0d9fcb8894240750cb5e4222ea78572aba6618eb5297c2069588ceb979d52d8b

Resubmissions

13-07-2024 09:54

240713-lxcvgawdmn 10

13-07-2024 09:52

240713-lv46yawdkj 10

13-07-2024 09:46

240713-lrz3tayajc 10

Analysis

max time kernel
1800s
max time network
1132s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe
Size

1.9MB
MD5

93d4eb996675019ed856d0b8c5c46515
SHA1

a9f67e260a098a55252f0eba7b9333c1cf5b8374
SHA256

daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde
SHA512

518d24574201e262fc31c1ec6ea07af1285ba4f93805e34f9e8cee472376a7cc5f597020dc702ea165c159c5abc6ae91209dce8250f90766ffc3410615cc1e91
SSDEEP

24576:tnxLSUXY7WSIGgjlvYaxKMiZA+yH6uw1ECvGX6H7O3YpPNaG:txOUpSIZZv1xim+y6HLOO3

Score

9^/10

discovery exploit persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (8720) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1448 takeown.exe
932 icacls.exe
3412 takeown.exe
1844 icacls.exe
Deletes itself 1 IoCs

Processes:

Termite.exe

pid process

904 Termite.exe
Executes dropped EXE 2 IoCs

Processes:

Termite.exePayment.exe

pid process

904 Termite.exe
2916 Payment.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1448 takeown.exe
932 icacls.exe
3412 takeown.exe
1844 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1448	takeown.exe
932	icacls.exe
3412	takeown.exe
1844	icacls.exe

pid	process
1448	takeown.exe
932	icacls.exe
3412	takeown.exe
1844	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Termite.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Termite.exe = "C:\\Windows\\Termite.exe"	Termite.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment.exe = "C:\\Users\\Admin\\Desktop\\Payment.exe"	Termite.exe

Drops file in System32 directory 2 IoCs

Processes:

Termite.exe

description ioc process

File created C:\Windows\SysWOW64\mswsock.dll Termite.exe
File created C:\Windows\system32\mswsock.dll Termite.exe

description	ioc	process
File created	C:\Windows\SysWOW64\mswsock.dll	Termite.exe
File created	C:\Windows\system32\mswsock.dll	Termite.exe

Drops file in Program Files directory 64 IoCs

Processes:

Termite.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-72_altform-unplated_contrast-black.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Planet.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-20_altform-unplated_contrast-white.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\prompts_en-US_TTS.lua.fukc	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\plugin.js.fukc	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-16_contrast-black.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_02.jpg.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\call_failure_illustration.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png.fukc	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-lightunplated.png.fukc	Termite.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.INF.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_uk.json.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-100_contrast-black.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png.fukc	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_en_135x40.svg.fukc	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.fukc	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalResume.dotx.fukc	Termite.exe
File created	C:\Program Files\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-125.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\WideTile.scale-200.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\Home-Placeholder.png.fukc	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons.png.fukc	Termite.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.fukc	Termite.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_col.hxt.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-150.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.b783ffe3.pri.fukc	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-100.png.fukc	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms.fukc	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\9.rsrc.fukc	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\ui-strings.js.fukc	Termite.exe
File created	C:\Program Files\VideoLAN\VLC\COPYING.txt.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-150.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-36_altform-lightunplated.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\IDPValueAssets\GameDVRValueProp.png.fukc	Termite.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-100.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-400.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\TwoWayBlendPage.xbf.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\FreeCell.Large.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircle.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png.fukc	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-tool-view.js.fukc	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.fukc	Termite.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\MSFT_PackageManagement.schema.mfl.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-200.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-100.png.fukc	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-unplated.png.fukc	Termite.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeGreaterThan.Tests.ps1.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-100.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-16_altform-unplated.png.fukc	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-100_contrast-white.png.fukc	Termite.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.fukc	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms.fukc	Termite.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store.fukc	Termite.exe

Drops file in Windows directory 2 IoCs

Processes:

daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exeTermite.exe

description	ioc	process
File created	C:\Windows\Termite.exe	daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe
File opened for modification	C:\Windows\Termite.exe	Termite.exe

Modifies registry class 11 IoCs

Processes:

Payment.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fukc\	Payment.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\fukc\EditFlags = "2"	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fukc\Shell\Open\Command	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fukc\Shell\Open	Payment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fukc\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\Payment.exe,0"	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fukc	Payment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fukc\ = "fukc"	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fukc	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fukc\Shell	Payment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fukc\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\Payment.exe\" \"%1\""	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fukc\DefaultIcon	Payment.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Termite.exePayment.exe

pid	process
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe

pid process

5060 daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

takeown.exetakeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 1448 takeown.exe
Token: SeTakeOwnershipPrivilege 3412 takeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1448	takeown.exe
Token: SeTakeOwnershipPrivilege	3412	takeown.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exeTermite.exePayment.exe

pid	process
5060	daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe
5060	daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe
904	Termite.exe
904	Termite.exe
2916	Payment.exe
2916	Payment.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exeTermite.exe

description	pid	process	target process
PID 5060 wrote to memory of 904	5060	daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe	Termite.exe
PID 5060 wrote to memory of 904	5060	daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe	Termite.exe
PID 5060 wrote to memory of 904	5060	daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe	Termite.exe
PID 904 wrote to memory of 1448	904	Termite.exe	takeown.exe
PID 904 wrote to memory of 1448	904	Termite.exe	takeown.exe
PID 904 wrote to memory of 1448	904	Termite.exe	takeown.exe
PID 904 wrote to memory of 932	904	Termite.exe	icacls.exe
PID 904 wrote to memory of 932	904	Termite.exe	icacls.exe
PID 904 wrote to memory of 932	904	Termite.exe	icacls.exe
PID 904 wrote to memory of 3412	904	Termite.exe	takeown.exe
PID 904 wrote to memory of 3412	904	Termite.exe	takeown.exe
PID 904 wrote to memory of 3412	904	Termite.exe	takeown.exe
PID 904 wrote to memory of 1844	904	Termite.exe	icacls.exe
PID 904 wrote to memory of 1844	904	Termite.exe	icacls.exe
PID 904 wrote to memory of 1844	904	Termite.exe	icacls.exe
PID 904 wrote to memory of 2916	904	Termite.exe	Payment.exe
PID 904 wrote to memory of 2916	904	Termite.exe	Payment.exe
PID 904 wrote to memory of 2916	904	Termite.exe	Payment.exe

C:\Users\Admin\AppData\Local\Temp\daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe
"C:\Users\Admin\AppData\Local\Temp\daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\Termite.exe
C:\Windows\Termite.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysNative\mswsock.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysNative\mswsock.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:932

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\mswsock.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\SysWOW64\mswsock.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1844

C:\Users\Admin\Desktop\Payment.exe
C:\Users\Admin\Desktop\Payment.exe
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.fukc

Filesize
725B

MD5
c5740853261f9d3fae369cfbddca2262

SHA1
580e27ee3a276e46bd67e82f5c8702e4ccd2ed4f

SHA256
1e706112001b4ec57dfad1f39aae1181dc673438bbf501be0fea58bfc767f0eb

SHA512
f1eceb2879ddfd20147f318053af222b7204bf13b35f64bc7d98ab38389f094a392377adc5ba34664604c69012789ccfe7f790227efac03bcd7911412df6ad8f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.fukc

Filesize
693B

MD5
f4ab748feacd3a63f91c244ab32d636b

SHA1
cfd9d45f5c9e388caba8ce031a3ebeaf3335c47b

SHA256
7b995b4525bf8d17afdb6e3536990e808ab3cb5dde937b2c0e2a977c238c537d

SHA512
da474270f962f0fc7112763047dde1bc5edfe015e778a00512da10ea04160e8662a9263593027db7f5895e0041358d7a1e7325a924ea061232c9e90376eb5682

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.fukc

Filesize
1KB

MD5
70afd4536da522bb2126910653971735

SHA1
f51b9a902162e1d7bde4d76420ab65a6cc35be2c

SHA256
9288e6a53d3ae99e60d6cb6729f09adf117312e25dfdd0a86fd2ada2f3580b0b

SHA512
421709bf1857729f89bf5f1760e82c4c6dffa9cea982a2de348cdeec954a62cee664c438ba08e1edee4d2156d90bd6caf3215b7b4bcb90b1186a47ebfd0a9675

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.fukc

Filesize
461B

MD5
691f24b74d8093259737b3e1beb0af88

SHA1
cdec65a5abcc33dceaf3e7b7a60dea55b7b582e9

SHA256
3144dbf2c48290b2db02c620714dffa8fb7161df3efe4f651e885b735c984547

SHA512
a4decd4d0fc8dc07994375eb549d389060e2006072f74a6877dc43a9ea798949cf4bcefc4bc6476b65b5d17290e8718d16735d4e281e07dd7c9b4b0262299336

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.fukc

Filesize
621B

MD5
148829eec1a10508d699ecdbe2d91b7a

SHA1
e4246cd0f04b6eda39051e0b7c26afb17250d568

SHA256
c744add53912a9391830075c240077bf608df166b26bfce8dfeb0be7877edb92

SHA512
01cff343ae5c3bd780509dcfc4918af50e1cbd1bc9d4913490ff21996fd56d8c78a38bc1d0800759b7086c5194ec31f7cbe9e0516c0efd263ccf6d3a22368b5f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.fukc

Filesize
397B

MD5
70585bb2481fd590a5785f0e68fd2e72

SHA1
ef305e6cf15cbe4f14d724e01d1783a2425362a5

SHA256
3dc4c38a68fe305898568a54adf1f8fae53264e25da50f6d0f65f70aefee1348

SHA512
b1112a9b33ad8cb57c137bfeae49859dbc85f338ad3900a0ce285693f2f80aac6a61e51088e78b30b24268dc55e3bab940b5a6c8dabca5071795137ad3f2978d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.fukc

Filesize
565B

MD5
6ef192f0766ac79deff19bac1a26a7b8

SHA1
a3eeb18e3cb21c2084982ab7da1392248dbb201b

SHA256
5b1a27afb1ad2e2f4f19879b8c57076038f0e1bb7a5ee6eda866a2907f0b6cf8

SHA512
1bcc5aec02c6de9325bbfb12964ba4e827624b22e1273350f5c17dcb9718e3f92d8f3d06c2f0f4a956fd16987f063afc5d29aa027a9a5c39dc28c54bbee0575a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.fukc

Filesize
397B

MD5
588b0b681a977600e76ff0fa39a0229f

SHA1
d418d43c05cabc4bea3f66483f2a1425b5eb4126

SHA256
b5ce2db12a3de8e1f28608420cf5b031a029bf5eb42d87ae544ab107f90573d0

SHA512
b7fe41342c2a8f8260fdf52794f7b2d20816b648c266bcc5960803c3899358bc18d8237ff17b18d0883e52f8ab8f4b71eef2b8595049f60087e9a353027c4946

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.fukc

Filesize
565B

MD5
6347a4b23ec83994d3062ed92168edcc

SHA1
89388837f1d4efb3d13d5ee2cc9136d6647f57f3

SHA256
d9e0803b1cee928b46b62ab8242c54560b40efa28cc4ca36a81242caf82ce4b6

SHA512
c27432ea789cb16aa9f37ebd06937bf4639e6667ee2c84eedc5665e2cdb094690081301ca3b1ebb95caaad5fa29662285258140ef3f06910c847a441b5a9fcaa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.fukc

Filesize
397B

MD5
26c74098ceb32cfdeb5dbbaec54ebda0

SHA1
83d8cbe98665e55c0f872388039d118e27c2c48f

SHA256
5605d70efa9be45fdd049b3b97e8199fc52c09185875de28433f3367d3e41b50

SHA512
60a112883d880e74b5bb874d5ef1da45b94495e1c3cafcedc2660c24261ffe646cc4ffd898947e301993d8ef57e240710768d91981c64080a3d8e7fedf501b89

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.fukc

Filesize
565B

MD5
2c38e04636f17f1a10a9e12dae1e9704

SHA1
247face853210cf741d8a1e7f5136d93788e7f58

SHA256
bc41b1d24f25752b5b1c915edb59223544651416f683dd2c0fd40dc54915f208

SHA512
67ddfc16d91462423fe51bad00a8ebd5cade8054848c73e5c0eac702e6794bc7b34d40da2077f1fa00e1582e558adcb4dcee9ab882db2bf42e8d1afce009b960

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.fukc

Filesize
7KB

MD5
a5b3ca2ca03d65e79cab37c60b0dab8c

SHA1
0d9adb003d8d006bfbd4fc55995e6e464a289221

SHA256
2a5531ffd4481503b18f42fe32914ee533e0406eeedfbd5d04bf4b579032ced8

SHA512
0f3681476233f670cd49388fc5689797f62c1197f920c4d92d1591a13b612890a70dcf95fa9f9017d2db9de001e34006b709a03c5247daf51eeea19cf833f823

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.fukc

Filesize
7KB

MD5
f3dfe1fc4f3b1566e1a046b3ebe8306f

SHA1
ec819e612d64e4638f572b9fa15788af18ed9230

SHA256
31edff64e457bb52fedff20abcccefbda8a0339292d898fef5e008b9c5d637bd

SHA512
d2ada3d6c5f03424b23e5930de8e196dac7d324471d606ff2c20594cb012590eaebddec2e3bb4e3e7b7797ec19b883d088b6c4c12da156b4da142dd40b488e60

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.fukc

Filesize
15KB

MD5
748a7a106ba0eaba6487f4dab4471a2a

SHA1
25b3f6b6ad834b9b4059010dd549c565a01feebe

SHA256
49781c2e7f23a8754677aae30745dbb6b7c914ee5d39a722aba8eb64bb3474a8

SHA512
4501fceae36cf2615d8b7d303996c9c1ee66bfbb5698fab034c416644917221071da552d396c98a9fd9a2d3fc23480377a0c8ed4ea8be679aa48c66cf4b870ad

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.fukc

Filesize
8KB

MD5
8a4f8db5355fdd6a73659ced40a0ba55

SHA1
92e77df10343705603f644386aea45298550cc9c

SHA256
a3b8f713bfbca4dfc72ba022a388f8747c7048361369a2688295c63af207fadd

SHA512
b26a3486d923a4f8675c3ad6e96d73eafcd0b5dbfe041120c23368b674bec490cbe3d31854e146d5b9560b98944233c5e8927d6727095aeef80d97f41d072a8a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.fukc

Filesize
17KB

MD5
f16cd2923c5bdc03e6f6e2f7ce882210

SHA1
e9189ecea2ac5c6bc7467973fbe1b577baa6d4f1

SHA256
fa296e41cdb643dde784b9e241d495a73be22167a38a65db3e079b1dc775abd7

SHA512
4d1bdafc6a95410ec65ff94b1624302bc7908dab235cb8ce85802e23d5ad65f5687600912b37833a4a630464b2d03a923c4d13b728b88eb5cd6de3f5de4c1ce9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.fukc

Filesize
189B

MD5
e9838d1c6b734948bc78020b14205229

SHA1
1bb96b8d025bc51202c61345384c42bc1037280d

SHA256
fc469414725a890693537bd78f11a23cb3e9666947474841efe5e01bde8649cf

SHA512
27563ed5a801551e6ca046d4e883e7d5ac865932e17ddd5f97d1cf4185fc2f2a23a5810609eae980a7cb6eaf1aed8d78cddf7392ec76f414c4ca7340ecdcd3ad

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.fukc

Filesize
717B

MD5
d5d6158baa4afcc69c80408eca402569

SHA1
698182f51530f9eab07d05f66118a6919d05b1cc

SHA256
9d0dcb3cd5253d741d7202b5332ff535e996e8e9e3f567fe9e88379bb1205d3e

SHA512
c3f86b97d4549e3922140cee6eeb6f775809d5584b3242dc640acc425e03c2938b85d33cf4bb47ecc0d4103ab80f2e5d45f6e2b235e992220de016e03159f5ff

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.fukc

Filesize
8KB

MD5
90e14e1e99f498e1234ea28de6dfa65b

SHA1
d9fed4b80871b3a35d2d95568e9ea0740704b440

SHA256
95ccfbd7dc3fabd392c7693cbd52313881733a0a599ed251335632bce31b1dbb

SHA512
f7a3a5df37bfae9a01be7b60d08814af9462344a5ddd8bbdaf78854d084f9cffb9b635ea5c2538d561cc566b09d5a110776fe416b2058b5dda31973fed513251

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.fukc

Filesize
19KB

MD5
feafd8c0c5c31143e8876dd9e9134f24

SHA1
341751a6b017de61c8957ae5ebc606f14dba9bf6

SHA256
b44de9e7bc542e488b2e26c6e9f197b9285529530957133882c8cbf56e1d1654

SHA512
75903ea985eec31704c4d70c256d3971ccc01b95d7b0bf7433e9aed4c0dd51b6fa84f955ff3c39a4e743db3a3eb94ed5307774d790703c29ba59787923f325cf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.fukc

Filesize
837B

MD5
9488606efe972b5103858e4c0dbc060d

SHA1
bf6525e822362f9244fe5ae93979094c2ba5bc98

SHA256
602c5acb84b8b859b0bbc0ef5c0d6daae042e6d50924647d469dc691c3ea15dc

SHA512
3fe2bb570b3e058ddd2c15f7aca94e5e6c1252476be4618fd4ef7acbe5cf809f288f37ed743bb4d66c66713e923dd9c5d0345f86736b96bbc49950bdc081ff09

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.fukc

Filesize
1KB

MD5
a4012f40d041c70b932714d6b8338976

SHA1
5f67dffbede401dd3c21dfe5132963f707051489

SHA256
347be072a60e696112177c689d0772ea665544d3111045e5d7528ce7124108e0

SHA512
e8dcc65e11500169d0180ebbf73abd824d4c28d4172b28057c6bf27d05bee8958ce49c97585c3ddb9000f2c80dd64eb3d55f06a1822994ad8a80d7b30094be85

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.fukc

Filesize
1KB

MD5
5d369f8841485ba75cfcf43b687981c1

SHA1
3fad836a2b9a575876652ce51a885626ed67d591

SHA256
5fb49b5207cd9d2580f1b822038f61c1f26de988d0d4269ad1d533ac257b844f

SHA512
6478df6f57c6657d7e31273e6289301fd72931c3be8934db3c16854e43ea625b55cc9489202327e41d2de4dc9104ead0f2fae839b64c728e3c8c9cf265130d2e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.fukc

Filesize
813B

MD5
9fa8f3776b5fb2bc426cbb875b7829d8

SHA1
8aba1558374ed70274b65c2ec814352141ecf156

SHA256
2cd1c8db09626ece1cc7a77a93c36d570d6348603fc63b5f70bfdbe589470c24

SHA512
48d6668cb4a80b98ead125890884847f483ba0ebdef8cfd0e0d3115168b878b0df89ce78bee1a6c6fb0d25e00745cf67fbda269b49c793a51a540255a8420f26

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.fukc

Filesize
2KB

MD5
4611ca6bf4899f093f786fdff4feb81c

SHA1
f7a6dacb785640d90b8d6b53545391899be5df28

SHA256
e146eb30fa2e094e29df9dcf951c51669ffe0286872bdbd828e1cfea09619120

SHA512
76ab6eab0594db5ecc7a63b2600b639b196c6a6ffb6a81b27346e9c548babd245794edceee3d3dd656a7f16ce84a6927fc8ccb8809e852fd0d6e71e1ca89a8b6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.fukc

Filesize
2KB

MD5
1a8beda19bb93f0e2d3dca43665314c4

SHA1
4ad30b9ac02ea952608787fa1b630c0d53551751

SHA256
ef6965070b77d03c499a20ef5c5be9701e650424a2a860892471ff2e696c95d5

SHA512
d972adca23a83e0aa6da6065f5146f194b70b47ee64f38eaab9c1fd438c70a3410c0b7a75aa45f301abd396a4ae0e88c3a15410f49245255eb8d0f6af571f42c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.fukc

Filesize
4KB

MD5
0db9b37adb0b298ff3caaead9f84b599

SHA1
45c3922b550006049e3c8487b1dd010325414309

SHA256
a69fee9f02f01aba9f30a80fab805dedff785a47b565d98085726be26ea9da3a

SHA512
7d047b6cb739c58884c15e8588560213c9931bfa919bdbc155bd846d44ee8359fa7a2a94c82590ff9fb494e38219d7f15ae66baef7e03a2d79f781b57673058c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.fukc

Filesize
301B

MD5
21d232d085f8d90f273a61182de701fa

SHA1
66c39290c8205c663f4a02e10e4c33759c195dde

SHA256
796ce392c1488dd68041566d46c62e4a3c8fa08c327fd03206480ac4c8ffc52a

SHA512
b63a460c0b5f45d10a2889a2f3617914e2e08c884aa0790c203e4f081a44806e1019783e1b40cc33606a14838ce9c052afeb75036f6252c42b6d32efd9e05cd8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.fukc

Filesize
397B

MD5
ba1766fe5eb4fb7a86749408fa3ceccc

SHA1
1ee33b3bfe082bc2ff20d2b6d8ec65cafdf6a37d

SHA256
9893f9e0a5f78884684ee462ea3b06ccb53cd56fdc75d0ba0b017ae4f105e6a1

SHA512
5ab0ffdbf7cec91003df761532d3c57e3e6969f5cb3525f17cb6d2179545da83f0ac60177a7eb86cc35acbb5c09da9b940aea96274bebb6c7ca4970bfad05439

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.fukc

Filesize
1013B

MD5
5a1ce811ee39a1022c8aabaefa48ec63

SHA1
a1fcf7d8047df67a9fbe28c0857e973d1e310f60

SHA256
1124652f429c800da1022ad319d0ff695191137db24536d8231f033164dde9f3

SHA512
5b7f7c4e98cd659cd46fd12eb5876d302968f0c7b37d2b7e9297ca8e20b3a290576cf5bbd861356d3bc203f7a3c98a9ec45bfb6fc801a509f7378d86d8d208ca

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.fukc

Filesize
1KB

MD5
dd97d475de0b8193ca9800254040a54c

SHA1
d1cf8bdc34d1e109fb92e53bd06c9bdeb6b3898a

SHA256
6abbace4815e3e9a027d258c8586cef38d22964fba339ba0dce87fafc6730425

SHA512
a6e652ea2f5f7b3f5a47f6129287b16a77e562c8c1e8b8f098d39465ef93f038d38c921a1909b4641e2780b0002723213e36f25a01bf3e73a4954941f36e4220

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.fukc

Filesize
2KB

MD5
e452912ef726f7d46cb0997df21378d9

SHA1
530380f4febd1fe8d220b6f6af15a344416cd90e

SHA256
7b4dc05fe3eff9794a57f0357e43b04860de17fd90066e24c8b6a64330069a49

SHA512
3c495f817099d27e48026025a59f53361a45224400318c19ed6fd6614bd64bd62cbdcc1b61fb6c70b1544420d67ef97cf6689c6f7e8057c93d2fe14070aee1e9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.fukc

Filesize
853B

MD5
3a445f083757e6ee0ccb2b17c9f06ce9

SHA1
53991eef1581dee191e77f9e0ffdabb72071393a

SHA256
c2f003426229c5a5bdad11d4096886032149de6f662947fbea54cf01d515f168

SHA512
5a4b644057f02a7139be39f9870f00ddeb9386e8dde1f174740f415e4d3b939bd0863baa79aa0bc3866307e6d6bf74c18fdc06b2b6be1d075036ca25711ae316

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fukc

Filesize
32KB

MD5
b29610ade4c2b8ad9899337b3c04c509

SHA1
0e612a8659cedc0fa8a029c97be884e21a9710d1

SHA256
9b06bf6e2b39b2ef3872a8b3a884fb124ae27ceac426a8c51dff6ac218363ca1

SHA512
45934e4a8afadbe82862613b689d920ecda1e62331b63235e3d9e0f53afa9b258015b981d2c9460af611fa39b90bcffcb1582772075b4f1a1e051d7257190f6b

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\Example1.Diagnostics.Tests.ps1.fukc

Filesize
253B

MD5
be84a97a6694f7471aa72f46a4b55fa3

SHA1
50a09554b339e7df3542c274fb27fddeffe8bde1

SHA256
746aaaae6d57f47caa2ad122c050fc52da4329b6f4aaf6632897ce741b67711e

SHA512
5ea31a212396d5ae4b73a2fef482cedb40b9359b18b97f22e139bb4e1d393382fc8a3fef13705cf5f3687d9ed755a767fc59ef646637c24a97f7b0b8e038cbb1

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.fukc

Filesize
165B

MD5
1ccddcf854c5c393f4c67a4efa6603f7

SHA1
f582deef652fa2565cc1b632a111fda7914cc9b6

SHA256
6a2f49cdaea2adae9bdb97b01badc5125174372df6e55330b4875f5d4079236a

SHA512
99183f82d4058e28e4b58d2f8d64f2d57dfa8a6bac52a1de7d84482df9708bbd3201f59864eb746508d383125d5378d3e4eb59e269aa141981c8b4a39913fef5

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.fukc

Filesize
125B

MD5
550c5ed1ecce4c2f820ca9116c0e616f

SHA1
2a1470033b25e2ba68d990b73bf5d6cc3acecc6f

SHA256
89e7f57ab1b76c84dfc8f200e6bfa8eed00041c3b71a1d8eb0fc18db7e306bd1

SHA512
42f251d87ff1cfd0bde1ad69fb6816ee9032cff3b07d83a0dd14fb22e14c3515322a5743e82a30663ddfcfb48acb3736b86d3c568c5c6fa3590e9a5346294749

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.fukc

Filesize
125B

MD5
3b2da1e257151c37c808a1a1e0c48420

SHA1
02f47d290d6896fed5896ae09b886426708f2079

SHA256
450a2da783e13d4c837ecacc5fdaf37acc2099b719d7f4a6f183fe89d3b533c8

SHA512
e181ab63bd7deffe9dd644a668a0b1f72f004342b28d4436880bf396e775ab06ab353243d7c09ca1c4459e736a01411e86126e84bcb2361ee8d354d003df907a

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OWSHLP10.CHM.fukc

Filesize
5B

MD5
4c41f4e01f6db13dc769cae667b053b3

SHA1
f56156c545865f52cb19dd20f050979b0b87967e

SHA256
9c33b19efe224ff2eb5d391584254aef535893cd3e077d86726fb7585b5c1914

SHA512
1ffbd4e008bb0099dbc17036d03e6a4ff6f9f90f3c8b0ba7bdd451e367f583febf3c543b824558865211c121a871279a8949661b52e052825b16012ef5febcb5

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.fukc

Filesize
126KB

MD5
7f6ecad2bd5760774f44ef7a61c5dccc

SHA1
bebb90f4a7747e2a07436ba70c021f39c8d7437c

SHA256
9a3cb6de4a639e1cdd75cf13397325cffa19e80a8c8fe39782b7290628713cd4

SHA512
2b64f39f6b2a4b6b47375efdbd9370b34c449b851ac8443858a27b760792e527476c27e3c2f6e4637eff6b155d1ae58e8a3c0e08e50a400953de2310e947dc15

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.fukc

Filesize
28KB

MD5
73882b7b8c4fa9a5a877aee290d48ca5

SHA1
3a7e0546a6aa8c7177a71c1dd9a465b1fa9a2cd1

SHA256
3275bfbe1a6391ea5dbeb328999b08cbabcbdba8ef931b2c401f2773c195f059

SHA512
b8f913d2064d80267b84e11f526f09eaea49d74701797c59d18e30898a3c8a67be8999994f066f4885eb751e709f3991ea0e950c39aa7b0d5bec7b7eefbb04e6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml.fukc

Filesize
1KB

MD5
1fd63a74b015e64ebfa9858c4dcc56eb

SHA1
ba42261fe02345af8de2052ececc73c75baf9bd2

SHA256
c3d326a3a45a9bc1efb8f2c75b95e5350b8f46666350c2f2a2fc610253c5a430

SHA512
4f49659e4885f9d1e19459f64609fff9ca4c0f3eaefc9fe449fdaa3475f61ec7c00f59cf97c7d0baa31d5e464e5a9e5d653511e114a05e72a10d696dd311efbc

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico.fukc

Filesize
52KB

MD5
203d1a6c4329683274f859fca37b7a8e

SHA1
93f21868372451abcaa0a0fb5ff361761ff477d4

SHA256
c3841c193211811a99dd47eddbb1ec83d078311ba99e288df86e27fcdec1ee64

SHA512
ae471c1845e2385466b221b2dd9e5d5ae9d7939224e919ab9fae4b4bd05ba80b4623b8fbb3a7bf565dd05ccff6d62758ab9d093cea30d117049106149c862525

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.fukc

Filesize
148KB

MD5
8d50f8b323242322a453d0b8cca89ffa

SHA1
528540fee770605345422d4488eec14930a9e005

SHA256
f6641fcf1731756d7004aa4c4cadf3fe6b7f9d2c1fea0c9628dba00ad7928f11

SHA512
99b5cc34f761e46f5a6684056352da31593b6c608496800756b0de9ba45bf3d6c05f3c10e037f6a4f622850abf38373a76f4f2137e125d345ab0677e91e488a8

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.fukc

Filesize
140KB

MD5
a2d19f50847e8a8994a261fe87d50245

SHA1
ef1bd86eb00b7f39f668479251be3f6059f8e258

SHA256
a30ee40e884d90396342343e56035ed8a39235f8ded4a7291c09f48c92818c2b

SHA512
f61e745c4dde8e25f9e57c1a78f94033c345ce30e56e6598acb28c76ae7ee6169d71cebceae9c32489828f9ca80d4969af7410760f2c251ffaf6b203fc7c3cb9

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.fukc

Filesize
180KB

MD5
9a8bc674c5fda69d731f5aaef6d919a4

SHA1
3f98be347b5c1ef1c76987c4604d529e856d9cf3

SHA256
b030910ce6ff8f95d7de7d8f99a322ec213b3dcd68b27960b3345413d814cd3a

SHA512
30c20bb1d8b2cf9dc2d1ebfcd294330bbd7dc093558dd2cda4a99b3721e45ca2eabb292569c8f8980e6994be4600874145b95cc2c2bd3e3d49a36bd4a44b6062

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.fukc

Filesize
29B

MD5
d8c2f88f105470f31b978b35dd33e343

SHA1
9432778a8efe22c52fe03bdbb45b92f85ee2c081

SHA256
4ed4f727ebb3f035b34372a0767d866783e44ab896edb54ab70c632212342847

SHA512
800baa0a551595ab61bffcd9361f4b7109796d0ab8b1f127fe7a0a089a4458f6e38305de83ff2dc0a3e9a3a923c4eb7660fd1a1e46bd022ac10dad7e88e0305a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.fukc

Filesize
53B

MD5
481aa0f676ab74944d3ce2749606c9d9

SHA1
e8cfef9a5b6dc89fa9c04ea8691abd3aaeff5020

SHA256
82c78419e72c4b04a838a195bda4813d5726070fa095c3712ca551c79c32bb3a

SHA512
4683b7abdf741e0e97b6ed497d7b0d6a18998aced8d7d419a487edce0d496ba5781d4b17ea9a8da848b9f31d2151e29377382c3ca82f789ebadf836d831fd619

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index.fukc

Filesize
37B

MD5
322f5f001a7623d796fe745fb3962b87

SHA1
e9ed93117974384ca1e5bc174239c26668350a75

SHA256
57e91876e6acf04d26b3a99064c5817911e202dbeb115ab5cddff40d52f84234

SHA512
b86efbbad67cc5b68f0e18f9ea282ead8c7a997fbae8698bfbf0fefcf8e741d138778f203073d16de6568644a8e983ee77586ec56ccc0375880b513014551c5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2.fukc

Filesize
8KB

MD5
77924cb5deac090dd74c803716aac570

SHA1
8a31626460641eefd7bbfc929e6cb52ef0115acb

SHA256
2f654f5822029aa9c29b30d49bada39c6f1c4b8fbb6178a49eeb2e0c2398bcb4

SHA512
2c0e15b3d7a4d359cd974d91556839a36b7781b1514bd4c1f419ebe850edf9793b959a62682115f24c1dcf13859748e60c6aca8fafc654a0ffab68001bf6b9a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_0.fukc

Filesize
8KB

MD5
8b1204f5622006140ca6f3fb639ef25a

SHA1
98d1f3d708db3f0fbebe33dfb0f8bb028ab37262

SHA256
30328ca45a73129a2874a02d3ac8c250767f92fada8f7719049a3c7384adce6e

SHA512
6e19bc7a6726f705f9e4eacbbaebd772090697155270539e234ac6d950cf7b44a9659af903825c9ab19723f6397b0b92f9aca3805153d7ef7eb8e96550e66b25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1.fukc

Filesize
264KB

MD5
d87d980b2e65aab85551ca5a8ad0961a

SHA1
5b0bdd8be447caecfa792a8e176b6123febcd5c2

SHA256
ad90f8702432499eec523cdd6a3fc52dba6a1bf92d28a470001886f4d5c7d998

SHA512
8c2c482e25beac4fb1fbf63d8bdef73b6c222e96317ce230fb2125bf63216e4850b359c5d018af239a501ba74724c2d4726609072be08f960ff37b8581087ff7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_3.fukc

Filesize
8KB

MD5
177488736a54df939951457ae59df630

SHA1
f223f730459d4f17bb78a0a3c69e037899a0d840

SHA256
cd69abedf80cd243c037f9173a7b4d7f7cdb19d32b4d5ec37adbf2df1e7f78b0

SHA512
627ac16f308354929617ca755eba7028a9918e57e70a9c64bd1da4afb989ead60b54b003e4f6e85fe3339f2a5a2890a4c594e937dc8242a22c48fadf9bc1bfab

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.fukc

Filesize
36KB

MD5
accc52c1b9919b878523ed354bb17aad

SHA1
6d4bec3be406fd36b5087ecc4d2e82e01598aeda

SHA256
ca59156549a8e26a58d4121393da33e0bc2f7827439cb840181bc3c2818ceea6

SHA512
babab4e55a60126ad6e963df0171738c08173d08f1fae2e6c0900444ae67955128fe1ba338fe0916d3a2d7f1f993800fd45acfa63e630c8d6d1f71acfbafd926

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.fukc

Filesize
36KB

MD5
f1549464f10c35b68e1aa82049e3dba1

SHA1
bf7331b47dc7097db35aa47e12a3187543ce1ab8

SHA256
099f1a6336a5906ad26a191f7289e67b4ad7bd305ae56c905424714225470e31

SHA512
f29d25b9874f417d10489d0a719c0e75b2fa7736266308667d80544d4b67f65ee006a02f75d72c309330ead804faf07e2a61a5b9ac9bdc3ce91af4ab8d0cea76

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{d7d49868-a53d-4ce8-8428-52498e74c175}\0.1.filtertrie.intermediate.txt.fukc

Filesize
21B

MD5
30dde3851a9d8f7ed7214f604e4cfd36

SHA1
d15bff66d0946b334e5d1136a2e255d1eea6300d

SHA256
c981aa2327bc07f7d1c46d4be16355da4fb103d255c0cd2718029fc3313a7032

SHA512
04dcb9fba3f48641921b25b6c4aa35b7df0b215f60d2062dd117ac21d1bd575916c31a5d27128d3e61bcdd2550cc756db2f262660e6cc517f7abf6152e384121

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{d7d49868-a53d-4ce8-8428-52498e74c175}\0.2.filtertrie.intermediate.txt.fukc

Filesize
21B

MD5
7e11bd0d7d65e9c7eac6236ba2efbba7

SHA1
033d56264fc8cd7accff89c4452b786f27a8cf9b

SHA256
974a8ae00fdd87d34f75e6b4ad37b283c3742bd2f208dee586cf2852d9c3cd27

SHA512
2fe0246b73d85a806a9cc179286456134a54f094044870a25f5f8dafe4202a94c0b4ffaa6bd68288d1fdaa462a48e2122ce0aa529d278530d4cc669f1aeb3f8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm.fukc

Filesize
32KB

MD5
2d6c2bfd985a3adb8108f0a42f7e9a9a

SHA1
ec162cb92434cea490bdf18c5d37bcbb77106339

SHA256
ea7e129010feed6cc4e85e42112bbfbdb52b340c55c11a83b0d17ecdfa057814

SHA512
44ad351175430bf0da20a893a1b353aa0909dfa1cbcf4dba440a636ee158408f5d0d1f25e56720ac058c14b7251b591659da66a6da43977ef4b8b32d64aaf077

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1l89xtkq.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.fukc

Filesize
48KB

MD5
283136f31a72fd2e9ec68b806b993f8c

SHA1
385e973a8c309384e3f0124ca1814b1dc8910d31

SHA256
0e22fc48f3bac78d7fd546d006517b1fb1608d6296c517f5619fdbdb8f8c1961

SHA512
a754eb45a0a63cda8e12d843ccd572f9f3b4693563606f28062d963ef283cb5d4d9484f6ead380398f23889f2f13f42e5f8411936b1fe4fa3fdb033aa897caa1

Download Submit
C:\Users\Admin\Desktop\Payment.exe

Filesize
1.1MB

MD5
9f9bb9ee4952cb514089910e19eac5c4

SHA1
c57f604e8eca50df40df93a6b0c3d65ab8d3b198

SHA256
0c9844f11b7b57547891b3cec86bd3468734a990768dd9f7a9a72cf6a908b17a

SHA512
8661c46618d0f8454a278d6a4e1b85fd9c9656c2e59feb6851087bfcdb53bba5015ce023cf6d0504dc899ae6fbbd4f413b45228eb2c8eb6965912cb32482d14f

Download Submit
C:\Windows\Termite.exe

Filesize
1.9MB

MD5
93d4eb996675019ed856d0b8c5c46515

SHA1
a9f67e260a098a55252f0eba7b9333c1cf5b8374

SHA256
daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde

SHA512
518d24574201e262fc31c1ec6ea07af1285ba4f93805e34f9e8cee472376a7cc5f597020dc702ea165c159c5abc6ae91209dce8250f90766ffc3410615cc1e91

Download Submit
memory/5060-73-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download