Malware Analysis Report

2024-09-23 06:56

Sample ID 230516-hbekdsab7y
Target 7129291FC3D97377200F8A24AD06930A.exe
SHA256 650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e
Tags azov persistence ransomware spyware stealer wiper
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 7129291FC3D97377200F8A24AD06930A.exe was found to be: Known bad.

Malicious Activity Summary

azov persistence ransomware spyware stealer wiper

Azov

Modifies extensions of user files

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

Opens file in notepad (likely ransom note)

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported 2023-05-16 06:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-05-16 06:33
Reported 2023-05-16 06:36
Platform win7-20230220-en
Max time kernel 148s
Max time network 33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe"

Signatures

Azov

ransomware wiper azov

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\CheckpointPing.png => C:\Users\Admin\Pictures\CheckpointPing.png.azov | C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe | N/A
File renamed | C:\Users\Admin\Pictures\DisableResume.raw => C:\Users\Admin\Pictures\DisableResume.raw.azov | C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe | N/A
File renamed | C:\Users\Admin\Pictures\PopNew.png => C:\Users\Admin\Pictures\PopNew.png.azov | C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe | N/A
File renamed | C:\Users\Admin\Pictures\SuspendUnregister.raw => C:\Users\Admin\Pictures\SuspendUnregister.raw.azov | C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe | N/A

Enumerates connected drives

Drops file in Program Files directory

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe

"C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\RESTORE_FILES.txt

Network

N/A

Files


C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21300_.GIF

MD5 2a86d47d936b5ffb23a72807150a0dca
SHA1 42d7334e275854f9d01c0ecf7af9aef7a3c765df
SHA256 953ee2103a24d27cc6a62ab999caf83c147064be00e38f80b9e82e4e25da170b
SHA512 fc0f9a8421ef13272da534d0fa6d6a7c7af55cfbfb25e514bb5bb9de3ae50fd2c76a066b67e025f281176e33bde42bfa08f56ba59228f5b3086474285793e099

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21301_.GIF

MD5 fa993ad253320035592daddae929db0d
SHA1 0c3cf71bb5854aa1e6fcef88edb2c5dfd7dac6df
SHA256 f8f80a068036f3600b44e99612eb33ff061c0fcec7ca55cf3050763fba4499ed
SHA512 b89303ef3556fb10745b782e25313a48e6453dffaf6213fe171e1cf0c3d83d2fdf909de616c8ef772792e3a4347505879db89faf0d973a2d34d3033ca152b6a5

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21302_.GIF

MD5 e1da40b2b89869dda444378f0663b029
SHA1 3a533a4bc1cd89941a6ef7af97fdded4399e5d21
SHA256 5876aca04d4add1a5b5acca09f8d4bfbf366b4ec32a1ab21e89cadf7f69f27ea
SHA512 978c5fa4cb57b9ad807e9ba880be764bb66a242ef85345e36af66e858c098c6793ef166dc01cfa8127dd4a82b1da9ce64684169a073ec9e3357e99d7e0550dc8

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21306_.GIF

MD5 4b24f2806499781c651aeec5c3364c70
SHA1 3bcc124e8b19769c5e8ab8af4bfc561f2a3414a8
SHA256 bd66c3630c3b658cfe001858b9c134914321246e68c76e7bb4e32e6555ee43f3
SHA512 d864e19ab21a3231ce4311db56f4464b89cfc9588f45222028a7e749e457fdc01429a7e2e62924c644db987ff9b70a98c9c8ea0c39b4a9089cc1848ec7c6d8e9

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21312_.GIF

MD5 9b65d3b7059584a19a18e972b9d4b37d
SHA1 b096d400cccce20ead570c9f4b954b99a52f1e73
SHA256 8286e3bd597bc6428da845b4de9144ce45dee96330edbfcf6fc1fa7b8a87d146
SHA512 6ee5babc2b0be435a9b78152ed7ff4169357c84126aa1726e4edf73980c8ab4f42ddebcc134757d18ec95d577d10208f89c886cbf119910574072ba9df124f36

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21314_.GIF

MD5 74f7a0e850990da226b019d15db25459
SHA1 887b41424d57aed212ee86ebae39483a9067ea67
SHA256 2214386f3b7ab9292340165caefd209465e54df4f3956bc7ce380aec7ff2eef3
SHA512 2129176c4ec479a955329c4214f037e548c4ed7fbfd8753d4da66322846c92ae08301736189bb1ee533b7e9657dceff368b21167156f2b14b85c5109d56a42b1

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21316_.GIF

MD5 45f353c1d78b4d238e754a68033e89b2
SHA1 76fe0644ecbf3069b8f32bc22b8c3e57c4624abb
SHA256 92af714b56f496fd6bf01883494fb255f7b97c2bdd853d8edd2a0bb48fd8bff2
SHA512 cb6e8bbedeb73e789cd8cd5d1796760903c3f2afeb43dab9657e85cd8f64159e030002c56e84f509be48d48c7b1d5e42d592f76abfab0e60769070cde602ceac

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21329_.GIF

MD5 5973b686b62824c54fa3c8cc4424864e
SHA1 8d939aabdfa1b7dded76194d4eaf7f813c92b020
SHA256 f4ad69505d36122da3a7a81ba186137d43469429d1b92ae8bb58792f640393f8
SHA512 6c58b753006bb471b53d4d250512682d088002badce0e344f5b36ae2c2dcfa67d4ef7c5002844137479e66e278b4fb5e25e0e577542c4b28f20bab89c9ab72c2

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21333_.GIF

MD5 91d6339d24907644592dd6dd0d1d45b4
SHA1 32c3b3adb877cf8cce9116eec329fd2c913865ca
SHA256 bac31e1b67db57cdc585a40a23bec65780cfa6ec3ce4b23360465c11a05b7f2b
SHA512 3b77f3fa333b682a01cf897b88cab99c881577853b266a37235a649e6a27834ab7fcbe941a02d497315ab9efd27bd343a71ab35f8c25dc5715640c754148153a

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21337_.GIF

MD5 37165b7a47bd5cc30c3b41ce197a3c48
SHA1 ef313cb927357a5806efbebdb10ebc58b4c40c55
SHA256 5987982b81a6d431d1fa0ad80dd2e4fa003b4da3b56ec2a627d96d76bdf583c0
SHA512 6b64e1ea58f66d6118690a6a8f1d32885619e9adc06ed472cbba329c3a956a6c266a8b108a1dfc4aa10d66f453ba4c41da5f5dfe82e6bf38a6fd9e42aefb2fcd

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21339_.GIF

MD5 c722ab16fda80b717ac2de95deace7df
SHA1 bf5db933a592a5a322136cc3c6b641d301f8b12b
SHA256 557d08f719e57ca67eae671d10bb227c94346b88ba19d9cd1e5dda1b2adef424
SHA512 b7811d92df31d3e6ee44e7f1415f63fe02eeeebed54a0022211c6a7ca046bda3c6561eedbfa816ab12ccf995edd460d65dd8c75492f96f3d4cf7baace7e504e0

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF

MD5 55c982131d42ad22742e8b4b4c35b026
SHA1 30fa5ca4d39fbfd23f186493280f19b5d899c257
SHA256 5faa6435c53183e75312ca739db95615c84c75be8999c9060564b976562baa88
SHA512 b6c61ef3c5528dadb36a6d7debd688e4a4dc0f7bdc2bd8261d0a228b02e868c4e35e9e041cb234b490b663551a23498fa05b0625d8162880c337aaaa767cdec8

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21343_.GIF

MD5 98d6929a2e795a00c350086d930fba01
SHA1 f0e405719f436f667b13bad025e50baad6bff7d8
SHA256 b75dbb7c2e8047f7e31ee892561d298c94f66d12c4fce4a712860142b399d19c
SHA512 20f6a3bcdaee61fc9b26543143c40a6cbab130ed102d745d344c8502898c094479c34f395931345af76f97a90ff18e5a510e65a7cd9e3ea939be7779748d3555

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21344_.GIF

MD5 8fd7bbec7fbc8d02872e096a6b7e775a
SHA1 f8df4436be56f59dd52f1c210fb62dd26c34743a
SHA256 9843110957655520aca1131cadf24b438f7aeb7d7f78c87d7e17ae5c97aed6aa
SHA512 1d7104b6316c78c6cec8354785354f1dcfc6ec76d6217c49ca25b2b81f8703dddfe29ed386a0029254d3855e232ae5cf5192bd3811f26ad2afe347c8d58fd199

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21364_.GIF

MD5 5876dfc92e6280482f900a0b95e23281
SHA1 691928629792f72405eb547cf648755492344381
SHA256 b4c88e3c153e870aa7b8eefca0a6225cccf3b2c50e9e7e1197a66f22a3ae9359
SHA512 9eb650fdb80cfc8b72a121ba8ee02b24128da2d5fd46c25aa0c4329f6ea67c000ce4310f5552675bf860da49d23250aa1ec0ada6abc5d2827787d17ab41736a7

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21365_.GIF

MD5 d7735d33ff1d882d1d6df4154cdbd2e6
SHA1 865826b2aa2510484fc7bbbf873587043219be9e
SHA256 34ce8c867d4f3698da5931f33138364abf1ce53e56063f664d396ca58773b037
SHA512 51f9f772cdcd6c83d58cb79aa6f7f964d5ad0699fc4bcf80f5e0d6c7c10b2af6b14196d20e64e918fadf86b9028ad4da92f95a47094dfff6d6a5e42df884a974

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21366_.GIF

MD5 0fce3fc8f4100b9b149bca5a3b602003
SHA1 707a64c4c0e8e43ea9164e4a4560f6d7d624d1cc
SHA256 ada83b26082e1274fe3b480fdda2991bfd2a9c6462d2f5685ca647dc29f0637b
SHA512 6ae4c3c5db65853154de0b4e5c002949cb429e3c5174ff345f2451b7b6c40fe4546dc13ed3a08633bd98976579a00c2c6a3219de3457c6afa9ef00fd9fba6a42

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21375_.GIF

MD5 fcc8e72a35083fc88529246dbc530290
SHA1 4fa28cd3302feeeaef40a9227cf7e4601620df1c
SHA256 1abd2838e3ecbff1d3a0d9a8789bc7b83295812ac7e239c4b2e2b38f35c79777
SHA512 84aa0282ffc706483fd7578051e15f66bb1c3fc027ec73e318aebb3b88e357b56b1057037cc978c89e2c3924314639e71f133be3e9757b3333c76566d4db5174

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21376_.GIF

MD5 4536a6a9450790116b5ccd21098f20d1
SHA1 e1c35e647666b1b82058419cda688f8610f69399
SHA256 451ff1ca93965caf7833da35c24830bb9c33825d2054c01fe78ffae1426b14a7
SHA512 d452c0489c8040cd7c60672fe1407eb3aec3367b578181681c0d4939874f333cc03bbd9b3deb2065f35f5275f1014c689e81d3d7332a8851521c2f6c7554825c

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF

MD5 0326e55827a4234fcc328c73be32d6e1
SHA1 46fef2bd80a33e7f0644c3e365ffe01113f0f765
SHA256 377df853f278a5eb7d03a2bb70e20c0ef87502da8bcc403bdb8627041985ea14
SHA512 f3103f8cdafb1f394b0d4e4877a74850b4236ca9d402608909cc5c769e653703e6bdeedbc1b8ddde8bf05c479d5ed1c90de4535d25adec34315837c308897f3d

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21398_.GIF

MD5 244def9ab7a6eb7ae0183866c647bcc5
SHA1 f6b840d18ee4e76bcde3a577d362c2fadf22bd89
SHA256 bc54433972cef91b7770e6b0aaf5a04317ef14d0c6d0ea9f63d2ff3fde5fdc6f
SHA512 c378747d39b47608539d291df712ef1e4fc99152237c40796bba016e85e64b8eeefb5b5ef22e9a5879451454b85753ca096f29aba366989914721afbc4da77a4

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF

MD5 65ec9cc600ff89ff27eb0e1e2de2854d
SHA1 ac13d8f3fa99beed8e358cace75edb0979353b01
SHA256 9290fa3b351addfd761d7194398d0b7ef648c4290ca9e6fdd688ee891c742ebf
SHA512 4cac40fd9e379b9c21a3741b504b339c240888e807a92715abf7e3f9a0e67f247d8b56522bbcee793cf99cf96124e1a7ec4262730b148887f917e3f629a7b0fd

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21400_.GIF

MD5 189f6c8f73e6f21a821e5443a869eff7
SHA1 4a86ebae146bfcbd2d39427d6399d6a1b455425a
SHA256 f48358e885d61ae3e6f8b4ccda9efeb0ba30b5e12827ae94b88f318a6ba95105
SHA512 f374b9b8ce42baf414892776f9cc11a7242c579d47f5670d33040a7ee065204f1455765db0def926c32c1b025f694d82648023a12420334110a067c60081fc75

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF

MD5 6866fbe819a82b986b1e70937af65f06
SHA1 b66aadcdb27025690df907b7a17ef90e5bca3150
SHA256 1cba8759ebe5895d73985c531fe71c466aef9e5036d8f14ab66e6cf049e0eb81
SHA512 a4917a2a9dc0edd52e14a1d5c898698a23e63b87f88c549b3d797620fb4a85884cca85e584f116078a73db926058cbae829ceb820dab39aa04986e8fb073fba8

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21423_.GIF

MD5 c818f5a1659f341d07f9279052456cd7
SHA1 6c1c57c1c6594c0eb16a5a3f099e7bf0fb1f61af
SHA256 f3df50895b5b81fc26efdc7b5d6d49d2fe1a5c87c74da042e86932be99720268
SHA512 d33d6805d6fec24f6cd211f0ee57c79494224c7ab5095529b92e12521a151de1cce6f08a0b80b7e5c2c422309868ddd6b0f4d4436f74dc5e4c890452e80247c6

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF

MD5 687506fb06a7a594c839b1050eb4231f
SHA1 61397a9e29957d198ff109215285360bb4963923
SHA256 5706250375a8ca95e62425f887a2a59a2b6a40885d9c432a3c090ba94d1fed8d
SHA512 86afc6079d41e9638c06489ba2c70a62de69435a9b0598c4a1421aed52d9e93c07ac69c4c31e00d4269559358d888005dc447ce4787fc2fc54982cfaf1f39dc0

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21482_.GIF

MD5 6541248dd93ad43d43b36801f0334fa2
SHA1 2276fc2478dbf2b27b2c79e16e9ec5d3f95dae83
SHA256 5e003cd899eb1857718b3d1570675bf55df0426001a3e966c6b4ab94ff60499a
SHA512 989fbe63fc01299cadc5b86a6ae2bc023d3102788c4b413e4d851c8db8d31880d2a9d13f6d2ed4cc84e2151dd20ae754bc1946585063493454ba1790408d27bc

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21504_.GIF

MD5 166ea1466bdbcc23b973aa8e56b8c3f7
SHA1 6702d13f10c40ecfb92eb65d1b8bf152b1c0a021
SHA256 3b2d65cf401d9325459b40c53326cbc948acaaf6e4b915ada3462a1cd27074ed
SHA512 ae9823ea50f10cd34ea5b1d5402f26ea246dba8efbde083b38726371c673ea2f7187ea6e53f7c89d185da07e5fea117b43bd11c96fd205d32b5c0d4a26ef7d96

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF

MD5 6503333e7b0b4b89b6abe6c973a2075e
SHA1 ff134650e56fda2087207a7769839fc45e1ba3e0
SHA256 59031cdd028ef181c61c3ec65a49c88e310e09e53616edf21edf4ee1f9bb32d9
SHA512 aaf78feb4ddc67dd934694357e83088f7408fdf0fc08511dd58ed9595c7d6d4180f35c008d4d371e1f75a25b4e7d84ddb3f9cb65625f399415093772d9285e1a

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21533_.GIF

MD5 1b0ac4d7737592ba195f99578e5a2e73
SHA1 19bf08f45cdcb2b152f0e22aa720501794db8e9f
SHA256 aa4c541d4ddd9510033fe3643263da544aaa09911ab2bb6077ae45d6012bc1d7
SHA512 dcca61dbfb28b7ea5d53927bd78ab4aa0371cf8cb55ed6bfd4ff893cb36e32a7caf59f07663e739447474ccba7d24d0db658ccc6f7db5717d625f9c312ab7b5d

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21535_.GIF

MD5 03dfba1dad2a4ff3dd0134f31fbad773
SHA1 262db5a227d24c97e35df560c92ef659463bf818
SHA256 f6be62fc0af7399a7bee3823791c6675c4aac4c4a6a4fd385149c5e6c4189890
SHA512 f6a1ede513fcc82a493df0def27be040fa319cf7c79a892d3ecd10009d45b9a0cbd3c6437830f9ac46fa117549bfe13a5aa7ef27641d3d2ee24bb62826377182

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115834.GIF

MD5 9dbeaea9536292c0d063dda6922fc25b
SHA1 261b8fdf5e8cbbbf4a6b357412ff65cba3eaa83f
SHA256 f055f56135635c363ad86172aa5cd2ab6e56d31ca6fb7e4f20d08d7c8d174ac2
SHA512 957341f2213880c7494f49c49471b4a5a1b7780c50db3d2702c7a989283914fb7b43f39094f720e11a9d341fc04c8869df2de81b0eb3cb8b59796ce5569f928b

C:\Users\Public\Desktop\RESTORE_FILES.txt

MD5 78ede93114e65f9160fd03d3357c56e6
SHA1 88d531b101e57655f1d0d26c6b3257aa2468d460
SHA256 c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5
SHA512 074a4c741273902ccacb6f573b96d8accedb2ee405dbd04350cdbf54d180c1fd577a4e90c2aae26bf72f3782403f4494db6e3501a04cfd9d7d81a6bc14884b9d

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-16 06:33

Reported

2023-05-16 06:36

Platform

win10v2004-20230220-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe"

Signatures

Azov

ransomware wiper azov

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\OptimizePop.tiff C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File renamed C:\Users\Admin\Pictures\OptimizePop.tiff => C:\Users\Admin\Pictures\OptimizePop.tiff.azov C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Users\Admin\Pictures\PingTest.tiff C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File renamed C:\Users\Admin\Pictures\UnlockNew.tif => C:\Users\Admin\Pictures\UnlockNew.tif.azov C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File renamed C:\Users\Admin\Pictures\UnpublishConfirm.tiff => C:\Users\Admin\Pictures\UnpublishConfirm.tiff.azov C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnpublishConfirm.tiff C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Users\Admin\Pictures\CopyUpdate.tiff C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File renamed C:\Users\Admin\Pictures\CopyUpdate.tiff => C:\Users\Admin\Pictures\CopyUpdate.tiff.azov C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File renamed C:\Users\Admin\Pictures\DisconnectBackup.tif => C:\Users\Admin\Pictures\DisconnectBackup.tif.azov C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File renamed C:\Users\Admin\Pictures\PingTest.tiff => C:\Users\Admin\Pictures\PingTest.tiff.azov C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Users\Admin\Pictures\SaveOptimize.tiff C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File renamed C:\Users\Admin\Pictures\SaveOptimize.tiff => C:\Users\Admin\Pictures\SaveOptimize.tiff.azov C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File renamed C:\Users\Admin\Pictures\StopConvert.crw => C:\Users\Admin\Pictures\StopConvert.crw.azov C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RESTORE_FILES.txt C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\RESTORE_FILES.txt C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\smsconnect\SMSConnect2x.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-48_contrast-white.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\RESTORE_FILES.txt C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\ui-strings.js C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\RESTORE_FILES.txt C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxK C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomSetupDisambig_RoomScale.jpg C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\ui-strings.js C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Eyebrow.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-standard\RESTORE_FILES.txt C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\RESTORE_FILES.txt C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugin.js C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansRegular.ttf C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe

"C:\Users\Admin\AppData\Local\Temp\7129291FC3D97377200F8A24AD06930A.exe"

Network


Files
