Malware Analysis Report

2024-12-07 14:30

Sample ID 241017-cdk73awenf
Target 2024-10-17_98c920685101ef25caae9db5ec186d5f_termite
SHA256 6ae43bb6c38e2b1e4da28ffbb58c169cc65668ecaa5c8a5dd50e26c93005b35c
Tags: credential_access discovery exploit persistence ransomware spyware stealer
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256 6ae43bb6c38e2b1e4da28ffbb58c169cc65668ecaa5c8a5dd50e26c93005b35c

Threat Level: Likely malicious

The file 2024-10-17_98c920685101ef25caae9db5ec186d5f_termite was found to be: Likely malicious.

Malicious Activity Summary

credential_access discovery exploit persistence ransomware spyware stealer

Renames multiple (8462) files with added filename extension

Renames multiple (8684) files with added filename extension

Possible privilege escalation attempt

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Deletes itself

Loads dropped DLL

Executes dropped EXE

Modifies file permissions

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 01:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 01:57

Reported

2024-10-17 02:00

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe"

Signatures

Renames multiple (8684) files with added filename extension

ransomware

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Raised on the two takeown/icacls pairs that seize ownership of mswsock.dll and grant Administrators full control (command lines under Processes). The sample runs as the Admin user, and takeown.exe enables SeTakeOwnershipPrivilege in its own token (AdjustPrivilegeToken below), which only succeeds in an already-administrative session. This is ACL tampering on a protected system file, not exploitation of a vulnerability; read the "exploit" tag accordingly.

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Termite.exe = "C:\\Windows\\Termite.exe" C:\Windows\Termite.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment.exe = "C:\\Users\\Admin\\Desktop\\Payment.exe" C:\Windows\Termite.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\mswsock.dll C:\Windows\Termite.exe N/A
File created C:\Windows\SysWOW64\mswsock.dll C:\Windows\Termite.exe N/A

mswsock.dll is the Winsock service provider helper that ws2_32.dll loads into most processes that use sockets. The takeown/icacls pairs under Processes seize ownership of the 64-bit copy (System32, reached through the SysNative alias) and the 32-bit copy (SysWOW64) before these writes, so whatever Termite.exe writes to those paths is loaded by legitimate processes system-wide. The report gives no hash for the written files; during response compare both against a known-good copy (for example sfc /verifyfile=C:\Windows\System32\mswsock.dll) rather than trusting the directory.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNI.TTF.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-125.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\SmallTile.scale-100.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-disabled.svg.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\ui-strings.js.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-125.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\MedTile.scale-200.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-default.svg.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_unselected_18.svg.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-36.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\or.pak.DATA.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-125.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Doughboy.scale-100.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-16_altform-unplated.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\ui-strings.js.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-16_altform-unplated.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-100_contrast-black.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-100.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-400_contrast-black.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-125_contrast-black.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\ui-strings.js.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NewNotePlaceholder-light.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-white.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Cliffhouse.jpg.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-200.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Contain.ps1.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-125.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Silhouette.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\VideoLAN\VLC\README.txt.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.ps1.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-400.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-100.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-150.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_contrast-white_devicefamily-colorfulunplated.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60_altform-unplated.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\ui-strings.js.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_mobile_download_v1.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-48.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\ui-strings.js.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Termite.exe C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe N/A
File opened for modification C:\Windows\Termite.exe C:\Windows\Termite.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Payment.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Termite.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\Payment.exe,0" C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Ò»¹­·âÉñ C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\ C:\Users\Admin\Desktop\Payment.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\EditFlags = "2" C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\Shell\Open\Command C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\Shell C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\Shell\Open C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\Payment.exe\" \"%1\"" C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\DefaultIcon C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Ò»¹­·âÉñ\ = "Ò»¹\u00ad·âÉñ" C:\Users\Admin\Desktop\Payment.exe N/A
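The appended extension is recorded throughout this report as Ò»¹­·âÉñ, and the .Ò»¹­·âÉñ association value above shows its fourth character escaped as \u00ad, the soft hyphen (byte 0xAD). Those eight characters are the cp1252 rendering of the bytes D2 BB B9 AD B7 E2 C9 F1, which decode under GBK as 一弓封神. That is consistent with the sample passing a GBK-encoded extension to an ANSI file API on the en-US sandbox, whose ANSI code page is cp1252; on a Chinese-locale host the same bytes would be stored as the CJK string instead. The following is an added example, not part of the sandbox report or the sample: it recovers the raw bytes and enumerates the renderings the suffix takes under different ANSI code pages so that a filename IOC matches both kinds of victim. The ANSI-API and code-page assumptions are marked in the code.

```python
import ntpath

# Extension exactly as the en-US sandbox displays it; U+00AD is the soft hyphen
# the report escapes as \u00ad in the Classes\.<ext> value.
EXT_AS_SEEN = "\u00d2\u00bb\u00b9\u00ad\u00b7\u00e2\u00c9\u00f1"

# Assumption: the sample calls ANSI file APIs, so the name NTFS stores is the
# host's ANSI code page applied to the raw bytes; cp1252 on the win10 en sandbox.
SANDBOX_CODEPAGE = "cp1252"
# Assumption: the extension was authored as GBK text (the bytes decode cleanly).
AUTHOR_CODEPAGE = "gbk"


def recover_extension(seen, shown_with=SANDBOX_CODEPAGE, authored_in=AUTHOR_CODEPAGE):
    """Undo the code-page mismatch: re-encode the displayed characters with the
    sandbox's ANSI code page to get the raw bytes the malware used, then decode
    those bytes with the code page the extension was most likely written in.
    Returns (raw_bytes, decoded_text)."""
    raw = seen.encode(shown_with)
    return raw, raw.decode(authored_in)


def extension_variants(seen, codepages=("cp1252", "gbk", "cp950")):
    """How the same raw bytes appear as a filename suffix on hosts with different
    ANSI code pages. Sequences a code page cannot decode are replaced, not raised,
    so one bad code page does not hide the others."""
    raw, _ = recover_extension(seen)
    return {cp: raw.decode(cp, errors="replace") for cp in codepages}


def is_termite_path(path, variants):
    """True when the file name ends in '.' + any rendering of the extension.
    ntpath is used so Windows paths are split correctly on any analysis host."""
    name = ntpath.basename(path)
    return any(name.endswith("." + v) for v in variants.values())


if __name__ == "__main__":
    raw, text = recover_extension(EXT_AS_SEEN)
    print("raw bytes:", raw.hex(" "))
    print("GBK text :", text)
    variants = extension_variants(EXT_AS_SEEN)
    for cp, rendering in variants.items():
        print(f"{cp:7s} -> .{rendering}")
    # Constructed sample paths: one from the report, one as a zh-CN host would store it.
    for p in (r"C:\Program Files\VideoLAN\VLC\README.txt." + EXT_AS_SEEN,
              r"C:\Users\x\Desktop\a.xlsx." + text,
              r"C:\Program Files\VideoLAN\VLC\README.txt"):
        print(is_termite_path(p, variants), p)
```

When building a filesystem or EDR query for this family, search for both the cp1252 form and the GBK form; a rule written only from this report's rendering will miss hosts whose ANSI code page is 936.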

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A (32 events)
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A (32 events)

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 696 wrote to memory of 3408 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe C:\Windows\Termite.exe
PID 3408 wrote to memory of 1376 (3 events) N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 3408 wrote to memory of 1692 (3 events) N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 3408 wrote to memory of 1592 (3 events) N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 3408 wrote to memory of 1408 (3 events) N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 3408 wrote to memory of 4212 (3 events) N/A C:\Windows\Termite.exe C:\Users\Admin\Desktop\Payment.exe

Processes

Parent/child relationships and PIDs are taken from the WriteProcessMemory records above, paired with the command lines in the order the sandbox lists them; each line shows the image path and, beneath it, the command line.

PID 696   C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe
          "C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe"
    PID 3408   C:\Windows\Termite.exe
               C:\Windows\Termite.exe
        PID 1376   C:\Windows\SysWOW64\takeown.exe
                   takeown /f "C:\Windows\SysNative\mswsock.dll"
        PID 1692   C:\Windows\SysWOW64\icacls.exe
                   icacls "C:\Windows\SysNative\mswsock.dll" /grant administrators:F
        PID 1592   C:\Windows\SysWOW64\takeown.exe
                   takeown /f "C:\Windows\SysWOW64\mswsock.dll"
        PID 1408   C:\Windows\SysWOW64\icacls.exe
                   icacls "C:\Windows\SysWOW64\mswsock.dll" /grant administrators:F
        PID 4212   C:\Users\Admin\Desktop\Payment.exe
                   C:\Users\Admin\Desktop\Payment.exe

Termite.exe is a 32-bit image (its children resolve to SysWOW64 and the memory dump covers 0x400000-0x601000), so the first takeown/icacls pair reaches the 64-bit System32\mswsock.dll through the SysNative alias that WoW64 exposes to 32-bit code, while the second pair targets the 32-bit copy under SysWOW64. Both pairs match the two "File created" rows under Drops file in System32 directory.
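The behaviours recorded in this run that are worth alerting on regardless of the file hash are the takeown/icacls command lines against a system DLL (Processes), the Run values pointing at C:\Windows\Termite.exe and a Desktop executable (Adds Run key to start application), the Shell\Open\Command handler registered under HKLM\SOFTWARE\Classes for the new extension and pointing at that same Desktop executable (Modifies registry class), and the bulk of "File created" events that share one appended suffix (Drops file in Program Files directory). The following is an added example, not part of the report and not sandbox output: four detection rules evaluated over constructed Sysmon-style events (event 1 process creation, 11 file creation, 13 registry value set) whose field names and values are modelled on the report's rows, with benign controls that must not fire. Thresholds, the directory allow-lists and the event schema are assumptions of the example.

```python
import ntpath
import re
from collections import Counter

# Extension as the en-US sandbox renders it (U+00AD soft hyphen included).
TERMITE_EXT = "\u00d2\u00bb\u00b9\u00ad\u00b7\u00e2\u00c9\u00f1"

# Assumed policy lists for the example.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\sysnative")
USER_WRITABLE = (r"c:\users", r"c:\programdata", r"c:\windows\temp")
ACL_TOOLS = {"takeown.exe", "icacls.exe", "cacls.exe"}
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"


def _norm(path):
    """Lower-case, strip surrounding quotes, unify separators."""
    return path.strip().strip('"').replace("/", "\\").lower()


def _under(path, roots):
    p = _norm(path)
    return any(p.startswith(root + "\\") for root in roots)


def _first_exe(details):
    """Executable path at the front of a registry value such as '"C:\\x\\a.exe" "%1"'."""
    m = re.match(r'"?([^"]+?\.exe)', _norm(details))
    return m.group(1) if m else None


def rule_acl_tamper_system_dll(ev):
    """takeown/icacls (event 1) aimed at a DLL under a system directory."""
    if ev.get("EventID") != 1:
        return None
    if ntpath.basename(_norm(ev.get("Image", ""))) not in ACL_TOOLS:
        return None
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+\.dll)', ev.get("CommandLine", ""), re.I):
        target = quoted or bare
        if target.lower().endswith(".dll") and _under(target, SYSTEM_DIRS):
            return f"acl_tamper_system_dll: {target}"
    return None


def rule_run_key_odd_location(ev):
    """Run value (event 13) whose target sits directly in C:\\Windows or in a user-writable tree."""
    if ev.get("EventID") != 13 or RUN_KEY_FRAGMENT not in _norm(ev.get("TargetObject", "")):
        return None
    exe = _first_exe(ev.get("Details", ""))
    if exe and (ntpath.dirname(exe) == r"c:\windows" or _under(exe, USER_WRITABLE)):
        return f"run_key_odd_location: {ev['TargetObject']} -> {exe}"
    return None


def rule_file_assoc_hijack(ev):
    """Classes\\<ext>\\Shell\\Open\\Command handler (event 13) living in a user-writable tree."""
    if ev.get("EventID") != 13:
        return None
    key = _norm(ev.get("TargetObject", ""))
    if not re.search(r"\\classes\\[^\\]+\\shell\\open\\command", key):
        return None
    exe = _first_exe(ev.get("Details", ""))
    if exe and _under(exe, USER_WRITABLE):
        return f"file_assoc_hijack: {ev['TargetObject']} -> {exe}"
    return None


def rule_mass_rename(events, threshold=5):
    """Many FileCreate events (event 11) sharing one suffix appended behind a real extension."""
    suffixes = Counter()
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        parts = ntpath.basename(_norm(ev.get("TargetFilename", ""))).split(".")
        if len(parts) >= 3:                      # base.original_ext.appended
            suffixes[parts[-1]] += 1
    return [f"mass_rename_suffix: .{s} x{n}" for s, n in suffixes.items() if n >= threshold]


def evaluate(events):
    """Run every rule over the event list and return the hits."""
    hits = []
    for ev in events:
        for rule in (rule_acl_tamper_system_dll, rule_run_key_odd_location, rule_file_assoc_hijack):
            hit = rule(ev)
            if hit:
                hits.append(hit)
    hits.extend(rule_mass_rename(events))
    return hits


# Constructed events modelled on the report's rows (not sandbox output). The third
# process event and the Word handler are benign controls that must not fire.
SID = "S-1-5-21-2437139445-1151884604-3026847218-1000"
RUN = "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\takeown.exe",
     "CommandLine": r'takeown /f "C:\Windows\SysNative\mswsock.dll"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\icacls.exe",
     "CommandLine": r'icacls "C:\Windows\SysWOW64\mswsock.dll" /grant administrators:F'},
    {"EventID": 1, "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "D:\Shares\Finance" /grant finance:(OI)(CI)M'},
    {"EventID": 13, "TargetObject": RUN + "Termite.exe", "Details": r"C:\Windows\Termite.exe"},
    {"EventID": 13, "TargetObject": RUN + "Payment.exe", "Details": r"C:\Users\Admin\Desktop\Payment.exe"},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Classes\\" + TERMITE_EXT + "\\Shell\\Open\\Command\\(Default)",
     "Details": r'"C:\Users\Admin\Desktop\Payment.exe" "%1"'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Classes\Word.Document.12\Shell\Open\Command\(Default)",
     "Details": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "%1"'},
]
for original in (r"C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms",
                 r"C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNI.TTF",
                 r"C:\Program Files\VideoLAN\VLC\README.txt",
                 r"C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties",
                 r"C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml"):
    EVENTS.append({"EventID": 11, "TargetFilename": original + "." + TERMITE_EXT})
EVENTS.append({"EventID": 11, "TargetFilename": r"C:\Users\Admin\Documents\notes.docx"})

if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit)
```

The ACL rule keys on the tool image and the target path, not on the sample's name, so it also catches the common "takeown then icacls then overwrite" sequence against other protected DLLs; the Run-key rule treats an executable sitting directly in C:\Windows (rather than in a subdirectory) as anomalous because installers do not place binaries there.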

Network

The only traffic in the 122 s network window is four reverse (PTR) lookups sent to 8.8.8.8, for 20.72.205.209, 40.126.32.138, 192.229.221.95 and 52.111.229.19. No connection to a command-and-control host is recorded in this run; that is an observation about this detonation, not evidence that the family has no C2.

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Windows\Termite.exe

MD5 98c920685101ef25caae9db5ec186d5f
SHA1 81e52674a6e7eec3e729981ee7d9645b2967c485
SHA256 6ae43bb6c38e2b1e4da28ffbb58c169cc65668ecaa5c8a5dd50e26c93005b35c
SHA512 da56143eb84a2b04e9c4c174934e89d7dd2d94e12f41321f87841600a819e9a95bc28dc39fefd39a611c62365a055f2a8e82ebe7c04d55309de61a35ebe20287

memory/696-354-0x0000000000400000-0x0000000000601000-memory.dmp

C:\Users\Admin\Desktop\Payment.exe

MD5 9f9bb9ee4952cb514089910e19eac5c4
SHA1 c57f604e8eca50df40df93a6b0c3d65ab8d3b198
SHA256 0c9844f11b7b57547891b3cec86bd3468734a990768dd9f7a9a72cf6a908b17a
SHA512 8661c46618d0f8454a278d6a4e1b85fd9c9656c2e59feb6851087bfcdb53bba5015ce023cf6d0504dc899ae6fbbd4f413b45228eb2c8eb6965912cb32482d14f

C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.Ò»¹­·âÉñ

MD5 c93fe156f2c4bda8f128ea74928bf3c5
SHA1 29af09dccc8317d325eb607b40a37025bc059f33
SHA256 007543559c4c1a083eb8d1218f317d24feb4e761513c20ca4e4b9491f2e69094
SHA512 b99c163a8f8af844765464f2028c7fa016d72403c6dcef0f5b8ffe2ad2dd7a57b9d6f30e22b3cde12ffaff1867adf6dc9f1529833fffd48fd4b896e9f3364643

C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.Ò»¹­·âÉñ

MD5 0efed70b594d27689d66eef151a48867
SHA1 7cfa9199b5ff8d2b8980829b6a48d15bc4a05c5c
SHA256 25d42f4f793fe9b7f5fc5562da76d814a237cd8ac97ca8eb1f8146c2f0363d16
SHA512 173336422b53d828b2a81812f86df6268e0e47f66dba0f55b705b57fefcde4800560840edb60a5f054160c7e6d175f1a093ee92aadd46d41247c1f9c40632153

C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.Ò»¹­·âÉñ

MD5 c79f56c28ce7a4a5f39d1b35dcac788b
SHA1 32c8d39a5b603acee327b43a6be9bc5f369f0379
SHA256 96c863a03d4f96ab35b84ee8a8162e260b3ba773b319f7bebb564254779c521f
SHA512 42e65f3b57b3468740d0e2bea234b7b1d114592b59b458859cd4e4b55cc4169837285d8fb387c29f7342251c0e76c350d19d743c2ebd628d23dcfda4eb459eef

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OWSHLP10.CHM.Ò»¹­·âÉñ

MD5 0ec46763fb5aab2186080dc855c4304a
SHA1 d4aba613dc15227732ae70a41b08375c28767777
SHA256 9fd113095c1a62c75b5c8e08cb2dfec576be1cdf34dd4afe18ca272f76ad9fcd
SHA512 0ae82648eddf323172f8a5da8fd1446224322a50641ca73834e529fc568efe790d66d9d8be6d5a6b17bc2df7c43ccb7dd92ca9b06b5b2a70d237fa8fd07d1cc6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.Ò»¹­·âÉñ

MD5 c6f962afe894a5e050545711f087a9d2
SHA1 ea08c2f084f13a6d67e101acacdc682728bc4b71
SHA256 412f3672daa2813d59ece6326e6ceefa8acf246ba380737b748e44864b69d55a
SHA512 c22fbe21bd44068e297429651006c5440f8829b70879118fe677c9312e7c99b0737aa9aca9d7ed7701dac0942b463b53dbf46240f9674fc816688b8c5149a40e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.Ò»¹­·âÉñ

MD5 b6aafafd8d4a2161a7b8d7e9f8ebb834
SHA1 151fc07474797fbadb405e6593d9e592d4e0b8c1
SHA256 5b75136426ec1bb17e20e241a65449e6926d96b0d8079b31df30e07fd0b340a8
SHA512 53fe45823aa75b34ffaac5746c0aa0842dfcf0fe29823d8b77bb8ad50a17fb4c6b6aa07e9948c5eefb697591ca317c2e92b43b521a28d544a2a67515e51c3102

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.Ò»¹­·âÉñ

MD5 9b1088b3923bfabf181ac36b71c1c07a
SHA1 9046505b12315e69b91d2410be55046155b31948
SHA256 0bc52271ba45cd2630a28d81c88b4af56a5223bdcf726c29eb306b98cc5d450f
SHA512 87e801d8ac6838e188a197d2793195dfcf17afc535d3d2bb59bdf8956638ba9bd2b6dd19488d196b35067743cba52b96b603a5ce61d75b4b1139f9c28599ada5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.Ò»¹­·âÉñ

MD5 e99a48bcd2883210f6a36fc1e4b8b1ee
SHA1 153a98393da430dabdc96ad50438ca8be4fc22df
SHA256 7542e1b723b192f96ef4f2f86f83bcfc5be6bc0643144989e4cb6fc2fa57b798
SHA512 e000b7d3e80eb2d676f0ea5d9ee29af7a09850fd00df23c9625e8a0701eee3686e93fe6c5920e6138041b09d5539042b882e89fb08b8fd30958baabedee6dc78

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.Ò»¹­·âÉñ

MD5 c125fd04f1256953a4668118967baf13
SHA1 57a2196d9e279bedd51a596367c7de7a02e9d7a2
SHA256 b5c7fb6fcc6a0324ef23608ebb428eb665191f6d36d502768f75a8480801258e
SHA512 7a7dfaa7554176852a92c5c06542a5eb5d9f36ca0b396ea3527ffe08fbdbe7d59c63347c05010ce508697d4efd67ae390b587239419f16b65791f912d41a949f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.Ò»¹­·âÉñ

MD5 da26d7cd3a51091e52a62bfb51ad6c16
SHA1 81d318e904d2bc9d672daf71b7c089f00879d30f
SHA256 b472760e622ac585dc379120d8ba19502b19add1eae23c84a891088bdfe49332
SHA512 d639ac6ba4cc3c475e63c73167a87c2e77d04aeb597bc9728dccb20eedc8a227ee2bc3818fe49e07707f473be288979637700deb97b4d77ec908618fdc7c79e6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.Ò»¹­·âÉñ

MD5 22a6c02d39a83089a48f1c1fa04a43ff
SHA1 61552aba5ec65a1e870c6b844113d7f4c6a4e8d9
SHA256 ba5e1eb07e92ea1ad9f6ae2447aaa4a0eb7e882c736b890bfa3441604b86e714
SHA512 4fe1442c520bb506d294f283d8ff648e449e31980c1d6c09e057dd1b044cb01cdc4be300f0d171d0ed794c770efe32cbc86273e8a1c7a0bd770138b9c05018cf

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.Ò»¹­·âÉñ

MD5 5da29711b8cb26ca1b19559b04351e0d
SHA1 8bee6801b3414b9edc89aa363be94f7b16350383
SHA256 91d5782029a48fe45d7b5dbf9d6bdfe83cb2f69dfd9886ecbe63da1159ea3899
SHA512 7b48e83083a266d57f015309cdda38651ea88da31382d08b85b401e279887c4757be94b28a61d863920db13118286162e004ded96cd2f762bb7420674cd749d8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.Ò»¹­·âÉñ

MD5 a5b0793c079f0c347bd3c8e26dd42edc
SHA1 c2e59ef8e26f691e72587cfe3605edda2395d095
SHA256 d2de4ae95afb13d76af4cdda4bd1cf5f8e1d92091e21b1aa2f27dccc44eca633
SHA512 d7377ec8942b63de4b5cec55ca3e07b0fbadfa6f183425b6d96f1de0729fbc5cc3498f245098a549a70238649930e8bc561aa9074649a2fd168276a6d585c564

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.Ò»¹­·âÉñ

MD5 a28159f64935ef1d43a6606056881bd8
SHA1 764a086353c9cf10713c47fe702d03f983b8bd23
SHA256 090c0488f61ccf3244291e9c8485e3d4741dab70e523bd1f45a45d4118a755a2

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 01:57

Reported

2024-10-17 02:00

Platform

win7-20241010-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe"

Signatures

Renames multiple (8462) files with added filename extension

ransomware

Possible privilege escalation attempt

exploit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Windows\Termite.exe N/A

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Termite.exe = "C:\\Windows\\Termite.exe" C:\Windows\Termite.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment.exe = "C:\\Users\\Admin\\Desktop\\Payment.exe" C:\Windows\Termite.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\mswsock.dll C:\Windows\Termite.exe N/A
File created C:\Windows\SysWOW64\mswsock.dll C:\Windows\Termite.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\INDST_01.MID.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\currency.css.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00437_.WMF.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\attention.gif.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215710.WMF.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgzm.exe.mui.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00090_.GIF.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.LEX.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXT.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrowMask.bmp.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\London.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+2.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\VideoLAN\VLC\NEWS.txt.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\localizedSettings.css.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcfr.dll.mui.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Couture.eftx.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_K_COL.HXK.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendtoOneNoteFilter.gpd.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\PREVIEW.GIF.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\es-ES\Mahjong.exe.mui.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\flyout.css.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01603_.WMF.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15057_.GIF.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\SignedComponents.cer.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Earthy.css.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Java\jre7\lib\security\local_policy.jar.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\setup_wm.exe.mui.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\settings.css.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00305_.WMF.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\PLUS.GIF.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS.XML.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARBB.DPV.Ò»¹­·âÉñ C:\Windows\Termite.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Termite.exe C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe N/A
File opened for modification C:\Windows\Termite.exe C:\Windows\Termite.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Payment.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Termite.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\EditFlags = "2" C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\DefaultIcon C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\Payment.exe,0" C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Ò»¹­·âÉñ\ = "Ò»¹­·âÉñ" C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\ C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\Shell\Open\Command C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\Shell C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\Shell\Open C:\Users\Admin\Desktop\Payment.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\Payment.exe\" \"%1\"" C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Ò»¹­·âÉñ C:\Users\Admin\Desktop\Payment.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ò»¹­·âÉñ C:\Users\Admin\Desktop\Payment.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Termite.exe N/A
N/A N/A C:\Users\Admin\Desktop\Payment.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2808 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe C:\Windows\Termite.exe
PID 2824 wrote to memory of 2920 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2824 wrote to memory of 2792 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2824 wrote to memory of 2936 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\takeown.exe
PID 2824 wrote to memory of 1860 N/A C:\Windows\Termite.exe C:\Windows\SysWOW64\icacls.exe
PID 2824 wrote to memory of 1684 N/A C:\Windows\Termite.exe C:\Users\Admin\Desktop\Payment.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-17_98c920685101ef25caae9db5ec186d5f_termite.exe"

C:\Windows\Termite.exe

C:\Windows\Termite.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysNative\mswsock.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysNative\mswsock.dll" /grant administrators:F

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\mswsock.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SysWOW64\mswsock.dll" /grant administrators:F

C:\Users\Admin\Desktop\Payment.exe

C:\Users\Admin\Desktop\Payment.exe

Network

N/A

Files

C:\Windows\Termite.exe

MD5 98c920685101ef25caae9db5ec186d5f
SHA1 81e52674a6e7eec3e729981ee7d9645b2967c485
SHA256 6ae43bb6c38e2b1e4da28ffbb58c169cc65668ecaa5c8a5dd50e26c93005b35c
SHA512 da56143eb84a2b04e9c4c174934e89d7dd2d94e12f41321f87841600a819e9a95bc28dc39fefd39a611c62365a055f2a8e82ebe7c04d55309de61a35ebe20287

memory/2808-35-0x0000000000400000-0x0000000000601000-memory.dmp

\Users\Admin\Desktop\Payment.exe

MD5 9f9bb9ee4952cb514089910e19eac5c4
SHA1 c57f604e8eca50df40df93a6b0c3d65ab8d3b198
SHA256 0c9844f11b7b57547891b3cec86bd3468734a990768dd9f7a9a72cf6a908b17a
SHA512 8661c46618d0f8454a278d6a4e1b85fd9c9656c2e59feb6851087bfcdb53bba5015ce023cf6d0504dc899ae6fbbd4f413b45228eb2c8eb6965912cb32482d14f

C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico.Ò»¹­·âÉñ

MD5 325754b8af07331617169ad2a954a1b8
SHA1 ad311b40e2a4313c0914bb9425be3efd20839659
SHA256 d1a6e8415bd3b15eb132f81413ed7caa6f3e555d7bc09c4c253ff72514e0ce03
SHA512 9981dc50749e300a3b68e043660111e14348627193a14892d1d20625e1c381f4ce78b9f42cac8fc660e68f035a9acb6b9265ba3cd8e22155de5e279331b57844

C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml.Ò»¹­·âÉñ

MD5 c7351f5c4ede4c3a5c8bed96f3ebb74a
SHA1 fb0bba8b9959aa54308d70bb00eb8f859628fab6
SHA256 b88dfd503129df17982b6619eebf6ac13f736ccc89647f89c902fef92ed99bc4
SHA512 03b2ea6719060d36739cd0c8386e52c0cadefb4a7f214e8cc31c9d0abb06a73e8b6ef0dce2d1b598f9028b06f0ffaf8bd51c46369e4b2aa152d404664ea89e2d

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.000.Ò»¹­·âÉñ

MD5 709587aea1113d07d402e471181aa2fe
SHA1 539d59e036418d04f16fe1ae56b0ae5c684b075a
SHA256 c29ee2e41198318c476312550cf8b3201a0bfc3f9d3e4b68baf697e165dcd8e4
SHA512 74863bab3b4afd397deab467b60dd896e4873b8954abc75817ae0ebac79f536146f96a6a2ccdf92eb43a44ed244a70b466cb17da635d748f58ff462df1263992

C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.Ò»¹­·âÉñ

MD5 e423c23dc63b0f1b94e64d1b5b401c6e
SHA1 c45c63d575ad4f299aaa65a6a44b81230318bffd
SHA256 762ff18bd2ef976f9b84faa9127a63cc98617c9714f24ee23e9101e2f39d89d7
SHA512 15dd935975a1ee5764c5e4b66caaeda2dde05c6d43c93cd04579a2079f9e04b774b6e97a1b3b2c07d6ec18bf9512159db78ed46f06cb24cf3759ea352b694589

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.Ò»¹­·âÉñ

MD5 1527f5bfe9eef4a663c86fd3838b0893
SHA1 f20bb0f89a12763075e7513881d3042e70b6f05f
SHA256 45ca65e3df28d0b25c62cb4d92589d46e66e03238df0317cc3156a1b975767c5
SHA512 085f4ca44895bc14afd984b01a14043f81960b32ff281659361aec4a0a0722936b0140f9951e17cab0be901591d7e42f89fb2cd0858fe9f368baaf3b266c43c1

C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.Ò»¹­·âÉñ

MD5 888fe49199971d6b672b509f46ad96f3
SHA1 0c039d875ca9bdc0acc7c221f77998e8bae5e780
SHA256 042085b0286a0f9bbff6b2e3cb8ef71598679c4c9f886f130908cf0f7120fa12
SHA512 22ed9bb33718496d6a5d026c81b34c13dcf78c74dec8ee00c6b746562895f3e557f7b7c85eb9e62756ea81bf65b873ba8c45604e2988fd8e07dd0c29be0e091c
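Working note on the listing above (added example; this is not part of the sandbox report and not the sample's own code). Every renamed file carries the same appended extension, which the report renders as the Latin-1 mojibake Ò»¹­·âÉñ (the fourth character is a soft hyphen, U+00AD, easy to lose when copying). Re-encoding that string as Latin-1 recovers the raw bytes the sample actually appends, and those bytes are a valid double-byte GBK sequence; reading them as GBK is an assumption here, made because the bytes decode cleanly under it. The script below recovers the bytes, decodes them, maps a constructed sample of the reported paths back to their original names, counts which locations were written to, and builds a byte-level pattern for hunting the extension in file-create/rename telemetry. All function names, the SAMPLE_PATHS list (copied from the entries above plus one constructed non-renamed control path) and the location buckets are illustrative.

```python
# Added example (not from the sandbox report): interpret the renamed-file listing.
import re
from collections import Counter

# The appended extension exactly as the report renders it. Explicit escapes so
# the invisible soft hyphen (U+00AD) survives copy/paste.
REPORTED_EXT = "\u00d2\u00bb\u00b9\u00ad\u00b7\u00e2\u00c9\u00f1"

# Constructed sample: a few paths copied from the report, plus one control path
# that was not renamed (constructed, not from the report).
SAMPLE_PATHS = [
    "C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png." + REPORTED_EXT,
    "C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\it-IT\\Help_MValidator.Lck." + REPORTED_EXT,
    "C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\shared_proto_db\\metadata\\CURRENT." + REPORTED_EXT,
    "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\bhzluvd5.default-release\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.sqlite." + REPORTED_EXT,
    "C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi." + REPORTED_EXT,
    "C:\\Windows\\System32\\notepad.exe",  # constructed control: not renamed
]


def raw_extension_bytes(ext: str) -> bytes:
    """Undo the sandbox's Latin-1 rendering to get the bytes the sample appends."""
    return ext.encode("latin-1")


def decode_extension(ext: str, codec: str = "gbk") -> str:
    """Decode the raw extension bytes with a double-byte codec (GBK is assumed)."""
    return raw_extension_bytes(ext).decode(codec)


def split_encrypted(path: str, ext: str = REPORTED_EXT):
    """Return (original_path, True) if the path carries the appended extension,
    otherwise (path, False)."""
    suffix = "." + ext
    if path.endswith(suffix):
        return path[: -len(suffix)], True
    return path, False


def classify(path: str) -> str:
    """Coarse bucket for where the sample wrote (illustrative categories)."""
    p = path.lower()
    if p.startswith("c:\\users\\"):
        return "user-profile"
    if p.startswith("c:\\programdata\\"):
        return "programdata"
    if p.startswith("c:\\program files"):
        return "program-files"
    return "other"


def summarize(paths):
    """Map each renamed path back to its original name and count locations hit."""
    originals = {}
    buckets = Counter()
    for path in paths:
        original, hit = split_encrypted(path)
        if hit:
            originals[path] = original
            buckets[classify(original)] += 1
    return originals, dict(buckets)


# Byte-level pattern for the appended extension, for telemetry that exposes the
# raw file name rather than a decoded string (avoids locale-dependent rendering).
EXT_RAW_PATTERN = re.compile(rb"\." + re.escape(raw_extension_bytes(REPORTED_EXT)) + rb"$")


def matches_raw_name(raw_name: bytes) -> bool:
    """True if a raw file name ends with the sample's appended extension."""
    return EXT_RAW_PATTERN.search(raw_name) is not None


if __name__ == "__main__":
    print("raw bytes :", raw_extension_bytes(REPORTED_EXT).hex())
    print("as GBK    :", decode_extension(REPORTED_EXT))
    originals, buckets = summarize(SAMPLE_PATHS)
    for renamed, original in originals.items():
        print(original, "->", renamed)
    print(buckets)
```

The byte form (d2bbb9adb7e2c9f1) is the stable indicator: the same extension shows up as Ò»¹­·âÉñ on a Western-locale host, as four CJK characters on a GBK-locale host, and as replacement characters in a UTF-8 pipeline, so match on the bytes rather than on any one rendering.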