Malware Analysis Report

2024-10-18 21:36

Sample ID 230628-pt4essad8v
Target 952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
SHA256 952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f
Tags

play ransomware spyware stealer

score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f

Threat Level: Known bad

The file 952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe was found to be: Known bad.

Malicious Activity Summary

play ransomware spyware stealer

PLAY Ransomware, PlayCrypt

Renames multiple (8309) files with added filename extension

Renames multiple (8059) files with added filename extension

Modifies extensions of user files

Reads user/profile data of web browsers

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-28 12:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-28 12:38

Reported

2023-06-28 13:08

Platform

win10-20230621-en

Max time kernel

86s

Max time network

71s

Command Line

"C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (8059) files with added filename extension

ransomware

Modifies extensions of user files

ransomware

Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\CompressInitialize.crw => C:\Users\Admin\Pictures\CompressInitialize.crw.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File renamed C:\Users\Admin\Pictures\StepResolve.raw => C:\Users\Admin\Pictures\StepResolve.raw.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3592352177-2971570228-3741369827-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msolui.rll C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_SplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\CalculatorApp.winmd C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\PSGet.Resource.psd1 C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\jce.jar C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\net.properties C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHM C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\LICENSE.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\167.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3838_48x48x32.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\officemuiset.msi.16.en-us.vreg.dat C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Skull.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\sleepy.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\fk_16x11.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_ja.jar C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Awards\Assets\Awards_cup.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\1h.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_1d.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\PlayButton.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.dub C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\newsprnt.jpg C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\Buttons\Menu\Menu-up.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-125.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\Email.ot C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.dualsim1.wink.small.scale-150.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\pw_16x11.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MTEXTRA.TTF.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\uninstall.log C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10911_40x40x32.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\LargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-up.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7260_20x20x32.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_rename_18.svg.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe

"C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe"

Network

Country Destination Domain Proto
US 13.89.178.26:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp

Files

memory/4040-120-0x0000000002320000-0x000000000234C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3592352177-2971570228-3741369827-1000\desktop.ini

MD5 c748b0076d358975b54c173e48e085af
SHA1 bf5009efd38170a1f217438f71e223dafa3e658d
SHA256 92df5d9970caba79f232758722a383ed1864eb8eaadb367b6bf534382e47240c
SHA512 4502c337493a977705ca11c7d5f34982e2c68e7fe465f12a841e93da8e40d7a45fa117831da97b482a7e2d988fa11c990abac1eb9a0c7b071006f11818bfb9b8

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-28 12:38

Reported

2023-06-28 13:08

Platform

win10v2004-20230621-en

Max time kernel

1800s

Max time network

1225s

Command Line

"C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (8309) files with added filename extension

ransomware

Modifies extensions of user files

ransomware

Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ExpandInstall.crw => C:\Users\Admin\Pictures\ExpandInstall.crw.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File renamed C:\Users\Admin\Pictures\NewOpen.tif => C:\Users\Admin\Pictures\NewOpen.tif.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExpandInstall.crw.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Pictures\NewOpen.tif.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
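
Both detonations show the same on-disk artefact: the original file name is kept and ".PLAY" is appended, so an affected host can be triaged by walking the file system for that trailing extension and reading the original extension off the remaining stem. The script below is an added example, not part of the report or any vendor tool; it builds a small constructed directory tree in a temporary folder, walks it, and returns per-directory counts plus a histogram of the original extensions. The extension is a parameter because the same walk applies to any appended-extension ransomware family; the directory layout and file names are made up for the example.

```python
"""Hunt a directory tree for files carrying an appended ransomware extension
(".PLAY" as seen in this report). Added example with a constructed sample
tree; not code from the report or the sandbox vendor."""
import os
import shutil
import tempfile
from collections import Counter


def hunt(root, ext=".PLAY"):
    """Walk root and return (per-directory counts, counter of original
    extensions) for files whose name ends with ext."""
    per_dir = Counter()
    orig_ext = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(ext):
                continue
            per_dir[dirpath] += 1
            stem = name[: -len(ext)]              # strip the appended extension
            orig = os.path.splitext(stem)[1].lower() or "(none)"
            orig_ext[orig] += 1
    return per_dir, orig_ext


def triage_report(root, ext=".PLAY"):
    """Summarise a hunt as plain data suitable for logging or a ticket."""
    per_dir, orig_ext = hunt(root, ext)
    return {
        "total": sum(per_dir.values()),
        "dirs": {os.path.relpath(d, root): n for d, n in per_dir.items()},
        "orig_ext": dict(orig_ext),
    }


def build_sample_tree():
    """Constructed sample tree (names chosen for the example only)."""
    root = tempfile.mkdtemp(prefix="play_triage_")
    layout = {
        "Pictures": ["CompressInitialize.crw.PLAY", "StepResolve.raw.PLAY", "desktop.ini"],
        "Documents": ["notes.txt"],
        "Downloads": ["setup.exe.PLAY"],
    }
    for d, files in layout.items():
        os.makedirs(os.path.join(root, d))
        for f in files:
            with open(os.path.join(root, d, f), "wb") as fh:
                fh.write(b"x")
    return root


def cleanup(root):
    """Remove the constructed tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        rep = triage_report(sample)
        print("encrypted files:", rep["total"])
        for d, n in sorted(rep["dirs"].items()):
            print(f"  {d}: {n}")
        print("original extensions:", rep["orig_ext"])
    finally:
        cleanup(sample)
```

On a real host, point triage_report at a user profile or a share root; the per-directory counts give the blast radius and the extension histogram shows which data types were hit, which is the first thing to hand to the people deciding on restore-from-backup.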

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-922299981-3641064733-3870770889-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-left.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\spectrum_spinner.svg.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_contrast-black.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteMediumTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubGameBar.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppUpdate.svg C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\ui-strings.js C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-execution.jar.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\BadgeLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.winmd C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-io.jar.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White.png.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-tw\ui-strings.js C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\googleImportError.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSBI.TTF C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineUtilities.js C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msado20.tlb C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-125.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\LightGray.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\ui-strings.js C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\Xusage.txt C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close-2.svg.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-32_contrast-white.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-400.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\FlagToastQuickAction.scale-80.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MusicStoreLogo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\.PLAY\ = "PLAY_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\PLAY_auto_file\shell\edit\command C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\PLAY_auto_file\shell\open\command C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\PLAY_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\ \ = "PLAY_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\PLAY_auto_file\shell\edit C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\PLAY_auto_file C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\買戀ᔲ셠 C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\買戀ᔲ셠\ = "PLAY_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\䟌펙ഀ蠀⪰ C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\䟌펙ഀ蠀⪰򒟺\ = "PLAY_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\.PLAY C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\ C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\PLAY_auto_file\shell C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\PLAY_auto_file\shell\open C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\PLAY_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" C:\Windows\system32\OpenWith.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 71628 wrote to memory of 66636 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 71628 wrote to memory of 66636 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 18580 wrote to memory of 70028 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 18580 wrote to memory of 70028 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe

"C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\TraceWrite.docx.PLAY"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TraceWrite.docx.PLAY

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ExpandOpen.html.PLAY

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ReadMe.txt

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 47.125.24.20.in-addr.arpa udp
US 13.89.179.8:443 tcp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

memory/3204-133-0x00000000007B0000-0x00000000007DC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-922299981-3641064733-3870770889-1000\desktop.ini

MD5 5d1f5e27c5d77d9c6158d3ba90eb7a08
SHA1 5b3e88ce9c569ae94659a72af50bcd19e340e409
SHA256 401a6907fe93d6016a9dc4d66bb601ae526c6df929f588006f70ca8b16378e23
SHA512 a28dbfbed444b122e0d1069513ebb8d8d098947022b3586f8518fb6fba3fd769f8b76a9808f0f77951ed2fdb8c228f12e580f56be8e03dc9f058dd9585a57ddf

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY

MD5 28071b6cf2a6c73a073733f02b95b6eb
SHA1 d0f1bfc0399d5f059fab32f1e6631e04ef056808
SHA256 34b01ec923b81326794ec41a0125d86ddc7e8db3e27850220612d330a579754a
SHA512 6a62ac71df35a9ae6001cbf52c72fed90bf3c0753d2c27ce63eea9d94ffee05e03fcaa623832ff71ea1f415a361dcffb50c7e36065f65020420ba8f9c27e85e3

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

MD5 8f7eb56295dc1f951d346e167fefebc9
SHA1 05a6fe15a7507fe27101f5fb861d79049cac770e
SHA256 b1b9029581f32f5dd6ebd61128d0c0ea604a7781bbc1b29da2b85c07b0ab4e0a
SHA512 a08bc1305bd5bb990e7a196cb9b9b77c355cf13b78942f6ddda9264177f91e875700864cf604852a47d0eeac43ecdd8dc5b8ebafabd07685d1718bb3e4431b03

C:\ProgramData\Oracle\Java\java.settings.cfg.PLAY

MD5 e9b0cc737e1bb988f9a70d67e79e447c
SHA1 c04fbf80456d4d2949b8d279ad547f683b74a32c
SHA256 b2a8ea61dfc4c6607fb65aebb640495043489d267c052d011be66ea709f1d10c
SHA512 dce9b866db3c9853b02c6d5fefd628bb9328f8e9778ca1e6c7d75764380755fb4f75e932c5b250dc082f2657ea8262933b089bdcf733602cdc738ae986ecb0ec

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.PLAY

MD5 fc8066c0a65c762eb7a2d169a2a4b47c
SHA1 ccc26a4e6c136b5ecdfcc02688cf067de2612ae7
SHA256 a9d40783ebaca9a91fd432ef6840eafd1ccb536f77c0c76cc71e3df610f5a33a
SHA512 39e7fead50116b3a1cc4c8f23475b61417c834d7d722e7d3c49719ee536e412b5ed66d0581ae8a499757084150003be6a6cb29a1604fc6acd2887bea6f915ff8

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.PLAY

MD5 3611bb04d64e968cd1a959730f5c0f07
SHA1 9cba8c9f7e6f1a241b2389f830b3127178a05ea3
SHA256 203b4e4b9e0f170195b4f1884711a5edb52f389cba401f891484531ccdef8c6b
SHA512 be35ddbeaa0f648c36fbbfaf9f026696f4b76a93ac54f35faf7f56365455404569aba9682c8e980e4d1b49288c4a4b762ab16c8d63eb9ec58a67dcd4f78e59fc

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.PLAY

MD5 66f7aac55a10f143726f1e27601162b0
SHA1 5cc51ac3190554f99dc219b01b8245646d36facf
SHA256 fb7adf0ef1920239a5536bb9d9f2efaf33b2ae40bedf0d7094e39c646360b86b
SHA512 95527601ebe3c4cbb468d177afcf0a9ca6b3b1f887c3d624d15a36400da415a456471d4835fefa800ad26095ea252f859cca6d51471a249ba83d3b7598a37d02

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.PLAY

MD5 9049840aeee7a24c7cf193aeb113687c
SHA1 40e0ed443892952ba75d547f2fdef854f7cdeed4
SHA256 e26b85ea955f5c7121ba8f14539215647201f881bfe072dd74c890dc5aa3327b
SHA512 3ee011de32ff40d6f6e944678864166f4af774916fa7070e92c02f9a0ecc1898ad42c95fa1a8a082252c886962abbf13c3273b6a506c7a61496e4bdfe2fb96c8

C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 60216ce85f0d6b70b3c1adfe959e603e
SHA1 f09e6afa57031e1cfb66aa56d21b818e4fe13c23
SHA256 4fe47a4bdbd236bd95dd5b1d7ad6db8a714a5be393106a1c8582b73800840201
SHA512 631c064a93347b6ed8c5917d57b3f156b8193a9a0d52343a5d6237220ca12ed74e4190dbb7b3c197c25dee809544103bd55a312e658a1b6e99b4cf427eded78a

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

MD5 4f085b85ba7cbd45a2c9c634f0be06e1
SHA1 716113d1eb63f5e815e3b590afceaf69cc5b6ac8
SHA256 7c4c93f3eb9660fde09e5ff14e155b61cdf18f03bbc24ee607d06c9bcd94c1aa
SHA512 72d77b6b229911a9985ec130dea6b575ea98ad824b7c0e0c3384f79372b8007e9533de1ff7be89fa47e85ed3f942f1c33703d1b36cfa033059a245296bfc3847

C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 8676a1e6f69a7841bfee577b8f85557c
SHA1 4c96470c1f8050cbcf9698da9dc5257d26ea7a08
SHA256 740b7e76a69c26cdb6c84ee06d6bcbd1925b90c0bf2a0867a857f05c21a92f69
SHA512 1ddffb22818a8d1d6ad77ad2ccf2a768ac8b968ffb9e532363b5877184233092117ec0afcd47a01a537722c2051eb88ead3a77c423fe301274520861acb7fba4

C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 d7a880f13ba8526d0368024102cd8148
SHA1 68432791f4557cd1d6bf47d0444dce5cd21cf6b6
SHA256 50dfec72f03507b062d033b4f89a6b38652b55aaa7566e2d6c1b735791cdb151
SHA512 cd28615c99e32c5413dd188dbc3bf6f210da0ae64bc94b8b55e148d669c382774dd267dfd95949c77d8a26641fa1354663abb1b7d3feb06711c69f88f766e66e

C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 a153d47deb67f8d08777926b4689dc9a
SHA1 01c8c3820f26cfeb58481f3e0fa58e9513222202
SHA256 f6666ce00f6d535e2cc9defc7b709b6b3f14c6dcfca3f3f2094012a7ea665eb3
SHA512 41982c38882fe358867bd0fe4a85e4257b0cd1192723a1658a814ea8df85ef408fb5903f94fc5b54d3b6f938eca7b3a95bcb528385f0899cf36addd33c1bef84

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

MD5 0b419fae5cb9f9b891832ecc79055ff0
SHA1 a5c9f78fe589cf65028c5e592bb74c238f3ae4c6
SHA256 c8c82d15063844de849f97c842f91d5025b21c9082f6450437d044fa3f23050c
SHA512 b8490ce5abbfb05b13f3f3caf775d9c7f33e7c54fcc2efa2ae1ebfaf639fbf060b36f3a4ca1f32968c6433e8f0e3a538b57fa74eb11605feaca146d7a9f18326

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 934194896a16f2fa72ef1f11da5a35f3
SHA1 2baf9d34d147fe5a8300750eda7435447cc67433
SHA256 ebab74acc31964467c8ef8d7c1104f0c40bc79b03b683cb9605e95fb78b8627f
SHA512 7f4a2bc9927e580d7a812892146114869f314ce1ef242bd6a589e3e7355e6475131d747e5be90f4baabb81ca9bcc11d4742e61618e12164a40e7d704c4cc822b

C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 e4f3e57328b45f79a62928281ebcfa1e
SHA1 77e25bbc31ae8084c2631676308080cd23bbe4e4
SHA256 6d54faf6c6cfa3377a14edfc49bd59c0d2891cadec23728e04f526d5e70cfc05
SHA512 cb3d5bfff57d10f530a5066f34bd94a3c617ad9247fed22fd0ab28a98a0721e82cc679148fc9cf0b057afb71aa32048421336a36fef52f9b8082a59b6c79c88f

C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 8341aa85d97bb8661a2c0482a3dce49f
SHA1 6b18567acef18849e3f94e5659f26d96860d4784
SHA256 a45e7c2461044caf0fddcb65c1ab01ab6a345c47135cabf5dfcdae34c54bb26b
SHA512 dca30ec29d1d66aeb6c96e4ba1096ae26a161082bfa882df98707c0a637f4db33e4276f0466c35a5bb9aada067f093fc3df938b841a3ff9e5a2592d40e3bca79

C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 7d146cd254c0100b8e95f77c70d76616
SHA1 c8cc180ec599c9c9892fed23b622b93f7f71d14d
SHA256 596d7dec97878888454643b0b5758633d1ece1aaed343709a497a00ab2a8125f
SHA512 e5a2e39820fad6e1e6910879109947e94b0a3e299020279eb6233e37e10ad2e6fda49434122b292fb8dbd327a38ccb19a22913d4f68e1cf4c9e3ca4383887fe6

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

MD5 6ca1acef60278aa55a9bc41f7611f8da
SHA1 b1a1dac10e9c79fbe6b890c43c1a37ed7278df28
SHA256 34bfc6b47a4b74e1262f2510bb1cebd5317378795f32f2d887708caf299efee6
SHA512 f5726261f52c664dfbcf70afaf6d05885f80acc44483fec776de000cb739f28925088717196fede374984f69173bbb670b3acb732aa7e364eb89fcd4db72fa15

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

MD5 8319488a6808ee3816837de8efa97205
SHA1 480fa3e8787b4e5425040c2e16047086d0fad539
SHA256 79c85de002564d5dbaaa1c12faf351fd52f81055c4f5634c403983ec11259bb4
SHA512 6f019e0da8c1100565582c8530e65995adaada0194b9d7a05b76200caee5b3e01f987962e18ffb8bbab991d5e4e47d1e6468d342de05b5b2f9cd46255105d890

C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 45fc1e2cea44e4e7944b96f0c794e79e
SHA1 4ffadadb730449b737dd376613cc4a941830dbd2
SHA256 10953c72245605dd3bf86f4e2a854c37df00489a660f4f725bc4276fef33c2fe
SHA512 c878ea96cfddf09dea1fa92968e9e9181e47783de7439698f22b97837f43c22275ec8f7ca1afed9131197fc6e8564601958eb2289ee56ef1c50be8511d2eb5ef

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

MD5 dadb3fe845720fb8956b007c494c14dc
SHA1 13a70d676df48fa0ec3f6485508cc229f9674290
SHA256 0f870d04d7cc2952b4a0bc45769af2f551b196288eb50dcd250b303ac3a0c27f
SHA512 7a7430babb75b71111a7d1163f7510e9d76547973dbc982c6bdc3bc4cc41f938741ccbb515b5465a2081b2cc8aa4041744458a56449b1f575e520c2fb5926132

C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 6aa10dc261b1d9c24720516f3ecb121b
SHA1 7f6245356282a0ae9c4308523934cf8f419b78a1
SHA256 91c2746571f351b5601bb58bdbe28e56273c3806cd16cd8a45aff8fb87dea219
SHA512 89366671b5be4e0600a41489fcd9ede4328b74199672d53f4a891ee12b6e56af18bb508e5b47758c5cb3356b778d476d7c902711ee0388d7fb328e737786cbbb

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

MD5 5766c54b1e07afae5895e8d937bdcc39
SHA1 55f3b5e729aaa27f53521b8da897c671c9175d3c
SHA256 7e62f478f7ee0a2ed4b5ee0baf1c6eee6ce19f2650de888514effa855a30d8d1
SHA512 264f6f28e916d315afc7496a5b7511db8a3a7e0cd981d875cfbef8f0a1b5414a44c167965519907cda2ca9b629e1fb45acf08f0e7376c14942f13721ee1910db

C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8.PLAY

MD5 066b65b8a0917d1ceb9809b4c1433d31
SHA1 b7289119356faa7a335502d8c7aff19d9208648a
SHA256 16c6438e9933459fbbadadc1d38da673b61eb66a30b93da4e508b1ae967a6190
SHA512 03c4d0879df91ddcd977ad6e6a2d764eba434b1a318d2909ea84bed5a27a0a15891d76f04cc12fd2a2e957d3377e2d7519b993155373f060d8974073e5e841c2

C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY

MD5 2bb541c2f4f1b4300b534ead32279dd6
SHA1 63a139d2be0ec79a51814be586aafb5d4a6220ae
SHA256 5f6fbe7a9bbca5fc85fea17c69af99b9c14ca2d014fb98537dbaf83ecf6f807c
SHA512 882366a156f79aa5e6bcc6742fdbf459f7b0367f7eb312b112c9e80e47359bea0ff765802f723539e93361ffc7dffe05418a1cf7b04c166dfb65070630403fe4

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY

MD5 48d837177753f54cb5cb41baa66bd9de
SHA1 92646b5a3d51cb769221dfbe3655f12741deb9de
SHA256 1ad500986fd70fbd7889bb3b80db910fdb93f21725cdff440ae18d9dd9b5655b
SHA512 ade92662ba6e4d1af28694e3cab86e8bce216a8ad6cc7e50691c3e724515210c3ec7aa7b3ed376b55c9357e164f6dd8176f834f42b771f65aeacf2ff2b61db17

C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 2cbba6114cc59cd8d265414b2f1122d1
SHA1 a3e9995ec267bf6c5f79efed0a0a9867bbf7ff1e
SHA256 6a2fd0d72672282a79c9f2824be71801e4c681b313a79c6f1611d326722caa08
SHA512 8695638767fb97a5a207ea83d24f80f0859e673fae9c6f5fed5c7d2ae2c2ad84ca7675d8e0d6935f63590507b301f25bc72476e2b74faa1f749a3da7fb4b5073

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 833ed492701739ba06cd2bc5be5e8682
SHA1 786414975fa5180e73b9bdc7c7a3042e9b129020
SHA256 6dbe1c459276b24f56ef1735cfb3e83986368627acdf6f4337cb7db80728d7f0
SHA512 282f774127cb57fa05c84858fc1822b5e409fda2e2e42664dc08ebb07432550f937e14650bcf59ad860aa29deea3c3b997edb5121c44683d63e3082745e51498

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.PLAY

MD5 3815db7df7ee0f6f81a8a7557aa93ab0
SHA1 7d8bf6383dac3c1941bf9261b37dd3a0d91658a6
SHA256 0fd640a563662b6a4b9d3756196231abed24777118f0c8fda84f8d37971ce8df
SHA512 fff290748de219786edec59658863a0ea95995c6f7317e4d8b221b7255695bf41dcf373a58274168339df4549735d97f760095bc4afb17fca66e5de149455a5c

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp.PLAY

MD5 b3e4c478f6354241ff55b60bb44f50dc
SHA1 866f88c907e16e4f41703c65c4111175845febc4
SHA256 974aa720e3e8cbf4b03c3e7fccbeb12360d174dc1a19e2caea71260b09537540
SHA512 e378f124bc51c4843201ef6778b2237dc9164284f5f42e1c2f18cf618836f4d885a58d14b3c7475cee8972f80b629545e8e3bd2fe33f87db12889fc69f32d20d

C:\Users\Admin\Desktop\TraceWrite.docx.PLAY

MD5 e3d34923dfb17ca0b4f7443445812728
SHA1 15cb25b77b011ef00483a0a2a3c54d3ed7c3c3a4
SHA256 309be19b761dc28e0b9e99c0dd4d60b94d1a8e283943c5fd4d8d778b39504032
SHA512 30566062cfd906ab035055f9476d9d505f3b5425561000e657f77fbfe08eecaccfa88f36c416b9067cc2228678c8b384284265da4f02ccb5e6f4f87700569399

C:\Users\Admin\Desktop\ExpandOpen.html.PLAY

MD5 c4ac426700e26b5c4c1a95f4787dc37c
SHA1 7a2ff05940233da0d8a2ebb213bb3f303a46bb0e
SHA256 c0ba467cb2920f3b333cee8a1723403ee443a2c3de95e093e8f4d7e2cc4cc4ca
SHA512 737338ff1bb2c9f91eff1ced2640fb55314455f6e4d4cf2f6b254b9f5e99d7d747b61f1a4395d437422de5dd3566f3782b10937dbced2620cdfe7ad17c2bc646

C:\ReadMe.txt

MD5 0eca4058401c315fd630ca879e45e158
SHA1 bda153fc364827fcd1a8b4de22b47048995e0d47
SHA256 7a4fcdb7e62b5267b21681a93fe4aca5ee72d3fdf17c1227d372437a10c0bc61
SHA512 e7ccad8b45fb1e88f0ef985fc0e70f8f764edd49a23079e6b7f02de5776b3218ff6af9382dedebc3656b216f0af66693f1bb3da05924683070bd66791239c330
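The listing above pairs each dropped or renamed path with four digests. As an added example that is not part of the report or of the sandbox's own tooling, the Python below parses that block into records, rejects digests of the wrong length for their algorithm, and derives the triage facts a responder wants from it: how many files were renamed, what they were called before the .PLAY extension was appended, and the digests of the dropped ransom note. The SAMPLE text is three entries copied verbatim from the listing; the `.PLAY` extension and the `ReadMe.txt` name are taken from the listing itself, not assumed.

```python
"""Parse the Files listing of this report into IOC records and derive
simple triage facts. Added example, not report or sandbox code."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Three entries copied verbatim from the report's Files listing (raw string
# so that backslashes in Windows paths are kept as-is).
SAMPLE = r"""
C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY

MD5 2bb541c2f4f1b4300b534ead32279dd6
SHA1 63a139d2be0ec79a51814be586aafb5d4a6220ae
SHA256 5f6fbe7a9bbca5fc85fea17c69af99b9c14ca2d014fb98537dbaf83ecf6f807c
SHA512 882366a156f79aa5e6bcc6742fdbf459f7b0367f7eb312b112c9e80e47359bea0ff765802f723539e93361ffc7dffe05418a1cf7b04c166dfb65070630403fe4

C:\Users\Admin\Desktop\TraceWrite.docx.PLAY

MD5 e3d34923dfb17ca0b4f7443445812728
SHA1 15cb25b77b011ef00483a0a2a3c54d3ed7c3c3a4
SHA256 309be19b761dc28e0b9e99c0dd4d60b94d1a8e283943c5fd4d8d778b39504032
SHA512 30566062cfd906ab035055f9476d9d505f3b5425561000e657f77fbfe08eecaccfa88f36c416b9067cc2228678c8b384284265da4f02ccb5e6f4f87700569399

C:\ReadMe.txt

MD5 0eca4058401c315fd630ca879e45e158
SHA1 bda153fc364827fcd1a8b4de22b47048995e0d47
SHA256 7a4fcdb7e62b5267b21681a93fe4aca5ee72d3fdf17c1227d372437a10c0bc61
SHA512 e7ccad8b45fb1e88f0ef985fc0e70f8f764edd49a23079e6b7f02de5776b3218ff6af9382dedebc3656b216f0af66693f1bb3da05924683070bd66791239c330
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
RANSOM_EXT = ".PLAY"        # extension this sample appends (from the listing)
RANSOM_NOTE = "ReadMe.txt"  # note dropped at the drive root (from the listing)


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def encrypted(self) -> bool:
        return self.path.endswith(RANSOM_EXT)

    @property
    def original_path(self) -> str:
        # The sample only appends an extension, so the pre-encryption name
        # is recoverable by stripping it.
        return self.path[: -len(RANSOM_EXT)] if self.encrypted else self.path

    @property
    def is_ransom_note(self) -> bool:
        return self.path.rsplit("\\", 1)[-1] == RANSOM_NOTE


def parse_listing(text: str) -> list:
    """A path line opens a record; the MD5/SHA1/SHA256/SHA512 lines that
    follow attach to it. Digests of the wrong length raise instead of being
    accepted, so a truncated hash cannot end up in a blocklist."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if not records:
                raise ValueError(f"hash line before any path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad {algo} length for {records[-1].path}")
            records[-1].hashes[algo] = digest
        else:
            records.append(Artifact(path=line))
    return records


def summarize(records: list) -> dict:
    """Triage facts: renamed-file count, original extensions hit, and the
    SHA256 of any ransom note (the only digests worth blocklisting)."""
    enc = [r for r in records if r.encrypted]
    notes = [r for r in records if r.is_ransom_note]
    by_ext = Counter(r.original_path.rsplit(".", 1)[-1].lower() for r in enc)
    return {
        "encrypted_count": len(enc),
        "original_extensions": dict(by_ext),
        "ransom_note_sha256": [r.hashes.get("SHA256") for r in notes],
    }


if __name__ == "__main__":
    for rec in parse_listing(SAMPLE):
        print(rec.path, "->", rec.original_path, rec.hashes["SHA256"])
    print(summarize(parse_listing(SAMPLE)))
```

Only the ransom note digests are useful as blocklist material: every `.PLAY` file is per-victim ciphertext, so its hashes will never recur outside this detonation. The recovered original paths are what matters for scoping impact, and the extension histogram shows this sample encrypts installer caches, SWID tags and CAB files under ProgramData as readily as user documents.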