f40b99d2552ecb56d072caa1b94185ae5874b86c2b6d9166f0225ad9be46ada9

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exe
Size

1.9MB
MD5

760668c1961f3b473cc0046981d4b21e
SHA1

932cee12df51acdc8e9e614e39b0a3d7c1fe6766
SHA256

f40b99d2552ecb56d072caa1b94185ae5874b86c2b6d9166f0225ad9be46ada9
SHA512

1a1b99ba2b70ac159b2219fe6bb13cfe1932d7c82fbd846b776791882d382983f51b019dfa87eb1f2641cf80a36977f00a194b5866264c52c24e953fd81428d4
SSDEEP

24576:tnxLSUXY7WSIGgjxvYaxKMiZA+yH6uw1ECvGX6H7O3YpPNaG:txOUpSIZtv1xim+y6HLOO3

Score

9^/10

discovery exploit persistence ransomware

Malware Config

Signatures

Renames multiple (6170) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4732 takeown.exe
4536 icacls.exe
3244 takeown.exe
3928 icacls.exe
Executes dropped EXE 2 IoCs

Processes:

Termite.exePayment.exe

pid process

720 Termite.exe
3280 Payment.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4732 takeown.exe
4536 icacls.exe
3244 takeown.exe
3928 icacls.exe

pid	process
4732	takeown.exe
4536	icacls.exe
3244	takeown.exe
3928	icacls.exe

pid	process
4732	takeown.exe
4536	icacls.exe
3244	takeown.exe
3928	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Termite.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Termite.exe = "C:\\Windows\\Termite.exe"	Termite.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment.exe = "C:\\Users\\Admin\\Desktop\\Payment.exe"	Termite.exe

Drops file in System32 directory 2 IoCs

Processes:

Termite.exe

description ioc process

File created C:\Windows\system32\mswsock.dll Termite.exe
File created C:\Windows\SysWOW64\mswsock.dll Termite.exe

description	ioc	process
File created	C:\Windows\system32\mswsock.dll	Termite.exe
File created	C:\Windows\SysWOW64\mswsock.dll	Termite.exe

Drops file in Program Files directory 64 IoCs

Processes:

Termite.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoPreview.xbf.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlInnerCircle.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\ui-strings.js.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_altform-unplated_contrast-white.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionMedTile.scale-125.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-unplated.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorLargeTile.contrast-black_scale-125.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\or.pak.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-150.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionWideTile.scale-200.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PlaylistMediumTile.scale-100.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\libpng.md.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Diagram_Lines.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-100.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\ui-strings.js.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\Movie-TVStoreLogo.scale-125_contrast-white.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-256_altform-lightunplated.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-64_contrast-white.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-125.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\DialSticker.mp4.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-200.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AdaptiveCards.Rendering.Uwp.winmd.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main.css.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_DogEar.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-150.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-125.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x.cur.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-40_contrast-black.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\ValueProp_Shadow.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\ui-strings.js.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal_CustomCapability.sccd.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-fullcolor.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-30_altform-lightunplated.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-125_contrast-black.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256_altform-lightunplated.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-100.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\LargeTile.scale-200.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-400.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg2_thumb.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-24_contrast-white.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteWideTile.scale-200.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-48.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\MedTile.scale-200.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\ui-strings.js.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Termite.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exeTermite.exe

description	ioc	process
File created	C:\Windows\Termite.exe	2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exe
File opened for modification	C:\Windows\Termite.exe	Termite.exe

Modifies registry class 11 IoCs

Processes:

Payment.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465\ = "trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465"	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465\Shell	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465\DefaultIcon	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465\Shell\Open	Payment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\Payment.exe\" \"%1\""	Payment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\Payment.exe,0"	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465	Payment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465\	Payment.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465\EditFlags = "2"	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465\Shell\Open\Command	Payment.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Termite.exePayment.exe

pid	process
720	Termite.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe
3280	Payment.exe
3280	Payment.exe
3280	Payment.exe
3280	Payment.exe
720	Termite.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe
720	Termite.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe
720	Termite.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe
720	Termite.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe
720	Termite.exe
720	Termite.exe
720	Termite.exe
3280	Payment.exe
720	Termite.exe
3280	Payment.exe
720	Termite.exe
3280	Payment.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe
3280	Payment.exe
720	Termite.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe
720	Termite.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe
720	Termite.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe
720	Termite.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe
720	Termite.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe
720	Termite.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe
720	Termite.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exe

pid process

4656 2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

takeown.exetakeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 4732 takeown.exe
Token: SeTakeOwnershipPrivilege 3244 takeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4732	takeown.exe
Token: SeTakeOwnershipPrivilege	3244	takeown.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exeTermite.exePayment.exe

pid	process
4656	2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exe
4656	2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exe
720	Termite.exe
720	Termite.exe
3280	Payment.exe
3280	Payment.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exeTermite.exe

description	pid	process	target process
PID 4656 wrote to memory of 720	4656	2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exe	Termite.exe
PID 4656 wrote to memory of 720	4656	2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exe	Termite.exe
PID 4656 wrote to memory of 720	4656	2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exe	Termite.exe
PID 720 wrote to memory of 4732	720	Termite.exe	takeown.exe
PID 720 wrote to memory of 4732	720	Termite.exe	takeown.exe
PID 720 wrote to memory of 4732	720	Termite.exe	takeown.exe
PID 720 wrote to memory of 4536	720	Termite.exe	icacls.exe
PID 720 wrote to memory of 4536	720	Termite.exe	icacls.exe
PID 720 wrote to memory of 4536	720	Termite.exe	icacls.exe
PID 720 wrote to memory of 3244	720	Termite.exe	takeown.exe
PID 720 wrote to memory of 3244	720	Termite.exe	takeown.exe
PID 720 wrote to memory of 3244	720	Termite.exe	takeown.exe
PID 720 wrote to memory of 3928	720	Termite.exe	icacls.exe
PID 720 wrote to memory of 3928	720	Termite.exe	icacls.exe
PID 720 wrote to memory of 3928	720	Termite.exe	icacls.exe
PID 720 wrote to memory of 3280	720	Termite.exe	Payment.exe
PID 720 wrote to memory of 3280	720	Termite.exe	Payment.exe
PID 720 wrote to memory of 3280	720	Termite.exe	Payment.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_760668c1961f3b473cc0046981d4b21e_termite.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\Termite.exe
C:\Windows\Termite.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysNative\mswsock.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysNative\mswsock.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4536

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\mswsock.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\mswsock.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3928

C:\Users\Admin\Desktop\Payment.exe
C:\Users\Admin\Desktop\Payment.exe
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1268 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
774B

MD5
26c98d6fc6fd13ca97dab74fd39f2828

SHA1
8b8b1dbebb0ed0ffbd8ceb46a74a62ca476887e4

SHA256
0b58b107b32a9c5f62d011bf4eb349b971e365356b1dc777ea6389e6bc853c37

SHA512
fbf2ee218269cf910d1d7da7dd581d54217d7ef811e8427c8e1dca4a31591eeebf820cdcd57e5890248361860cd6776deb3d42db779c0a12d504c427ac649576

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
742B

MD5
da3db4f0740b238a3f7094a842d34c79

SHA1
1ec58088369cefd6343037f7e78bb429bf415a90

SHA256
a8d9da9b0dbefba2251c4589d0ab49e959816ff89fd70a7908bbd032884e314f

SHA512
f43f71c0ae4a774e7b071d7c8174a0c9abbb9507e41ac36cf33903945b510fba7d0bb8ba96f1b66d5af40a44692704c31e38b4090568d7613b017187cc78663b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
1KB

MD5
b0996bd1156d057205ff69627413306f

SHA1
dae724799cf52d6f5925c4855819e085e92427c4

SHA256
8a613bf29b006aed595bd3462ce0fc61a65d1d9acbcb5d6852ca6f387bf6e708

SHA512
d4262203739f614c5810db106c32eec5f41bfbcb09e0941df8cf331b704e4673d17751219593706bf515ba5517080d21b5ccee94be567ba1e5db061fc2acce6c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
510B

MD5
f14afc1ffe237e6400fce6df131a1d5b

SHA1
ad5c37c3a1f10cb16c5485f67973754971b1c238

SHA256
a31bd000c3d4ff5faebf2b0adbfdcff623432c1f1a7078ca843c191337f407ca

SHA512
1c56dc0467294333ea414904fc1eecaddc7c078f49d7bf42356b62a9d816bc2894f9a804db269cb8d5e801524a57001b128cb40d52507f7e50fa36598b450617

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
670B

MD5
1195c1772e9f7138b82a7349fd0192cf

SHA1
a8edab1109de51f536b7f85f9b31502efc636f8d

SHA256
e976e063974a8b2f5d56b365b424bee12c871fa5c4ab4265db4daadd07ee85b7

SHA512
14a9268178443e3db78b67f4bbae393d2fe8fba906d6ab2e1e9a7bd4326fd18c0de5cf8a1ec6e27a8c8837b0dfb7d95465837684f0e782d382518b8e72011192

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
446B

MD5
3d2a92db98bc06aa8e292b4bd94a3f37

SHA1
d9517987d885ba1541a3f1d558b718325481808d

SHA256
143aea77c55b7753d1e2c4f52187b535fdd60a5fa9bd93d70d636da66afb5c2d

SHA512
91f1e38d1d853adb4915e918de2ca4780165b73700fea70488123120ea1946ae075789866c909d058a43074a3176c1424640586ce569d2ccc273745eb9f4d1a6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
614B

MD5
b9a7f99d26a298162648167ca43cd570

SHA1
0685302cd20555422e3912841fd5aeb4e89272b4

SHA256
7654b91ec174eff8fa6a252320ad3aa4c5e2e00e5962057648820ab09bbd8cf5

SHA512
04194c3ef4d4d18505df917f8c8a92a0da156bc4a66a6f7859585b3dcca73df49946062a6fc10d18af8b39fa3ba19878255be92ee45b41eb286d8b1f3eedd1c1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
446B

MD5
51e38469cdfc182daf8afb3866b9bb88

SHA1
38346fae250c7caca426684b57455d9191147b6c

SHA256
a41d7e4d4e221bee8e1ef0273d21052bbde86913d2a4ec7d17e72c518c5275fa

SHA512
08b24ea72339dd2451d8879738afa642265f51d5034e493c6c48dc711704ce6fca638dc3a094b595938bb0b4e97074d4be5cd570ac39c28bf4cc26eec9eab572

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
614B

MD5
213755dc4603bf21347d14286c7b08c0

SHA1
f67ed0f5e1711b79abcd32169158203347174eaa

SHA256
f14a7045c31c5516186400917b6902d82d9e9b8e8c74a3584adf5663cb1fca6f

SHA512
6239ea452fc67a1f85d29667dc9fdd9b7266fe4a647276f8ce4c4fc54de7a97005e62053532cfd08308b8972b7971a331e070a0b97749c11114ffb137f36603b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
446B

MD5
5fbe8638aac6d0fe82c273eb0f26d7f9

SHA1
58e26a0850c2dd19b49b520747e52253f07a591d

SHA256
f041151a7e405588a7c14b7f72e2eac1a161ee3444112674c00a5e7dac40f047

SHA512
5ddd43d994d1e239db0c10600be8049316de1b0a071928bd2c0c97ddfe86089d8314ebe5ed39ee8d9ebe94ace784c19c72ebd33575080e906f7b0ad6b23d9262

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
614B

MD5
00fa0a730165a7fdf6e08c64fda24bcc

SHA1
3bd97f6efcc3ddb700d73bbf958091bef3e8072e

SHA256
455774b787d93b9557d5b22b394b671ac4b8c1d4c76685c4b6bc9da816ee2ee0

SHA512
01a467d481d163f9c382895592830310804dfa21bbc84a414517537bc43c79f8f125c998714500c014ee3e281b6015aa2b2e864b213f53815f07291702a7ac0b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
7KB

MD5
bd0a7017eac491a37345670f5bb1e30b

SHA1
dfc6711bf5f87e3578c4faaa40d10e465cccc26d

SHA256
92725408407f8d1d1bdd15325f66f163eae451776fe69ee40afd4e2820c0b9f7

SHA512
f79e51c9021b42f37f81325f46b85e7f2c87dd67e96c7bf422a58f206d105af3df163a2cc4d587854e4e03d4a4251aa6553a41ee3e93ea76deeedb7b0454f59e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
8KB

MD5
e22a16ef8b7651a45abb6697b6b0eddc

SHA1
61e0d21926b9dcf08aeb4c91e1839d8a15093dd7

SHA256
7b9aaa3bebcffc4865d96dfa0c3b10e59b8e9709ec812bd3dc756f6b8a17f522

SHA512
69d84758b91a80964f2976e70b3349a9b520fd5e698fd2a34313b1a73155b2020813b8b5ead50654fa7f05655d0a56f8019d0600f5644c20ee1919838523ac8a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
15KB

MD5
b8e3f431cb29f66990a5a61baa06b74a

SHA1
d1b6ab496500cea61e72c560d64a647ab27e5cea

SHA256
51a7ad1a0c057150e153826ef50cc89764c125bf956d61e9057c48f1a79d3592

SHA512
07ff5634f64829f45a322f19abbccf04168a82f38296a786055acddd3056988270ecf18482a05d1633547b8ccf0d3d56318dd6a80d5a831523dd9185d5aa0391

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
8KB

MD5
174a040d981b3b4478e475cd132f6d0e

SHA1
1896045a21aaf5d0c9e700ce5f98cc6634fdbd4a

SHA256
ef21d51bfd2f9f7377a043dbd13daa62e68e779a5bc08bf5c27b474a95c408cb

SHA512
cd2f4ac71cf6459166112dc9aadc6f41576537d5c5003d6c1d3a7e3e0cad4d6ca65b1aec2403abdea834f16b6d467b0f7f72d6c18b96833cddc457a99f92c45f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
17KB

MD5
d5289fa795b09e01684295d859335be8

SHA1
8af43910c42a7332bc5e703557960be4bb75e462

SHA256
2a71f3d66c96aaeb62e5042be63740681b694b6abd091eaca3a957b5f48db844

SHA512
6620c7c807d0ed1d90f10d26cf574618788b63a62cb53e457cdc977bf9abd04edfc99811b052afae862b34ac242f9399ebdced158c5657e707dfe2149cf6ee17

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
238B

MD5
3856d3652923d0b7a64721214e75c387

SHA1
6b6d65cec13ab9efdd7de641dedba78d53e27e4e

SHA256
e2de74858dd0061ade688ba1f8bff06dc0610406127ea834e7fd7b09bb45da35

SHA512
54aee491f7883ab6adbd0a5ea496e92db464eac7b48a56e50ab57ad681b06a6493d1f24f46300096bfeefdbb0dd41bdbbb0af6e657ef6a66ac179c149ed2b7a7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
766B

MD5
76d7416dd5e825924bd16f8bd8d1c5ce

SHA1
3891c6b1090de0190b0577eb6828417b58f7379b

SHA256
4340f1fc0f900cc74515c03c913f12032d34c6570a4680784fd027f3a085c837

SHA512
57f1428b98518142a0ae0203734fb253d72597e9c3c6e765a5a4126b1cd8ee854417116d0d8bde20037992775c2b33be569419d9d32a6c12b743c91e16fa397c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
8KB

MD5
61757fb287d745efa05c4a52eb0ec11b

SHA1
83ab1392b1debdc5fbb6653bdf5337cedea2fd2b

SHA256
d8a46c9e131b1f5fea00cc1a7411852c4ddb05ca62943fd33d95fa84c2a43e38

SHA512
06c438284437f3b241c769ae96f1c475ca1c280352b6e84668eeb4ffb140cfb3b8f3d8d5275ccc5743e2e8062940da416a9d365154c0306939c417172eaaa345

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
19KB

MD5
f0b2659ffea2a0e5f6951043914eddd2

SHA1
6bf8eec222199439f6a1bf46bafc0b332dcf2db1

SHA256
6d39143448f016cda3f8268338008f5e7f1734c48fb60696762df6cd83ceac7e

SHA512
56412abb830f88225ce10b4e591402c389aa91e59f98932da49f3264b4f46a5051119eecdd71802631dd630338f72dfda7a30540e82b433635c05eb7b18b5545

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
886B

MD5
ed3d81e7a8e88d5e6a23d7476075587d

SHA1
56985cc8d615e42bdb0fd3a389f11229c9cdce71

SHA256
2d669f88d79fef8642cee9663d371649315ec3924d2a48a1787a49af889f4e5d

SHA512
babcf5bd908c91b70a8d899c5d59e3e869ba83e7b138bfa52ec870caefe6db6f210875aa050be469f32ac0023b0741ce201cca652e0b8a41f73680c57451717b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
1KB

MD5
8e63c94bcc45e2e2a5702ede75266e91

SHA1
e7e7ce8a099518bde3105d228cf575708d8c809a

SHA256
48fdedde5f6efca1b768e840a7cb6c58512c64a80ae5b02dbd91ff30aeeda03b

SHA512
38f8f148fe498ce1f4b9db4473525fe718c8f6a13067d1c2ca3b55c331dedbb24bef68b0572134935cedcac8cba536b0fdae751a62c55efe813b977de9576e90

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
1KB

MD5
cdc3b33bdaed91f408358b69b7a73798

SHA1
a55f324edf21b1d3dc83b241f6a519e628839ce2

SHA256
34fe5cccae85dee81ab26361191d46e5c775518e6fabc3ed10f8952287e446be

SHA512
972b82ad6372508c33df2f9e33514629b6e7009e2d9db1dd97642190bc900cd05fe33a4926c56b032113279e855a0a75d7d1ad1d702aba426cff875e6d5b2d55

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
862B

MD5
72acf829effcb3d5b66f65b6608cc875

SHA1
5d62e081349c20a73df42fddf15970aef6cf6266

SHA256
08aee9a20a4e9f853f999d911e30ae0eb6a0364a9f29c14d93fb211ee8e90870

SHA512
70b105a44f00cb1c7cb358e2bc9feadd860b1361ed8a438c88c2c396e7fc40c71591e9e728e321f8b73ac45b7ee97e6095ea3568636c03d8847133494b459938

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
2KB

MD5
741619436bdf39e51f72a6dc1cab1f53

SHA1
ea20c55a255a1553de26abde9c068c2f9a7eb2ad

SHA256
400e7b715f750ee701eb57861186027795e87715b2f71bc1c44322e7995f123b

SHA512
8d0359fc32d0892ba7cfbf4930d8fb1309358187d532eca4a00444f1f24972e15a308bbfeeca14b2963ee27b00cf521863795604186e8af5cc29478ee07629d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
2KB

MD5
bf2f73009cbc50336b13cf5a9fc07d85

SHA1
cc0c8ce78f318fbf044c207489d178e8ad89f7db

SHA256
a695e8e2ff4dfafa586438cef3a49d560ef39286b1272cb5937f4dfef39550be

SHA512
e83d321327d0e9755b0320e510848364d9f6cb53928372c880e437519b8f3afec599319d7d5f1e71a96fd1f97dcc0d5a4924854a88ba06d07d428350f9a52207

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
4KB

MD5
11e70a2a7affd8dc8822d07819809dca

SHA1
9b4062ad1648f437c2783589031ca96024606eb6

SHA256
0606f6b000f1ff78cf37241073fde45f086eefee5ef01d9872e6059dee2eb9c4

SHA512
770780ff55b83e04c48a3f6082754e57189767311674b26f021eda779f13356b40d0ab6a4c8e12696dd580b961457ceccde1d7c4a9c4ff68cc7e1dfbca524654

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
350B

MD5
398f2eb5cf7f0e3e1763f4990da5270f

SHA1
d6eb074ceb4d63481f6aac5a7f1543698af67538

SHA256
1dd42bfdf18a7f446fa4edecc2f75cbb2d143d76ae0346ac94928cc3cc7948b1

SHA512
1a47561165856c9975a9c1bb34287d6c18417ab5b01c2f8b8ef336d7b8369f4d652b2f8086fb724a1a94f887211629353eba4a671686392c825bec919a80e46e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
446B

MD5
2820154cc318f2a83a82b58aa759b73f

SHA1
69edab0144ab96a01c5af0b71e6c5ada05bb06eb

SHA256
583c7df1c0424afb273a40e59e4b36b638de777a4bd4622d4a9e1d3b8fa57369

SHA512
e15333cb01f9eacdaf6c67ed717228b2eeabe8f4da245169eae043a2329b14668e1d398c1926eb599969124e71f3deecbcf460bc7f4f0842d3fd62a4082a5de2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
1KB

MD5
4be288c27e3c7a4d2101d031836fe0b9

SHA1
13eff69822c39d8d85684bf1f7c35f62ca69dd25

SHA256
42b82987b6147391d4865d1189bcebe103203bee6b3732b493121ec257a0afdd

SHA512
786166797c847a1827973a63f934ef8f3e35372f5a93042a02372d69aec34cf8a09747dd529c5bf93608fa8e724d0c613030f8153fcd33278550883369f24e91

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
1KB

MD5
dc5cfb1c83b51056f30ba82ebd802d7d

SHA1
22a48d726cbfdaa7018196b06d219385195be5a4

SHA256
ecf78bb4b6b4cd7e659d77f3bf35b7aa78d80bce44bd1f4b24eb092c87ec19e3

SHA512
45c849a7c30d34ace9d5073cdf36a7e8132b9f91d2dc5a6d39f7521149a9264a9e0f52cfbbcf90796d9ab270144d8819a31a4af8f7d7e70585fea87b3eda6f6a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
2KB

MD5
24a71d14421b12adb898eaef8b1b9dcc

SHA1
4fe40b14fe44b17f4b0d700f98c78cb672e42a94

SHA256
7e1296ae88287eef27d29dc3b0a54b4137054fd3644fa3a9c8da93c7328f0bae

SHA512
fc495913f8010086e76b76b357d0a5e9dd7ab3af95274fd07edb81165a843b941ccc0e89a75b9f77b944d47b92495fd370917c0abbff10ee72f59aca20f30a1f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
902B

MD5
d2a2bb1275a1d83b1bec7709b476cc4e

SHA1
236067811bb9a7abb56b40fb21914f44156a3d89

SHA256
f3a01122a00db3be4936011ff9843ec9df655cb17f7a89526bb25fc883a812d9

SHA512
766d7baeccd81cb28c0e70e96dc52c9e6174844393e224c6580a91d2be80a4bfe13427fca7877dcf83641058caed78631f7e02a189ebff3e3f4a7ac8a53cb99b

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
33KB

MD5
fe39d4a1b63c13aaca2e50c0ef65c5ef

SHA1
34a0585349a5eeee48cb5fa0b4b34136b92b00ef

SHA256
c269f7aa490ae67e23bbb3bba806b378e127e1d10eaefb93319bbcb292c1f759

SHA512
2c9ad7ad9a64a11dad321c19f744f92faf3f125bb80afe49ad7ad89e98eeafe0d6f0af0557272c154821ead44dcf204fad3f39abda1c171b5de4c76fab702f1c

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
214B

MD5
4cddf649f4f9fa990bc4b7c1f331d3e1

SHA1
a70735b9148d396718454633939d37858f5ce33e

SHA256
dd6799708b5c3fa7a00685a7b43aa742520b40886ffd5d1058ca9cc1d7afb5fc

SHA512
b8b79b09b12c11279064acac33b8c7c51c60ca9990bc7845c1958b1a8c4c4f629607d11d368519b67f72e15e35ee16fe84d29ca9997ecd20ce03ab2ff27445d6

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
174B

MD5
89421bedbde5b362bb286457f8d4c3e8

SHA1
5030c1470b8cdb13f28ea6d9e871947c6546c0fc

SHA256
6da97ccd3b82972d58650e1bade3f99628169b472a0a1e19f6cec5ff9f9f03e7

SHA512
4aaa742e31f606e8940c0598069821409b637f3804581b0d2a7661ec033a9b2e1bcdc917da390021bc33561a8b796952fa1c2aa7b4935ae10f4e1bbdc7b09162

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
174B

MD5
ba5d19310850507934732a99516067a1

SHA1
d7a219eeccd42a72679cf164b60ea7e033bc7b99

SHA256
50dbae37472148a1d0fcd1b28cef35576bb138c815797128f54be926c9b13a89

SHA512
32f515a36e3d2e1cf41539976f6bd4bb75e97d9343a58df8123e68c42f9ae7b24833e8b16e99daa470cf0b09a83b114eba1108a1a9377b5b43a1c52445fab0f8

Download Submit
C:\Program Files\MsEdgeCrashpad\metadata.trjhskjdghtsjkkrtgr790503840232497567820-1-4723815465
Filesize
54B

MD5
3df8a1345e483cfb190e98fcbe3d53f8

SHA1
0b2795e034cf36533b53202847e23a11b12c3313

SHA256
9b2ece02a33766dc9ea002a1782f071f2d42b0d0c2f4a3650fb4c9464c194060

SHA512
3dfaedb496282361a5e8d0060cb7a1b69c4b63daa539449ebe90105bd80e8153d4cfeab0eb83d1ff53a31917496c15e5a98a245bb82d967224fa003630bf2e96

Download Submit
C:\Users\Admin\Desktop\Payment.exe
Filesize
1.1MB

MD5
9f9bb9ee4952cb514089910e19eac5c4

SHA1
c57f604e8eca50df40df93a6b0c3d65ab8d3b198

SHA256
0c9844f11b7b57547891b3cec86bd3468734a990768dd9f7a9a72cf6a908b17a

SHA512
8661c46618d0f8454a278d6a4e1b85fd9c9656c2e59feb6851087bfcdb53bba5015ce023cf6d0504dc899ae6fbbd4f413b45228eb2c8eb6965912cb32482d14f

Download Submit
C:\Windows\Termite.exe
Filesize
1.9MB

MD5
760668c1961f3b473cc0046981d4b21e

SHA1
932cee12df51acdc8e9e614e39b0a3d7c1fe6766

SHA256
f40b99d2552ecb56d072caa1b94185ae5874b86c2b6d9166f0225ad9be46ada9

SHA512
1a1b99ba2b70ac159b2219fe6bb13cfe1932d7c82fbd846b776791882d382983f51b019dfa87eb1f2641cf80a36977f00a194b5866264c52c24e953fd81428d4

Download Submit
memory/4656-26-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download