Malware Analysis Report

2024-10-18 21:36

Sample ID 230628-pt6vxsad8w
Target 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
SHA256 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
Tags
ransomware play spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55

Threat Level: Known bad

The file 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55 was found to be: Known bad.

Malicious Activity Summary

ransomware play spyware stealer

Play family

Play ransomware payload

PLAY Ransomware, PlayCrypt

Renames multiple (8039) files with added filename extension

Renames multiple (8290) files with added filename extension

Modifies extensions of user files

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-28 12:38

Signatures

Play family

play

Play ransomware payload

ransomware
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-28 12:38

Reported

2023-06-28 13:08

Platform

win10-20230621-en

Max time kernel

1800s

Max time network

1593s

Command Line

"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (8039) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\DisconnectInitialize.raw => C:\Users\Admin\Pictures\DisconnectInitialize.raw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File renamed C:\Users\Admin\Pictures\UnblockProtect.crw => C:\Users\Admin\Pictures\UnblockProtect.crw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File renamed C:\Users\Admin\Pictures\InvokeExport.crw => C:\Users\Admin\Pictures\InvokeExport.crw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\DisconnectInitialize.raw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\InvokeExport.crw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnblockProtect.crw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1989575376-3257970224-3313857678-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\config.js.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2475_48x48x32.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp8.scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCallbacks.h.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_13c.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.tree.dat.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_invite_18.svg.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\SkypeWideTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-80.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBEUIINTL.DLL C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\BooleanSubtract.scale-180.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\LobbyTiles\Spider_bp_809.jpg C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-32.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6100_20x20x32.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-140.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_editpdf_18.svg.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashScreen.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\VBAJET32.DLL C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\si_60x42.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconOpenInCinemagraph.scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Control_1.jpg C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main.css C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-4x.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\VBAJET32.DLL C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-96_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe

"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe"

Network

Country | Destination | Domain | Proto
US | 20.44.10.123:443 | | tcp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
SG | 8.241.134.126:80 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.94.81.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.5.c.0.d.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files


C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

MD5 e7d4277abf39bcea1660c656b2cf2c0a
SHA1 9aca543d5bf11f7645044bbdab6d8b240ce71635
SHA256 a36ad735618b55de44f04a7c31b0e074de742034ff155162df9c227d13ee3643
SHA512 b58814aa3d785a4a4d23c75aa7e93f47b09e04bf2cdc2858c7ffc252f5cb5d21c314a7d4fa2323796ed5149077e368bc8ee00b89c0c5d7889f41007471d9e18c

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 6cf4976586a864a73125034a123d0575
SHA1 811a43fc47fd46539a7ff26c2b124b9430046ed9
SHA256 cfdc1aa328657bdf16fa9b307860d08ed0e74290fcfde55de78cf0f58a9066a1
SHA512 0b93612241b83220939e4fe0b320d77e01e8960f063c3477143bb8053e48a781ebfe629cc3c7a6084e2add3a34b9025c4396bc466fae173388a0bb924113e504

C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 1fa3d008df383150612415ccbce1ca7b
SHA1 e9ef0afaa2121920f5aee548bb7716b9a0de6aeb
SHA256 badfa11f325a65b0f88b2b8df3b9c8bc724ea9c1f827a7d84b5eb0ac5ae9ac14
SHA512 75a8802276427f5b0afabfc22a8aa0e8eb51cc0221fcf573e67f86c93c48b66eb0ce459841444a579b6e5072d055abe1691a76ae4755145d9326feca70e61808

C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 0a7a384e598f7c59e84ad2353ba530a3
SHA1 0ce50cf54411c8c1fe2fc6548027c77767cfadd4
SHA256 40d1809ef4b33477a2aa3181b1b2f241a2611aeb62078388bca20016c08e9efe
SHA512 208714bfab3478212a3f95ebdfa869437e0474133ad040067d975e24c8ef2e55267be81d69bdfeef10dfae2d0909dc4987c7667a5f29c322e7ebeede2462f583

C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 d83349ef73ca198ea16e97764be55d0a
SHA1 deb37b21d7c15232a7dcca9c6c957614db251aae
SHA256 9d7ecd7400029b167c5eb9173737d3e762a6fa1be1af63099a3f311905a9cfbc
SHA512 d621f644c3c6e7d2c6a717e183ea9ebc6b21aa94f70dba5d4ebe6ab952bd132360a00320d684a4bcba11f2993a641ba0836774f40c93c23871e60620c9a5d209

C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 6bcd875ff211a5376801ec191e5e2f27
SHA1 3b61996fff4650f747f003e1738c5e92f87a1049
SHA256 c2d0784b2765a849d9c0b28380ffa17e035876e549e35c4c223b2f7119ff0f42
SHA512 a8d00b57a4f75fead3fdf6be1c44fc686710404d1d1a9755e6e7ba8ec337eed6927699553eecb31890a44ca2902beaa35bdd34fb66981bcc978c69f0abbc1648

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 9c3d658d6ff1d08c8297a4809c496eb5
SHA1 71e22b23bdb259b6fcc8bea0fda5476496192ec9
SHA256 d936d81f50b033981379ccf3a26c8adb67911d674b49db37594247486b604cac
SHA512 4e3cedc7575c978cc279cb0f14592961fc5487b5c61c8febe696fd7b30925d632d7a0a5e5da9e71c953c89813c2d928c089c1ed3c0e8a0df5bea703e26859ae8

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

MD5 9c3af160187838c820a31eb8878f4895
SHA1 8ca1b4a7a76c1f606610adfc0739a517e249241e
SHA256 46f5d59be9049aaac7c1c8c83152fcac47f812415c70576ef4f30bbf9e65cb17
SHA512 ff8bbf04b201faab0ba034f55daf4c186c05c57d43657d5683fd6db62422a37aeda90f1151dbd20f300a3c2b1ecffa1035c6197a674e0f7711b1e173ab490435

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

MD5 64e58237fa46a9f979731f6a246397e4
SHA1 cff27f53f9a408b708e074584c8d03d72d05ba50
SHA256 a35d23c130c9f65be635859c2b06b6d5f49c3f3ee60aad5cd45b5bd326d867bb
SHA512 957f873b3bec8451c66e0ee472b5519f1ed21a094edcf06c77dd38fa33f2cd3eb9977c48fdc635536959793f781f21d8bbc333199aa3967ffe461fc0dfbf2dd8

C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 da7d10697df6714618f1a5cb30eb3e80
SHA1 d36e8a9f729cedaf2ddc6def58c14a3b2a030098
SHA256 160f86a268de991405e4c1b0ebdaf8b646b4a664a3bf567f09daa4605755e3b8
SHA512 11ff7af59206af8c4d7f7184b7d6636a04e87f44f330c7fec511fac9a5c8deea04c049f4c5d32f6bf4211c0567e0522971054db9a591313d1362c125c3e9f939

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

MD5 f78d07a8a872410b5285d982e478c7de
SHA1 f0249f3e6e141d5b80968975fe5178542a8193ac
SHA256 5547c8dd716d27ffea881f311034eafb119900f4a1f59088edd70bcda419f8c4
SHA512 9bf6895b5d28466c57c77c2abd7b07fc9304bbb8cb387b847be733af5db491a884d91cfe09118d8ef580c24d2a4e8dc0fb6616bf6844d3769b4e77f664987cee

C:\ProgramData\Oracle\Java\java.settings.cfg.PLAY

MD5 02961f79ee185375c7b9991c4f1e2758
SHA1 5a5959cc120713019c7bd0e51cfba2fa6f43c0bf
SHA256 fc515d8e7e203ccf9d6952bcd48e09fc9f41387d24373e8b2f811cd9c94ec06d
SHA512 c016148d3fe1cd9bb22973420ee37093aff00e5dd728269e69873401e277a2171058e80ea24db8fe99593fec4ec2f27a04194752ac582ec58334e878271e14f5

C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8.PLAY

MD5 82ad97d9d10f04db4567e9ed6a097b0c
SHA1 2251b19901bf5559e5445a4c7b7f3292a882f928
SHA256 ab7fbc43aa8370fd778d5525fa68d95c949b0e60aca1c2f3ca08d10427900450
SHA512 89f688795b1aecc383cbfe511aba5c5e9311afef5e4d852ab87afa7a9a357995b8ff65e1d14b832efb42802b709a789e80439b6c0fd5a040a7041b839561226e

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

MD5 1395dc7e5bd27e9b1f88ffc16fa5ed30
SHA1 6e5f80e1c88df09644f8a2bf2de978cb222a37da
SHA256 afd2fbbcbb5f074e307fe47b99ba7b1f864ee9db0a0fadb20cda9c0b840e49ff
SHA512 500eae2a0dce7a13e31adf073e7adf4adce9c9846175ebe58bc619ebcc2d637f078d0dadb84e93498f15680fd947eac46c3fb1b007a562c59043b76fc3a1fa3a

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY

MD5 d2d20957825a7ec38f494f51d8803852
SHA1 238f3170f5c51a29255de48feed1f2602e8d4b0c
SHA256 d4ed5ad8ba6e154f498e2a2fa4279c144230624f19f9a29adba0e5b63af42f54
SHA512 ee33aff742bee426654a913304a096a895b928f1175cdf433606fe11784f2931bb37901b60e4305a47d3e5fce389c8588b88815970677c330b59db77a74fc636

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.PLAY

MD5 aec51a1dbd19b5de7f48f6a6232ca894
SHA1 516f1ee3a4de7eae68488a7c84be1b7056985f8d
SHA256 c10dbf966f0fb00da76a9c9fffc7e62fa8894905e3f4821a2611b4cbdce57f95
SHA512 4e73d61c8508e71651ec2587377aca01ba5ff2b5b52b7065d3acd18d8e26dbef26fb3bf59a2eb9fde5e2141eeaa0e8f7fdaa61b4de7b7d1f9ffd74683faa9c00

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

MD5 56c3c51e76cd5b680b0d1ae275f6a023
SHA1 c72e7dbf9860c8b37ef8d7801b8dbd7210521bb1
SHA256 c4c785cec2ff173a297f650adfd1f406483ad5cefb03fc31bd125c3727865a8c
SHA512 2d6af88aff0758a992000cf2082947ac82dc8040fc11b8973376794a853b8562cc60af78d0fdf309918208fe991ef800361aed9b2cbd51bb48daddf0ff733e6d

C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY

MD5 cbaae3ee8bc840b91d9478359cc91539
SHA1 0336b09a5685f7fd4c855c0f1efcbf8b4de170c3
SHA256 b81fe3478e3ddbff16da33b8e7e8f1f4b18b601c40ed1d25d89b3133bbecd966
SHA512 47481ea41ff2c860c6e8347a17b28b6519c3cbeff562fcfa964fd516d0a2b8daea60e160c4188b31c67d399ef99486b90118116c1e67f9663a27b6c1b2feb5b1

C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 b39675b1aa46469cb43a54a73569a6ad
SHA1 d438f6695e04f3a6bc639c180d5892bd8ec629f2
SHA256 664a133e4614d3a537a0dc5311e18bc7f13d8f54e6610427a7d7d9dd9c2060d6
SHA512 fb6239c5b69612f2f868c4560d8b614f8cdad2766cb5915e0c02468c820b1edc927794a33cc7383c4c252f23cd799f4b9a2f557aac6108231a8e71cc64cdab7d
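The file inventory above can be turned into structured records, but with one caveat a responder needs before copying any of these digests into a blocklist: every listed path carries the .PLAY extension, so every digest belongs to encrypted victim data produced by this detonation. Those hashes will not recur on another host and are not reusable indicators; the reusable hash is the sample's own SHA256 from the report header. The parser below is an added example, not part of the sandbox report or of any vendor tooling. It reads the report's path-plus-digest layout, rejects digests of the wrong length, infers the appended extension from the listing itself, and separates victim-specific records from anything that could still serve as an indicator. The two records embedded as input are copied from the list above and truncated to keep the example short; the class and function names are the example's own.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Hex length expected for each digest type the report prints.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")

# Constructed sample in the report's own "Files" layout (a path line, then one
# "<ALGO> <hex>" line per digest). Both records are copied from the list above.
SAMPLE_FILES_SECTION = r"""
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY

MD5 9f2e3fccfa9b8d201cb847a60f9a2a8a
SHA1 2893959e04d0f1589a16fcec1a7b2deb30b501a2
SHA256 002132a1486857aaae364d646f52c7c0d0b49eeb8df9e95dd5de16d4a06a3b10
SHA512 0727fa5244be2f40657523dee2fca5bd6e07d8a50e6a50201ab704c272b8c6fdbb01212f1e444ae2ade67cf6a1e595fcc28f40da5ec69dda7297f3777432fb14

C:\ProgramData\Oracle\Java\java.settings.cfg.PLAY

MD5 02961f79ee185375c7b9991c4f1e2758
SHA1 5a5959cc120713019c7bd0e51cfba2fa6f43c0bf
SHA256 fc515d8e7e203ccf9d6952bcd48e09fc9f41387d24373e8b2f811cd9c94ec06d
SHA512 c016148d3fe1cd9bb22973420ee37093aff00e5dd728269e69873401e277a2171058e80ea24db8fe99593fec4ec2f27a04194752ac582ec58334e878271e14f5
"""


@dataclass
class FileRecord:
    path: str
    digests: Dict[str, str] = field(default_factory=dict)

    def is_encrypted_output(self, marker: str = ".PLAY") -> bool:
        # A file carrying the appended extension is encrypted victim data, so
        # its digest is specific to this run and useless as a shared indicator.
        return ntpath.splitext(self.path)[1].lower() == marker.lower()


def parse_files_section(text: str) -> List[FileRecord]:
    """Parse the report's path/digest blocks; raise on malformed digests."""
    records: List[FileRecord] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIGEST_RE.match(line)
        if m is None:
            # Any non-digest, non-blank line starts a new record.
            current = FileRecord(path=line)
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"digest line before any path: {line!r}")
        algo, value = m.group(1), m.group(2).lower()
        if len(value) != DIGEST_LEN[algo]:
            raise ValueError(f"{algo} for {current.path} has {len(value)} hex chars, "
                             f"expected {DIGEST_LEN[algo]}")
        if algo in current.digests:
            raise ValueError(f"duplicate {algo} for {current.path}")
        current.digests[algo] = value
    return records


def infer_marker_extension(records: List[FileRecord]) -> str:
    # The extension the sample appends is the one shared by (nearly) every listed file.
    ext, _ = Counter(ntpath.splitext(r.path)[1] for r in records).most_common(1)[0]
    return ext


def split_ioc_candidates(records: List[FileRecord], marker: str = None):
    """Return (reusable_candidates, victim_specific) record lists."""
    marker = marker or infer_marker_extension(records)
    reusable, victim_specific = [], []
    for r in records:
        (victim_specific if r.is_encrypted_output(marker) else reusable).append(r)
    return reusable, victim_specific
```

Run against the full listing, `split_ioc_candidates` returns an empty reusable list for this section: everything here is ciphertext. Anything the parser places in the reusable list (a dropped note, a copied binary) is what should be hashed and shared.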

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-28 12:38

Reported

2023-06-28 13:08

Platform

win10v2004-20230621-en

Max time kernel

1800s

Max time network

1227s

Command Line

"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (8290) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\StepComplete.png.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File renamed C:\Users\Admin\Pictures\FormatUpdate.raw => C:\Users\Admin\Pictures\FormatUpdate.raw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File renamed C:\Users\Admin\Pictures\LockEnter.crw => C:\Users\Admin\Pictures\LockEnter.crw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File renamed C:\Users\Admin\Pictures\SelectDeny.crw => C:\Users\Admin\Pictures\SelectDeny.crw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File renamed C:\Users\Admin\Pictures\LimitProtect.tif => C:\Users\Admin\Pictures\LimitProtect.tif.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExpandOut.png.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExpandRepair.tiff.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\FormatUpdate.raw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExpandRepair.tiff C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File renamed C:\Users\Admin\Pictures\ResizeSet.raw => C:\Users\Admin\Pictures\ResizeSet.raw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File renamed C:\Users\Admin\Pictures\ExpandOut.png => C:\Users\Admin\Pictures\ExpandOut.png.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\BackupComplete.raw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\LockEnter.crw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\SelectDeny.crw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File renamed C:\Users\Admin\Pictures\ExpandRepair.tiff => C:\Users\Admin\Pictures\ExpandRepair.tiff.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File renamed C:\Users\Admin\Pictures\RequestClose.crw => C:\Users\Admin\Pictures\RequestClose.crw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\LimitProtect.tif.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File renamed C:\Users\Admin\Pictures\StepComplete.png => C:\Users\Admin\Pictures\StepComplete.png.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File renamed C:\Users\Admin\Pictures\BackupComplete.raw => C:\Users\Admin\Pictures\BackupComplete.raw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\RequestClose.crw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResizeSet.raw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-4129409437-3162877118-52503038-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
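The tables in this section (renames that append one extension, writes to desktop.ini in every profile and Public folder, read-only opens of 23 distinct drive roots, and the writes under Program Files in the table that follows) are the behavioural signals worth extracting from this run, since the file hashes above are run-specific. The script below is an added example, not part of the sandbox report: it parses rows in the flattened Description / Indicator / Process / Target layout used here, attributes them to the detonated process, and derives per-process signals (the appended extension and how often it occurs, writes into the renamed files, desktop.ini touches, distinct drive roots, writes under Program Files) with threshold-based verdicts. The rows are rebuilt from values in the tables above; the thresholds, the assumption that the Process column contains no spaces, and all function and field names are the example's own.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Set

# Process column value from the tables above: the detonated sample itself.
PROC = r"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe"
PICS = r"C:\Users\Admin\Pictures"

# Constructed sample rows, rebuilt from values in the behavioral2 tables above
# in the report's flattened "Description Indicator Process Target" layout.
RENAMED = ["FormatUpdate.raw", "LockEnter.crw", "SelectDeny.crw", "LimitProtect.tif",
           "ResizeSet.raw", "ExpandOut.png", "ExpandRepair.tiff", "RequestClose.crw",
           "StepComplete.png", "BackupComplete.raw"]
DRIVES = "OVXIJLMPQYZAERSTWBHKNUG"  # the 23 drive roots opened read-only above
DESKTOP_INI_DIRS = [r"C:\Users\Public\Documents", r"C:\Users\Admin\Pictures\Camera Roll",
                    r"C:\Program Files", r"C:\Users\Admin\Desktop", r"C:\Program Files (x86)"]
PROGRAM_FILES = [r"C:\Program Files\7-Zip\Lang\ps.txt.PLAY",
                 r"C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms"]


def _row(desc: str) -> str:
    return desc + " " + PROC + " N/A"


SAMPLE_ROWS = (
    [_row("File renamed " + ntpath.join(PICS, n) + " => " + ntpath.join(PICS, n + ".PLAY")) for n in RENAMED]
    + [_row("File opened for modification " + ntpath.join(PICS, n + ".PLAY")) for n in RENAMED]
    + [_row("File opened for modification " + ntpath.join(d, "desktop.ini")) for d in DESKTOP_INI_DIRS]
    + [_row("File opened (read-only) \\??\\" + d + ":") for d in DRIVES]
    + [_row("File opened for modification " + p) for p in PROGRAM_FILES]
)

# Indicator may contain spaces; the process path is assumed not to, so it is
# recognised as the last drive-letter path before the Target column.
ROW_RE = re.compile(
    r"^(?P<kind>File opened for modification|File renamed|File opened \(read-only\))\s+"
    r"(?P<indicator>.+?)\s+(?P<process>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$"
)
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Za-z]):$")  # matches the \??\X: form above


@dataclass(frozen=True)
class Event:
    kind: str
    indicator: str
    process: str
    target: str


def parse_row(line: str) -> Event:
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    return Event(**m.groupdict())


@dataclass
class Signals:
    appended_exts: Counter = field(default_factory=Counter)  # ext -> rename count
    writes_to_renamed: int = 0       # modifications of files the process renamed
    desktop_ini_writes: int = 0
    program_files_writes: int = 0
    drive_roots: Set[str] = field(default_factory=set)


def summarize(events: List[Event], process: str) -> Signals:
    """Aggregate the report rows attributed to one process into detection signals."""
    sig = Signals()
    mine = [e for e in events if e.process.lower() == process.lower()]
    renamed_to = set()
    for e in mine:
        if e.kind == "File renamed" and " => " in e.indicator:
            old, new = e.indicator.split(" => ", 1)
            renamed_to.add(new.lower())
            if new.lower().startswith(old.lower()) and len(new) > len(old):
                sig.appended_exts[new[len(old):]] += 1
    for e in mine:
        if e.kind == "File opened for modification":
            p = e.indicator.lower()
            sig.writes_to_renamed += p in renamed_to
            sig.desktop_ini_writes += p.endswith("\\desktop.ini")
            sig.program_files_writes += p.startswith("c:\\program files")
        elif e.kind == "File opened (read-only)":
            m = DRIVE_RE.match(e.indicator)
            if m:
                sig.drive_roots.add(m.group(1).upper())
    return sig


def verdicts(sig: Signals, min_renames: int = 10, min_drives: int = 10, min_desktop_ini: int = 5) -> List[str]:
    # Thresholds are assumed starting points, not values from the report; tune per environment.
    out = []
    total = sum(sig.appended_exts.values())
    if total >= min_renames:
        ext, n = sig.appended_exts.most_common(1)[0]
        if n / total >= 0.9:  # one extension dominates: a marker, not normal file churn
            out.append(f"mass_rename_appended_ext:{ext}")
    if sig.writes_to_renamed >= min_renames:
        out.append("writes_into_renamed_files")
    if len(sig.drive_roots) >= min_drives:
        out.append("drive_enumeration")
    if sig.desktop_ini_writes >= min_desktop_ini:
        out.append("desktop_ini_touch")
    return out
```

The same per-process aggregation maps directly onto EDR file-event telemetry (rename events with a shared suffix, write events to the renamed paths, opens of drive roots from one process in a short window); the report rows are just a convenient stand-in for that feed.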

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Tongue.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\trdtv2r41.xsl C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\download-btn.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-250.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover_2x.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jawt.h C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Gravel.dxt C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlOuterCircle.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ps.txt.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\db2v0801.xsl C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlbumMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\34.jpg C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe

"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 134.121.24.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 52.168.117.169:443 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 2.17.178.52.in-addr.arpa udp

Files
