Malware Analysis Report

2025-08-05 11:47

Sample ID 241031-fwz1qaslaj
Target ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN
SHA256 ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54e
Tags
defense_evasion discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54e

Threat Level: Likely malicious

The file ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery persistence

Adds policy Run key to start application

Loads dropped DLL

Checks computer location settings

Deletes itself

Executes dropped EXE

Indicator Removal: File Deletion

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 05:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 05:14

Reported

2024-10-31 05:16

Platform

win7-20241010-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\windows\alg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lsass = "C:\\windows\\alg.exe" C:\windows\alg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\svchost.exe" C:\windows\alg.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\alg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A
N/A N/A C:\windows\alg.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Mozilla Maintenance Service\RCX6EE0.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCXC8C0.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\RCXEE0B.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\RCX1FC7.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\RCX55BF.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\Source Engine\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RCXDF93.tmp C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Common Files\microsoft shared\Source Engine\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\RCXF0E9.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\misc.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\RCXE6C8.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Mozilla Maintenance Service\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe\Updater6\RCXCB31.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\Install\{746C00E3-D163-4E65-BDB2-B93B068F8BCB}\RCX29A0.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\RCXE68B.tmp C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\RCX2665.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\RCX203A.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\EQUATION\RCXCE82.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RCXDFC4.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\RCX35C3.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCXB2FC.tmp C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\alg.exe C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\1.3.36.151\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\RCX41DD.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\RCX588F.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Mozilla Maintenance Service\RCX6ECF.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\RCXCC2F.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\DW\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\windows\alg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\alg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe C:\windows\alg.exe
PID 2036 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe C:\windows\alg.exe
PID 2036 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe C:\windows\alg.exe
PID 2036 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe C:\windows\alg.exe
PID 2036 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 1804 N/A C:\windows\alg.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 1804 N/A C:\windows\alg.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 1804 N/A C:\windows\alg.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 1804 N/A C:\windows\alg.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe

"C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe"

C:\windows\alg.exe

"C:\windows\alg.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EC7BA5~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\temp\*.* /q /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.365xinyu.com udp
US 107.178.223.183:80 www.365xinyu.com tcp

Files

C:\Windows\alg.exe

MD5 f2128fe384c2b474aa6c6656b967c250
SHA1 c1bff657915f937b70c71348f64494a3791bc7eb
SHA256 ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54e
SHA512 39b711228c7e2d4bcbc08345277f0003410fd71463a46e1367de4dd4eef2c3c3c29712a0dd2cba928a00ab27eeaea474b49a4fbc31cb6f870a0b4b0d8a9b6640

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

MD5 a41e524f8d45f0074fd07805ff0c9b12
SHA1 948deacf95a60c3fdf17e0e4db1931a6f3fc5d38
SHA256 082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7
SHA512 91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe

MD5 e84927bc7e4bef6af8daf8640d95325e
SHA1 796cfbd54995d1340e3bdd9329e6d165af8c3859
SHA256 7744d4c0da090157809e65259fb2682e8149b3fcf64a055607ab04f0cb732ea6
SHA512 dd8c9e848100b8c67f8ac5a01e76bc11843e36824d501eca797c9560b0c99a1349ede26e5da0f57a1c66c817d0caf99284dbf968e9f5df442a7c64c88dffb261

\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe

MD5 55e392d1bd55a1292b6ce766225416e5
SHA1 06d8134a3002e6974407fb5da0a59ab43415a52a
SHA256 db42cb95904cfc6891df2aa736506fb34a26cf9a26e88ab0ef262e0459344a3e
SHA512 0c55062cf8debbdf1a7a4f41527e43cd124fb7777e9b930de9cc900abf9c27a1956a536200e23dddc9a4068ac5bc9a8052299a4f2cf010cffd205a32d99581a2

\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

MD5 e16dd9faeca97b4c185426e5672becba
SHA1 f32087a346bcc58dedcfe1bc32f221d486a385c7
SHA256 c21bfc263890f02763f56b4e9f5cf9113656cf09d7864b53ec2fd2024bdadd60
SHA512 582180e0c7b35660114d5b1d4d5c92d75615321a74d160c2c7bc92b91a2c2b7ed758d63e2bbbdb1658992da6fe7ac546d7f4ea9a6c73a4a503989ea6e1a22d6a

\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe

MD5 dc6311fbfd49f41fbf35860a30e68355
SHA1 b08b15be412e843acaf7ad5e6df0ef1e8bdb465c
SHA256 ffdf81680522029c2eb578a9f442fd9692900a5c782c711e35203fb2d25620ba
SHA512 5e2938f5a8396154928a7d093db3843d73497cea4f49c0f1b77e3aac6e29d1db7f0ad4518587c336f0dfccb67ff33aac8e12afa70503504c5d8d46d12a86e453

\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe

MD5 6ff84be315cfafbbdf36aa01af8389e7
SHA1 2c550a4059ac331f5f5c9d3f218e0f6184aa27c9
SHA256 47c67c1c88ceaee3cf1667bf956a3e11a84dea2f7c2afc634777aa5f1bf65c76
SHA512 72498b009573a9cc9b5554e61d56b68f273682bfa2e13808f4abd5b2171aa59dd4a64bd9f68a3a416cfaceacb0041df918d8a84f28a5fa7f204fc562c5b6b174

\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe

MD5 cca0c5482b8a6a275d9d49433f435dfa
SHA1 a72ae8621386e13c34055f612ae7612b8a18a39e
SHA256 6ea08bbcedf7cb51cfbe4896ef8c589a4568b1d5240265b1dcfda83dc8b55365
SHA512 b88f5cdb4bc08429ca40d24cef490128d341e10615d1d93d084b3247c2b28573d177d878c1385d3941e16a8bcc8a9f6b7870c152f4a43d02e69c05defcc9196e

\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe

MD5 713a30695b671b6e3b19b7d09f9d8409
SHA1 83916537c86d7dc1043c752f195f04fa42813afe
SHA256 6b42e2e9822b99f5f13a6d1f639fa64cc93001266ceb7a7d342da1bce84d5c08
SHA512 a450c691e0c8d16519b418b366a260360a57e8511c6975f2e3029c41f30a68d83448126c3d57c9fb36b3a44e839d4bbcaa73e0adfe305a71e04def2fd990cbf7

\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe

MD5 69b16c7b7746ba5c642fc05b3561fc73
SHA1 83d80d668dca76b899e1bf662ddee0e0c18ac791
SHA256 0deceb6b1b7a2dd1f13133ac7328ff420dad4610cee1fa7466e8e0f6baa39116
SHA512 6b8eebcfe5b04141640047fe468371ad02bb115ee9ef00260c0b33cfd56b142c2e01b3b1c6f07281aa57b1f3b9fdb1f1082fe5620f88a57b92d8f547267ef154

\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe

MD5 e5b38b9828293047f0352f7a38a22fb1
SHA1 681311628ac93f84371b2a069fa220dc89a3f672
SHA256 b85aeeaede189d9f56c843281a492cd8ada329f0b5b8b03d5a813eba3a290b61
SHA512 ed3e369451b938a556fb561afd6fd3ff5cfc93e386b035014fd4824a808f1e92e6d095ab33c340e6cd64ee00122fbd882abbcf0e15f3ffdb29a4fb9febe42920

\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe

MD5 27f8ebbdef6e8fa26f02d74263610729
SHA1 2ecce90a5b5661dbae6cfb890443cf8d47f052bb
SHA256 9feda23e175fa401fccd34614e2c3afde740c2ebab9a8fbc710fb9d08b712829
SHA512 71884b8e1d7042813f9ea6813565807cfe7b57b7c2d838ebf90ec2f34ab2a6acb36458d0e5b7f8a2bb07f03cbfd9cb145dfc72dae1658d1c514ef18a025c9a28

\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe

MD5 34c4db669b76a662c5fa7c199e4f7519
SHA1 b047730ff73cbb63a540a2a0cd4e632ad594bbc4
SHA256 5a9619856991c1184c789d732f7c597cbe8d0add0732660a4ba358c6a3f258f8
SHA512 da596adb60d4c5ade81b196cc4277c3bfd523e70d72ed2f27d4426833f72182a99fa4bc8f069805deac958e65a4ebed7f43919853fc5fdc5b91a6e62089f2c09

\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

MD5 5e9d2fccad3b9edbc0a8ab0fe1e5e510
SHA1 4f74227b71e570f57e0bf611de8fe2b73cd3aba3
SHA256 ba7cd3c2ef37746576ea934fbbfe6ce0f659977f604cb6528e642e6d82e60ff7
SHA512 8e5ae33075564851f1534767558b1be79894858a912e5f53b00c98ad38e46bcdd17e225e32acea78b634221b506a312185ea155faaac976642c6fc8ed352f035

\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe

MD5 d598a0818ec112074e4ecadb7fd83414
SHA1 a7154846b004135ba3e95e1e175d08bc9aab2e60
SHA256 d8fdda58db1a84ff2868d0d24bda9d9b496347a35008225f15c6599aa2f1c4bf
SHA512 5cd13c6b4247854a65f7322eafcb06d82c574384dc996be3bb3ab8f185818334acf6858e90136a321664543f3eb9d1b0419513ca254e4ed32959489653357240

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\RCXCBFE.tmp

MD5 449f31b6fdafa6652946ad358226e94d
SHA1 2007fe108fc0f8ee1f810a6bebc64fa2fb627b6a
SHA256 4d0fc20bfd642aa6dca9bbb455386daa71e81abd5373ecbf409a895a8a4c047a
SHA512 9c6c97906df0d7d35554c7f78ab8d1718cabb6856afa6a1482cf5f5f62adc093097381c2670994eaa5ffcb1b11f7f52ee5fdff786a0030100f7484fd64000069

\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe

MD5 9c5b124efd76128d26d3bcf85a3f2092
SHA1 6f4a3a1b7d4fb47aba5b1c1bfc151f6eb8d2b3b0
SHA256 5fa546e912a3fedea19477ba68bb127cd2867170a2bdb831b78549c6190d55b9
SHA512 ca13ada6916ac4b5277cb7684a05ae2d36e61e3a5dd425cdcce34b8461b2337aa9c81fde1e08d9f6d24066f103bebbf135c6f66ac76bb2767eabc93f2e47f7f3

\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

MD5 a87236e214f6d42a65f5dedac816aec8
SHA1 601f4e8cd6b1c5fcd8f0be4acf01a08261a07b94
SHA256 3c4a68070f3d7f14e488ae4f7ede8e7add0f8029995dc800833126ca062a2c6c
SHA512 5db8f065c02ac6a014ee407e3d64ae68fc9c9ae814532e58ea3aa27491baed8a15b5b1f90369eff37fb399c0ee96a92b3640110e3730084d3f0687734c41cf18

\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE

MD5 55d4acd4b1f8c060e4e880c213e5eb79
SHA1 c902866e5a10554e44b4e743ceabd5d687a51484
SHA256 7a7f3d1d777a49848bb8e4e344b7e6d75819345b4fe27b8ebf836618a8ad8d73
SHA512 b60cc303c2324ab7d93b8afa479a868d98ea117968f4d7233c27f5c9856f266e245324634548daadb32b9b9affab1e2530fdf9bb8248281f2fb671153f334bda

\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE

MD5 37cd4ed547914384c817aed45b50b8a4
SHA1 20c7daf067634dda7e1255e7ae3ef934d1fb1522
SHA256 7021a2b725aecbe925986bdb969f016b0c5f9c7a42301182acb351a1db66c19f
SHA512 64e535f3f91656d726896abc3d5a50782f38cbad30d17da810b113da24e7ed7b2a5ffbf85247859854264ca6da66458d9d4622f088b98e6a881afc3726199e19

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\alg.exe

MD5 1203bb7dd284cc1dc066f94bd24994eb
SHA1 d502009b65daa0109e104374959e9c708d321f0c
SHA256 ebe7ac9c35242aada727ea9d75b5692f50cd40166393d8a3ea514e10552fa3d2
SHA512 7c86503d3e78b1cb3879291a1eacc2531863a0d2f19a6c4aad3d709f6ea22740ab7668274964b898f8ecb89ff349478cb89c8ccc8346182abb34f5c3aa3c56b3

\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE

MD5 66c88b6782b844bc169c7f792936c0e1
SHA1 50cf028b05ede61c89d4fb3fde4caaae8b1a94ff
SHA256 b13d6112575cfcebd36ed20222b95c3869e7d292d36fef126324be8f29002a7f
SHA512 7e7825848ed26c5c04a61951139fc8c1ccc3f916f6c3616287a5fe707b59fd8f272bf0b30dd776632d7d8620217964e1a1b5381cfc7fdb6c2e8c45b829cbfcab

\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE

MD5 6ed32d3206c69fd9a591976e64003b18
SHA1 8e8aa84fa47579326aff29113db6b0e825d3f947
SHA256 542a9b77fe0f2adc61d3d2323d046256cb8227e09f337ff7355c489165e95e9f
SHA512 b612a732ad3175c1060a8e9e92ac3f5fe80fbfaf3e32a73b956b1f3b10ad0470df875fce8615b8affdffa3df17eed6d1bda9b27bae5d0ffbf9d4e4b37770494e

\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe

MD5 015751930f57a169f41b4142869cd139
SHA1 6690556f3cb5677a4d35fba7bd6c3f6c9d0f6761
SHA256 23e40ab5500599c794559e6b02ca1a63c436544ba576089e6c13c8759fbaece5
SHA512 740882f2527047ae8c473a038e2ab3179672e0eda7ba06d35034dfb3d7e686f10580f80d86e3553ea9870ee89fe34177d2b4f2f6f2557a6e583e9163c03c5ebe

\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe

MD5 d63cb47f665ff3caa0cd0db21b50345f
SHA1 7a8b5c9a9b2dcf08a0622f3475f0fc486dc8ecd0
SHA256 b237f60afbf0ff3680d68b673b4f06072249fce099f943dc731e0cccb4437576
SHA512 830c4820393557adcae93e625aec760130bb569b3eb3255338dd8c5935e236a32aeddbce2a44cd7347c9dfd8340e5888748e74e4a8bf3f9cbc7b7adf8669ea8d

\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe

MD5 988166248240a383a509be7d026e3ab0
SHA1 cb1f5e8941bff04f11f9bec60e1fa9d9e708b510
SHA256 e89ac835ed17dbf494434fd54adfcc1d7c2a6a57e2d7ed35abff4f6f1d290524
SHA512 3651f7e30b85449714183c5b3268f214c4ad463ecf62dabaf058b6beb482eb4844679d36217950d86a1e5365b9607c00dd6117a81e13dcf7e359ffe023816123

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\RCXE68B.tmp

MD5 b481b1d5e196d51224fa0830d106c03f
SHA1 e67446c8bf63fb756297d4b6e074328e9c23b292
SHA256 0545fea93909baedce8842a83c12d49d687aa4642f496de0014be195101c1902
SHA512 ed8066ecdc25baa698a14f763e54e743396df528dd17190d4bd3121ecc43ebe494595173f9ea1d81e2625b339295d3de3e92f8d8b3f68444eb3bb48ad971d268

\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE

MD5 7ffae006610a85317fbb092a2d65d1a9
SHA1 f61f245695232ada51d81671e9918d54d9f35575
SHA256 f10acd6e32bc4d7cc74feb9e84fec18a77aeb2838ebf2aa7e3280ba1c7f3fca2
SHA512 fa163a348c7e557d12b24f212eede900dee416f54557cc6cc1a18c6cf2d4d19e049e4e03000abaada320c80dbabba4a4eb028ace629442ecea8dab0add9ccc9b

\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe

MD5 20d3e26304e9366c2e9ebc18df8d6e53
SHA1 b509c0db36f01849a9267544545bb6d5e6d7dbe4
SHA256 36d845e96a732363f43534376dbb776041ab6df86a9ec1cf0419e74e89855277
SHA512 ea5f1a35d3aada483e3fc60b83b2de5339e8095294a8eff4c66131dfaee5b74ba2e9dcf5754d95bedb72ef2aeb43ef47c16d8b3f062a00408242300082263964

\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe

MD5 41bb0ce03e066012f36f5ee81aa5a737
SHA1 fca620d6e7b7c6513ea93f6b5d657b39bc7bce40
SHA256 47687c7db0d4107b82898d92a45992858d9452089d2ff7a3290ac79e4f5943da
SHA512 9d556b991aa3227f2ed4e079595a8fc574cf5bf560049a101d32b53b01aef41eede22ddb82f6f3509eb1f9a2f6fae2eb97d8060f2a6aa4fd6d73aa6a31117f3d

\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe

MD5 7a2323a4ef4c2a7651443239552581f6
SHA1 b3e6138072d303fbfca579a15ac86bd7572a7c2c
SHA256 18e279d77b8271a37bd9077900e57880f3cb3d2d9e5235ffc00f30752592f491
SHA512 39e6a802b7d64bf9547d4f93ff52004dc97bfe22f1363aba20b47e652dc5c27fae3a7b32fc10c585ca5e9621d7abd08888e25162991988f1b5d28e054f0fdd63

\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 ee0c93a37a7549bb3398c6093f25c9bd
SHA1 02ea12b829f147a5c6345f99ee4d2fcdd2cb7d4d
SHA256 604e2abeba3f46842e49c0d5dcfdaaf2746165f595f9dfa8ebfe03ffdd372c09
SHA512 1a5833d091139859847745f77032f6a0ff447d07f3c609d34d205ef63e68705b7232a72eba5315829ab52980d8ff5a9d2c9db59af056cd2517f4122db93010ff

\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe

MD5 381c22092074255a291f4c9946a5c28f
SHA1 cfd3817b09553851738818c55a01d18c7591f95f
SHA256 c94dcb40543cb405474597c7e7c9d8ef558b1422797752625db9ca4faf53689c
SHA512 e1f176f4d3f9b7ac057fa427d006e1d6c918e3bb623a713435011e6e27ba7728b22d501789f449cd54e5a58d19d62c25c7f55f8185b022b22cddcab070a385cc

\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe

MD5 f1de10a8b9909a4af635112c8866d534
SHA1 c340effbaed989e7f8ffc6f7574856cd8ed0d18b
SHA256 5df635fd14558c0a25ceecd2ad51fbc0d129a8fe681d36ecc9e7254ae0e0a40e
SHA512 a227edac6a6d440da6e13a7d0ecbf42f6ac6acecd7591e0a105bf5e8e417d54e0610d9d28c649c510dc91c454894bdeef7f4c4d3463c57225e1e7cbc142b0924

\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe

MD5 54a010c60be10b65eee5506720fccabb
SHA1 18cfa274db7d6567441db036eb2b25b720d58884
SHA256 9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89
SHA512 afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe

MD5 9482267d8e065d5c3cfe30c69b41b30c
SHA1 b0d7b3b52fc3faac508a01a61ff9e9e7ed8a16fd
SHA256 23085b1bbb7d7b175ee9c4fc9db4e7dd8981a3f5246cd864ab178c53c0612758
SHA512 33c19803c00834755d2a6e75481b0bc0d50dfaeb4cf95d34bc4bd22b82cb58ab72f7e7af9d1e56c19e68374365d4fd095b8a4121c0c0099254a0bdba2dd86c63

\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe

MD5 067c069e3a48184c32333ebbd152eb01
SHA1 e13808892bb9679a81d0ebdf5f51a6df42400149
SHA256 55f4339688f1e72f5da0819abaa1d1f0630f39c496ec1ea0ad8e3458c8df6b02
SHA512 74b3aecbf11f94948264b29481839bdf48d7b37f966cb5e2aa3062e66cf3587ecf247563e3bcc1837e1fb89602d327fdb4f22fa98c695b4d5768bc3f1903a2b4

\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 d4b257c01bbaa68d15d8368475a4e227
SHA1 fafae083a882e163cfa8c77258baaab891c17df2
SHA256 dd6dd981c7f1a6673dc8cc3a0fe1fc8a54e059a9fdb0545b0dc9258299c0c546
SHA512 167494ecb32196e8e199d7d14a1c0498eee45ab8e8862e5441539fa569313bb602b9e979935c7cc5ba39300e54e8bdbdf2f502e4ea24b5e8339fd2c3685ca502

\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe

MD5 27a531be4e959f1d7772133949832a10
SHA1 da4d3202e33c4a4c9480e8bff7726bbe0bc88e84
SHA256 09b9f613621fa39c97de92265fb886be93be5b37fe0985c54eb358efbf8befe3
SHA512 7e4e78a2f6ad80ed822c40dfc4466da49a4941f42ce92b78f40f0b0d3e22c087985efb134515d5592f7b86a4bc583733ea9eb7d33fe6e29d6e771572d75421d6

\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE

MD5 987f657313a388148599a9baebb9e7dc
SHA1 d4071ab6e1895ec19eee2254a39b9cb6096b4ab4
SHA256 83dbcdb3aa38fe0f77fa8734eed8917001163ef321b1ec418b6f87c7dae1259d
SHA512 ecb700e94740944cb4027137774448aee938e88645ebe34b250d1f1256efd099bfe48b50aca3935a48bfd9da0bff5473a3384f36cb3724b0fca90658b17a0aa7

\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE

MD5 a1cbf221f65a4a957a1561e94c05d2ba
SHA1 f737fc584cc642e8b808a316faf0eeac8360d344
SHA256 cf4c6c14eca09ac8345555b82585c6138f7388de63fcd626b0c19bd88b9231a8
SHA512 83dadebac14d91aa9c41d8b516f369b2a318fb58bf1e05437468d4f339639e431f981b8841f3bdf84b0d8b86b9e0a918900b559d1a327abebeb25a35a8954295

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

MD5 901aa7a38ce13f14b6bbec38c0595698
SHA1 6abd81a46557f72680eb9e5fc74223b8c9c32088
SHA256 1e95f2048e2a1782807d52e9816ed267355718e24d01ff07ace73d965ede388a
SHA512 34bb4f656423021873363ec8dd1908fd1d01017e607ff8bc79fea3176ffb18f3281dcf21f7bedcd96c4ddbcff70bb2943435a18e31ddfb6f6c5bd226bf901672

\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE

MD5 a351a9e5b19018821ab612496da0c2c3
SHA1 b040fea2e94e6bfdef05540061b9f9a9f9ca17cb
SHA256 6bb70e81edc34e15d9798b317300d7758042db033a91efd7a40efa5e45a3cfa5
SHA512 00e264e71f1f36be5bb284f2d281a9e2e11b050c4e07c75c975b1fbe19be57b89f651a9b0a9dd338ae7b8ed68ce733c872d7763698c234353354035d7b42371e

C:\Program Files (x86)\Microsoft Office\Office14\RCXECC3.tmp

MD5 f50959f59fbe2e8749d5bdd46d43cfa5
SHA1 163dee6eda4189acc0d12d55783fd46a28d48bc0
SHA256 826f99e9462c00c21a6c2254e5af574a58f31a59293d7d55503714a873590b10
SHA512 bf8ef30a8e967b004d5b54461c36f5f3325513812388753e4678c92d8084f43e93a6e73d03dae5bc3af327409cff51061bb07f53f879082f7cc4df04c3d28450

\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE

MD5 fc860959580c124e7e4781bb08437681
SHA1 b551dd88a1d3d5f277dc174f5d9d11eeea0dafb0
SHA256 eca127142a480fe51e7748159c8d219313a4730d60dc22c4dbbc1bd4d6a67b66
SHA512 abab3d964d5e7b1bdf365a429cbc5b48614f4fb64281d5c0a4b0ce0ab3580fa539ca0f33bc4243dbbe5c6649fa0ce1a2a89de12725a78971001cd768aeb075d2

\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

MD5 a53cc4c0fa7da7cdc8dddf4a0e6123f9
SHA1 09aeb141350d8d3ca91ac4cf902af9d6b2de3bf9
SHA256 ead4783058efc1fca6e92266cca02ae8ab79105405775208167d280c14d98914
SHA512 32a383f768d90c1eb5ffb8fffe6810ad90d76e6c65716819d4296344b31a3858db528eebc40d0561ae2be9d5f14533ecd44a0a783164b6b57e2588788209f665

\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe

MD5 def8d3ec3d85dc8dae33683766d0be5e
SHA1 7f13856a4f5f2610485de33546416917838270a0
SHA256 0f63e7d7cb8923fd0b8de1d135883b9b50b453f1093c3ac9c6e2a5cc1ff9d8ff
SHA512 3a9af3e8b506739e15f2a8ff7e39fd495f5a8e84df901fdccfdd855403359552af33dc805c58e2348ea8544088dde2d96f76b29e7aa93c5fa60cffc49ca25762

\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE

MD5 b6aba3b6872d0e4957d860bf050fbf64
SHA1 d1e55e141c402b45c6578758a72b52d112f1b16d
SHA256 a98aadf44727be20c0550b457a2e741c6fc6173f2eda2635c0213a1e509d9a24
SHA512 47f9184977e3a1f61417151b3678b41c61a9a2f30d12fa2bcdd006d8c32126ae7329a1e8a0816838d0940fda6529c7dc0931e9f5659caa9b780be7f6a5588766

\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 334a6b52049c0a30a89369785e05027a
SHA1 8881925df0de69ff7702313b182c31e6b84c8886
SHA256 086d9c660829c978140eed4851715224f4653a4b66e7a147b52fe5604eb514a3
SHA512 e59351cc3e1d59ba0e34235f33ee7316c5d44217c5b3dd8708504c86a3253a0e38c2be04430ed84601f0725857826a49ca9dd2f216e28e4a4ff74001453ffd02

\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE

MD5 818cb3b1d36f079b03e79e23d0fbd83a
SHA1 2a60afd7bf7d1b198070ab199691bb2c0cc315c3
SHA256 955601226a4e610d3ca43f6b6fdca64e274187148be5b2ce60db05aea233625f
SHA512 d6f9d21b45289ac628af525f8197d429b3ac70dd59f68e0ab04da115e7bfa97ad2c9d34bdc0c805671acc9923e71818e226b2b4287f19f471f4863d7f00664c4

\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe

MD5 42d927353ebd38247c45f73be30e5438
SHA1 4c09cacb7ff6f2daad8b9171f1a4811f57f460f2
SHA256 46b682a6e218066005b4691c0d16254607c41c51c8711558740d4a62beadf4d1
SHA512 435b77c1accae88db0ca27bd152c1bb374c47617db66fac72bd1f41bb8784461cca8bb36c3002bf0124c033273960b57af3514e05e5222f8b2220b5583da997e

\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE

MD5 e7667239fc311cbbc86e84c7d4ed1f23
SHA1 ba55b9c8d2edca3483d600616cb1a9114d4f625f
SHA256 343883df0625d9ab21c3de31c2c5fbcc24c6d0c151d2dcacd2ba1f04e6a40ad6
SHA512 7a8423e2d236f1ded8b51779519dfb9cce45bcb5d92503b35651278a0108e3b3e7b35fd266201e14bcaca76be99218481e9037d95394ea1442c204e66439aa7a

\Program Files (x86)\Microsoft Office\Office14\misc.exe

MD5 fb3c8178ad435b5b2194d5ce774e1f53
SHA1 f8ffa7825a628ae2d3be6d1a82281985f8029427
SHA256 8263b2fd09374585546353e8b61439dec4fb6e26d547d5ebed7696cab7dc8060
SHA512 e0ee5d6d9d0eb5b9724ca2cbfc642241c5b8e7b48d4b724473a5af7665a25442c22fb365e1431f567cf88c3f550d411d99818bb9346e29dd1730a43712425a7c

\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE

MD5 87232c8139f1cd82a2c3e39070d30b52
SHA1 13e2beede1ab86a3a12277893570c320e375d191
SHA256 8b8ad6ac7501d2c82eca1197c0310fa306b05d313d1b75c1020bc2b2965272c9
SHA512 e0032aa0182b66e3edbb7b76dd9411a6839e10cd3749337449dedd706ec8ff387042349fbe56c9d4b76a1aa095d750b6bd5e4a180ba7c70c144bf0fe697846f0

\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE

MD5 325898762af50cc9d7a4c504b7cd6206
SHA1 94bb4333872c472fca319c5b59aa1f1d0f651b7d
SHA256 293eb1f421601477e48119966adbd2d8be68510334c19a8377c5e772e40e039a
SHA512 ac780fe9d27a92699e4a5d6d8c29c7c69ca8d298717710b06fabafa66e5422e61e2bd02b8245fcf7543e3a4f7fbcb2173feb7160eb8659a769b19a1169406ab8

\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE

MD5 7aff1c22e8bc6d8181053fc3590fd0f2
SHA1 f81c044f3ed14a7c5ef33495891a846b297d5353
SHA256 7ad0bf719597cd4770a45e16c4f45f233f99d473aa1f4f0b0fc0f8d26976f883
SHA512 2a8c89e80371413e1458270fe2a1c963e085e8fbf2af5ecf921bd075a73c6f08333ade3cb6993a0db3ac5a008d0f3b80c9c5248a38d7e70842fe084df446f121

\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE

MD5 84b5e431dd9e08590e15ba29d85964d2
SHA1 738daf1cfd697baa77bc278493d985de3ea4da27
SHA256 28b7f8a6e333c8347c8472ac6bc9bb3caf4b505cc1a9bcd92c3db21947c04127
SHA512 484f62cef80d58728df0e1f255fbb62121c5d9f12eaeaa4fa0bf73d57b9f8accac598b1c3bd03c09aeae014d2687fa8bc06bb698af15f53f20b7bbe6b4021709

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 05:14

Reported

2024-10-31 05:16

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\windows\alg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lsass = "C:\\windows\\alg.exe" C:\windows\alg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\svchost.exe" C:\windows\alg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\alg.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXC1EA.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX6509.tmp C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Common Files\Java\Java Update\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Java\Java Update\alg.exe C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXBE11.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX64D0.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaws.exe C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\alg.exe C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\RCXCF2B.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath\RCX8075.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\java.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX64F8.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX6BB2.tmp C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX64D1.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX64E2.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX64E4.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX64F6.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX64F7.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX650A.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCXBA86.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCXC873.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaw.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath\RCX8086.tmp C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX64E3.tmp C:\windows\alg.exe N/A
File created \??\c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\alg.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX6C20.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath\RCX8097.tmp C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\windows\alg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX64E1.tmp C:\windows\alg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\alg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe

"C:\Users\Admin\AppData\Local\Temp\ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54eN.exe"

C:\windows\alg.exe

"C:\windows\alg.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EC7BA5~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\temp\*.* /q /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 www.365xinyu.com udp
US 104.155.138.21:80 www.365xinyu.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.138.155.104.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Windows\alg.exe

MD5 f2128fe384c2b474aa6c6656b967c250
SHA1 c1bff657915f937b70c71348f64494a3791bc7eb
SHA256 ec7ba5d18a4cc20171369ee9720e2c3198172a23b0d098234ac3f7fa4072a54e
SHA512 39b711228c7e2d4bcbc08345277f0003410fd71463a46e1367de4dd4eef2c3c3c29712a0dd2cba928a00ab27eeaea474b49a4fbc31cb6f870a0b4b0d8a9b6640

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe

MD5 a5a1e89d922f9d0e308391abd1e1e35b
SHA1 4480fdbbe4825a63bf8da81617b8d48cdfaf8fcc
SHA256 15052c9984705a582e4618b604cf02bd0c58faeef3698caf4a9735537f2e5e80
SHA512 86b0f35a89bad9b797f651043794a2a596e6c84c662ba7b58ddf354d3cea11ea97890e971477a092a4b0dc781e929a00aa0628ae2a2957eabfd009f34e0ccbca

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

MD5 b55d25175a92201c1c772b65c9ad2f05
SHA1 89314a76d70440b58e65177f101c402a82fc530e
SHA256 54907e882afd47268f893dbf10bb3d03279b5e9e43704d7fb35742be9b571e20
SHA512 1f652695c05a4214d471c592b3cf26064606112217268a49dc17d1f699071c3b1866806ee90ca9951805ab8e724b78bb4ec65ae6caa3900f20fac2b48c63cfc6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

MD5 14a5d83316e21d9c61d829d4456d838f
SHA1 55083a20ade81d2e6532b7065e5507ce56fc218f
SHA256 d2f773a9f4d8f94803ad677071f9b368621271f0ea44e2ead0a558a3e360311a
SHA512 ab21cb06d76af11f57ec31dc78bba56ccd6221529a7fd3eadcbbf3de4391c178d92cfd6e07b91a4180df2273ed37ad480632b8fbac44c8224bb3fbc8c1b39fb7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe

MD5 271db4f4d53208d081b5ded4c4057fef
SHA1 49f8ef3fe8b9b092bb03656e14dd18cef5ca0d3f
SHA256 01f4b71424a2998f9aaeaf02810dcd289f4b0072e8220e99d9618c21c9739b6e
SHA512 a8c65b1613877cbe7478b366962ae403a45c2f55b397b1c374c60d76367281eb9412596e0315a2656e315866754ca1bcee105df7dc373ccefb458acc53eebac9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

MD5 8b2f441d39fddb3cf7397dfe8e2581d3
SHA1 54c91e47520d94d61a680729e5a441467895518b
SHA256 d81052f225b6cc1067eb9a05b94915fb7246b97e7263072081b5ea267189b180
SHA512 89d60c2d4bc4946fa9cdc096d513d720ea48f5251d9d8476b03f4278c8ceee851976d44973f2bf3d2345046937c2738c4a75032969e53aadd9fdde6d666b2a9e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe

MD5 bf3f0690c0a9966b5c6fb4af9e48166d
SHA1 aa2a40f788d247ba12278f2281b453dc0d684466
SHA256 42c7fcbae2f7c1ba8a237288c98de1b10c54ed633d39d13ccc1c692b351e9485
SHA512 989d7b3eea6f931a7c648b5a874b1dcefce89104601cecedf2863aace12b65842618193c16ce8e43be1751c162a8569d29ede018e728e791e708e063560788e4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

MD5 02ed374aa771882c6c4bcd30eee46a28
SHA1 640e534fd349dee5ec2de069850fb5556e0fd551
SHA256 c08b7628d9976b6ab2e35d145b30c6b7788517c86eacdccce618af4bea7542c0
SHA512 33ee2a878021734aebe32721c2b7ea880ff621ebbd0d7eb6657f3569bb83c4ba281be2ad58267002dca55c3fdf16a033142db6f7100b9d3b55a27fefe5a449e7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

MD5 d8220cf3b3bdfdf6408e0e1247260c54
SHA1 d6d4813c9c1c26a70070f13cf1bf1e3f64e1839f
SHA256 730dfca88b5e1ab72d2efeb6c1c9a5390f49d0a66205f701ea9b4fd041a36090
SHA512 762c35275f8ba3aaa6e23aa140df7fc25368e2aae2acdee50b5f940412e05a725e69fdd7ad9471f1f815f7adf138043877a3ce2520e7898ed85cf3e2b4881106

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe

MD5 f5b45434157089cba1e5668b154b4930
SHA1 69dbc12e5a860b525e91d48c7604c3f8033fa8fd
SHA256 20d973bc2bb21527c55274441e04ce8239f590651d749750a0efa4d1300f7e4c
SHA512 f715b6a905b77727c2343f1a2647d7dd8db4921c0f1715b4de7468a12712f746a36bf30291bae3f7848847d8a3006634131256d8ca4a164765e4706f9e713390

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe

MD5 bbc7454df6419791c040042069a7bd7a
SHA1 b4e48387cc88ff619d67c713cb854326fc2fed4a
SHA256 137add95165f73728d532e0c50710cf953dd5056ad8aa5077bbff6be344593d3
SHA512 9053d4182250321e2d9e12fddda041b1995e0cdacf8f33b1a6214baa0142b1eb74e3366a144b37758037a37bbd9192ff314866d23bb530744958ec9b7e2af1a0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe

MD5 945f70a339c02f62367b6b91d70b5302
SHA1 5ae0091e68a95b6837c5b3877c1dedafc0685e0b
SHA256 76ed17ee80333fd0bed4bc9ac4f778273c30c9fb2cd988da36a098836e0d30eb
SHA512 7056bea3235a823565238150bfa63ee31d363dd167c5e4afa838ba3c463612dee0f1fd6e03e6c6d5136aa6d6c462c24dec78bd1592a46110f100249a5ed3d56a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

MD5 c0d68b17623d4a63beff07670fc357e4
SHA1 38a09d33c3b142ba434aa430428e087212a92764
SHA256 9283b9c34ca1bffb93ab39f239df13112e38b3e928c5b63c134e2f9be199ca42
SHA512 b28439310c8b5917e1a433a63545120bd374261d42f2fdb2d1a84c0aacdf75c031f5f5913f7adceb0c619cd377dfe5c92896159b7d3770ea57e3cf01ef389f39

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe

MD5 f336e81d7c3c4af681dfac497ccc6aab
SHA1 d8760fa2c4a742d3d3ab8133dcb806178a633e1b
SHA256 ddd1ce2a24fc6016176cc5be4c38a5c04532878f79e5b5a34917c44f94efb110
SHA512 f938cff0406298add1bdebe462ad0ae0e5f670248a603880e206e86be33956d36f3e1919ec00d1cb0af9fc963d6720f0f606383ff583f373862a9eab5d4d9f2b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe

MD5 c787fb105d16476c990784e460e1c7bb
SHA1 5854c1fb551d13a466a4a415ef4d5d51d2b0c358
SHA256 2fc7b20f1e4fee266ba31fae8c3d7f783afb9abf83580c2d22d5ed758327766d
SHA512 503345deb30dcd2bdf72a1ba15d379ee4ee1cc4cb382d074c920156e6af007bdb967c2a84db3269fd56b08e9bae29a447669dda99b2b5f022c63f857ac6fdc76

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe

MD5 6623abd95d6ca5b4e9d78570d1e531ad
SHA1 dd734ce4057e98af82197af22a436b3ae05e1af9
SHA256 db197e4e2d60b8161a5cf5c41a9d3d1d5cc694c19fe96d71e33747dd20c1d4b3
SHA512 77624baf530a198eeb708b5d28cd536a8314101a23e8b9570699f35d4d962f47e1537ee283efb09eabaef4cf5c0523a9388d37a64f9e926c580028454d65d45f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

MD5 6459c415c8057eee0e2f9e09248b0788
SHA1 147299d7287e189af5b1e68fd56b29945790288c
SHA256 1492c1b6340a4b495b85ea7a5ec0a3b48d8f87e936938db3c28b67f9b73159c6
SHA512 3fdc770ce320cecc23eb56359b96b9a5765d5c62c0a26d0efe6fcb6e7a663af063b35e0e096dde62bd084511d5913c818a33c95bc2c7e2536a2b88da05dac469

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe

MD5 b190797fbf932bd613084e30ada19612
SHA1 da1bbcadc4034e84cf306fd57387833619d70d58
SHA256 5aab9463ca3765a4d92aff5e6591fab2f7403baad57d2bdb2bcda3aa89f4bd9d
SHA512 7f08ba34a10aa83e3f8e8eb283254513847e585410079ec5decded75feaf3fe1a86783bba96b9b29da186d3a3cbbddcd7993ffecd127fdf96f395ae546b6bc5c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe

MD5 fafcff087a9a2e0bc5097f1f18daac62
SHA1 f5c323c8a28d1992ea074a1dee6ecc1beb749c69
SHA256 8bed44823706382b3848534e1cc9d26d90511d1f195fc08f6be0045f415377ce
SHA512 30e43cab53dd0ad56a27532bf1cc832ad1f06120559c06eb298f59da5008e448a60396e7d7937451f4b7fdfb02e128b8c8765f52d1e0a3b65d452bd3367d49b3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe

MD5 a77340ccc7475a541ca0fa36b410bbd0
SHA1 a387412ffab19b206700d86d3709230bd55e9641
SHA256 148c2a561257b994fe0e1606653e8ba80b1ef53dcfe05e914e060d6f5c6e3970
SHA512 4915969a0690719b0631963aaec3452f533ee8a66c5e30f22104a1c1623f0e00958c7e6b257235f78787ed505af92be44cd7fe06e9111cdc432bc1df7b63c230

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MD5 d6bd9881875e0f56aa00a28d777b3afd
SHA1 2c04eb10913fc5321988064a1a5a645423aab159
SHA256 9f25c4d0a9770a2772aac0ea36e213d152a8024c6ba18c219f9ffbd0b5de57b4
SHA512 d184c5935cecb095a42583a96cc5f8bb1dd3e3dd1b76ef5eac21ec22145753f330861f23d1625d98e6e7e71deb0e5d51a3eb8374b34d32b04fd77771141aa509

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MD5 5f4acee947beb23f04d9599322c47cfc
SHA1 1c39b1aaae857cb352f1e4a7d2295508fc300f8c
SHA256 9b589e570ce599a1fda95f583f61b23d4c0d193302f6000bacc6a0db1f218bd0
SHA512 1032cf200b912e670af3c650d25fd278ef38f678aa84d81f3d4a8873ae494dfd9fe3f2a20f70b132c501d83974be84c8f7355058341649dd47a74397b86ffd2f

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

MD5 1de54c2814da9588027386bb14bb0f1d
SHA1 24b493a0d6045a34fe5cf0885f8e4a7048be99fb
SHA256 f9a3bedfa54cd2e612d63bd227e09704e7af8827ab04fe2b4f8cea9fcece6b0c
SHA512 5928e344cbee629f271e72c2ca3e635d1a0bece93e89830c7586c33ec4c275068aa89a5d00a18daba86cdf65cd371bfda88587f23adcd10b0df65e619ec4a94f

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

MD5 7f616d7458f170901c4dba26cab431be
SHA1 12ba3b464909189a3bb5d7164de6bace7f0a8386
SHA256 d50ff428c62f88dfe27d0c6cf77eb714e2dcba47fb2c932970e6fb6f5c960a1a
SHA512 333e244f928c3e88d29a58c3e5a669adafb02d64e0ad3b42bd48791a722794143de89767a4619955daa5abde3f127ddae638336d0676c513d68ce1cfa05cb7a2

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX6C20.tmp

MD5 ca6118f28b7c3b8e37c543ef974821e9
SHA1 2f60dd3d730ffbcaf1282f6d1ed24a6f4d21280a
SHA256 5ad87c88da15602fe7d6ca05ce80d369ee3e298e3ef6717c8305a3bb69c0be44
SHA512 c303ca4d1ab93c9778eaa4eb9327191637922afe40f33d19d3dd11312cb6eff1a70619515b9e9796863c19801da4aa4bf11e183339b7e7c5c7f0456d6a77caa4

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

MD5 5815e92687ebe087464ee1b2ec2ae9a9
SHA1 051e132c8c13d0a3d2b3cbece3dc12a6f6087df2
SHA256 a3554c0aa5b520fd6bafe5a51315af9fab83fc98d1a57cf24004656acb479f8f
SHA512 4b389cdbd06ef8f7513214756e7fe0ebceef3e09877f41192919981b97bf7dad0bc6f94948e2ec3f4f286f0b1aca55c69d1e37f80ab2f4a2c60f8033ab1b9b76

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

MD5 d2a9beb443467eac08a7f069b8e81114
SHA1 7b9fca8e0c3eb8ecc874eae7b6da000980ba7c42
SHA256 b7defdbb386b421f6cd4d380d051c0b7d738b89d6cba3b5b70144f40c9409e55
SHA512 efeb2d0bb36f575909d6d3c44444200ff833dcbd2e98240d63a4c498c40123388001ccde741e84cf292d0875f8543dbeb174eb86149c9aa9c5ba79293d7d9ad2

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\java.exe

MD5 ceafc7bb4274b5595c713f1a15394b5e
SHA1 ce685a5528155acf2e6631f66ca48ef514a62727
SHA256 a00f66e1b20745fdf04c8525df7a4033f69ad0a24c86b419d2ef1fdd99b7596c
SHA512 5e37efa26d018601c479f8bf5e81f6b15dc01eb15fc9b70f315526251ebfec2f15ceb17758c5d9e712059a0e3ac34d7f89b514d401922d8d974638cedf05736a

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaw.exe

MD5 2b77eba99bee2b51f35a446dc37c3be1
SHA1 e5392a754c5b857e8c8c14ae3adfa1a17bdc8179
SHA256 cae4670dd68fe5b255c5526555d3dab6c3cb379f8ff5b7dfae68b3934b9dbab1
SHA512 08a7b12b6d8a622e66d5c0cdb8c4e27b3ddc3fb95b16cbae472f7e02840d378f2e70436d55f966ab99efd7f739e1865afad3c200c1b709b14a17ac05176029ee

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaws.exe

MD5 0b38ca1d466c8533026d667c3281c1a5
SHA1 e374662a449dab9ef6917e872c68730d501ae736
SHA256 1a12fb7e54396631be8f84ba5f4f3c9713025918c6d5c3a3cac58b65803e5f46
SHA512 fa46110e7e603f277916fa84c5487d00f2b640ac206ecd58246f312e11a177281a060776bd7ce07d306591db73ce88e84dc38418c0bb175998895c2166acf427

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\java.exe

MD5 91dd5967805bbd43ec8a8009ed580f81
SHA1 d468f548a04802cbc60de96dd54bf73dcf7db615
SHA256 6c833b375c04f7449619597cdc54933787c7f80f9aa55581bb6c4439411e3a52
SHA512 04b281988cabfe8a3bf7c7c8a8dda3fb51930ee682d406d60f305feddd802642d3409aec1deeac36f5dc53c2a1ac9dd1f1963562959f18bcf4dedf3da698fad7