Malware Analysis Report

2024-11-16 12:47

Sample ID 240304-x69rcabh83
Target d24afb6a82b6b4b2d08f2fa51eaa214371350534dc9af826e5a31f48fc8da7e2
SHA256 d24afb6a82b6b4b2d08f2fa51eaa214371350534dc9af826e5a31f48fc8da7e2
Tags
upx discovery exploit persistence ransomware spyware stealer
score
9/10

Analysis Overview

score
9/10

SHA256

d24afb6a82b6b4b2d08f2fa51eaa214371350534dc9af826e5a31f48fc8da7e2

Threat Level: Likely malicious

The file d24afb6a82b6b4b2d08f2fa51eaa214371350534dc9af826e5a31f48fc8da7e2 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery exploit persistence ransomware spyware stealer

Renames multiple (8492) files with added filename extension

Possible privilege escalation attempt

UPX packed file

Reads user/profile data of web browsers

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Deletes itself

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Analysis: static1

Detonation Overview

Reported

2024-03-04 19:29

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 19:29

Reported

2024-03-04 19:30

Platform

win7-20240221-en

Max time kernel

72s

Max time network

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d24afb6a82b6b4b2d08f2fa51eaa214371350534dc9af826e5a31f48fc8da7e2.exe"

Signatures

Renames multiple (8492) files with added filename extension

ransomware

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Termite.exe = "C:\\Windows\\Termite.exe" C:\Windows\Termite.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment.exe = "C:\\Users\\Admin\\Desktop\\Payment.exe" C:\Windows\Termite.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\mswsock.dll C:\Windows\Termite.exe N/A
File created C:\Windows\SysWOW64\mswsock.dll C:\Windows\Termite.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\mip.exe.mui.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00919_.WMF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00555_.WMF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15058_.GIF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21334_.GIF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-templates.xml_hidden.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00352_.WMF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106020.WMF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297757.WMF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN044.XML.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\notConnectedStateIcon.png.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\BOLDSTRI.ELM.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01146_.WMF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\PREVIEW.GIF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00439_.WMF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR25F.GIF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALSO98.POC.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MENU98.POC.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ADRESPEL.POC.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107516.WMF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01149_.WMF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Teal.css.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jre7\lib\flavormap.properties.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0088542.WMF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR1F.GIF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\settings.css.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR47B.GIF.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.DE.XML.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE.XML.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\NOTICE.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BREEZE.WAV.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files\Mozilla Firefox\removed-files.Xiak C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.Xiak C:\Windows\Termite.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Termite.exe C:\Windows\Termite.exe N/A
File created C:\Windows\Termite.exe C:\Users\Admin\AppData\Local\Temp\d24afb6a82b6b4b2d08f2fa51eaa214371350534dc9af826e5a31f48fc8da7e2.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Xiak\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\Payment.exe,0" C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Xiak C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Xiak\ = "Xiak" C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Xiak\ C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Xiak\Shell\Open\Command C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Xiak\Shell\Open C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Xiak\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\Payment.exe\" \"%1\"" C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Xiak\DefaultIcon C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Xiak C:\Users\Admin\Desktop\Payment.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Xiak\EditFlags = "2" C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Xiak\Shell C:\Users\Admin\Desktop\Payment.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\msconfig.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24afb6a82b6b4b2d08f2fa51eaa214371350534dc9af826e5a31f48fc8da7e2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\system32\msconfig.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\d24afb6a82b6b4b2d08f2fa51eaa214371350534dc9af826e5a31f48fc8da7e2.exe C:\Windows\Termite.exe
PID 2208 wrote to memory of 2120 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2208 wrote to memory of 2644 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2208 wrote to memory of 2740 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2208 wrote to memory of 2732 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2208 wrote to memory of 1816 N/A C:\Windows\Termite.exe C:\Users\Admin\Desktop\Payment.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d24afb6a82b6b4b2d08f2fa51eaa214371350534dc9af826e5a31f48fc8da7e2.exe

"C:\Users\Admin\AppData\Local\Temp\d24afb6a82b6b4b2d08f2fa51eaa214371350534dc9af826e5a31f48fc8da7e2.exe"

C:\Windows\Termite.exe

C:\Windows\Termite.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysNative\mswsock.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysNative\mswsock.dll" /grant administrators:F

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\mswsock.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\mswsock.dll" /grant administrators:F

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\Desktop\Payment.exe

C:\Users\Admin\Desktop\Payment.exe

C:\Windows\system32\msconfig.exe

"C:\Windows\system32\msconfig.exe"

Network

N/A

Files

memory/1708-0-0x0000000000400000-0x0000000000617000-memory.dmp

C:\Windows\Termite.exe

MD5 e2825e7c7cec068e2a14dff6087d956b
SHA1 426c473ce7b87c9d8c4d4d07b9646f86d0fd5892
SHA256 d24afb6a82b6b4b2d08f2fa51eaa214371350534dc9af826e5a31f48fc8da7e2
SHA512 86800d7bee17fe34ad155b7990b9946869f81dd7bc091d461e0c81017451de39af894b94118894e0b2315dae76285afc0cf72c499873f0e261c9a7dc778c6c86

memory/1708-7-0x0000000002460000-0x0000000002677000-memory.dmp

memory/2208-9-0x0000000000400000-0x0000000000617000-memory.dmp

memory/1708-43-0x0000000000400000-0x0000000000617000-memory.dmp

memory/2772-55-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2772-56-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\Desktop\Payment.exe

MD5 9f9bb9ee4952cb514089910e19eac5c4
SHA1 c57f604e8eca50df40df93a6b0c3d65ab8d3b198
SHA256 0c9844f11b7b57547891b3cec86bd3468734a990768dd9f7a9a72cf6a908b17a
SHA512 8661c46618d0f8454a278d6a4e1b85fd9c9656c2e59feb6851087bfcdb53bba5015ce023cf6d0504dc899ae6fbbd4f413b45228eb2c8eb6965912cb32482d14f

SHA256 ee57698f8581d88bed1fdfafc5ba64ee8b8be7e406e33b86af38789ca70d0de5
SHA512 64c4626199d657180df0d91ca5eca0d9e3059a59f561058d66b4bb841fe0a1d59f85eb38851e45b4d8af284ca0d31f89dce2fa822d6782da0734d1b057217673

C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7.Xiak

MD5 29c69c99a6c6708454f583a1f768a434
SHA1 ec0c4122b8c5e39899d40883ff20b253a50a6830
SHA256 574b401dbe0937e0c4698c4053692c52aad9fed3039a8bc881584505c22e0049
SHA512 f8a9c203f1afe016876a94faf114bea30d252a2217643cf594015b1043a583d3f48983423a3704be1d2af57692a56ec912f76664b2c601da72d13a2245880910

C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css.Xiak

MD5 00dacc23fab1354cfab03da1a01d7a75
SHA1 e7cec96229b989a75c9be56fab903bdcacc8001a
SHA256 397de4140b43d8ff12dbeae7364fe292b9a9c7385f242741d8d02f931c493448
SHA512 da9648d56d952f033baf1aee442790d4eea5c9c15e941f95c4762fcb6a245ef48d1ecb6f9a48b37edc3e6ec06fe89fcddd97080f48b16228c700c5baf4f4a2d7

C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css.Xiak

MD5 96d211a394ed798cc3b65978e751c7f8
SHA1 fa4d362f573145383a700a157d905a0e5af8cba6
SHA256 c664c17d52727bf18f7851346d9df82c7c75c41028a5d0a450ceb104a271ce8e
SHA512 bf7f1d3578cfc105f2687a8056e53a74a4b83288361249c738871b168f21c8dbec58768f8353c8ca048159c1c9573e62cd0c5cce3296aad535a81f87af803fd3

C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\settings.css.Xiak

MD5 0e9ec5d2dbad2850988b6c0e53af714c
SHA1 f153199b88febf40351125b59421ea6a661f033c
SHA256 e23d5e1a8c4f4aa2b20c1b026999ccefec77b81ccda9a91be3b3c02ee4e75347
SHA512 27abb087a5d3535f39d0dc25accc130e4d256883b3e869e8d1a7b20dd2a87e3b8edf7957046dc4501ada67401ddd1909ebe6817e52448ecb8718fe66c252cde0

C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js.Xiak

MD5 f1e5a62ce1ee9642809d2fffa43c4593
SHA1 13c80ce9f00d982026d2240fae39f23c8e67745d
SHA256 cbbd3cb57d34ef22e654de2d31530fefd3d14e7a86acd2a3a5054a2a71521b8d
SHA512 d04957f43b3c5746f0ce57645ab42abd9db0e01a9a2553ba8e19b1fd4ec87e9280c0ec362c3e8a9df4c982b69b3cea5ad418a9a63f0907f04259421decda2fb8

C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\timeZones.js.Xiak

MD5 62d80d52d298ce58698b8b39f26822f2
SHA1 6bc8289d2b957c69d41ca3c2c3630549371d0152
SHA256 8dcbdc2c366227c84a40da6e0adf1d0af473ee2b1b64b80271a3289899ac25b6
SHA512 5530a97fe3b9fb0685abf4341a9f3347a98626a41f11e93723fb730eb682e7a3d18f4bc9bb0c1cc19cccdedc34a57bf8449655ff39fe148a4519099fd87f44a6

C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css.Xiak

MD5 36d70eb997df734ca98716c09458cbc2
SHA1 8bacfa89ce44081795c20c7d3553ef9b9164318c
SHA256 556d52a95c645b086cbddc6febea24869557e24d1cc26ecf68fa865fa96bde5a
SHA512 167ea37ae9b53e3f624acde5b72fd7a7ae40ab023b36ebc26f354261e07fbad3d52b64fcd08f44f20d54fb90c0e82b2fe2f422702ecdd5a7374c4787f0a2287d

C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html.Xiak

MD5 dfc66d2de87695705fcbe6e37fb27040
SHA1 3f792987902894624262413f686b473cbd4ba276
SHA256 eb47db2fbd6f5ef2413f6313f10d545d88948c6eb664377c31a159cf1e2a0544
SHA512 57674ed58b19b706036b6a1b85db372eac87a3044ed89430ac1569a2c9821f1b32e50f49da7f718bb8f27e90b138fdc319465713e301f1466e55a102b766b17c

C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html.Xiak

MD5 895bf0136ca27dba339f72e4c1714d09
SHA1 e103db8f327e89d4ff823dc485f5c0e7a23c9a5d
SHA256 9d5a9c15492d330e6fe0e5b5ee1a64da8018fef68d4cda580f99110326b5993b
SHA512 d8f6b01618438f450c49e4d3fa33dc6402297de61102e4e35598e72e012be5d59c1afd1a31c2957856bbab40a7149397313ed5ea9f1525efdc58771c8c244d79

C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\currency.js.Xiak

MD5 d2c431e7318749937e024bdb734163ee
SHA1 1bdd89d32d87aa3daa4bd9ce3fc57c54c11423a6
SHA256 6955796894eb2940f4f08e8ac3afa6818b302930c47a49841bcc264a733f0ef6
SHA512 749d3d12f0b184f7a4f31bd4d4e7484ac5f55c2ff29e15dbc247476939f4e51c4751aa9d59c6478b9da9bf06034547106a3b682715a5fcef26de1155e48b2b91

C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js.Xiak

MD5 6fe63beb25e50f0e78cac746af6020bc
SHA1 c0db0559fcd51aee9948d44ff449ceeb66e5827b
SHA256 cb87c62856889e7230f14a037dce52f483df2f3dd454662fc066b6e66d1f7cc8
SHA512 c4c2b0351c36b27c5c3b678e65761cab750b7967b93e2f22d6bb0ab510622e6932f907537e19d4d6a74c51638d98b864f50809a252aa3a0ee8ceaf7db2a4cd4f

C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\library.js.Xiak

MD5 721e0a19d2e25d49d4434a7e8b122978
SHA1 b58169abbb301d2866c17d419650569dc760d0c3
SHA256 b720cbaf0d6d3fafa435e219c280e656f041caa15f2ef7d2586e57ba352996ba
SHA512 290ddddd64ebf62380ecebedec56caad19a5c015e3641b12195c7222eb2ce7c7d0e7532c7693f19065e90fdbf738054ce59f16b16b1bc49e3c4de6898d350526

C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js.Xiak

MD5 be5c9e961861cc7cddcc67d25dc19e3e
SHA1 6d8be16a2f0910819c6a9ec06f7d348bffae9385
SHA256 085ce9f18b2456a8b8ff0c4849caf2473543e214726711842955210f406549d3
SHA512 9c491497673cb8f21bc29adf94aeda63df11f7af494585503576051c1191b75945e4832e2bdd315d0a4f9fe78a43a65b1c259ebf18fb2bfe7b5ad0b3c7c172f6

C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\picturePuzzle.css.Xiak

MD5 a3229e2fa36a11715daae61cab848e9e
SHA1 6e3d486863f87e3d47997703e0988d03828fcca4
SHA256 7d4323624fd180604f6677c22aa6a6f9b31d52adaf485ecaec19b5697f25d1c4
SHA512 efb499f49da109fb0d27af15478b5a8b6aa681b8bf33d2591eb9dac066ea68a3b470c2d3bf084479287b8d1a59105a29d8c9f282adf8acdefb99262610654cd0

C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css.Xiak

MD5 30df6a4c1af68a3ac16a00001705c079
SHA1 7e1d1dae9683915bf6b6d13970db4d6accd85d45
SHA256 677459e2b6ebdf8e1bacb1fc6404afc2f856f73205f4400eb55e7ad5a73928f0
SHA512 64a11020c5fea4318ffc158f83e7bfc831d9f3091b4468a50c6dc0e7c18c8c3c7913e73f2172e7a7f1f8df5a681c30f2a3d40c8eae122024ed6a9f34e3455b65

C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png.Xiak

MD5 59afd715739aa1fc43703b0cc2dbfe17
SHA1 a85b89e125ed5bf7efcdd3f7133ada8d1d029653
SHA256 9e604bf13c0b18424ad8228e4eccac3cc98b22c4153186c4f34ec348d287921a
SHA512 5786d0008877f3056ded40d6f61bf1eafcc9af8f1b1f40846ecfc0c9fca3a447415194c90897c65903f0cc80cb6b77b190f15a907dd015a0c27aa10b9b92a232

C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\flyout.css.Xiak

MD5 b966a9d33695333549370b2e939aec04
SHA1 41df1ec3333414d3a1e8e5cf4460c25eb0e29822
SHA256 9713ede3d0ca080f01edf870fa301d8260f1c8e3ea63790cb03127540481368e
SHA512 dd0c89632068977ca2aa8117587ef59c6de5f29268c49f53c54febbac9383f46583f2b36a5e41523cdb43ad14ff35a68482655bad6b778ac0019d1a7386dc38e

C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\RSSFeeds.css.Xiak

MD5 48f635a433f2f043c937822acf479e0b
SHA1 84d837b85247c72efa6b2425ae75c66e1c1670bd
SHA256 e29a18f587cde24c188e67bcc560e51cec39349ff720784b0de456f1d81dc278
SHA512 3ffdb2f32214ccc9f4121f06fc9b0c689dd32c75eded3b2a822e5d4db057727c7b82b46339fe48a245dc96b7cd2de56afe33a3a2487bc7de92290c75ed62d951

C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css.Xiak

MD5 a197204ad2b541eb1276bc044f57a2a0
SHA1 876deb90e17462b4d8a7e014b72209d90db272db
SHA256 2752c9bc3409af9c85c9e202ff7abc7413215e452f680165e4af1026c068d7f0
SHA512 3bd67622f394587ff9a945a3848ac4ded7e54ed9ee2c6eca33f5a36625da2232b13a9d196a967ecc137865f47805627ccca471cf78d91900f838ab5dd27738c7

C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js.Xiak

MD5 86234851ab82064daea6330ca0d62712
SHA1 5c78c061b2a751717519e548f9e0c31a2a91bf65
SHA256 8f4728bbeb58ccb056b89ea12f3d5f6f5c69be84c78fd624864d1659c7b910e0
SHA512 c53af78402b1f6e883a443e6e392b500bcb394be0d2fc5d3b1adf8a90ec161f2d18ccd172306f313026b8cb4e3bb01107d48d96b81ee016a8c285f2062415e24

C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\settings.css.Xiak

MD5 be242ce03ffebb7baa289466dd4f8113
SHA1 1f2d6c82e0c1aa262bef96a05e8e0f321a1c03b4
SHA256 66518ccf5660ffd18be5f983a95f0e3443c731ebfba0bc3c31ea342c75908bd8
SHA512 a5dbed696bdb3aeec7f5bc2ad55f992db8737228dfd82261d4f03c7e7bd277eebb64f9af4e2df1e7227d3a4820db75a0211ce501774c674acec15c77c3259955

C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\slideShow.css.Xiak

MD5 d55c83638259942eff4dae4a4eeccefc
SHA1 3cf69112a7a49146ce428abddf99d18bd80af504
SHA256 9ab853a0be6a4bcdc2655e9672fe2732e06d854ff4ce5e0845a4e40830394528
SHA512 49c100a59aa79b91fd9b61870282714c19edbd70e8eb72735bc5ca21df9444efdb8a0e8007fcc171a397096fe347d3fc46e40ee66994faa977152df812341450

C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png.Xiak

MD5 e3437eec17288db28688419e7dbe44d3
SHA1 91661e7a1920d13bbf8cf9fecdd3bce685556fc3
SHA256 7c175bfb73b5323d2e9421d270c8e118e6f72f22d846c0bf191841ecdbffa98b
SHA512 3844195de711c105a51af7ad24c881e58ad1c8481b7bf425b0f6845ec17f7da57ca127d41d465d7edd447fffc72ae41a352f40f8d23e2367301216e5031bc95e

C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\39.png.Xiak

MD5 8897dda46311bd371996a1727f6c96ae
SHA1 def787ef57a99556433809456770823cdda635a9
SHA256 4a49987381385acd7ce452dc1b3a168ba21d17618baad017d0ddd33b1ceca68b
SHA512 03d06b39ec11c8b5064e1ef31e564104afa968b7e5220d20af4030e27d4a84c56d0883fc08502d85c148e7fe17c4ca974eb46f01850afcd40f54ee9e6116299c

C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png.Xiak

MD5 1c3982aa99ba67c600bfd86cb06765e6
SHA1 bbbc09f3a04969a6240a5269938ea3f77f3ccdab
SHA256 bff3e0b9316b78c0d7c3271b3a15545c320927040265bb3631de026123dbf016
SHA512 713de860845cee73f047d124400d75851b6115b5b92782f4a25fb96a7b4698d183c0cf2b0189a6f5bdfa5959e1108b3b668884c55c69a21d96917c1b3c05a136

C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\settings.html.Xiak

MD5 da978cbda82654f5170e1b61964b189f
SHA1 ea4565dae102c8e50d319354bfbf464479cc947c
SHA256 9096c3ec74e11aa15bc942401d914baf279bb3c49523b6ebad9166a70d175d9c
SHA512 3f600bf04aa03993c343b1077183686c46bf1586dc60ff1c307a150c003401a0c0da233d8da8310c7165e81622587ca9fb6ae2bec9f5c4c8d663dbf4dd39dc4b

C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html.Xiak

MD5 5c140c762e8e705356f2d2d332bc9b5f
SHA1 35b09115b1fe85363a06a3ef8a33ce18dfc96b50
SHA256 16d05c99dc0d27bd7b8b16d6c3faa620ae03f24b900c6a755fadd5fc081eb5fe
SHA512 d064b64bf820f9c3a1525f4c892ca5d29aba1bde4a369efd4c551dece96e7dad5141f0a98691cbb2f2c95fe1c7560e26f9bdce11f382f5bd229d399f5736d00c

C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\localizedSettings.css.Xiak

MD5 2eb8c90ebf4fc96016ad0189c7b14b7e
SHA1 2139f15708deb0975e4f114d6206e2176762c197
SHA256 952e14f638ac5add973708aff59ebfdfdff3caa13d955cbbbdf3a82b4e0e7452
SHA512 4945119a497e5cde6f32e60ac3329425007b7a80edcc346121bdf7f5ceaeb7ccbc10ad2c9c4783740a67273be697799bf5b8c153b32029e941284390f4bfca04

C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\settings.css.Xiak

MD5 d93a9fa4c110d9ff6aa596b218c2a7c2
SHA1 abe0629536629464c41b8fec6542299ada32e91b
SHA256 bb252b04d72dc33eadb8da10a300eac7f126b884f3950af0e359fc1fb960cf17
SHA512 e67b1c8e7367d91475031b5b70d8a8322b57ad68419b7e24b896bf4b192109396cea856a46a37fe80ac52f080c71cee8c8426cb89db1849919c3a45d15da8f7a

C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\weather.css.Xiak

MD5 2dbaa77aab3658d6f593328e509bf20b
SHA1 2be6c7e78c4481d2c7ca933766545ab31e67f3f9
SHA256 00b817b0e41fcdc2ae01b17db56aa62a3861c4694bf525deafc052d96b225e57
SHA512 ae62713e981244b7c01ca996810de996f0e787d7e45bc3294e001714f90029a1ac8266db6b946ac2fe8b89e9091113cbb155fdcaa79b0143839afd770438823e

C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js.Xiak

MD5 b26b52a372903bd8f857edb75b6e880c
SHA1 92fd4c5140a45417c5e4ca32c409b0ed51b335fc
SHA256 16023a902a3bc9a71a4991949651a767257ae20fe50dd55e58bc2db658cce4d2
SHA512 de33d9aed24584f3bcb1a1d9f19f601e6093619d3dcfcb46d7d48e6f0fc6c58ad97a394139fb9bb0cd64d3ae8099f80fba74ec164249f502943bee23530dbae7

C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js.Xiak

MD5 83f66905412c3428cf01d74db135c495
SHA1 c927d30ebffe70484dce53c79f3d46c6c6bc47b4
SHA256 d554678f129afba9e92f51ad6c1aebaa90ff0a299daf231a2cf33305f25fa003
SHA512 1aecab2fba76cf179b57e55c204063b31a2db05781e4f9d265e9fcd976c374909494cda409495a788544bf08f6a1f1f7b4f03abcdfe1f865e34fbc51b231b3ff

C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js.Xiak

MD5 4c1fe5208c6972c04cf0cb4ecd3e235d
SHA1 d824f675f15b75c9df653572c38cc2519fc2899e
SHA256 3f6502a301f51cecc2dce123912d3d272b66b1c84657134a20a8c4375f2fcfd3
SHA512 3cd35264fc6ce309c5c0e5b7b09794a9bf1fec35134c2fcac35c8dfda5441d67dded16f5df832ca429677b700f88813dbc99afa88c22d63712a7b64eabfe3517

C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\weather.js.Xiak

MD5 01377bf39eeefa3d5e28eef007f95e8b
SHA1 ed4bb3c0d4dbaf7c191137a5f6b0d5f5a54ba2ff
SHA256 9501425a3fbc080ef2965adb3300a01f2e7b89db836f7b4f6d5f52acc6a99625
SHA512 9d87f084d4b90c2dc3403f1b8152518c21fd25c6b9492fa11bf70cab1a9992ef6c1086f13ef13c085765aa755880b3e5161f59e9286b8dd5e8da7ceddd19cb37

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.Xiak

MD5 e7bfaefada88e6babdba6af6dd42e0ee
SHA1 5207290a773f4a86680d39fbe46db9985ce4e55a
SHA256 10d2339d62de8b17aefa363dd882ecdce32eb7b2b354a6ebf3931f7f256a0966
SHA512 1b7b5607c9762c80b37586e8c5dd0c61b0888d546706d933c18bcdcc5960d459829d9c1ca3809283538018288ba0c0de8a5d5b138ba5ea06779389f1b4111c16

memory/2208-7600-0x0000000000400000-0x0000000000617000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.Xiak

MD5 86eced3ff17a5bc578b1047481668dff
SHA1 4e55cc7afaaa8be67c3ec5c534dbb6e3fb6d40e1
SHA256 9d8dee1afea2623864ae0f9036da3df9845135394ae8f2254d3ce1d8f23e6bb1
SHA512 7afd6f386c403e325557acfce1212304df760c91ae538bf3f277587ef0e8109854c7508b66ca177b04d9f6224a673298ebf4c94763faf10ae68d1b45bc70e02d

C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.Xiak

MD5 2c636f98e272602ef06b99a3f27563f7
SHA1 88f9c8deb7bfb13af3fa4504ac2428310fd993db
SHA256 1f2843ace08ac2ed8c0125b0bb23b7986272ff389099d2317c5604c7c5f6f99b
SHA512 de22de8b6ae91b73469ce4681f116f655974f91c9c8f3eb6e12a1fde59f6052ab7a52dd03129ed6cb51fdbb4a82260c60d6ea7d9b689d4646c4c627bd8907c74

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.Xiak

MD5 7737c8b3d30f91171dd72dbbf5641d16
SHA1 93a0f51857cf3774a9934affabe9169f601902fc
SHA256 f1dd05c6be6b9cdb68d3b6c21ca12c0e98e0f85f6eb63072872c653ed0ddce4e
SHA512 7b0c12c137821b0520b488aa66b3939e68c6f6e9a7b11fb18b228629523c0f91d62640bc5f27a43ec618c067fe8d908fbf9a0a957bc834bf6dbd60f2914c2ad0

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.Xiak

MD5 cdbd0e0fd8a32cb918ddb1aec18a015d
SHA1 a896fdf00306ac0bcb576c6c5b8dbe3882bca956
SHA256 9c50645f0b82f2e44565e83b13ee7fd9571b2d0b2ab33842694d8451dd9fc2f3
SHA512 f5693fd62b9ca4bedb2daf82e932e3cf0724b7d402c6b0e16be2aa3acafaed7678d057bc8a9f94ff7646e1fe4f4500a68f40056b1007c49a496bed8e8c3942ca

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.Xiak

MD5 541fc9df5b8e72e37873892eea8266fc
SHA1 0dd204ffb48ab7c8bb04f19569499b13d6a55b07
SHA256 37334ac02c82ef1ad2ad61aaf66263ba9e165eb6766b3e733e253e7d38a9903d
SHA512 11ab4aa2856accecb24304e2f1d6b1960040ad1e2a650d4fc9aa7fcde46285122bd08b04e4ca114ec27a880756fd846a7902efe1f14af03869b20ef78712f286

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.Xiak

MD5 0c26eb2a619508d1416507ffb44725be
SHA1 51b99a40f8d5af789934db738f8f322c92015d53
SHA256 b012dac3cf5b6d11a0435e01838b79217f36e9318c3a61c0c3d64b3be253c2ab
SHA512 87d463e4d4b749e190e9a4415a857d81fc6323973c93a9f6d94f36ccb2f274b6e75014f5bfeff2612622dbff769ea5e6fe8e92d156b43e6d3033456c56fa3680

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.Xiak

MD5 490282e852daa5c5657a3ceeaa195034
SHA1 0b3483bcd15543826862769cb5ad7575eb01e1b3
SHA256 e88d95a5821196f76e36d8143e35678f32995110a571f3ac57373bcf04839442
SHA512 897f127b3b62c0f8e302dd42d28c52cec25e81eff4e70d822312fe91329ad0654c55ca41bc289615e2b684dcebf79c1b408634baa063781c818f7e827c0449d8

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.Xiak

MD5 5e2dffa9007dfae72114c827e343d406
SHA1 3a8fb44e5e15e469505dd5556ec5b6f9d4b324c2
SHA256 1d2ad45f283c0c6d5a7e5bc604216e23a3c6171b4b6d3aebb2dc4c132660c1f7
SHA512 aa835dcd8c1f1178182678266b08199d3b3d2897afa81b229857c5c8f4f68d0083ad1ea2322531a63e20a878be65c4a71f6b777bdd73192c486162b3139a47f5

memory/2772-9254-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2772-9262-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css.Xiak

MD5 d5204a91c497b43d5f45e5baba2d32c9
SHA1 609bd346cb9811e2b9fdbb258cdfd7d9c2ec88bf
SHA256 0122f208d87d3c8fb8fb87fca8262ab628eb6ae7719726c9ce54da312608cef8
SHA512 c434dd8dba82d7dcc7fb9f5007dd848ec8e783c09f6404402e2757905ad4807a2844adefd527c5e9ba5379fc1665022d7f141d1f406f99ae80a624a83e348aca

C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png.Xiak

MD5 813a566708447258f41b9877f0a60d77
SHA1 f086de7b5ccf2f26f5edeec0ba731c7f193240c9
SHA256 c499a5652abeacba11490383397b7c0be97af0420269c73ff9fc27da3db56410
SHA512 00e80984b61d96619fa7aa7d1254ce32d2890defd91398c60a6a144acb54fa2c647c254a7abdc509fbff62a6d1e5ce59907032705b3e9068c296035e3967de6d

C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png.Xiak

MD5 b13254f1c1d394e506cde24fdfed6a78
SHA1 766151acc30a5cd37b761b5ca22089f4294df04f
SHA256 5fa27fc5316728a30552614ddf985769fdcd09f07b206f6e9dc33b3415288fb5
SHA512 c35680027b49cf424778c385e9a36c9f30eaa91ae05d2fa84c249ccf9ac1ea21ca824dca3783572e2da1f818a9d3da7d7108b42a63b945c1d70e9562b6cb41bc

C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png.Xiak

MD5 d413af7dbf6b5de7a362e4fd5613b2a5
SHA1 0cb9469b83fb4f7d9fa24648a36f98bea7365d8b
SHA256 07392153a4b4e1bae9d88879509931739e54bcfcb0213cfc27b884ece92e2abe
SHA512 2cc18db17302a9ab81d1881322e850d6286fb963811981474d069fb2306ddfb67939087ac5c1816a2a9632ff2a065fdb4ef7dc1a05f3e1fbf010f06128adffb4

C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png.Xiak

MD5 c664253ecc5afde31f02d8425a5d244d
SHA1 47ff83ce31c33c07b91aa2e9fab0ca9d99ccc9bd
SHA256 a0110e16837ee51cf21d6712716340bdbad971514d3ddc46481bb2e35363316f
SHA512 10684fe8c7f346cfd616fb7d600157ce1064252ee8305efc72cc048e755772872d197b3b88b54a9a0aa7fdcf7bb59611585b5743ec97671b3f7c760dae387a3f

C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png.Xiak

MD5 c9c7ef631e7de363ce1311f4956e9544
SHA1 cfd2972727392c5af3167e3485041717818d4648
SHA256 d0aa829902eb5d1c7ba3e519ee5020a5ce563e9e137979977c1d53fe3cf0f16a
SHA512 5e0a401cf755333c4835f441d92a4261cd373ff1dc252944e4d499382420f05e7c7cc3a40f577ef5347753d3131b05579f70577451d9a387622ee32bab5345b9

C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png.Xiak

MD5 176667119c359ea3a178395e4e6cd780
SHA1 46428bf621742579c63f04abe9fcea6c8714c909
SHA256 ef51e53933f15bd1089d667479814e42605da3bb58e42a81ca644e25822de6c0
SHA512 2cbf66cc3ca3f0d8ef8822792dc73394ef829213c83d85297d1e3d1a22c60ed7e995b3a35295d919498a87c8fa1f0549d17a75105402c3f5d41004903bf6bd89

C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.Lck.Xiak

MD5 3a7079a53c0d124a389b16544751f523
SHA1 bd684573deb5bf504199a69eb9ef2d0c88533d59
SHA256 3f122682fd4c5bef0d280add83a903ffa2d13f6ae696368d3ec3693050194852
SHA512 677ed81193c32f0050a6e3344d6440ad98f5d6bf02cd3ad7ff01a02062ec90b1fafc8497083b44fd4c98129045e120ff87be0414c6a4db9b777bbbddd71fc22f

memory/2208-10714-0x0000000000400000-0x0000000000617000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT.Xiak

MD5 f987ca77e3f42ec8d29e70de0b47fc95
SHA1 f8c2998c18349aecd1dc457ffd26a316027e960e
SHA256 14d72725ddfb29c2df47605b273e593a81005dbffe0fec618f64984c0276fb2f
SHA512 611fa3d8914b994ec61ac238fc9caaf926e92cd7c99faf8a59a3ae05489a0b0cd8bfe8c5ab9deda025ab297ee42e52728905816d83557705f89413eb2a0a7dc0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2.Xiak

MD5 324fb2d8e47c35f924bf89f15d427a54
SHA1 2a3a13554ad1d097603ffd414bd9544113cb81f9
SHA256 961084d0c59715127945d1cb4efde4d71aaa5c6b61d4ab9815a63dd2e8f71cba
SHA512 5954c4aae645c489aa3ae5099e0fd71e3423a87c40838c50587626ff9d7bd7ce1dd600a782da8a9c5f5e96f863974f57548d6f11a26b3a2b48d1bc694dd70329

C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.Xiak

MD5 d6415c7b343dc3d951e70f5182e9041a
SHA1 0336f8c751287f8c63b3b2ee146cdae9696545d1
SHA256 15e2be704abb65b9b723068a8eace7d220e01e4d9d439cae86c24c9fdcf07631
SHA512 757be5b5a26e0f35ed849b68d8a4ed19d9d04b22451245f2bb0f9e0dd930d038cd1516c1b7c07cdf0e43c92c900213411a0b8acace259387d427ab6707b653a5

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.Xiak

MD5 b36c2d66943ef8146cb6ee5afcaa7a5a
SHA1 7e7115845b35438c05b183af815b57e638f4a396
SHA256 e2eb1be53a916aaa6c8b91de912e416dbfdb19e3e3e9d967c2c514caa9df684f
SHA512 0d71433b4a30d5f594bd606b9c476543eccff366266112e0ab217e2067baaa188f221892bee5a2e13ba338e855b96b1fb13c70a134fb3bb96b361a9007162e31

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.Xiak

MD5 b531b1dfe6e28d7a8c19ca92a184a1fa
SHA1 16ca926b9c97b6807f1fe234a98c7e2a99fcd5c5
SHA256 cfa3837937e53d756919c84d1308d94d8487c5cb726baa365ec0579713bb01b0
SHA512 e37197c8a50e8f5a1be34a0fccd77cfe012c0b15f33dba8f485825986285bb0c4d4ff98b79b6dc038aed3613e8567b73509932495de48ef1a5c7fde0ce735413

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.Xiak

MD5 b606f9438902fcac4062e7b57a59d5e6
SHA1 241d76fa1f8c3fd37b14a79bf4221fa6654bb34e
SHA256 573656b4577be8408ad034707a0b6e085c529ab3994feabdad8138f810904eee
SHA512 831f4caf0635d47a42e58259a7920142db84c4863b3ff71cd93c0527b7b14a34ef32991da32af0115653c195045efbbabd911939248cec8e7f1c9a7ef752d4c1

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.Xiak

MD5 90412a568896448e07ff051a2001125f
SHA1 062c12d26d745af10bb61db07d08a121ec295ed7
SHA256 9ad3cf8941efb92709b1c45e3cf1af641f060c5f5952e67807aa148c89cd7e9b
SHA512 a7ce68effbb859c187ac08e411ebf12ae22f46d7ae70c9fca5f27497247707a329a59c97d9e8f272eb3fe7d6b051e97f2eac951a8063656b699c9ac761d42fbf

C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml.Xiak

MD5 de1fa320a7aa457e4e99fba6044ec16a
SHA1 f37e178003040eb4e298d9c9d9ecc5bb38455b54
SHA256 723a6ff80dde65be340599e63d593d0ff2aa98ed69fa80e1ea6f50ff0ba202b2
SHA512 6451dbbd6e8702a4c101f236927975687a54d8164a33074536fcd6b239aef365da64b17596ba2c1592c6b9813044fa88bbc4822068cee5dfdd1a7c391573bd21

C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico.Xiak

MD5 4e175b08736a66cceeebe49c8eb7d7e3
SHA1 9a57879e9172a230d0f5f6b716b896f6690ff30d
SHA256 4312aa9bd5d7ebfbf7b53f05f53ac8bdaf8d2ff526cc68aafe361806791d5720
SHA512 5665d7adb321dfeae3ec78c48d0d384ccbe7e79edc2f7469fd93d10b7de09a502d251315cc8a1de92ee45369699e7b98f54a1f1d9d17935be4b2e04614b8b0f7

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000.Xiak

MD5 41658dfc6a11a258b58bbdc920dda8a7
SHA1 8935aaa8294c8aaf8737b3d8921e0b6d25c1b232
SHA256 fe436ba5a30e885e0365fa74e79b88d79329421b9fa39ebab9fad79a9bfc4679
SHA512 ae1160df5860ce147360bf0c83d658afd454870964d0afd2be734ba6464af4cd9aa2eafdb867261ac55e42f2b7d0dcfc0f785c9c595fd9aff06361653e829031

C:\ProgramData\Microsoft\Windows\Caches\{7CFD48EB-5B01-43F5-A3D7-15C1A2553FC9}.2.ver0x0000000000000002.db.Xiak

MD5 2a9c6ef9cd2a9dc5ae3b2519a935fd2c
SHA1 b39122ad69ead2591d3018c755cbea5e8b791724
SHA256 a92fa11bb2e5c97547643de00afff510a167a73a0753061fdf6af0be424db8e2
SHA512 84eeba111f522f388b81c82b7bf66ee1723ebfe41c843dc5f908f6b1a6c7568076273688ca0a19ffb6377c41aea041e92bc8661f5c19cb0a8006b31bb021b8f5

C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.Xiak

MD5 b192137f1d24ca14bd31c7f191991c8e
SHA1 bda5423ee2c50f4f39bef6d42bf0547ae7ae33ee
SHA256 d2d9617df575dfa27e107c9586a17a0d4b7dc0eecdf6c7b2a91e3e0836a4d2c6
SHA512 836e7e44f259f8ed3dad846a247cfd52d041833466dfd237e28a73c29cfb69fd7e8dd6eca51d02a62bff0b63e7b7e8d7f2b2f14d0b9f468ae087f3a845478d33

C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.Xiak

MD5 745b1eae1b2b0acfde1e6f994ae185cd
SHA1 229b81faf0e720e0fd84eed1966abfd53130f971
SHA256 c788ebad00528de5218779fd21b9602f8f644c4ece6baad3fbf8c3ad6c3a2215
SHA512 c225c1c678f6ca361c9234407f86c069586272173d565796480de3c0b752363bbc15f5a82c06764d574798ff987aa26e2d14cfc6b18db9dfd4cc5190bec8fdea

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.Xiak

MD5 d339bd550353bced4d2ff99e23829fab
SHA1 2bbbfd7eaa177f0e0d9194af526257c6ac8e7c87
SHA256 30e9aec4ccc5a48cec889f3a2be6ffede1b4daf7bd447b1edc18083ba4d59904
SHA512 d25c5206f4f560a0aa4cc849e5ff957a6493bcf4f6906f99ef77b1acd3565fb9958d4265ec8639ceeb7d6d25abf09c5f08e30c784b1cc2d97690c4160fbf2981

memory/2208-11877-0x0000000000400000-0x0000000000617000-memory.dmp

memory/2772-11878-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2772-11879-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2208-11880-0x0000000000400000-0x0000000000617000-memory.dmp

memory/2772-11882-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2772-11883-0x0000000140000000-0x00000001405E8000-memory.dmp