276210dccad9987c666e52a13bde63d7d0279b1b87bbd0aa4b4d3a7b9f480cb165da4c67ac70bac6f5bd77bc3025f24fc1c98276c1

Download Submit
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]

Filesize
3KB

MD5
a25a97d9982e9d932fcbd966c35c8a3f

SHA1
4bf6e4c346fd328d94f87907ec9bcff4dc97c7ec

SHA256
3192b0e57dd9a355ab190bc39828cdf11da812ba83ce053d2c0bc6d0e69fa867

SHA512
a4b2ab806ba36b11da4a058f9b883336b274701433419d5c344946beb1467910bc0da7177d7bf3ce4a135d738b6c1b828a2b76806a75b3a2f6e99650e75715de

Download Submit
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png

Filesize
2KB

MD5
ef01b216ebc48da3c236b40a58c4f7da

SHA1
278602435c3a07c0a48286ed791dc8e405b451bb

SHA256
2fc57a307068af8b6f75d396c031968ac70a96027ed514f683ac38d3513fb580

SHA512
5dc9d4ffef5c5098df1cbb87f120e8ce7e63dc8e6b7807b3472f3e6e610b6f6f15fd1cb217ba58cb26f5e1a3571dfeed82da7ba4fd00c417854c140a244dc638

Download Submit
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]

Filesize
2KB

MD5
02614d0911fe42f9a41a6f8da8b7489b

SHA1
a72f032c9963397fb19cce34f6244a8c69169e85

SHA256
ebba6e0d785691a5314700c9bb07e32fb34b9dce237d9674022804fa6c6e6562

SHA512
6f7741419e86e85c0a60c416608e50fe16dc7f9501648c2e5403f470510f2813b34055f88230f8de03dd2b649f38c7a221d7ded56126db50662c39fb3320e2d0

Download Submit
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]

Filesize
2KB

MD5
c2552b3c4a0c04e7c174ef772f17015b

SHA1
a33fe171c8815510e4dfa5afd958be618c7ce27e

SHA256
8dbd713bb700e5a465dca669eb3114489d3aed94b312edbc04ccef5b2b7d0523

SHA512
7212df63c3126aabb2f9482cd338dd97c9767380629905dd01aae763223f1705d40270bd465348a80983c0260f457be74935d6c63cdf786c6ad17a6d77d33ca3

Download Submit
C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat

Filesize
24KB

MD5
5d838f6c2a9bf9d9ed710254bca8c409

SHA1
8bb4ab468db2d2d86064080e235828607997432c

SHA256
38a167e7fb809c7ab65bd33ae3b00be17c0d0e10be749738f894cffe44825a39

SHA512
53eb0e588937d07f56f94d2faa84bb0daee49c53fb8df776ac931a4bc9f389f141e85c4d39bdf3faf98eb544c90967769db663f71572114d33f41ba7f411d30f

Download Submit
C:\Program Files\Microsoft Office\root\vreg\proof.es-es.msi.16.es-es.vreg.dat

Filesize
65KB

MD5
e2c377905c1a5ca8ca23431d75becc9e

SHA1
fdb361f34197bd7fbce3bd39db8be8a53a7ee2fe

SHA256
8a1647c5d6e59ea50ae088a4e20aa57c06f4805d092926172f463b262b5a0e00

SHA512
dbdaf20f9c79141b412a3481c8b4a102e745bf419f0e64294691b653c0e322febf91e8a32ca2ee11fe1b2c20bf308ce0eeee2f9a56b656470a14798c6e015b91

Download Submit
C:\Program Files\RedoInitialize.dotx

Filesize
1.2MB

MD5
48678b75bd91beb86f3a10cab9b98fe6

SHA1
45ca1d4709a529ab83f687b70bdf1467ed8b2cd7

SHA256
be0a13d94f7f85ffaedb7984c7b99d5ae8faff66755f2613d68adb6008b6caeb

SHA512
7ec010d558c88f2af6ca27dac7672989b304fab4acb3126db030e653e05c5eac50a0f6f704e73a95b08b546acba15f1061e3ca667c3e38877096d66fbd293267

Download Submit
C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png

Filesize
5KB

MD5
8e65a570cc820a036fdf925a5ffb7772

SHA1
528ed52a577077d1ce6460c8b36a72e275bb0726

SHA256
ed70ceab06359528c83ea041190ce2c4d39499e0da5392248848a69cef3f2409

SHA512
e1ecddd3716103214e95bfafc394352465f3fc5da799c1e1d1c1267c2d7c94c303fad38346fccb5152d0657d2ba43f1687c20cff6419b4c0cd9feb23ea7d3f70

Download Submit
C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html

Filesize
4KB

MD5
b575e18ce01e2d38844e288315926723

SHA1
ef52f35ee7909c9c68c38111ed0291907bc1bb7c

SHA256
c25cbca28ff16154e79f987b32aa6e4432c8f8541b27c35be0df13046ec4f2d8

SHA512
fc414c6064147186eac96340d3b670c51f90cf8e4a40228e42ebcccd8793ba0835398371919f1b775fb39e9c3b990706902ecae1c15f3c25c2c24b35a91ef1d7

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\HOW_TO_BACK_FILES.html

Filesize
4KB

MD5
671311ab87cbe957e4ac2acfc4c900e6

SHA1
5c03bff2fd102bdb5c961dbea7df3a0982707aaa

SHA256
299408b0a421825482d1386467c83453b338c5f2cc10787a90813aa568883454

SHA512
aac9f81b7fdc02480a3c976caa1fe4e2d3e063015fa4d717358bd1d6263383924a8ddc7a661e07406819de1b74d1093921d841a65ae04bba3075432ed7f2257b

Download Submit
C:\Users\Admin\AppData\Local\2025-04-04_90e1d6b8011c8da822d3e5605bb43b43_globeimposter.exe

Filesize
53KB

MD5
90e1d6b8011c8da822d3e5605bb43b43

SHA1
70b836f42baee09119cd8dd4fe5e4a108d779db7

SHA256
280581114b5770fb3eae124556992da45029624f33f1d856e0364bf38c02fcf4

SHA512
1686865a45706f8a4259902ab7bbabfd68f91a1adce5a67698e3a1f8cbc807b3856e4a4562674684c03f9a0ed01fd202c23d5e17850446aee09767f27366c417

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Filesize
70KB

MD5
23f3a14739279bb8a5278b480f8adb8e

SHA1
6956c8e96789c4280e7ba4df5de7548aee40f885

SHA256
f71555d2ba68aa38330f5b64d0ccdde19e7528d2bc1172fa4b9e636655aeb865

SHA512
0cc2f200c43ff6b82d4010ba5b76043d01eb0fd494a74b37ec3db698e05e4bd83ac4453cb39d8b8afe42f6e77d4f6f9b9e2ab38670b82fa04d67f75a823e1d9e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
13KB

MD5
a90aeb5ed950c4dc1802879156e3a1d8

SHA1
69b4c61ff3068563ec6f28ed7889effc85e7de1e

SHA256
bd641d5f34970d0ea75909b61a9f0b7a67a06b92e27cdc9308d92f75b4525a8a

SHA512
5a9d7e9109c88ea533516b14c6504df6097b3016f1a920b084d27c13da672187e6be5ca215560cd769024f2574d5b12b503e250440318846231b92df5669c832

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3xhpu52e.default-release\safebrowsing\social-tracking-protection-facebook-digest256.sbstore

Filesize
2KB

MD5
94b31aedc91120f05f0ef3dabf76b24c

SHA1
8837a961ac3f96452226d5fc414dcacadb326826

SHA256
7838180b3cbb76f12dff0c5a9150670a1790bbe7726b94b052d51c383930ac0c

SHA512
b1fd73ccf9f27915b49f8ebd904644c998eb0947b378ffea5662e012376830de9fa1ef00767f2090091719e76abeeeca7bc9d598316b5d47c8fb9274a25ab592

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BB044BFD-25B7-2FAA-22A8-6371A93E0456}

Filesize
38KB

MD5
1a7e6521620109e6d6a68841201dc502

SHA1
c694775d27071bcdb3896c178b70a971bb692322

SHA256
0f79aea9c79c1c6db8b2a1622cedfff920409ed428c6769e223e15f5a5c496ab

SHA512
62fd29c78071985e4a557a5d1beaa634cdc68e90037a2dad1612eb0b400d1b164c81f58c6d82b75ce106526a9d109a5a3325220db8923d5734e10ba1ac61ea6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BD3F924E-55FB-A1BA-9DE6-B50F9F2460AC}

Filesize
38KB

MD5
6baa93d5c77051f28080c2fdbe8708dc

SHA1
53d141f5322f694ec90b82f7d09b66c871210b78

SHA256
b6c17d73a2058c3d8489e77b4e9cadfc2edc126bcbe75d1f61a57f2a18394737

SHA512
a5d50aab6d19e48c204d2644f32e9aea160c6e93e48984212d014ae8371ec13ecb014923dc70f2e1d916a9f7000b6cca2c98538d97b6fa76218522ceb35d4ace

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{F38BF404-1D43-42F2-9305-67DE0B28FC23}_regedit_exe

Filesize
38KB

MD5
77bb4796e01560612679f9e1846470a6

SHA1
2077266eb8214729d990700b3fd9a8c7643fd67f

SHA256
a96a3aa87e1c654fc98c577365f4bdb5e9c1805d364396e00c03a7049fa02019

SHA512
20f842cb8f7ab160ba41d056550fb0bfe538d1e2169010bed2081113505315412dda7c3de83e33f62d3c181e0b7ba0fb5b75be29bf4ece292784e6ac34ab1c64

Download Submit
C:\Users\Admin\Music\GroupEnable.ods

Filesize
585KB

MD5
f7d194cab54a0ef9732bb76a3fe14f96

SHA1
52d683a98c9698f42e5dc1900c822987aa272331

SHA256
7e01ceffce628f755633e8645e4e6af52670b766bd6784a3a75bba3260b817e6

SHA512
0b2c73a0afaecec2661dba4e4246d225dc0236d440662a87e6fda2f0f8d627b4645cd722bd51ccfa34bc6096454c653609276a330f24b9018c9b67df3459a05d

Download Submit
C:\Users\Public\4D1850727698D645140345A948C81E97506131CE6CAABAA2A018743BDCDD31A0

Filesize
1KB

MD5
252b8f47bd3b365f7c9f5ff08087d938

SHA1
17daf36530c2b580e99104e7ef2587f861d253af

SHA256
aa553e1a68ed7c8a4ba29ef136c0a43aa7c866aa9be57fbed00426fba1cdf148

SHA512
577e064e591259edc69ad4403ba9c0d54fe1a580e1be6810279f2b49a9c5574185dcba0a3dab218f1d4eb4ad15957bf9a6e4afe5fa256ecd5b000b0c7db25dbd

Download Submit
memory/5244-3304-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5244-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5856-3874-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads