Malware Analysis Report

2024-12-07 16:33

Sample ID: 241114-ah45ma1hnd
Target: 90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe
SHA256: 90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761
Tags: defense_evasion discovery spyware stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761

Threat Level: Shows suspicious behavior

The file 90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Deletes itself

Enumerates connected drives

Indicator Removal: File Deletion

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 00:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 00:13

Reported

2024-11-14 00:15

Platform

win7-20240729-en

Max time kernel

34s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eqsA68C.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Program Files directory

Description: File opened for modification (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe (all rows)
Target: N/A (all rows)
Indicator (one per row):
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe
C:\Program Files\Windows Sidebar\RCXAB7A.tmp
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe
C:\Program Files (x86)\Microsoft Office\Office14\RCXB35B.tmp
C:\Program Files (x86)\Microsoft Office\Office14\RCXB3F7.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXA919.tmp
C:\Program Files\Java\jre7\bin\RCXA9CC.tmp
C:\Program Files\Common Files\Microsoft Shared\MSInfo\RCXA728.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXA7DA.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXA8F2.tmp
C:\Program Files\Java\jre7\bin\RCXA9CB.tmp
C:\Program Files\Mozilla Firefox\RCXAA77.tmp
C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\RCXA883.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\RCXA884.tmp
C:\Program Files (x86)\Mozilla Maintenance Service\RCXB42A.tmp
C:\Program Files (x86)\Internet Explorer\ExtExport.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
C:\Program Files\Java\jdk1.7.0_80\bin\RCXA871.tmp
C:\Program Files\Windows Media Player\wmpconfig.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
C:\Program Files\Windows Media Player\RCXAB24.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCXAB7C.tmp
C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe
C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
C:\Program Files\Microsoft Games\Hearts\RCXAA17.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
C:\Program Files\Windows Mail\RCXAAFF.tmp
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE
C:\Program Files (x86)\Windows Media Player\RCXB49F.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE
C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\RCXA835.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
C:\Program Files\Java\jdk1.7.0_80\bin\RCXA899.tmp
C:\Program Files\Java\jre7\bin\jp2launcher.exe
C:\Program Files\Java\jre7\bin\RCXA9E5.tmp
C:\Program Files (x86)\Windows Media Player\RCXB48F.tmp
C:\Program Files\Google\Chrome\Application\RCXA81E.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\RCXA8CA.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXA931.tmp
C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\RCXAFFA.tmp
C:\Program Files\Windows Media Player\RCXAB37.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCXAB8F.tmp
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eqsA68C.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe

"C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe"

C:\Users\Admin\AppData\Local\Temp\eqsA68C.tmp

"C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\90B55F~1.EXE > nul

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | efbkfqpcdh.com | udp
US | 8.8.8.8:53 | cffhqznqzd.com | udp

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 20dbf807dc0e5a499a0f9c149941ce8b
SHA1 b5ef8f64df0fdc4c04774416f8b6293ae765046c
SHA256 6480ddaac6f2b2107dbb6e6a4dc56d4d3a6fa210925ee2e6e3a1e1172d33f43a
SHA512 5167d7eec74fa19c602aa66dbaeb210395662cf217fe6d044e2bfbbf80e3f64274c2ad296105a4df868c89ea5e8eb8db6567d621f24cffd0bae20f2a0307767a

C:\Program Files\7-Zip\RCXA6B2.tmp

MD5 fc80202a8fc434099a9449b2a14c2d75
SHA1 9ca544e9bd5f4bfd84e9b769a9adeea8c86d2555
SHA256 d3c794a3f404eb37cbf4038683a85678d04b28fc6f5d98f2a24116738de07b51
SHA512 98292dc9a96ff137205a7874d3495eae8baa0b51e968d616257a7e7ae4291fe010f47bef923039002827d0ff115f154aafe11bf321d534e0a7870faa40f6d2d4

\Users\Admin\AppData\Local\Temp\eqsA68C.tmp

MD5 c1fae6798a1f41b2c714e675dc8ac3d6
SHA1 d9717662fc6684631649ce95b2afad6e26268fd7
SHA256 8a5222d3f146218b1a6b3f775ddd8eeef27c1f4319febf6a8512b7b9df6ac8f1
SHA512 7a7cb32aaa4755668bdb94ae4068363abb2667af4ac31fc85d9f9d2cac1da198a4266d07ac53b54b208e76b8d22b8243ffb751b49b8a3ae89197f30a5373ddb1

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 00:13

Reported

2024-11-14 00:15

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eqsA8B3.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Indicator Removal: File Deletion

defense_evasion

Drops file in Program Files directory

Description: File opened for modification (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe (all rows)
Target: N/A (all rows)
Indicator (one per row):
C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe
C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCXB5B2.tmp
C:\Program Files\Mozilla Firefox\maintenanceservice.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\microsoft shared\ink\RCXAA78.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\RCXAEE9.tmp
C:\Program Files\Java\jdk-1.8\bin\RCXADAE.tmp
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXC194.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
C:\Program Files\Internet Explorer\RCXAD99.tmp
C:\Program Files\Microsoft Office\root\Office16\RCXB39F.tmp
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe
C:\Program Files (x86)\Common Files\Java\Java Update\RCXC51C.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe
C:\Program Files\Java\jre-1.8\bin\RCXAFF5.tmp
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXC1C9.tmp
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\RCXC53F.tmp
C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\RCXB4F9.tmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCXCA4B.tmp
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe
C:\Program Files\7-Zip\RCXA8C4.tmp
C:\Program Files\Java\jre-1.8\bin\jabswitch.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXC4CA.tmp
C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe
C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
C:\Program Files\Microsoft Office\root\Office16\RCXB39E.tmp
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\RCXB953.tmp
C:\Program Files\Java\jre-1.8\bin\RCXAFAE.tmp
C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXC083.tmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
C:\Program Files\Java\jdk-1.8\bin\RCXAE2E.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe
C:\Program Files\Java\jre-1.8\bin\javaws.exe
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCXB592.tmp
C:\Program Files\Java\jdk-1.8\bin\RCXAEB2.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\RCXAED7.tmp
C:\Program Files\Microsoft Office\root\Office16\RCXB336.tmp
C:\Program Files\Windows Media Player\RCXBAF4.tmp
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe
C:\Program Files\Java\jdk-1.8\bin\RCXAE7A.tmp
C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe
C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\RCXB9B3.tmp
C:\Program Files\Windows Media Player\RCXBAF3.tmp
C:\Program Files\Java\jdk-1.8\bin\RCXADD2.tmp
C:\Program Files\Java\jre-1.8\bin\pack200.exe
C:\Program Files\Mozilla Firefox\RCXBA5A.tmp
C:\Program Files\VideoLAN\VLC\RCXBABD.tmp
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eqsA8B3.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe

"C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe"

C:\Users\Admin\AppData\Local\Temp\eqsA8B3.tmp

"C:\Users\Admin\AppData\Local\Temp\90b55fffa3b0b7cb2a22f7b5d376eda96cc91420dada951141ce292349a4a761.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\90B55F~1.EXE > nul

Network


Files
