Malware Analysis Report

2024-11-16 12:23

Sample ID 240321-bfhdhsga74
Target 2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite
SHA256 5d0083f61a95508aeac3d37fbc1f21260ab09e2bf79f469feb93790bd201e5b4
Tags discovery exploit persistence ransomware spyware stealer
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256 5d0083f61a95508aeac3d37fbc1f21260ab09e2bf79f469feb93790bd201e5b4

Threat Level: Likely malicious

The file 2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit persistence ransomware spyware stealer

Renames multiple (8372) files with added filename extension

Renames multiple (2575) files with added filename extension

Possible privilege escalation attempt

Modifies file permissions

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 01:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 01:05

Reported

2024-03-21 01:07

Platform

win7-20240221-en

Max time kernel

151s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe"

Signatures

Renames multiple (8372) files with added filename extension

ransomware

Possible privilege escalation attempt

exploit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment.exe = "C:\\Users\\Admin\\Desktop\\Payment.exe" C:\Windows\Termite.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Termite.exe = "C:\\Windows\\Termite.exe" C:\Windows\Termite.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\mswsock.dll C:\Windows\Termite.exe N/A
File created C:\Windows\SysWOW64\mswsock.dll C:\Windows\Termite.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105234.WMF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02134_.GIF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21413_.GIF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\mpvis.dll.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00090_.GIF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18255_.WMF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDCNCLS.ICO.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\settings.css.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00004_.GIF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGDOTS.DPV.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00413_.WMF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00006_.WMF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0295069.WMF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02423_.WMF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\ChkrRes.dll.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00426_.WMF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309904.WMF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00037_.GIF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740G.GIF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Mozilla Firefox\dependentlibs.list.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01657_.WMF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105294.WMF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME40.CSS.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baghdad.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01039_.WMF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS9CRNRH.POC.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Users.accdt.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.DPV.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_03.MID.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18222_.WMF.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.Fuck you C:\Windows\Termite.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Termite.exe C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe N/A
File opened for modification C:\Windows\Termite.exe C:\Windows\Termite.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\Shell C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\Shell\Open C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\DefaultIcon C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Fuck you C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Fuck you\ = "Fuck you" C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\ C:\Users\Admin\Desktop\Payment.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\EditFlags = "2" C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\Shell\Open\Command C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\Payment.exe\" \"%1\"" C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\Payment.exe,0" C:\Users\Admin\Desktop\Payment.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe C:\Windows\Termite.exe
PID 2460 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe C:\Windows\Termite.exe
PID 2460 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe C:\Windows\Termite.exe
PID 2460 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe C:\Windows\Termite.exe
PID 2288 wrote to memory of 2624 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2288 wrote to memory of 2624 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2288 wrote to memory of 2624 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2288 wrote to memory of 2624 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2288 wrote to memory of 2776 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2288 wrote to memory of 2776 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2288 wrote to memory of 2776 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2288 wrote to memory of 2776 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2288 wrote to memory of 2568 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2288 wrote to memory of 2568 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2288 wrote to memory of 2568 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2288 wrote to memory of 2568 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2288 wrote to memory of 2604 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2288 wrote to memory of 2604 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2288 wrote to memory of 2604 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2288 wrote to memory of 2604 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2288 wrote to memory of 1624 N/A C:\Windows\Termite.exe C:\Users\Admin\Desktop\Payment.exe
PID 2288 wrote to memory of 1624 N/A C:\Windows\Termite.exe C:\Users\Admin\Desktop\Payment.exe
PID 2288 wrote to memory of 1624 N/A C:\Windows\Termite.exe C:\Users\Admin\Desktop\Payment.exe
PID 2288 wrote to memory of 1624 N/A C:\Windows\Termite.exe C:\Users\Admin\Desktop\Payment.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe"

C:\Windows\Termite.exe

C:\Windows\Termite.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysNative\mswsock.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysNative\mswsock.dll" /grant administrators:F

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\mswsock.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\mswsock.dll" /grant administrators:F

C:\Users\Admin\Desktop\Payment.exe

C:\Users\Admin\Desktop\Payment.exe

Network

N/A

Files

C:\Windows\Termite.exe

MD5 96b8036f361b0d093394bea6e30fbe40
SHA1 117ea2ef8c960c86eb829ce3b937307a0964bd68
SHA256 5d0083f61a95508aeac3d37fbc1f21260ab09e2bf79f469feb93790bd201e5b4
SHA512 47dc01cbe0e800d9ffbb738398af84388efadec99d1123dea247527c0afd5ce0bffa4c87b4399bd45aad8739015c34d87a5f0dfd6ac991493acfabd7034ad9c3

\Users\Admin\Desktop\Payment.exe

MD5 f9011216b0769cfc500cefb76265a987
SHA1 0dd725039e730097d1fd67b2b72dd51b7d0d10e0
SHA256 ecb514b9c4149ee1b184c23bbab756fdf647e50e78413c0ec00abb88ac52eef7
SHA512 90e41ea42b83ddc1e22050b0b731cf0f32dcf45db44affc29eeffcd5d9131a83711f96330c5faac7b5c3547f9b4419464681a585ac37af737d939842d330fb16

\Users\Admin\Desktop\Payment.exe

MD5 9f9bb9ee4952cb514089910e19eac5c4
SHA1 c57f604e8eca50df40df93a6b0c3d65ab8d3b198
SHA256 0c9844f11b7b57547891b3cec86bd3468734a990768dd9f7a9a72cf6a908b17a
SHA512 8661c46618d0f8454a278d6a4e1b85fd9c9656c2e59feb6851087bfcdb53bba5015ce023cf6d0504dc899ae6fbbd4f413b45228eb2c8eb6965912cb32482d14f

C:\Users\Admin\Desktop\Payment.exe

MD5 dc3c37d05a489897de5553ea79cf504e
SHA1 39a80df90b366462956d9b8e81318a2bdfc4f055
SHA256 6f993a2df54f0a79b88440c9267b669a7e42d132e18ae88717eea13d0bdb6e54
SHA512 5ff3c35348f492214496472a58aef2529c161bb7cc7e9a7a9e896cbcf7fcee57283a7bd70d4f4cf21d1428f3e2b012e8e35037f0b3d611ca1792157f5078bfb4

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png.Fuck you

MD5 331a3aa97ba4cc7f4da6e7a0f496fea8
SHA1 fdd62853cfaec89fe37472cd24efeae7fca8d6c5
SHA256 3efee8365679007805f20fa82dbce9413398cfb9ac858f91ea1b05c9f76a3b65
SHA512 adc88700bb297249732c08f3110c459cabc0eeb9d63bde235ae061bcf9957febcc87c1dbc359c770961fd36a4029954d470dd9654ab675fbf96dacbcd363ac70

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png.Fuck you

MD5 70b74657f84b94d3cf6a87c095fe14e6
SHA1 2f762391f74525526c1d012ce0bc78c2a3fe54e6
SHA256 e81da398dc1a4247686c2d7fd17b250a6b42c80a85474e4909199dcc4717db54
SHA512 ca2e63423fa9f5da006ed40c529443ccbeba9b59234670eeef3bb253ea7ecad5b750630e5608e9b67e97c07307bcc180da2eab1b75f8a9f293265bcfcbfbe3a2

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png.Fuck you

MD5 f2483547d4c12eadff408d02abf2bb9a
SHA1 a8ab4fc0c0a265d4333a16f491780bf43bfd2ae4
SHA256 a9089bef26556ca5cdc4d94282193e4802700dba5e82a3911c320e58a3e73d5e
SHA512 8aa11aa82f98c55873022f17a4ac1087716d079703ec9bcee6ef7f57d4cd48e4450a6d9179a4029b30570a856456652023b0af51fc38ef1f54236c52ce3cc978

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png.Fuck you

MD5 bcd50099a7a4f64861f4f92efd50902f
SHA1 a072f0f9734296e74bdff9b8d3b79de81b0659a7
SHA256 a3bb1dcf5b68849df55ee290eb5006849896d26d964c1b598e45658a9b2825fc
SHA512 62925a63740ff807b51cdefe8ae3725fe164a7f631ab72bd47d6acb55ba189751cfa465ab929c0669859572b127f11a9c70cdfac61ea9f439298f075fc3b33d4

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png.Fuck you

MD5 f3b84995dc1e54408cb7e01b2722fdfa
SHA1 19bc3bab2a606a2ba821ba591a86df988b297b0a
SHA256 ea108d9015f72dee7ccf6374b3b9a5a41ddb37d3e6208ede761d74c28318b1fa
SHA512 aaf738a05f30693758c4df606bd11049d7ca1e4e15cf1dd8775d33a33a24ea17be5d67ae6ddbba3efe360837d84d89161f097f1ca5d42aa13bdf0c07c177b2c3

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png.Fuck you

MD5 c531b7534b6825868289e5d89f390acd
SHA1 5fbcd20a51f6f2fc30d73b4cfe41018fffc99751
SHA256 144e6f6990e95d13ae8f998d4b0d0c8ea27bfe894a9a7866988d0cb82035c593
SHA512 3d73ef1b9b0bc41d9d317f5b7cd3f4de83f18ac0d0bf130ffbc11183cd37152d0472af88988009922c462a74692b2accdc2585d9af714ec91db4917c9ee630ee

C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png.Fuck you

MD5 f86900097caf3dcea0f076a3a4ab5c3d
SHA1 bc9430da502d051bfec0278b804e7733c894c317
SHA256 fa1b0e9eea91bc4877300c16cc47666f2fd6c088b1d6d5c63e0f102aae5d5ad2
SHA512 3a8b60ddae6c127133e5fe09cac410ed2b3923b037be03cddb1d4874a9f43fdae2e2e9103579bc51bb78592ff394d73a5c9f86003bbff6675ff1f59efd91a21d

C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png.Fuck you

MD5 66281a8ed8a23966a4b8f9d7a2acec0f
SHA1 5c67cd89572da5aeb47fcb2e18c0d167e12197ff
SHA256 dbfbdb468e0b1fff8a8a1a3714d97a3c2517d4a88e69473ed30f09813ef2fda1
SHA512 eaa3e82c606fe8fd34ce8dad6483c83f89fac25a37ac6e6b855cdb7bf51ffd0e50d9213c1db2cfa863c2c9e373147df260d1c1a81c6a64f9f8118f441d88a096

C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png.Fuck you

MD5 a8579c4e48293d99d2cf1d3ad8e0c0bb
SHA1 c88b20f78db2938de277217e50c601837ec54b40
SHA256 3d8060eee26ff6f6130f178ed58f632f6ec31895fcbef873b6fdff0217cfdd90
SHA512 a20b08896a26966498eb551fe423cedc21277e177ba925e57249c0f4469b64fe9ece2aecf9e296bbfaa1e1932edf7866d231ce71ef95ade48981abe55c257163

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.Fuck you

MD5 6a1307af8f55a3b825a9f035db13d9ac
SHA1 4da3233163cc467104836a9ad7a39a0f3d1eab85
SHA256 75bdebb1ec246920a3bf651a6bcc64bc875a681a209e56c1dae187dfb2d4761c
SHA512 8c3ffdfffd622becc14bddb358696d06162a2fcb7025aba0d58757998b930195b5b5f1416a3b4a7036cc12167bda92c7bd73cd36070a74b2858b859d3dac6e00

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.Fuck you

MD5 f949a3c2cb5147c5facaf3c9bbb793b4
SHA1 44127e82a2c5be0202f354995c02736411bde239
SHA256 9f344e896dc24e309e896c02cf58d34dd8f163618a7ca33fd2088ad5081ff6d4
SHA512 d06293e6be691ea78ed3d22ea1c92086e8ca758a924c31203fc22133768827c9e497556e70c26f882a20d2955c601493bd9074a1ecf1770efa95cc93e94e6acb

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.Fuck you

MD5 257bb4e65ab29b16df59d0b0e3761b94
SHA1 8f961b9a60df3e39519d936c5bf523f44b25779a
SHA256 fd693657d82331c2360ff41910f0d0fda98279dcbdcaa3be367f67edd1ac58c3
SHA512 fb7a9aac562272acc566bfc5eaecece1e5557f1f5b7d999ea4a79151a12eac8836dbc92be7307853f794df080d4de9156928470635aea090f565e6719beb1330

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.Fuck you

MD5 31d5b42e12e4339a90449106849d633b
SHA1 eaf2321ee7186e4b2a7228f9091bd33a3bcef9d0
SHA256 ea5678ced3e060c6c856cb8f65a9bf1367ef68e73d543a5c9707bf64ffdbe124
SHA512 f88d907427023de13e362af60ddba09235359e8d84afa3f9f5d97929e2d018c4772f95eff1691eefe3ec82585a9a9d1c7452cddd9f76c76a64809a49a57ea7f2

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\.lastModified.Fuck you

MD5 8e7399dc89c087a7a9765b72667e777a
SHA1 7b92bfaebcbd31ed338ced9ef0c5d1f734d82e0e
SHA256 5c816f0a996de607ea63d9ff65f9e559a6f18591baca2f85f12563f0c8336c36
SHA512 8d9558cb1fce883f0e54248cbcac1655e07b5e93de4b54d32a9b3571fcbf81ec9d2d04999dd01dfc2012f188151aec396f03f08366a5d706f7f6671f784b6a52

C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif.Fuck you

MD5 c636a07477a11b9d7f16630a19a3cda6
SHA1 c29cf8d773ef1e317c6ea89fd8474c91ddf3fc5c
SHA256 5c1d397d14fecb955315e2ceba5cc7e6025556374577c8bcffed5c670a92907d
SHA512 f22e162d0b8a52fa6faeb91070cdba82de385c85a3571cfda5a5dd4f533f06940b158ea021649251b44ab2c900e531f629151136520209b7078b2482c26b6187

C:\Program Files\Java\jre7\lib\zi\GMT.Fuck you

MD5 d2c1f0600efe6412e41f9ff9705a6b69
SHA1 006bd2499b1d8d9f1ca72d1ac1ae13c94735106a
SHA256 3475610f34097ae3acc4f949e44ca9183ff2e6b62f79e8343f921e67cbe888ea
SHA512 15b41240ab27ac377b75968d9814c0cfc8c16221c96e9a0c1407bc2fff0f837c3211e28deb5aa32732ab4c960b7cae9e4e397dec83280df72f914b6d0dc4477a

C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7.Fuck you

MD5 20735005d2187caff8fcdbad4d5defba
SHA1 218944adc6e8b43a56970925a7a1e6e15bfab0fb
SHA256 6eeb412903f209d480167ff5b3a6cf5cea58a60338617972cfa4832576349cac
SHA512 1e60195bb0635e94f42ffd3fca419a8ca47e3773c9541153e5dd67e4f6dbb044ed6d4b89dfff50c5a078e47e2dd8dab9e4030e2a7ff8e49899350c674d021e61

C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.Fuck you

MD5 f3ee9924d975e6c0fc840fdfbfb6571e
SHA1 2bf453983b98d4d77272abd1e898bff1ea30215e
SHA256 e1bb6105a256fdd1da6a0dc994c73e2380fcd2ec4a514f2299120c3dde5edf7e
SHA512 78bd6bcc874d09c911a68389b13c91f09aec4cd53b22a7a4ba423258953614e8aeb4de13032d85bef3ede882d4c41f1d4eb2ec348cd26d22f1789dcf0a5df97e

C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10.Fuck you

MD5 90b212d372e46e9d6ed0483dc8903ec3
SHA1 64f5e835c18ef7e71be0dccc24d7358c842532d6
SHA256 114181a828436f3f37dfbdcc29f73fb7337dfbd023c6e1c45485a09480500347
SHA512 5732ac6745ef9c1d393df74bced74084224d595dab20590020e6e44980ee19bc56752777e9bf9593f48abefd9b9b54499dd441d9eb971c682d74536eafec4d3b

C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css.Fuck you

MD5 d3b5f71e253291d4c135f0e9b4af8a73
SHA1 06c0d576084887852fa9b9abc09ed7aee66e8fb5
SHA256 966c268ee2b02e10ce73dda8b35ec20fc8464139cd95cfbed5c364a795b42083
SHA512 eef1f0175ac8f09ac3af9e7edda86b0c1a98d17a0248127c2b763f238f7647705f30e7e9ee1ce90e9a54f7f5fcabb01fb5a2871834d10d7255ed7386ebedf45e

C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css.Fuck you

MD5 7abf17cad5415effb62015ace88759c1
SHA1 d54da5822f9f19ee81683516aed9faa8bc9afcbc
SHA256 988eff76d0e6c9118b5011b514c16828c5ab5dee26c27cd8affed5a41aa4544f
SHA512 b2f1c8e165651a0e3011107636cd283f01ffb92040e4afad3e8b36864d13aaa1c27654e63caf2dd541d91e6941133b02ae269fb18a50c44b5443f47b50e7eba0

C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\settings.css.Fuck you

MD5 5669a48c8c81cc018439b6c3e5641ea5
SHA1 b9a6bcc37dd918d1b1fdfa271316bdf2eef370e2
SHA256 6fba0c4e0e9bc23f48154179373a31db1316b94f3541bf5edffda322598e3e8b
SHA512 806c1d14a4c8a15caea7a6de1f911e8432e48b782db3f656f1170eecf6e7c2fa8fc43b4a2781beef3cb3d3e77a059c90a2bbecb59916658cd6789fcfd177c4be

C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js.Fuck you

MD5 1d40cc9e40bc27935e388a4f0e15f526
SHA1 c21f7e7159bb65f5afcc1360bed5b17452e75c9e
SHA256 1249791c89ba10f7fa5880600854ef6954b2769368af4a3f418aabc8dd73fd83
SHA512 eb00621afa20160f117c6ec06641cf2d330e167610d11dc89d3c006d9220762435f1f91c34cfe5b10f27c3fb92de2b1a49dff9f42467e736bc42b797faaf7e17

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 01:05

Reported

2024-03-21 01:07

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe"

Signatures

Renames multiple (2575) files with added filename extension

ransomware

Possible privilege escalation attempt

exploit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Termite.exe = "C:\\Windows\\Termite.exe" C:\Windows\Termite.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment.exe = "C:\\Users\\Admin\\Desktop\\Payment.exe" C:\Windows\Termite.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\mswsock.dll C:\Windows\Termite.exe N/A
File created C:\Windows\SysWOW64\mswsock.dll C:\Windows\Termite.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\7-Zip\Lang\sk.txt.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy.jar.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mscss7wre_fr.dub.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\7-Zip\Lang\en.ttt.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jre-1.8\COPYRIGHT.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\msipc.dll.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\7-Zip\Lang\hu.txt.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl.Fuck you C:\Windows\Termite.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.Fuck you C:\Windows\Termite.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Termite.exe C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe N/A
File opened for modification C:\Windows\Termite.exe C:\Windows\Termite.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\Payment.exe,0" C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Fuck you\ = "Fuck you" C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\ C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\Shell\Open\Command C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\Shell\Open C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\DefaultIcon C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Fuck you C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you C:\Users\Admin\Desktop\Payment.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\EditFlags = "2" C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\Shell C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\Payment.exe\" \"%1\"" C:\Users\Admin\Desktop\Payment.exe N/A
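The registry rows above register the appended extension as a file type whose DefaultIcon and Shell\Open\Command both point at C:\Users\Admin\Desktop\Payment.exe, so double-clicking any encrypted file launches the dropped Payment.exe instead of an error. As an added example that is not part of this report or the sample, the script below parses registry "Set value" rows in the shape the sandbox prints them (the sample rows are constructed from the table above plus one benign .txt association for contrast), rebuilds the extension -> ProgID -> handler chain, and flags any extension whose handler executable lives in a user-writable path. The row format, the USER_WRITABLE pattern and the function names are assumptions of this example.

```python
"""Flag a file-extension handler that routes double-clicks to a user-writable
executable, from registry rows in the shape this report prints them.

Added example; not code from the report or the sample. Row text below is
constructed to match the "Modifies registry class" table, plus one benign
.txt association for contrast.
"""
import re

CLASSES_PREFIX = '\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\'
SET_VALUE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)"$')
# Paths a standard user can write to; a handler living here is a red flag.
USER_WRITABLE = re.compile(
    r'^(?:[a-z]:\\users\\|%(?:temp|tmp|appdata|localappdata|userprofile)%)', re.I)

# Constructed sample rows (first four copied in shape from the report).
REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\Payment.exe,0"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Fuck you\ = "Fuck you"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\EditFlags = "2"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\Payment.exe\" \"%1\""',
    # Benign association, constructed for contrast (not from the report).
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "txtfile"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\Shell\Open\Command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"',
]


def parse_set_value(row):
    """Return (type, key, value_name, data) or None. A path ending in a
    backslash means the key's default value (empty name)."""
    m = SET_VALUE.match(row)
    if not m:
        return None
    kind, path, data = m.groups()
    if path.endswith('\\'):
        return kind, path[:-1], '', data
    key, _, name = path.rpartition('\\')
    return kind, key, name, data


def unescape(data):
    # The sandbox prints REG_SZ data with backslashes and quotes escaped.
    return data.replace('\\"', '"').replace('\\\\', '\\')


def handler_executable(command):
    """First token of a Shell\\Open\\Command string, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ''


def build_associations(rows):
    """Map .ext -> ProgID and ProgID -> open command from default-value writes."""
    ext_to_progid, progid_to_command = {}, {}
    for row in rows:
        parsed = parse_set_value(row)
        if parsed is None:
            continue
        _kind, key, name, data = parsed
        if name != '' or not key.startswith(CLASSES_PREFIX):
            continue
        rel = key[len(CLASSES_PREFIX):]
        if rel.startswith('.') and '\\' not in rel:
            ext_to_progid[rel] = data
        elif rel.lower().endswith('\\shell\\open\\command'):
            progid_to_command[rel[:-len('\\shell\\open\\command')]] = unescape(data)
    return ext_to_progid, progid_to_command


def find_hijacked_extensions(rows):
    """Extensions whose registered handler is an executable in a user-writable path."""
    ext_to_progid, progid_to_command = build_associations(rows)
    findings = []
    for ext, progid in ext_to_progid.items():
        command = progid_to_command.get(progid)
        if command is None:
            continue
        exe = handler_executable(command)
        if USER_WRITABLE.match(exe):
            findings.append((ext, progid, exe))
    return findings


if __name__ == '__main__':
    for ext, progid, exe in find_hijacked_extensions(REGISTRY_ROWS):
        print(f'{ext!r} -> ProgID {progid!r} -> {exe}')
```

The same parser works on a Sysmon Event ID 13 (registry value set) export once the TargetObject and Details fields are joined into this row shape. The keys sit under HKLM\SOFTWARE\Classes, which a standard user cannot write, so their presence also confirms the sample ran elevated in this detonation. Cleanup is to remove Payment.exe and then delete both keys, e.g. reg delete "HKLM\SOFTWARE\Classes\.Fuck you" /f and reg delete "HKLM\SOFTWARE\Classes\Fuck you" /f, so that opening an encrypted file no longer re-launches the dropped binary.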

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe C:\Windows\Termite.exe
PID 2728 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe C:\Windows\Termite.exe
PID 2728 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe C:\Windows\Termite.exe
PID 2540 wrote to memory of 4452 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2540 wrote to memory of 4452 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2540 wrote to memory of 4452 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2540 wrote to memory of 1436 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2540 wrote to memory of 1436 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2540 wrote to memory of 1436 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2540 wrote to memory of 3156 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2540 wrote to memory of 3156 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2540 wrote to memory of 3156 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2540 wrote to memory of 3460 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2540 wrote to memory of 3460 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2540 wrote to memory of 3460 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2540 wrote to memory of 1408 N/A C:\Windows\Termite.exe C:\Users\Admin\Desktop\Payment.exe
PID 2540 wrote to memory of 1408 N/A C:\Windows\Termite.exe C:\Users\Admin\Desktop\Payment.exe
PID 2540 wrote to memory of 1408 N/A C:\Windows\Termite.exe C:\Users\Admin\Desktop\Payment.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-21_96b8036f361b0d093394bea6e30fbe40_termite.exe"

C:\Windows\Termite.exe

C:\Windows\Termite.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysNative\mswsock.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysNative\mswsock.dll" /grant administrators:F

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\mswsock.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\mswsock.dll" /grant administrators:F

C:\Users\Admin\Desktop\Payment.exe

C:\Users\Admin\Desktop\Payment.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
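The process list shows C:\Windows\Termite.exe (PID 2540 in the WriteProcessMemory table) running the 32-bit SysWOW64 copies of takeown.exe and icacls.exe against both copies of mswsock.dll, the Winsock 2 service provider DLL: the C:\Windows\SysNative\ path is the alias a 32-bit (WoW64) process uses to reach the real 64-bit System32 that file-system redirection would otherwise hide, and the SysWOW64 path is the 32-bit copy. Taking ownership and granting Administrators full control is the preparation needed to overwrite a protected system DLL; the report records the ACL change but no subsequent write to mswsock.dll, so treat it as preparation, not a confirmed replacement. As an added example that is not part of this report or the sample, the script below runs that detection over process-creation events: it folds the SysNative alias, extracts the target file from each takeown/icacls command line, and correlates takeown followed by an icacls full-control grant on the same protected file under one parent. The event dicts, their field names and the function names are assumptions of this example; the first four events mirror the process list above and the last two are benign rows constructed for contrast.

```python
"""Flag takeown/icacls run against files in the Windows system directories,
correlated per parent process, from process-creation events.

Added example; not code from the report or the sample. The event dicts and
their field names are constructed here: the first four rows mirror the
"Processes" list (PIDs from the WriteProcessMemory table), the last two are
benign rows added for contrast.
"""
import ntpath
import re
from collections import defaultdict

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
PROTECTED_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')

EVENTS = [
    {'pid': 4452, 'parent_pid': 2540, 'parent_image': r'C:\Windows\Termite.exe',
     'image': r'C:\Windows\SysWOW64\takeown.exe',
     'cmdline': r'takeown /f "C:\Windows\SysNative\mswsock.dll"'},
    {'pid': 1436, 'parent_pid': 2540, 'parent_image': r'C:\Windows\Termite.exe',
     'image': r'C:\Windows\SysWOW64\icacls.exe',
     'cmdline': r'icacls "C:\Windows\SysNative\mswsock.dll" /grant administrators:F'},
    {'pid': 3156, 'parent_pid': 2540, 'parent_image': r'C:\Windows\Termite.exe',
     'image': r'C:\Windows\SysWOW64\takeown.exe',
     'cmdline': r'takeown /f "C:\Windows\SysWOW64\mswsock.dll"'},
    {'pid': 3460, 'parent_pid': 2540, 'parent_image': r'C:\Windows\Termite.exe',
     'image': r'C:\Windows\SysWOW64\icacls.exe',
     'cmdline': r'icacls "C:\Windows\SysWOW64\mswsock.dll" /grant administrators:F'},
    # Benign rows, constructed: an admin fixing permissions on a user file.
    {'pid': 5001, 'parent_pid': 4800, 'parent_image': r'C:\Windows\System32\cmd.exe',
     'image': r'C:\Windows\System32\takeown.exe',
     'cmdline': r'takeown /F "C:\Users\Admin\Documents\report.docx"'},
    {'pid': 5002, 'parent_pid': 4800, 'parent_image': r'C:\Windows\System32\cmd.exe',
     'image': r'C:\Windows\System32\icacls.exe',
     'cmdline': r'icacls "C:\Users\Admin\Documents\report.docx" /grant Admin:R'},
]


def split_args(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def normalize_system_path(path):
    """Lower-case and fold the SysNative alias: from a 32-bit (WoW64) process
    C:\\Windows\\SysNative\\ is the real 64-bit System32, so a rule keyed on
    System32 must treat it as such."""
    return path.lower().replace('c:\\windows\\sysnative\\', 'c:\\windows\\system32\\')


def grants_full_control(spec):
    """True for icacls grant specs such as administrators:F or user:(OI)(CI)F."""
    if ':' not in spec:
        return False
    rights = re.sub(r'[()]', '', spec.split(':', 1)[1]).upper()
    return 'F' in rights


def acl_target(image, cmdline):
    """Return (tool, normalized_target, grant_spec) for takeown/icacls, else None."""
    exe = ntpath.basename(image).lower()
    args = split_args(cmdline)
    if exe == 'takeown.exe':
        for i, arg in enumerate(args):          # takeown /F <file> [...]
            if arg.lower() == '/f' and i + 1 < len(args):
                return 'takeown', normalize_system_path(args[i + 1]), None
    elif exe == 'icacls.exe' and len(args) > 1:  # icacls <file> /grant <who>:<rights>
        grant = None
        for i, arg in enumerate(args):
            if arg.lower() in ('/grant', '/grant:r') and i + 1 < len(args):
                grant = args[i + 1]
        return 'icacls', normalize_system_path(args[1]), grant
    return None


def find_system_acl_takeovers(events):
    """Group ACL operations on protected files by parent; takeown followed by an
    icacls full-control grant on the same file is the strongest signal."""
    by_parent = defaultdict(lambda: defaultdict(dict))
    for ev in events:
        hit = acl_target(ev['image'], ev['cmdline'])
        if hit is None:
            continue
        tool, target, grant = hit
        if not target.startswith(PROTECTED_DIRS):
            continue
        by_parent[(ev['parent_pid'], ev['parent_image'])][target][tool] = grant
    findings = []
    for (ppid, pimage), targets in by_parent.items():
        for target, tools in sorted(targets.items()):
            full = 'icacls' in tools and grants_full_control(tools['icacls'] or '')
            severity = 'high' if ('takeown' in tools and full) else 'medium'
            findings.append({'parent_pid': ppid, 'parent_image': pimage, 'target': target,
                             'tools': sorted(tools), 'severity': severity})
    return findings


if __name__ == '__main__':
    for f in find_system_acl_takeovers(EVENTS):
        print(f"[{f['severity']}] {f['parent_image']} (PID {f['parent_pid']}) "
              f"{'+'.join(f['tools'])} on {f['target']}")
```

On a live host the same fields come from Sysmon Event ID 1 (Image, CommandLine, ParentProcessId, ParentImage), and the parent-based grouping is what separates this from an administrator repairing permissions from cmd.exe. After a hit, verify whether the DLL was actually replaced rather than only re-ACLed: check the Authenticode signature of both mswsock.dll copies (Get-AuthenticodeSignature in PowerShell) and compare their hashes against the copies under C:\Windows\WinSxS, since a tampered Winsock provider would be loaded into every process that uses sockets.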

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

C:\Windows\Termite.exe

MD5 96b8036f361b0d093394bea6e30fbe40
SHA1 117ea2ef8c960c86eb829ce3b937307a0964bd68
SHA256 5d0083f61a95508aeac3d37fbc1f21260ab09e2bf79f469feb93790bd201e5b4
SHA512 47dc01cbe0e800d9ffbb738398af84388efadec99d1123dea247527c0afd5ce0bffa4c87b4399bd45aad8739015c34d87a5f0dfd6ac991493acfabd7034ad9c3

C:\Users\Admin\Desktop\Payment.exe

MD5 9f9bb9ee4952cb514089910e19eac5c4
SHA1 c57f604e8eca50df40df93a6b0c3d65ab8d3b198
SHA256 0c9844f11b7b57547891b3cec86bd3468734a990768dd9f7a9a72cf6a908b17a
SHA512 8661c46618d0f8454a278d6a4e1b85fd9c9656c2e59feb6851087bfcdb53bba5015ce023cf6d0504dc899ae6fbbd4f413b45228eb2c8eb6965912cb32482d14f

C:\Users\Admin\Desktop\Payment.exe

MD5 3a02b00cd0ef8b5e75214128319eef9e
SHA1 ddce633fed2f4d620c73f5c32942f6687da7285c
SHA256 8ea4ebd4a36ec0433abe2c91d1ed5785fd63eb0e3c19706d161562cafd28f84f
SHA512 f74ba3564b2a2c1a6a5ffe9218ffeb2d4860ab07acc187dbf8de9eb2f6290eeea73a6789d07465fc6287acfa67e75c9a924ca895a708205d740442ac0160c9fd

C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.Fuck you

MD5 c636a07477a11b9d7f16630a19a3cda6
SHA1 c29cf8d773ef1e317c6ea89fd8474c91ddf3fc5c
SHA256 5c1d397d14fecb955315e2ceba5cc7e6025556374577c8bcffed5c670a92907d
SHA512 f22e162d0b8a52fa6faeb91070cdba82de385c85a3571cfda5a5dd4f533f06940b158ea021649251b44ab2c900e531f629151136520209b7078b2482c26b6187

C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.Fuck you

MD5 2eec9db222794adac142c4b8f6752ca2
SHA1 2a5a0bba79c89f05e21383fd37f6283294fbe673
SHA256 2203487e586a54746a1b819161d51fbba388af44bb22e67537591f8e6adc2ca6
SHA512 5e8b561d320502b33cdf3e0e27a9bb09abf2e591d2fe58193f1b7211ed6180855dfa64ec6b3b3fbe16f6944a3ea3a41069a0b16c53ca4169946e046c7f6597a0

C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.Fuck you

MD5 cefa484ab0dfc86ab1f11b77eb0e2b52
SHA1 4cfbb072d83d0dfffab83592ed2fba1becfb3a17
SHA256 3ab48112bad28776fbdd3bcae44063de147c8f71bfc2813e7011ea0f3713f522
SHA512 45be0467b20966c1fbc31a86ad0a62b33b8544740f1ef2e57e4f0f206360ec8c0a96f4e34017ec9351135ed8c251da1fd3e72fd11e346962a793334d0e505863