d418ca84ca4bb7db72d2b00f8d6225a57909e02f712c7b0e2d9cefb2e18d0737

Resubmissions

13-07-2024 09:54

240713-lxbx6swdmm 10

13-07-2024 09:50

240713-lvbvdsyapd 10

13-07-2024 09:46

240713-lr1dksyajd 10

Analysis

max time kernel
1800s
max time network
1160s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exe
Size

1.9MB
MD5

d28e88e6e9ad654f81909e605f3398c1
SHA1

84726882c606eec6b7ed7d0ba1d9acdd13390e45
SHA256

38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c
SHA512

3e971529338ef0576ce40679b33fb763b2e1f3e7c16255b922434baf486d6569ee1e0770959ba7763b9759d89bf55b149d54546bdfa7299c41fd2c5d302ecaf7
SSDEEP

24576:tnxLSUXY7WSIGgjvvYaxKMiZA+yH6uw1ECvGX6H7O3YpPNaG:txOUpSIZDv1xim+y6HLOO3

Score

9^/10

discovery exploit persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (8637) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4040 takeown.exe
3508 icacls.exe
3304 takeown.exe
3632 icacls.exe
Deletes itself 1 IoCs

Processes:

Termite.exe

pid process

1380 Termite.exe
Executes dropped EXE 2 IoCs

Processes:

Termite.exePayment.exe

pid process

1380 Termite.exe
4680 Payment.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4040 takeown.exe
3508 icacls.exe
3304 takeown.exe
3632 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4040	takeown.exe
3508	icacls.exe
3304	takeown.exe
3632	icacls.exe

pid	process
4040	takeown.exe
3508	icacls.exe
3304	takeown.exe
3632	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Termite.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Termite.exe = "C:\\Windows\\Termite.exe"	Termite.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment.exe = "C:\\Users\\Admin\\Desktop\\Payment.exe"	Termite.exe

Drops file in System32 directory 2 IoCs

Processes:

Termite.exe

description ioc process

File created C:\Windows\system32\mswsock.dll Termite.exe
File created C:\Windows\SysWOW64\mswsock.dll Termite.exe

description	ioc	process
File created	C:\Windows\system32\mswsock.dll	Termite.exe
File created	C:\Windows\SysWOW64\mswsock.dll	Termite.exe

Drops file in Program Files directory 64 IoCs

Processes:

Termite.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\LogoDev.png.DATA.Fuck you	Termite.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.Format.ps1xml.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-36_altform-lightunplated.png.Fuck you	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_retina.png.Fuck you	Termite.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\bn-IN.pak.Fuck you	Termite.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TabTip32.exe.mui.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-125.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\AppxMetadata\AppxBundleManifest.xml.Fuck you	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\ui-strings.js.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-125.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailLargeTile.scale-150.png.Fuck you	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-focus_32.svg.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-30_altform-unplated.png.Fuck you	Termite.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\iexplore.exe.mui.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-400.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\script\bulletin_board_construction.js.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-100_contrast-white.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_altform-lightunplated.png.Fuck you	Termite.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1.Fuck you	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-ms.Fuck you	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.Fuck you	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.Fuck you	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\ui-strings.js.Fuck you	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-100.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-100_contrast-white.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_hi.json.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-400.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-100.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-24_altform-lightunplated.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\9px.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\AppPowerPoint32x32.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreSmallTile.scale-200.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxManifest.xml.Fuck you	Termite.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl.Fuck you	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-unplated_contrast-white.png.Fuck you	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\ui-strings.js.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-32.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-256.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-400.png.Fuck you	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunch.css.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-black_scale-100.png.Fuck you	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxManifest.xml.Fuck you	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalSplashScreen.scale-100_contrast-white.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\SuccessDot.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-400_contrast-black.png.Fuck you	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-150_contrast-white.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-200_contrast-white.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-200_contrast-black.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\19.jpg.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-100_contrast-black.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSplashScreen.scale-100.png.Fuck you	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-100.HCWhite.png.Fuck you	Termite.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.Fuck you	Termite.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.WPG.Fuck you	Termite.exe

Drops file in Windows directory 2 IoCs

Processes:

38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exeTermite.exe

description	ioc	process
File created	C:\Windows\Termite.exe	38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exe
File opened for modification	C:\Windows\Termite.exe	Termite.exe

Modifies registry class 11 IoCs

Processes:

Payment.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\DefaultIcon	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Fuck you	Payment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Fuck you\ = "Fuck you"	Payment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\Payment.exe,0"	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you	Payment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\	Payment.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\EditFlags = "2"	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\Shell\Open\Command	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\Shell	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\Shell\Open	Payment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Fuck you\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\Payment.exe\" \"%1\""	Payment.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Termite.exePayment.exe

pid	process
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exe

pid process

1448 38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

takeown.exetakeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 4040 takeown.exe
Token: SeTakeOwnershipPrivilege 3304 takeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4040	takeown.exe
Token: SeTakeOwnershipPrivilege	3304	takeown.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exeTermite.exePayment.exe

pid	process
1448	38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exe
1448	38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exe
1380	Termite.exe
1380	Termite.exe
4680	Payment.exe
4680	Payment.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exeTermite.exe

description	pid	process	target process
PID 1448 wrote to memory of 1380	1448	38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exe	Termite.exe
PID 1448 wrote to memory of 1380	1448	38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exe	Termite.exe
PID 1448 wrote to memory of 1380	1448	38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exe	Termite.exe
PID 1380 wrote to memory of 4040	1380	Termite.exe	takeown.exe
PID 1380 wrote to memory of 4040	1380	Termite.exe	takeown.exe
PID 1380 wrote to memory of 4040	1380	Termite.exe	takeown.exe
PID 1380 wrote to memory of 3508	1380	Termite.exe	icacls.exe
PID 1380 wrote to memory of 3508	1380	Termite.exe	icacls.exe
PID 1380 wrote to memory of 3508	1380	Termite.exe	icacls.exe
PID 1380 wrote to memory of 3304	1380	Termite.exe	takeown.exe
PID 1380 wrote to memory of 3304	1380	Termite.exe	takeown.exe
PID 1380 wrote to memory of 3304	1380	Termite.exe	takeown.exe
PID 1380 wrote to memory of 3632	1380	Termite.exe	icacls.exe
PID 1380 wrote to memory of 3632	1380	Termite.exe	icacls.exe
PID 1380 wrote to memory of 3632	1380	Termite.exe	icacls.exe
PID 1380 wrote to memory of 4680	1380	Termite.exe	Payment.exe
PID 1380 wrote to memory of 4680	1380	Termite.exe	Payment.exe
PID 1380 wrote to memory of 4680	1380	Termite.exe	Payment.exe

C:\Users\Admin\AppData\Local\Temp\38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exe
"C:\Users\Admin\AppData\Local\Temp\38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\Termite.exe
  C:\Windows\Termite.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\SysNative\mswsock.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4040
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\SysNative\mswsock.dll" /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\SysWOW64\mswsock.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3304
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\SysWOW64\mswsock.dll" /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3632
- - C:\Users\Admin\Desktop\Payment.exe
    C:\Users\Admin\Desktop\Payment.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.Fuck you

Filesize
729B

MD5
0056438ee6c09ad3b2795dd90277149e

SHA1
ea37a563c988f1daa8e1ac43f315540bf6eae54e

SHA256
4e3090ad56153902e4af60f6e6b6af06ea2946e95f5b903d1d31d1e4271f63d0

SHA512
e735c10f523be049631536fd95cb25c09d22517858072ea07da50947663fd2d689e05922598c46881bd2559588991747f09213e106427538887701dfdb0647e9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.Fuck you

Filesize
697B

MD5
9661ce260a80389cb25b8b0ad16eddeb

SHA1
c84872b0a2414198fe6b2cf0204e2c992087cc22

SHA256
c3c6f4c1d2348b6ab7d19e0b1f4f429d99cc0c904367c5df17ac819793067815

SHA512
4c407c9d0f45d9ecc3f74e795ec6f03953c919ce5c01fa48b1cf270b2203383c82e81ba38fd296d79f55ba2708601dc5ae3f4361eabf6421343a76252449d50f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.Fuck you

Filesize
1KB

MD5
baa7ef3d5fd3dca7f7de59a59aa516da

SHA1
c6e4b3a770d79985a3f5d5bacfe70d1f2ca8b06d

SHA256
e52ff0d33a1a96b908b05684b742879c30541636b94bb02977b7abf791fabaf8

SHA512
13077ed5b2dae30bcbe8aef813ef03c5ce0d10c882e7af2108c7c568ee3564ac250c451b0bcdc7dde6293ec50c5be5b9b9dc0da29ac9a8c60321854f0efbf535

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.Fuck you

Filesize
465B

MD5
972537e9421422b578e153ea93ee3280

SHA1
20e79b6697a24f579e2007024a8060b1d9641487

SHA256
dc9785ddbe5cc31aed3b3c6df2014dec4f5c6fba250384042cf3cd1fa7add402

SHA512
a95b909fa7e5d349e55eb86e83039d0c2241f0527fcb77e523de44c52f679e57bc14bbbae42b5e9937bbe70ea85207ce8126e615f7075b966e560e4449e30be7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.Fuck you

Filesize
625B

MD5
871d64271d96f3e83fc764165eada5d6

SHA1
bd34fa50bafcfcc83075df08f42e713ac758780f

SHA256
13a8668890a6354e472dcfc2ce43f2f37b6384f984e73bd47039ea9f7f05b173

SHA512
cb23182c84bde8b0225c2d78913c0ff3aee280e54f6db6147a3609905cca10a95a9262eae80f414b33a133564513b11fee68eaf7351885801806078008c448c1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.Fuck you

Filesize
401B

MD5
5cb567c7613f7e15b2ddc0613746a124

SHA1
69bb38f44f03524f0eaaaa618a5bcccd7c32a133

SHA256
585d9d722f87afca4bfcfebd820c1ff5cfbc82afa331f1b95dd0c82768e7dc8f

SHA512
55e8510d4ba5ba1412ac53cf9ed48988257441aeff6d4db2ac241dfc27cd2f39c339af609be2f302b28eeab5ab4beb583827fc3bf4cc0dcebe6a3a96590cc8c6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.Fuck you

Filesize
569B

MD5
25f07cb98dea34412da78b5f6d04198d

SHA1
eb64768f320fde6658208080f6ecf4247588cdac

SHA256
f7138192a283ac028f2f0c222e4d3d51d81d1a9828a5400c4534bcd8857921d5

SHA512
b09cb1c15a8e1f9916c4066e298cb710ae6830d5c7fde1427def2a9512a190941b0ed1dfa46a41347ca7a764b9de2b3cfee9797f9f0fd1fe7be4636ec4835746

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.Fuck you

Filesize
401B

MD5
9125008836c022b479e52d291df18aa3

SHA1
d6d3de702630e0e90b5d975697c143352e511ca8

SHA256
1e93b56a2f4ccbc2dafc0fdad848e569527185a3c2dc34d38dc5ddfbcfe7f3fe

SHA512
75e7b05a33c8004cf8e61a8a57f63c2bc224799441cf4fb820097cfa7f243216557c2e8dd45886018b6a698cd646499777159346525bf7eb1846169cc8ab578d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.Fuck you

Filesize
569B

MD5
d519001b0d819f0e5b24a818cc67e4b5

SHA1
bfdd76d091258756bffc786106adb05bebe006b2

SHA256
e531ed1601091fb904ee1f608c612db526a2ac70a3a206b629b7802d6dafe0a9

SHA512
343d971a9386db23929dac1c959aed1c457c4e7596eb00e4bfbdd3189892dcc14ee86a8534c884ee4d9e6ba4698241d01656f32408f22df30e87d4e180d81649

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.Fuck you

Filesize
401B

MD5
535eb47c593767820ab1864735209588

SHA1
acee1b9118ebd8ac9d4759749ac2a66c0bf66094

SHA256
1a4d63750396bdb58b73f919ae4d037514d935e46ffbff2d4d2eec3c20564e9c

SHA512
bd83803827b5928ea2a9d153b923705004c894b424170bcf9198037ed2702fe8f2c4c013224e723ae608ddbfbbc3582c1833ddb136c41dad74e844260cbddb1b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.Fuck you

Filesize
569B

MD5
30b6c1fbca6218bdb04604a10236c355

SHA1
469dc5653d15b6e5da40eed96d697f5fd1eaf103

SHA256
fe73a8cc4040fce3ec311c0c615ee87b79d3eb9fe8686c2c2c3d79a50414ffdf

SHA512
f11b5820a3ee728b3dcdb807491f7cacb388777b760d5177b43e51893b3e6a9ce551b6f50cd5e31c3070fedbc49f5d26194e6f0927056fc443efe3e0f2c88e8e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.Fuck you

Filesize
7KB

MD5
2411004999c97328c1db6e4cac03c1a0

SHA1
a3ef026564913d366799fef2d70902568bcf467b

SHA256
0025cde32b8557a9b9ae2f5f5649b92c14702d97e01ca2049b8fb49d5252b974

SHA512
d20f3cf1b907a61d7015aac55a4abbdf00fc152310917aa8236ddb374afaa2733a29bac47ca1a5790e38a2abefd1eccb7cfccbe523675410b3e83428506d1112

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.Fuck you

Filesize
7KB

MD5
c2dd1b2f24fc657307ad085cabe961a0

SHA1
2624b892fc2812c98f36ef98a17c883c72bf6b57

SHA256
1df1efbd83eac1656b386a3331662c98556c8ae8cf9ace2e56e431858468cb42

SHA512
d9aa9215ac2a2c374d77cb030bfaefa16d0408ee838994ba7bf01eaa761391a01c88d9f778eb5ba51653a356cb71d9f497b64aee5b8d913c08925f64cd071fc5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.Fuck you

Filesize
15KB

MD5
85bf26bf7e78f8679ca8cfc9b3b8d739

SHA1
6e80e564d5d1d258bbb4a5ed27ae9f47e476f559

SHA256
17cace23ae33b63f56faa0747bb70d4f648135b0294dd93458ddcaa855d96eef

SHA512
655d2b34fb1d9afba68cc9484a53ae0b464348bc46af04977ee9259bf877d840dfcb1d3b77ff96afaa48b96eecbb06cdcb9e8e60003aa0edd2ff74552439e851

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.Fuck you

Filesize
8KB

MD5
2acf65ed27f0cf5024f14f093468d4b1

SHA1
59e12a7e8f239e1a8c1246babdf17a1e131d2e81

SHA256
41f5e5488921335cb3025d04932c2e6bdce944fda1654c53aec2109465772246

SHA512
962ed1546d19d2b0785552a63cc8a1f1d21ad7cc80bafb44c7ded414e9b3a24fe7dbab1a60071c68c874c3a945a29047b9510af204b02b494928e8c6b9f69ab0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.Fuck you

Filesize
17KB

MD5
e87c5acaa31d59dd5379f32a4a1063f5

SHA1
b9a658e7b401713cd57d511eba236916f6ddd040

SHA256
cf2185cac5e99759d8ef5559a06b9afcb3a6dc7778df36875c6870a4246ce92c

SHA512
16d0a5e817335bc4431e74b0d7da8753724fd6e4c434371d4106cdfd47f95b0fdabf96b416d16aa71cddc0c45da98de42ba5d008b228d890a0d1f8a1327429d4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.Fuck you

Filesize
193B

MD5
5220fb38adfb4f9780a916092dd21139

SHA1
45d4a543d826648bfa78e8b83e4d5fa7df0130c6

SHA256
6cc556db1d6f41b8c265be5d1d147abc140e33f2d831a64df7c4139490def536

SHA512
38275812893b6c958891f5408cecdaaebca44a73c032a476947f1d94576a2a0dec2e17c9cb72ee018185d30b5f964d972322294986ee3f48f154a320d5bea7e8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.Fuck you

Filesize
721B

MD5
0f3ac73278710b304325144fa6f4066d

SHA1
7a26fa5ae693707971a9f63a9a79d4b2efd6d38f

SHA256
e367e352f8d044c60e6c615d9fde16972a923d25e8109c7fb7f047a3ff87b1bb

SHA512
fa8bae121d654843b599280b50a683b17d5099968464c092ce76eac01d3049fedb7916f921c95681210a9afb0a0f4a22ccfbc3a5e61628958e05bb4cccbf3fd1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.Fuck you

Filesize
8KB

MD5
5aab23c2e8c3563900756ffd6ced7bfe

SHA1
b37446acb90daf57a797b5542bdc0346e190dcd3

SHA256
789ffaa6241fd40ffbba5f3cb372a0f1b74b0935cff03f9dd9d962be96a6992a

SHA512
5476ad29a4386ed89161f262734e217c9cb5238748a65bf86987eb4df7ddbe07e8ca663a1cf66477905f01baf5fbeb00f9d9ebc6f8d26113251c27adb1a80cf8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.Fuck you

Filesize
19KB

MD5
bf06f96bc4683bee6e16b37190d7e025

SHA1
2e5f9fb0c426abb02ca01064536ee858ba3537c0

SHA256
27265fe87860a17ed45c8b36794fce9d9976af3c580a337d3c9accf80ae723f6

SHA512
a5b399b88d91110c63a82ccd34329837b7e2f9730f886df8d161e9416a3442006b090449d98699cf1452681ae267735c09559280076916cb56384116f47b3949

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.Fuck you

Filesize
841B

MD5
5de61e629047d09f9705bec5fa6ef1ae

SHA1
d1ca2abc8188c80bbb3e65a3b19ae65de59fee4b

SHA256
fc674b1939b9a36fc593df22d6ddd081aec3a9c1ff17e1d5565710874d3489f1

SHA512
0cd3db19e4efc95b04e03ea80061f705c16287c45e9faf7757f8964088e5313b2bc2e1c95e1174e6f5cf40019dbfbb38d716a23d1b8ff2e13072e8e2b8669d42

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.Fuck you

Filesize
1KB

MD5
3a50e1244cd404510fdbd96eaeac22c1

SHA1
8b25c0ef0ab322fe56bfde5b5e71659644cf0e13

SHA256
8ed8c693299f87a4c3c1a10676b4abb2611779a5df85a12defd97d08b2628b57

SHA512
c73d3f8c8e7adcbb61147c4c0abf3a1ce44099a60a0c59ae7efe76391d29a2c33776c6aaa7efe64b4704e62335d394fb950774233611021ad0bc6ad728ec4004

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.Fuck you

Filesize
1KB

MD5
48455bce5c481f851e5c83d5656653e0

SHA1
71ba37fa3f2849d81e0517142b173836f7ff6a77

SHA256
4b1e54c37c2299779f4a61fae27154f1697fd384bbd3a2e0a0edc8f33597b93e

SHA512
80a02ee6921dcd347b5a4b1ca80d8bdd57800b0f6b5a6716e8894225e0ab546dfa14f4c6791e8dc9c13be4a26ab8a125fffb6440ba9d1b16ce2032b6dab25045

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.Fuck you

Filesize
817B

MD5
d75a9bb2e1d97d6c9f373096307a0d0e

SHA1
0216a776dad61c40141fbff37ac34ec34629810b

SHA256
56f7195376d6dedcf9c0a6f40ba4dcde7f5cd5566d3fe14d0efb7da3c6d4c885

SHA512
cf7a043f517ecb5789c09cc02f6929a884d89ff21c09fd8c1f8cdbef8a394b65dfc1d74f5d61dddd1ceeac29a21665968912ae9575d88b176ced1bc6bf385f36

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.Fuck you

Filesize
2KB

MD5
059e4cd0eb3277ac528f80918f18abdf

SHA1
b7a13391dd802b2e32631afacb002ab10cfacff9

SHA256
fc780b16dbfe6eba48ae0c0bef589fe112f8cdd534e8ae295329e50d5996f28a

SHA512
b04401dbca719f52d6667f4e40ac5e9f1e4cdceb559373092fda57a047554e4656a9b0f98ee367836cb8c30eadcf34c0cd32ba6b22eeb7b12ec598cf9965a9ff

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.Fuck you

Filesize
2KB

MD5
4357f7d7022392c3e59888d4a9b6889f

SHA1
334e4b205b4f4f36f254f0181bb62c22cdc74cf0

SHA256
077a12607347458f67a66b9e635e1cbb8c36e42f894bba277a867d7800545cb8

SHA512
eff2aa14af04b1688db6368eab6ba6dfc1ca5f865baa4c3d8eebe4007c6f0f34406358af313dfbe719cf80f7b367dbf48e99cb86a6004f66cb956e681d359a24

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.Fuck you

Filesize
4KB

MD5
a83ed059fcd2e7e8554a0c876d653924

SHA1
2f686148b30e70d50f79eeb53010b0c3615d2f2a

SHA256
b93ebf5fe2cab81b6e4ff5d72e95b7b35033d6445b88c558af71eb6ab970072b

SHA512
1a8e6e1cb5ae5a3da9e429b915710143b5ab2c846fd51954a061cad6279d12cb114c38c2e3dc882054a9cd6bd462d8c5b3091335ba9a898c8712771a19239aaf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.Fuck you

Filesize
305B

MD5
aca5a3ce6129e099a30eb0eb606eb884

SHA1
dcde4a715204be1ede1423e502154bb8b7a2ab93

SHA256
bff67703bf78f99fcb91021903a967073d7fdb569bef48d025539763b9f17d06

SHA512
e9d969f4eb438bd4cd780c7e7ceb83d36170003484b171697d2f613d05369e70ddbe3a7de3237df848c9e86327fb717d74765607a5a2e9ffa0a2a3b16d53a37e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.Fuck you

Filesize
401B

MD5
fc8d4b740c4dd8390be4267adfc4fef6

SHA1
1856ae7080b2a63fa3b81378ed4ca30f727a5b71

SHA256
f11d9c82eb30920655a1bec5c8d1f2b3f68589e2b7138dafffab9c332893330d

SHA512
fb6f1198bfe23ecd3f3bb2e2fd467f83143f820d30cfd5171e3fbc69a7bcf2c4c95bc84ba2a59a63dc0c264c70a5f1cee0e6343439a8dbffec91e879441581f4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.Fuck you

Filesize
1017B

MD5
c9a9e12e2fbb6807a01d8dbf2a8fe0f2

SHA1
d8a1903447138c7e622160654c0bb9d64a61f39d

SHA256
f39f51bcc82a10d66468508305aeb3468ed3ff6ed8ffeb927265bf92557ecb2a

SHA512
e89b59c7d724379cad1bd4534fd163ded404c125eaeb2695966d3608efb2274c3fd75d82f76c73e8bad6408da3f6c3fbc1818e0abce0c7bc8a06a3dfca7fd711

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.Fuck you

Filesize
1KB

MD5
c4b76c42d86cc25e9973176dea632407

SHA1
3f5f13252a4c547526af7b56493d2177f657e3fe

SHA256
771f344aef157e285c60fbb97b2d59c2187b855939eed5d5d4dcf5e437973973

SHA512
9ccbc9c5ee7330e605802a41e11d88aa26ead3a6cc640eea0e332a51df67cabf81007cefa1b384ba572acb9786e856261ebca353cfaf987527ea0402e3db5ca0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.Fuck you

Filesize
2KB

MD5
f00a56dd14541b2fc82b66861b65686a

SHA1
f3b88f78bd6261a220ba109a9a6db80029e720d5

SHA256
7e9e0b1d9643be0011a629316eb8ad1e22f56b8ddc504092e29990705e178c6d

SHA512
24216076ac1dcdf8ad1dcba336470bbf694b79125723556726f4d5bcfe1e253a268345631d239c0aa8c3ad0b3a2061f2d2d40eceb745ef329961292b6419c0a4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.Fuck you

Filesize
857B

MD5
a120e2f473995527657b6f1cf492725f

SHA1
f2098b8665aa5b4e6505631e362ce16fd2b7c7a6

SHA256
3065b2eebecaafe1998fbff6b2914cb165a6dbe8d058d850285ed53d4041ebf8

SHA512
edccb0c54474fba01aa0750ca653da7d9b4ac43463b66e2db857bfe1a7a48ab30e7c7dd83589df867578f68996ecc5e344ed001d9db0f5913f59ce8472bcbe6c

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.Fuck you

Filesize
32KB

MD5
a0e31d6ce09b0d23eb5411ba5c8383a5

SHA1
0e09dfae5b2064479141aa6befc0fbbcf52f330d

SHA256
c038d65f3d88c7bee7b90ca791164b9c9494c92935127f6eb051daef7ed3ebff

SHA512
7b77cdeb247dec24087520343ad89356e65ef53497cbe8f30e140a6b1de616e2f540efe27b38ca07b10d3c677b131839b2472cbdc9ffc786f5ce1fe15649b25a

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\Example1.Diagnostics.Tests.ps1.Fuck you

Filesize
257B

MD5
9bb3f698cfa4187522f853a9eb390b25

SHA1
79a627a38ed56f0402d85a68dffc3f62b8bd59b6

SHA256
a466483366103297a8b5a25b566d6fe1e5473fd9ef4cde989ca4c9641ca9b886

SHA512
d2b2a0ba70e9eac669f1e7308e0af3afa2b0800e962bc3824c42751d6ace130d52f226f8e7190baa0c430bfbc099a008310d1f9c255efd852860732c6a9d124d

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.Fuck you

Filesize
169B

MD5
c636a07477a11b9d7f16630a19a3cda6

SHA1
c29cf8d773ef1e317c6ea89fd8474c91ddf3fc5c

SHA256
5c1d397d14fecb955315e2ceba5cc7e6025556374577c8bcffed5c670a92907d

SHA512
f22e162d0b8a52fa6faeb91070cdba82de385c85a3571cfda5a5dd4f533f06940b158ea021649251b44ab2c900e531f629151136520209b7078b2482c26b6187

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.Fuck you

Filesize
129B

MD5
2eec9db222794adac142c4b8f6752ca2

SHA1
2a5a0bba79c89f05e21383fd37f6283294fbe673

SHA256
2203487e586a54746a1b819161d51fbba388af44bb22e67537591f8e6adc2ca6

SHA512
5e8b561d320502b33cdf3e0e27a9bb09abf2e591d2fe58193f1b7211ed6180855dfa64ec6b3b3fbe16f6944a3ea3a41069a0b16c53ca4169946e046c7f6597a0

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.Fuck you

Filesize
129B

MD5
cefa484ab0dfc86ab1f11b77eb0e2b52

SHA1
4cfbb072d83d0dfffab83592ed2fba1becfb3a17

SHA256
3ab48112bad28776fbdd3bcae44063de147c8f71bfc2813e7011ea0f3713f522

SHA512
45be0467b20966c1fbc31a86ad0a62b33b8544740f1ef2e57e4f0f206360ec8c0a96f4e34017ec9351135ed8c251da1fd3e72fd11e346962a793334d0e505863

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OWSHLP10.CHM.Fuck you

Filesize
9B

MD5
8e7399dc89c087a7a9765b72667e777a

SHA1
7b92bfaebcbd31ed338ced9ef0c5d1f734d82e0e

SHA256
5c816f0a996de607ea63d9ff65f9e559a6f18591baca2f85f12563f0c8336c36

SHA512
8d9558cb1fce883f0e54248cbcac1655e07b5e93de4b54d32a9b3571fcbf81ec9d2d04999dd01dfc2012f188151aec396f03f08366a5d706f7f6671f784b6a52

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.Fuck you

Filesize
126KB

MD5
72ca9fee5463c2bd659d3db885682942

SHA1
50effd260b7e29eb651f633854740b77f98824da

SHA256
37662f12636069774745f9e3c0502c16792ec21299b126ff8debe99e9d426174

SHA512
8d6adfcf7e9c897f1cb001ea20627160bb010f2165790eae8eedb5f652a1b786cf650f33088591f2815b10f06a6b635c121b6694654b9543b7e48b620a26a4de

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.Fuck you

Filesize
28KB

MD5
7ddb3bba5fef1481080d4d1ee8e51cc3

SHA1
05a5102556e96e8ee437d2422396f8109c2e7723

SHA256
ec6bd88dbafcec985d91db43009b9e9bdc9eee34fe243e0ee3f0f57d3c68cfb8

SHA512
fb3c174c870204cfeada7caf60fb683703a9dbe70e96cb77e282544511703043376d07bc56c354a68c97cbd0923b3ea64f9cf30cfcf6715703ef8f294a777a56

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml.Fuck you

Filesize
1KB

MD5
95cdbce34d501e245114e35e968cdc74

SHA1
2f05aec351f0d9c929d459661cae91ac78987cdd

SHA256
9bf88f04cf681d973f39b04e89a5ca8aebd6a6b586cd3d79bfe490c8ef383ee1

SHA512
07ad5c5ed2c6ad6567f59cbb7c8c20925a674eb8c38bbab8806670ab2e2684f4d7f0e7308ee09d826d9862a05265c4a659457455f7431e306eb11020c5013717

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico.Fuck you

Filesize
52KB

MD5
6ac9d4735e2b77c2b55e47587b4d2303

SHA1
feb0d79fe49b1e803bfbffe8f197a3431842405c

SHA256
2f54e9bd5d3b1950db33b3de5e9b7a6d85cb8c10244c86c5b6d22bfaf6ca391c

SHA512
17f6385ffc3bd9c7fed3185fab4b8ff4defc0d06af14731214da9db77c584a48eec08785e7112e4f10c1095771f9004c6d4ab6579f27c55d60cdbb250ad1d0b5

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.Fuck you

Filesize
148KB

MD5
d9838a736619bf237726cfb934f205da

SHA1
de579826cb09b06e448728c797e06ad5bc9788f4

SHA256
ea8113fd03d08155a78248d915ce719dd29331e2f979b41b3634132c09830e20

SHA512
6240e027056e1f86aa52b094ec41401c51fb87939a072f60ff239937e708a4c5056b7e1cfc02ac3ee28c24970ae3904435a138ba80e100b54bfc50ae32ec9bb1

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.Fuck you

Filesize
140KB

MD5
01f100b261d2c29875872ee11b6eebc9

SHA1
794fa99900f9d5ac1968502cfc6cf4a0adc76c96

SHA256
63e0e381a1d9910dae0297d16b27d0e8c189b3bb4d23fb2c37406214d29ca03a

SHA512
fa3fc70ecedfb731031f48a21e0262921c5f7e72983a70b53ad500800c18276040beed98d5f98dfc7901652c9e894e96dafed3c8c8115c3922b9e809e35f5ff6

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.Fuck you

Filesize
180KB

MD5
9bc0e4fe1ccce38608d7d64ea850303e

SHA1
39929aab5e69d2396f6900e80e5976c469096b2c

SHA256
6486afdfe5a34aedbc23bf55e35a32b06c91fd02050b75f492207eafb218ba75

SHA512
8264c51f4544f64a3d39fc5a110b903d7e7da1c0d96101f5548284c377ba1d3cfbc5d7054f4a442b8d4aa5cb96095d631a5af96abfb5aab807e2e1eb2da1f035

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.Fuck you

Filesize
33B

MD5
80a8dea9bf458cb5757670833ed6b805

SHA1
c63820c149a798e5c20f5635cc16b9e424051717

SHA256
d9ce74a489fc7beb7c47ce5276defd947e2c8422edda053de36666861e267f4e

SHA512
ded9cb72f4f059315bc017fc2e90ac0e1243e4b727779fc2f87efe1f7a755d0b861c463c8bd00b67588346ae69f8d20e94c5151eb561d93b0d369a7a11ff5127

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.Fuck you

Filesize
57B

MD5
33df026747176af42464e2e5215be107

SHA1
6402c734b98b0d4a4f413e418dbe5e02fa20952d

SHA256
24940c2aa5c3807913696b05de8d796a600a142fac53d4f1a463e18ee3738d0f

SHA512
c3a3d290157867981e8bfd5c9f6fd66d7c583a143d446cb77eba361a233fd80b83242b934fd9ab90c47c3c0a0f832d46be1220d89bb02692813a04d9cfbc9db1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index.Fuck you

Filesize
41B

MD5
2db0c6fd94b218976bf447ca2ca756a6

SHA1
abc6d05f68d162448d23523d556f7915882b55ba

SHA256
5e42a230f114765064f1e2e9e2a3647ea9a78a296dcf2f185838287ab459708e

SHA512
a84232d35bc4cfd8a98a6493039c6adef92fc1d42053410c8b40eb7ef583c96ec1fa9207a58d076db200c1bc9aaa049f9a02a89191eb07c4a51f4cf9bf7a826d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2.Fuck you

Filesize
8KB

MD5
abb3192098a75c4466a7bbb91b751f74

SHA1
5c8e759d3f1908e0137b1d1f77944990bc9d4f7d

SHA256
3d10f60581582056791ada9cb000c5627312f4c33ea0bf09a34bc0d61e0b35f6

SHA512
dd0ac5ccf21024a63c777d201a82ad4df2ca23e1f211e812356bab38a6622fb29ad67d2bcdb75e015ac51826e29296bc0524c9489b710d984fab5f93ba38fb39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_0.Fuck you

Filesize
8KB

MD5
3198ecebc1fd109df9f5cf8077dca94d

SHA1
ddd7e0864b02a39eb9f1fc6ddb9bc4aabf626cfa

SHA256
02cdb297e75113b4301b26c8a9bd486995e7a4f32eb744da40b2d4205c312731

SHA512
77830fbd47c553af186f61685f9c52354949a2cbfbe70898f3fb20acf518f9c38030c40f26b77359f01643a8616cae5e47a48d2cb894cb2dce3321a38d358ffb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1.Fuck you

Filesize
264KB

MD5
ab1ece69507fcccae809519ff0d296aa

SHA1
d46511adb729bd64d6414f755e75f73d84f8267d

SHA256
037c28a59d237c1b4c7f4c0c58f5d9f26eb4e0afa995810dc46efe6d5cd31753

SHA512
f82ddb63b74b8abd110f48514d313d2c8fa557969d57df4228f2afdaca2635c34e3c79ffc5e06947655a2d7bbcab47db90b4280fe80548caf4b443cbd0923e61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_3.Fuck you

Filesize
8KB

MD5
68bdc38cc76b9f445f73d04842cf42eb

SHA1
deabb17e29253f4712c4834f90f5649099d11158

SHA256
28cc4ce224fab2b328dc6352016fb16665f5e1789febf5a8e62b16ddd13bd81c

SHA512
2829b0c3d2a4f2b8f9787f22c3e144a9bf716fa8e79f3b126fe5027eec6306d51be553c984e7dd7ea77571e891b9071ceecc989061b9b6f1e03304f9c6679505

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.Fuck you

Filesize
36KB

MD5
8408d26c7227c93374f3c0ba4283bb14

SHA1
af45faa0316d1941af68d97734a8901dc1546ad8

SHA256
f164c31410476b9a03a6ff0263c72856d645604390ac2471984f8acad8880448

SHA512
c5d6067369432341be42781457298d81c00a93b095f837cdd2295f0997a78b6636f8c6d06012798bc407c64876ce1726d2840c3c97b81dcf0fa47955d4d9d7f2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.Fuck you

Filesize
36KB

MD5
e2ddc832e47383c691e2e21bb3afa701

SHA1
a376ed3a44b7f5ac7f8d318b6000abbb98887b28

SHA256
ef491ed070daeec99ee1dbc84cc16ff2f7a701cba39e262b625a3f792c2d2162

SHA512
86b281dad4351f664157a641f4c4519784a9b49ed24c32c3f878ae1344f9721543bb889de0c9099a04c5ed8715c2c8ffffd8e723db63f5b1d8da5f965d5d0a77

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{88c63169-aaf0-42db-8bc6-b34a88954cf5}\0.1.filtertrie.intermediate.txt.Fuck you

Filesize
25B

MD5
50bac427f8f76e10c58f5be4ec0f4228

SHA1
7d152fbfbe6c7c546ea37588d88cc69f9580f03a

SHA256
072a6494d415c5f1345c566f96cc56ae87da05388d9aaa156b3a25973480eb44

SHA512
5940808fce808409d350d02648f2b33e1c1fcef7488e6c33917ef85dcede0f01a8553ec4fcd5a0daa92b7aabcf3f216be3807b8034713b16e2a263260f082a12

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{88c63169-aaf0-42db-8bc6-b34a88954cf5}\0.2.filtertrie.intermediate.txt.Fuck you

Filesize
25B

MD5
1b34076cd1db65bac174662724364495

SHA1
ef28bce113b7fae2010891e1a83701e613603e7d

SHA256
309322eeb2b69004674cbf9810626bce2a7bbc5db65e5be5e179e2e74dbc6393

SHA512
799c4e0182f048ccf953de977cb881e8e787edca9b312e0b0f9d03865b5c7376ef35a328ff8d65c245e799e9f31219d23f20791314034dc30eaebb72b5d792a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm.Fuck you

Filesize
32KB

MD5
e271c878cf3dfec591da5942d1fe3fdc

SHA1
ef7d573d6439f3ec961ae3d30ee3173c0e307f5d

SHA256
19c23bc5b53b1467664c4f3747c2971bc3b4cb9d210b54779785e75dfc7c8076

SHA512
2adffd130b76291015452214adffdb38e0ee145da3f335c1e6cd47d80fb06e097f28ab695d69e86dd2513b30872c682dea0969fe116d95fb47cdaf8d9343b675

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.Fuck you

Filesize
48KB

MD5
08521dd5b6b72484c8c05c82c981303f

SHA1
5fd2a77375dcdda344ae54f24d6d5f0cd9ce444a

SHA256
593144ed4d2b327c6155454304f60f13f19b76af7cbfefc387105f44bb836b1a

SHA512
84d809b93cc56fefd9a928de82c69f15e21ae3dfa7b4fe4178a06a5ec982985c1c196da3b9f38e478f095febdebedc7c82dedc36b94a3de2ce1ce058d1064a15

Download Submit
C:\Users\Admin\Desktop\Payment.exe

Filesize
1.1MB

MD5
9f9bb9ee4952cb514089910e19eac5c4

SHA1
c57f604e8eca50df40df93a6b0c3d65ab8d3b198

SHA256
0c9844f11b7b57547891b3cec86bd3468734a990768dd9f7a9a72cf6a908b17a

SHA512
8661c46618d0f8454a278d6a4e1b85fd9c9656c2e59feb6851087bfcdb53bba5015ce023cf6d0504dc899ae6fbbd4f413b45228eb2c8eb6965912cb32482d14f

Download Submit
C:\Windows\Termite.exe

Filesize
1.9MB

MD5
d28e88e6e9ad654f81909e605f3398c1

SHA1
84726882c606eec6b7ed7d0ba1d9acdd13390e45

SHA256
38cd67a044a7da3eea806129a3ae9616cfbe1f49a68997ac932e5214b1719f4c

SHA512
3e971529338ef0576ce40679b33fb763b2e1f3e7c16255b922434baf486d6569ee1e0770959ba7763b9759d89bf55b149d54546bdfa7299c41fd2c5d302ecaf7

Download Submit
memory/1448-407-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download