17e1e290e2c354d5cc4d31ebdfefe46e8fc4e6bc29fc108f1c91311e737a028e

Resubmissions

21-11-2024 10:58

241121-m3b1ss1pez 9

30-08-2024 00:41

240830-a2ap5a1akp 9

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exe
Size

1.9MB
MD5

842421d3e233f6a1577892b49ef8971e
SHA1

ef3eb5d43855b9cc77edd967b57540623466d993
SHA256

17e1e290e2c354d5cc4d31ebdfefe46e8fc4e6bc29fc108f1c91311e737a028e
SHA512

1372880857a28260530cf57ca900f9685ebcbeb06c49f4d1fb47c4e3892c366cf44b79947ff00d6bab5471aaa67e785590e2c7b841b601f7e933441742a93df7
SSDEEP

24576:tnxLSUXY7WSIGgjXvYaxKMiZA+yH6uw1ECvGX6H7O3YpPNaG:txOUpSIZzv1xim+y6HLOO3

Score

9^/10

credential_access discovery exploit persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (8624) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4028 takeown.exe
2288 icacls.exe
4412 takeown.exe
1308 icacls.exe
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Deletes itself 1 IoCs

Processes:

Termite.exe

pid process

1444 Termite.exe
Executes dropped EXE 2 IoCs

Processes:

Termite.exePayment.exe

pid process

1444 Termite.exe
2876 Payment.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1308 icacls.exe
4028 takeown.exe
2288 icacls.exe
4412 takeown.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
4028	takeown.exe
2288	icacls.exe
4412	takeown.exe
1308	icacls.exe

pid	process
1308	icacls.exe
4028	takeown.exe
2288	icacls.exe
4412	takeown.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Termite.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Termite.exe = "C:\\Windows\\Termite.exe"	Termite.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment.exe = "C:\\Users\\Admin\\Desktop\\Payment.exe"	Termite.exe

Drops file in System32 directory 2 IoCs

Processes:

Termite.exe

description ioc process

File created C:\Windows\system32\mswsock.dll Termite.exe
File created C:\Windows\SysWOW64\mswsock.dll Termite.exe

description	ioc	process
File created	C:\Windows\system32\mswsock.dll	Termite.exe
File created	C:\Windows\SysWOW64\mswsock.dll	Termite.exe

Drops file in Program Files directory 64 IoCs

Processes:

Termite.exe

description	ioc	process
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\ui-strings.js.kqdwindows7ssb	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Bold.otf.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\THMBNAIL.PNG.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\27.jpg.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-125.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\Mixer_logo_half-White_RGB.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-200.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\WideTile.scale-125.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-400.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-30_altform-unplated.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_unshare_18.svg.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\accuweather.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x_2x.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LargeTile.scale-125_contrast-black.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\THMBNAIL.PNG.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-125_contrast-black.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-36.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-100_contrast-white.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\avatar310x150.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-150.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxSmallTile.scale-400.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteLargeTile.scale-150.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-400.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\de_get.svg.kqdwindows7ssb	Termite.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Social.DATA.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\PREVIEW.GIF.kqdwindows7ssb	Termite.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssui.dll.mui.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\MedTile.scale-200.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare150x150Logo.scale-100.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileMediumSquare.scale-200.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\160.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\MedTile.scale-200.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML.kqdwindows7ssb	Termite.exe
File created	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Reader_DC.helpcfg.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-100.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-100.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\ui-strings.js.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\SmallTile.scale-150.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-24_altform-unplated_contrast-black.png.kqdwindows7ssb	Termite.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated_contrast-black.png.kqdwindows7ssb	Termite.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exeTermite.exe

description	ioc	process
File created	C:\Windows\Termite.exe	2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exe
File opened for modification	C:\Windows\Termite.exe	Termite.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

icacls.exePayment.exe2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exeTermite.exetakeown.exeicacls.exetakeown.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Termite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe

Modifies registry class 11 IoCs

Processes:

Payment.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kqdwindows7ssb\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\Payment.exe,0"	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kqdwindows7ssb	Payment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.kqdwindows7ssb\ = "kqdwindows7ssb"	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kqdwindows7ssb	Payment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kqdwindows7ssb\	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kqdwindows7ssb\Shell\Open\Command	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kqdwindows7ssb\Shell	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kqdwindows7ssb\Shell\Open	Payment.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\kqdwindows7ssb\EditFlags = "2"	Payment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kqdwindows7ssb\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\Payment.exe\" \"%1\""	Payment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kqdwindows7ssb\DefaultIcon	Payment.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Termite.exePayment.exe

pid	process
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe
1444	Termite.exe
1444	Termite.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exe

pid process

3832 2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

takeown.exetakeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 4412 takeown.exe
Token: SeTakeOwnershipPrivilege 4028 takeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4412	takeown.exe
Token: SeTakeOwnershipPrivilege	4028	takeown.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exeTermite.exePayment.exe

pid	process
3832	2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exe
3832	2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exe
1444	Termite.exe
1444	Termite.exe
2876	Payment.exe
2876	Payment.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exeTermite.exe

description	pid	process	target process
PID 3832 wrote to memory of 1444	3832	2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exe	Termite.exe
PID 3832 wrote to memory of 1444	3832	2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exe	Termite.exe
PID 3832 wrote to memory of 1444	3832	2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exe	Termite.exe
PID 1444 wrote to memory of 4412	1444	Termite.exe	takeown.exe
PID 1444 wrote to memory of 4412	1444	Termite.exe	takeown.exe
PID 1444 wrote to memory of 4412	1444	Termite.exe	takeown.exe
PID 1444 wrote to memory of 1308	1444	Termite.exe	icacls.exe
PID 1444 wrote to memory of 1308	1444	Termite.exe	icacls.exe
PID 1444 wrote to memory of 1308	1444	Termite.exe	icacls.exe
PID 1444 wrote to memory of 4028	1444	Termite.exe	takeown.exe
PID 1444 wrote to memory of 4028	1444	Termite.exe	takeown.exe
PID 1444 wrote to memory of 4028	1444	Termite.exe	takeown.exe
PID 1444 wrote to memory of 2288	1444	Termite.exe	icacls.exe
PID 1444 wrote to memory of 2288	1444	Termite.exe	icacls.exe
PID 1444 wrote to memory of 2288	1444	Termite.exe	icacls.exe
PID 1444 wrote to memory of 2876	1444	Termite.exe	Payment.exe
PID 1444 wrote to memory of 2876	1444	Termite.exe	Payment.exe
PID 1444 wrote to memory of 2876	1444	Termite.exe	Payment.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-30_842421d3e233f6a1577892b49ef8971e_termite.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\Termite.exe
  C:\Windows\Termite.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\SysNative\mswsock.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\SysNative\mswsock.dll" /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1308
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\SysWOW64\mswsock.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4028
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\SysWOW64\mswsock.dll" /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2288
- - C:\Users\Admin\Desktop\Payment.exe
    C:\Users\Admin\Desktop\Payment.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.kqdwindows7ssb

Filesize
735B

MD5
6b867dd5b6e26dca95579f51adfc8be8

SHA1
c7e27392804e3fb88dcdc2282e7fb97731ae77d8

SHA256
0fe3f3b9efeaa88fac0dac2c3785b6f0bd04c815d108dfa1abc96ed56380ba6b

SHA512
4b27af6952bf0de03a590549a611ea233844799d043562e5c1b104da4b0062aafaf6bb5677cb04ff9423dc0522d81a4e866e9053a9fdb742557382ec001deca6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.kqdwindows7ssb

Filesize
703B

MD5
606b962101dd3cc336ff7ccd3e9daab4

SHA1
9f71f9a61f504eca0d1f60dcd63d0b8643ee3e4f

SHA256
b1a10b6e5f61525d0e1627dfdd1c19aeb801ae2f281246f2318e13dccd5e7b32

SHA512
330f9c778144aca5779ef500851ce10c4edf975b8deb34a03f2e150779191d3491cae058223f81fdecff1b9a8ed990d4e88c12f3a9853b690cf5257f04521f16

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.kqdwindows7ssb

Filesize
1KB

MD5
21c9444936565e77b6b78650f613eb50

SHA1
fafae29e99ee50498ecc25056f3cebd49f624193

SHA256
63dce63f5c6c133ccb29e739ab14cbeb8bb423c1afbc8773715aaeaf02315a44

SHA512
718caaafc665a4a2865f9c5c9b2bec4aa28487eb52cc33b36317d92c94d0684ff138cc61032b78b908253e4639410b934c993760884d921735b7a3d8be0d802a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.kqdwindows7ssb

Filesize
471B

MD5
e674b70c24dd94b5c40957c698ef311d

SHA1
2ee446b0df7ad369eb16524c0f56de930323327f

SHA256
c47d352fffc2bca150fdf086f07645038ae93ac897f7f2dec06933be5514b172

SHA512
081b1009d680f21e84dae3965e0c404c21fd554cdac19664e71c9a06abcda2bb24fa3dc043a85d50b75cb56ea5e488692bbab79286bce749bf6d3808603111fa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.kqdwindows7ssb

Filesize
631B

MD5
62a44bf3a22d4f98dff597bf7e80fdc2

SHA1
868b64e1dd11a45fea89d6f1959b4a84d95b0d66

SHA256
07c0cfed4b3f9af533d40e13d593d817891367a8a429e94943c8448f941c911e

SHA512
a013ca22ab71c4543184660b7afd6e528778831e9d334fb5ee81b9fbca0f1b5689d49e5a727f20a448a29e8294ff7c3f9b51bd629ad8f4743b74e0ae801a4ea4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.kqdwindows7ssb

Filesize
407B

MD5
44019f0df5cf96319d2ff4f0fc10ef49

SHA1
b270d104fa957c07fbc1e49b0ba52fd52d1efb9b

SHA256
620fdb4f237211fc1149a413dbe27853f23dd8af6f16f25223a727b61e0868cf

SHA512
7dd350856456ffbe4ec28447472035bdbb5356cbaab7cc762dfad6755cb4ea0e245af3298b4a41db9182b40664d1197f028e4c0bd5ee65c5ba4ddd223ae13b93

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.kqdwindows7ssb

Filesize
575B

MD5
678881cec249e4e8396adf04dcf7faff

SHA1
4e7adafd91c0749c8ed374e4d6d5b94f4059aa78

SHA256
eab38f27616c01e21f3425008adbc2a25863f0bee5a8583c166d953344cd4785

SHA512
907a26c4f089e200273cab66df0fd59e7e9a00901b19ab97a5257e819fc4b5d8bbf54bc2f64aa0dda1ab96070fcd6851c66418f947307805fdc2660f42d7dc1b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.kqdwindows7ssb

Filesize
407B

MD5
a598d53def9220932b631ac97cbea8ab

SHA1
fa9b523c4fec085f1eafb86cf1faff5b6db47c19

SHA256
1a5894d801750add0341249e13de861055a0788c691d92105e2dffc0c9c1df7a

SHA512
c0b5467d71a847b8bfedbd2a6d2dde0c1b4807bd00eafc3c3017e6b864c26f3cbb2ad78cfbe335f31d1999888639f44dc3d742e523788a0e99f4424175286be9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.kqdwindows7ssb

Filesize
575B

MD5
4734d86d03d79c44ec664a7327ad4f9c

SHA1
96fe2758ad671c3d007711d11e4a27c82e4f5386

SHA256
c7063d93dfb672b10fabc1044f6da828470369aba706e65caddd3ac016db5f34

SHA512
bb191df5df269241de1aac67c55c196dc4c9b4d7a04dde7a713f342c6f11a334b3e8cb91c34c79337e939fe43ab3dfad90aa5d417656fa36551941a879aa34e6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.kqdwindows7ssb

Filesize
407B

MD5
e5538f4ebcc4f8a881f5107a134c9501

SHA1
6b0331e9ed2c318a9328adc516429190cf9ef9e7

SHA256
6194b42460aaa20fe60d9c3781bac2b14b0e1b1a86288288e9d29d21bb7a032f

SHA512
fc91cec61716c59d32632b56b01316e1c49013d6ffb51972af413ce4e0cd7827dfe3ff05dd83ae9e278f569a5a0d9d45781a14b2a464b1f78d4e7838582f8904

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.kqdwindows7ssb

Filesize
575B

MD5
8532f3b0a1affdd2ee0308c42910b095

SHA1
003f7fb26364e07f02812b540fda889cead56dea

SHA256
5f121fd766e54290fc2c2dcc5a53a957261514f22a50f44cd8b1ab26b276ea75

SHA512
be7421336b3d3f78f9f61defecc6505f5b60bf5c26563c3653ff0138f5db0d657eb484db1f691e32674c562cbc3248d6d21bf0250aef169992034fa1e03af0dc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.kqdwindows7ssb

Filesize
7KB

MD5
f6e6fb215972950dde86d13ecc6bbb20

SHA1
a60d2f778912f6570ac1fe3d85291cb2177d589f

SHA256
d13e7da42805d8157177879717b673b9675c5e468ed713f2053e25d91d6bf59c

SHA512
6864d1274567fdc1b8bd49cd28e1adfa80ca99aab5d52b70b956933a9d5eedefac3c0932f7887c031564421f2132a85e3234ea8263c5391966c792c85ac8f872

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.kqdwindows7ssb

Filesize
7KB

MD5
a0baefb4e8c3c5fd623a610df326a082

SHA1
39528e464fe5c788a37285e2278ed0971d4bf5dc

SHA256
d35ba4ca3dc1fedef078e61efb435fd3aedc3361b0b191ef395b58fcb5024a78

SHA512
a5ca9eee7c552c800dbc3a8b8df549de61c6997132d2d0839ff2f2b1f1089651e9dc1dd5babb766270b54396003337d93659ebb124446b42191320d7a711b410

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.kqdwindows7ssb

Filesize
15KB

MD5
bcb2d890920f1b677be08eebf50e8e71

SHA1
4b7475fb1d3d0609804f3b1250d90d09eb230fb0

SHA256
1e8e9ed334c0f62a6ea0a53f72189179c333e8c0142d0bd2dd5e89c5acc4c039

SHA512
d31977ef2d81a16ade68e3b3c66d5d304db96e4e1c37601597b4ec5931dde91770010817408946ac34023bbcb966f518d68e58579686a39b5e4a3e647cd797e8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.kqdwindows7ssb

Filesize
8KB

MD5
21a7448b7474da99c75adf661fdc81cc

SHA1
549a640c94469ea70310bb1decf013c4ee07330a

SHA256
3ba5c796d18ef28f912ebd6956bf227f91545d9202fbd46693829954e05beece

SHA512
9e8f1bd3bccb20f8db9895069762d9d4112452b803fc90c7d94e50044ea699756411214e2cbda67643180009d3e48dc7541f7916194eaf46fe0178b2d4888802

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.kqdwindows7ssb

Filesize
17KB

MD5
4a51a22b8fb25b29a0c02c25eb23a7a2

SHA1
808ca01718136b6490a427b8b7dcf25fcd3d1364

SHA256
39a66aceeed8b2a3a284a52c7f2d509ec8b0994d021f7f56a4644f98a81bae4d

SHA512
45bc81d88a4f366eeecab7037c4e8cc22761530689c7e4c854a0f05567185dc68dc343402c803b45aff7207308f90644883659972bc8c5f6fee1f8598a65656d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.kqdwindows7ssb

Filesize
199B

MD5
431caec4970003588c38e73928b871cb

SHA1
0e14fa434ee5da7e88779dfc429ccd65f76a99f5

SHA256
2ec216b63576eb4689fc1f7d00cbb07e92f5119b78b4fe6de2d7bf185f6ec8b3

SHA512
650b6293d86dab4bc6f9ada4ef6385556d4a234493bf98ed61dd1a6d7d58c9f92b0c4bcae90e64bad7ae722926c766f24af23604a0f0d5655a0adcfbb9845ce3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.kqdwindows7ssb

Filesize
727B

MD5
57781b580888b3491bf0f347d3b20c92

SHA1
d06a693d34a09418a2f7607c185a316865d090a3

SHA256
e8a8da0fe2ac92d0cbb672af325c4f9c2dee1db88730237a463afe9635c22600

SHA512
2532f269ebf17ce222dbd6dd1efc33bd6ad21242508422b5e0d3149574244902d4b13eb6a48fc97f03cac617cc619dde511e13ba6de0e7ceaf9d5084ffc329d4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.kqdwindows7ssb

Filesize
8KB

MD5
37a38f2b1ed34ecee9d2db5517433e5d

SHA1
123c0b003f662dc4f5616722e61e772e2443397e

SHA256
ee89c69d0ba54d82925f36d7d2be82e78c246cf4f88c39abb321f9e0115695cf

SHA512
de7ab615d60ca4c15ab291ba16e55e2d3fc692b1e914c8f7ad0809d0039b53d00645c7fc2d3274375accc0b8c4a50123317ec49057536691e3553a9fa00b914d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.kqdwindows7ssb

Filesize
19KB

MD5
34a7edce9c88030df0f28891b658c6a9

SHA1
c693388febb3d38776815218bf667e546bc6c2a5

SHA256
608f0aa39367a85ecfff81d767b5a828e08f3ff17544209311521e85ba4ada84

SHA512
1137f1fd4c9e2029c48d59f30623093c08f7fb74a6581aeb7e81b2ddd54b0c3e91fdd30da5afa84176642b23950aad9251b3b021e9511509386e186987e21b8e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.kqdwindows7ssb

Filesize
847B

MD5
adf3c882ca9b3dd10ca3e847e282cb4c

SHA1
372f95cfac82fca48a352e4bfb6cf42084885f16

SHA256
134d3ffc685978475208626f75d633ac6ac2c20b62e613b123256232684e51ac

SHA512
fd0bbb6d557ee55ebf7769577ef236f71418e1fa2ef911f28cb620e85143b26d36537a707360037f22d0a442ff7aff5ebc48b66632be47a001269d5047c18257

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.kqdwindows7ssb

Filesize
1KB

MD5
118653197588addf564394cd29ce329d

SHA1
acf358069055163816f67f522e66cf30fac1e7f9

SHA256
c3cd5ebeefbe0afdf412f5e4b4f40cdf5bf47b124630fd73a95fc234ec2ef0f3

SHA512
feb1c57e1840bdc5b9667aeb771244c0171bfee27c9acd59d93ba53a1924f521a9baa2ca814dfc467dd2551f008697424795f08afc860de36afc6ab7529e9668

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.kqdwindows7ssb

Filesize
1KB

MD5
41bb3119b6fe8360e689dd3e5de8affe

SHA1
7ec87d8efc4ba4357579d37825705b573c8fd7ba

SHA256
cc80d250cdd2a71f1b65a345068db4f14503006f00e6c4381cc3c0976766ca30

SHA512
dc15bdd0e53cbbe5223c1f796dd03bb2168caad18e798da9a5fa9d80c6c1a0eea6421bf9aab73f91b4f81b9ee0168d4f38a7acbcf36396d0e8485b368790ec78

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.kqdwindows7ssb

Filesize
823B

MD5
b6c2929680e4ed9bf736d1ad43aeed2f

SHA1
b183ad333241ba83d83a13ba397bdbe2d45eca6e

SHA256
a42d50c79b3dacd3a472f4065347db42716ea93abfbf0dd144e01076dd628571

SHA512
1c789b74c55d3c2a9cec7101db56689f75b2e49c9792b7612c1d29b55e88fa279b082a1984c9df0cda94ff97778d18a2b9715ef19208aa2969580fd656dcfbcd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.kqdwindows7ssb

Filesize
2KB

MD5
54f6115cefba38d7e630f9e0efbd307b

SHA1
8a9fe5f04ec3b4754127201e52d6c34da567125f

SHA256
961488e2a4b1e1fbcf169a2a83864aae9ce82f5f665813f3f2730ef797642b35

SHA512
b14ecbc5207497ef4e3ab4409c79d8ca7fec40bb80691b9fbba6f887b35ef66f8572bce139becf79e70f0fd18378b6edac4e6afe32b528f24e38734cf6b2d6ba

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.kqdwindows7ssb

Filesize
2KB

MD5
4aa2cafeedf28886fe1eece4b8085257

SHA1
1c57af0f7168ea35b4728181c44fdb5bd81471a9

SHA256
c0956c59bc47d4cc9ef7f7d8d18b05c1480f4490ea7715ae89e625acc9a5d0be

SHA512
5ba3774fe5865adb44d1f98d889e0e41ec0aee90a3ed83ceeaf0d41c9dff78c5dc5bba8eac03e09e67387c0b64a638d56e44179404cd553ee17fbda17a672dde

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.kqdwindows7ssb

Filesize
4KB

MD5
232fef6a29e4c92e1c2c4422e47be2b8

SHA1
8357ba2b240e2e47008a2c4e255b894be903b57c

SHA256
ec6592e9043f73eb443e314a6b4375130ba686d254b8562e35aaab10d1cfa635

SHA512
e9e77365ee59e8e93772fb76c00b185c93bd5c36e34ab0ab168350e94242a25c8a5471ad5266e7a144d9942fcb5eda6dbbf57339ed2c9ec8435eb6b3e3074fb1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.kqdwindows7ssb

Filesize
311B

MD5
517d544cf43d5accdae4cb3cf61d4557

SHA1
fee54dd5dc0ee232edf5fd481b1d7cff3943e9f2

SHA256
032d47ff0731327f3d129f6394de31c22456e0222a4ae945c6fafe6b76764cb8

SHA512
1c5e845acae7e0d06af3b25682519532dfc03bc9d05a5d5b44af7123c405f6af7e5234274f87f52d7158006f790df52fa1ed53b072cccf2d0c728c1b3f996542

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.kqdwindows7ssb

Filesize
407B

MD5
d020600cc296a840bcf69c824a394f8f

SHA1
c410094e466cd2e30a18274d13f0dcf4b9acc8e8

SHA256
2b31dcc7af972db2bdad32549e7ae4c005d204e45b9c9641c91e826caa90bed0

SHA512
cf60c026db87b61fb5c2418af892c4f545698622c58ed6a5bdc0f5eb1e7c9c2d7a74e6b78168fa0f5a4412b37a4bf9851682a2bfb834b66935227b1398a41545

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.kqdwindows7ssb

Filesize
1023B

MD5
36d97a5f5edacd4bb4507e6ea893213b

SHA1
2f7345691ca171f9c35af58cdc854164fbc665ae

SHA256
e8454394bb4eca477660f12eb8e28bd6fb7756c85bcdd598e20a0340d4a79ea6

SHA512
0d6c73da1979141a1fcb8a3e31dbc16a7880f201f9631a736304f9aed89c6a253d3944d009571097bf531068f4bc284fa56b0616fae06c602178559fe4c4e6bf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.kqdwindows7ssb

Filesize
1KB

MD5
18c4b17216b066d40b17f968a2c64378

SHA1
5c0d8a966d7ddb455596b10bd7acef13dd35303e

SHA256
9ba1e56b5e3c6d4cec4d3d5e9bdf0b81079e265f152979a12c841177cb3a5ae4

SHA512
6038bc9ee4324002470d5503ab09bb64ea58ee0cc2839c28166e2365cf927eb4706f0da805b671dd9ed79ba4000d154af34dadcddb24c5407929c235b358751d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.kqdwindows7ssb

Filesize
2KB

MD5
ab7b2bf8b6647146759841b92482db6e

SHA1
d2436cd999c8fa18d63181d7777591e0ff66bebe

SHA256
dbc74758864983e244d61a0f16a83449c0b4c45aae1c6b17bf9215ebdd452744

SHA512
5fbf622629f764c43cdd3907c98daec08fa3f4a4596ee5804daef2ef97443e8950be719154b860f68dba9d9da88285739aef6470116bf38b6cf0ffce623fddd3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.kqdwindows7ssb

Filesize
863B

MD5
d35fda53b6f803dfcfe3b7465e56c715

SHA1
6a47678b19548e0fecef660b6b5f44117676d8fb

SHA256
72899affcf49e761de89e66770bac322bd20da0aeb85884742e7cb44d19810e0

SHA512
12d4128845cd492aae0406845d7c6a5be5275762d504eab91a82a480858f752dd68633163cea741c913827ea541b901a31f80ac384843aae5c716f27353dfd36

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.kqdwindows7ssb

Filesize
32KB

MD5
c7eee6b4e7a7ad2a413a0c479ef70e56

SHA1
9c870979f8857376aa735a73a1fc828765bf5da8

SHA256
9d6e1f9bbcbf036060ef9dbd131871fb765824d403789554a2bd9096500a9ad5

SHA512
b5c3dd43550444f12759594c37a2f2e35314259762701e6edebb5889d417bf7d9ee2ae4205831da57430ca027ab5e1c4ceeb957d02b97fdf7f7b018972745796

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\Example1.Diagnostics.Tests.ps1.kqdwindows7ssb

Filesize
263B

MD5
17d966040e76c3dc50ebc8c3e229e326

SHA1
42580f1037cfb2f43a2807a7128fb26a25e34e7b

SHA256
161706426eea0a8620f8aba0e5e4658ea2db9419101c7e362e6c47993d430b8c

SHA512
520b2b68122f199c50cf01c6c4e8e28fed0e47b7a587a8d3a5a0080db98954c872d968c6d98ad25a238720ce3840833048eddee23ce7b14d9c1b196634dc8655

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.kqdwindows7ssb

Filesize
175B

MD5
169bb76283332ff06c935f9735a74198

SHA1
dfe1275c66458e785fd1cf891f59fd086986a1cb

SHA256
717f7de609ba32a650b184e8f26c45ac27bcfe01348f4768a8c6c591f658bae9

SHA512
958c542f79c6004bb88689d6c547d103cf3d3d3399ca5871ef6823e0fa81fa7df2c566d2b1994af5c378ab6fc49f2b634f651d85cd495e5c8effbdec4b445f52

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.kqdwindows7ssb

Filesize
135B

MD5
5c7e0c0ca0403cc5b4f92143cd92ad24

SHA1
23b13e91dabe1ecbb59d1d4c5ef1b19859d79508

SHA256
d9d54d1a3d8ffa70deaced42c7c367cc6cf599eddec907d7fe6e1dc638968b36

SHA512
09075d15ae6bdfef52a9bc1351fdf210c7b0bb0220afead636dbeed95c4aa21661d6cb8b63390d0ecb4eb09ca62bc6fa442143db49c9dbe9649a0a9afa1f67a0

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.kqdwindows7ssb

Filesize
135B

MD5
65882e0d2db802bbaf61ad5f6cce303d

SHA1
af095525c57a32243421c20085fd0e74e330dde6

SHA256
bae054ad728c6e10be8d16f1f543f6081bb47735ce93db538ae7786943beb8e3

SHA512
902cfb664aad1ce786f1be3236e1fb7403fea5b34d3fcef27c21fbf1c056f8d4d0714beedc3910c972248d0afdf0e5daf8db0fb77203c151fe0165112403bea1

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OWSHLP10.CHM.kqdwindows7ssb

Filesize
15B

MD5
db35c90203a3a68ebbbf6bd6138116c8

SHA1
a78031f3b6c76d5128bd6c21b42134d93d11599a

SHA256
5e31549a9131247f379d40dd9dd081dad5a2755411eec1863876173046cc34f4

SHA512
a0f227390cf85297d0ffdb4407414c844d3b8c95862a2703953aa4d3ba6052e088437b0819130230e3105d59344d05f47dbd5b1c4b95473a20d09acdb967b6b8

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.kqdwindows7ssb

Filesize
126KB

MD5
1793184b267331d7e7b0f293d2130e26

SHA1
d2b2f8fca79546e9b16ec5c1502705b6b5ccfb27

SHA256
f4844df38a0922eccc7a56d5696ef46a17756fe674a3859104c57aacae6a3e9a

SHA512
1c510f50a2de875071132b961ffb8dae80c473b66d405ac5272d8dcce67ce2a6c3df7ceba8b5733d3c0afd9168000f42b555d049e8b5010d9c2cff147449b75d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.kqdwindows7ssb

Filesize
28KB

MD5
49b2afa827db5099afeeafb4b1c6f6b1

SHA1
f1a843b6a82c22baa5a74994b8c05a0b488c56f8

SHA256
1643b86c51107e38b1b138c74e0a5e102dcef7e55b046e2b588ae8e47d02c1d8

SHA512
c2ba225bf3cd5f5c914d879d39374be3e76de94c37a23e2501d9f9757c9ee0d0560feb963545d7c544de16fb8f5d99e86f96c6278615721579131b58df6d9c5e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml.kqdwindows7ssb

Filesize
1KB

MD5
c5d15c9183f9e195341f7167caa3ebcd

SHA1
ea95fa4179979bc31da0e3db034ec19d4aecd610

SHA256
6609a6b9fcabfeb61d8ebc52d163cb50f6bff569d31e2828ba5c5c99134e1b43

SHA512
f81e1d8113363e317ea2bdb809dd2e13bbc594598f8ffc34895da901a90a2d847a85932dd40972e61d8d56d1e5e95ebd5c92cd2024487cdb679fe190f55405cc

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico.kqdwindows7ssb

Filesize
52KB

MD5
628c375468410fa3693c8f887842aca5

SHA1
0c2ad1e1ec766d6be42f45abfabada2917a2c297

SHA256
fdafd6d976fb6ae45c9cb07bef7aeb1df5a38e9a1bdf61281486569275d7a76d

SHA512
5624944f847c8c7441016b386b2a9cf559edee4491e6cab0e8eb6e71083bf618b60fd543949f0c197e13696d936643f886a16eb213121d9ea75e653c28647c6e

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.kqdwindows7ssb

Filesize
148KB

MD5
92831e0ef3534614b1a67fb1d19b50cf

SHA1
33f72677139e42af8d77838c3af5a56bd4509ee9

SHA256
6381a292974877004737a0e39073bc0559d37a01a8318046ce87509e11bf52eb

SHA512
ba8dc14292793d331ab716def4ad5a0bc3b2494bf29f4e7219aec30330d0d681f77fee40f96a1b352bc6f6b2aac2dac7c044f9a6f2441b2c159b903f34e613a5

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.kqdwindows7ssb

Filesize
140KB

MD5
55616b809908677857f11eb04a3b4f32

SHA1
add61af66ca5a923046e6847b85a8fd0e93a0a1c

SHA256
be504eff5cda93fbee16d22e256c831332f154ce027fe39f1792e51f02a95bc3

SHA512
c5ceafaed999b6dbac175bcad21ef7f8fde8149d19b1d52e684fdf311da0318d8aa1b77049b6385670a306e5b59075939065d7b81b24a29f1f10f435e0ebfde7

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.kqdwindows7ssb

Filesize
180KB

MD5
927d8445a6ca0d6fc459b57576ab3e4c

SHA1
8601fbc986b857c9e25f587e40b4488dbac80036

SHA256
c0f2e559357d392cb735030394229036484bed63eb1cba07c72cd843981f9533

SHA512
114e523cfeb475d68b1e72a6b2696fa6f526a9748c3de82e10671fd6bc7452e6b689278f2e5a43a062eae6d07c0204d63315b2c096ca85c63c6cb321db65846c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.kqdwindows7ssb

Filesize
39B

MD5
1e69599e54498a088db8f63ea488574c

SHA1
fb95ca95044581ee07e547c6440b856c10a1b76a

SHA256
9d09545cd34e6c3776e58326eb16cf0d8f2b757c44a0c6c87db388645c148e39

SHA512
05dc61d072614d9aa6e0b43f24833e83f1b2f274cacb17cc5fa9db2cff9c8c0ee381bbd292687d49492a30895f112a6ee5ce5648a99852baa96acf65a50449f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.kqdwindows7ssb

Filesize
63B

MD5
2fa3dc0bfa8266242654ff21c310565b

SHA1
374a4eeb5348e0b38ee5cb760f5372f96e025877

SHA256
31fd2ba8f93065aed63425774d0f7494810aa716726ec0e298eed19465dcee9d

SHA512
ae69e0416de7aa492a05a61b0994411a7248f46e777d96a2f12afa0403781140d079dd47e58f4a9cca9af47688c67f5042f2ddc3f038d6ab6bc72d6eef209449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index.kqdwindows7ssb

Filesize
47B

MD5
6c74d18d705d060bd64483326e978e75

SHA1
e1f4cc30b802cc34d63c42ea9fddb30565743be2

SHA256
2979e5eda2e3789623a5d92c67d90b9ce6b81161fdf212ec2480425d2464bbee

SHA512
b074bbd06a1d4b5a1a78a276da2eb89669d10d095cdc4e6bc481fb7e69c6f2d375ac1c24b8ecce4cd0607b45882fab17197063598c43e2406b06e9380d8ad039

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_0.kqdwindows7ssb

Filesize
8KB

MD5
13fb73c89a25fa10e6721f77dd1234f1

SHA1
f69a1b99c416563c54e6fef44d6dcddd9bf0689f

SHA256
392c2b0df09bffc0c3a34c161d436348cca76848024b967152e735f9e7f49625

SHA512
800a45e28101c0e781729b86e96af9f3c48a42df910e5780fb5811aee5d9c4e2ec06fc22bec0813ab3d7f329fac641b1975d5c22e434e4e9a705be0674f177c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1.kqdwindows7ssb

Filesize
264KB

MD5
bb749810bc8a9fef797a9d7db0457630

SHA1
95b93787e0b941ff1f1fb63164b293e2a637c894

SHA256
3c6bde4965cf79e205244271e5a9a232e08a92a4a0e4126db6c34e8833d75636

SHA512
af4620d0ca6d9f4ae881e9707c0373c892a6e041336a67ffa1c25ee333f9649ee5ad23b2b3495c55b8238cbc63186c527ccc08d010a4d4715a6837fc0c5034d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_2.kqdwindows7ssb

Filesize
8KB

MD5
6dbf74dea913bafa135ad12e6918f85f

SHA1
d224d0802a377efcc98137511f13a2c6084f3450

SHA256
70a8ef447998887b77f9019619a44bf06ce57e572d4ece01207258bcb562768c

SHA512
0cc08261bd63565981066a3ea0bd300a43717df0ab60d29e254c8b74288328ac22dfe3f7d1301325f6a92251b970e9f89145be827d820479feb8f20d8c261e1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_3.kqdwindows7ssb

Filesize
8KB

MD5
4b0f62551d18bdd913b8de5edffee8a1

SHA1
5e0824f607ce816a51b79156e2dbb5538462ddff

SHA256
d3ad59ba5a6a23c41b93254af7436274284a208e22194a7530926b115f8cda08

SHA512
8f6d314465834e9f9878d3af0f378346cd338c5d0efd4912e7dce9a68fa631ca3fd3d8d563858271b65e589df3dca5cd307dbe1a9721a1310f960bddc83f471e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.kqdwindows7ssb

Filesize
36KB

MD5
d7f5893ec0639c11ea08285607b212f3

SHA1
51742c6ace0bdee137ef699e5a0e926e4d996134

SHA256
28e9368122225adc10575fec56780670606577a325fc8f076db19a5747c741ed

SHA512
f1a87df6c593d264f16bf6b1d3c66e77f768c2f65d1c8ef6cc419757706b8767a2ae94ebbac4c669607e142fe88addcda99544a1c075069e1c2e1ce81c2456ab

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.kqdwindows7ssb

Filesize
36KB

MD5
20d10e20ecccbfbe622517efd0e41fef

SHA1
d415331d0061225c1530c855664072b21ccd6a68

SHA256
cabae85d036748ee3a4298349e13683a3ad2d815284db5aaa8544919e0ff601a

SHA512
59953664efeb5c5a22a576ae50cbce36bd44eb99fd83bd6f20d86d216de690392392ac0a659f04a64e03eabdcb1186e56644a3a1a1e629425aaa5ac44aa7f228

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm.kqdwindows7ssb

Filesize
32KB

MD5
71a2b625ca9876be58babd2e57e1a63b

SHA1
7deb923242d4eb0373b5062daac24c7ccd194660

SHA256
ce7315ac7a69217935924db271c032542ccebc67c16283e264fc2fd9b2aff9f0

SHA512
65a92450b77c0df0f75e2fa7a57b6d662139d669e02e3df9fa6cf463099748bc8b8653b068a31afa65b6c2955ca6fd8fdd4fbdda7beaf0d67e7064b9d7666bec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.kqdwindows7ssb

Filesize
48KB

MD5
9840c0da1ed6176bb9100f2fb93a589d

SHA1
52d30eaa9c091407f4bef77157e77c0774cbdd67

SHA256
9a15e6a26556291ad76f1c6242a366ebd81717287801e522c14e1c3f93f2922c

SHA512
630d3699475dd8b189c13b500b4c5e0c45b8f333e06e53b912ba53c42d4494299c38db9ea1a6da669fab19e916d1eda009136638abd5398437acb014258609b5

Download Submit
C:\Users\Admin\Desktop\Payment.exe

Filesize
1.1MB

MD5
9f9bb9ee4952cb514089910e19eac5c4

SHA1
c57f604e8eca50df40df93a6b0c3d65ab8d3b198

SHA256
0c9844f11b7b57547891b3cec86bd3468734a990768dd9f7a9a72cf6a908b17a

SHA512
8661c46618d0f8454a278d6a4e1b85fd9c9656c2e59feb6851087bfcdb53bba5015ce023cf6d0504dc899ae6fbbd4f413b45228eb2c8eb6965912cb32482d14f

Download Submit
C:\Windows\Termite.exe

Filesize
1.9MB

MD5
842421d3e233f6a1577892b49ef8971e

SHA1
ef3eb5d43855b9cc77edd967b57540623466d993

SHA256
17e1e290e2c354d5cc4d31ebdfefe46e8fc4e6bc29fc108f1c91311e737a028e

SHA512
1372880857a28260530cf57ca900f9685ebcbeb06c49f4d1fb47c4e3892c366cf44b79947ff00d6bab5471aaa67e785590e2c7b841b601f7e933441742a93df7

Download Submit
memory/3832-171-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download