Malware Analysis Report

2024-10-18 21:36

Sample ID 230628-rhv1dsaf8x
Target 006ae41910887f0811a3ba286.exe
SHA256 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
Tags ransomware, play, spyware, stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55

Threat Level: Known bad

The file 006ae41910887f0811a3ba286.exe was found to be: Known bad.

Malicious Activity Summary

Tags ransomware, play, spyware, stealer

Play ransomware payload

PLAY Ransomware, PlayCrypt

Play family

Renames multiple (8230) files with added filename extension

Renames multiple (8398) files with added filename extension

Modifies extensions of user files

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-06-28 14:12

Signatures

Play family (tags: play)

Play ransomware payload (tags: ransomware)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-06-28 14:12
Reported 2023-06-28 14:14
Platform win7-20230621-en
Max time kernel 150s
Max time network 34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe"

Signatures

PLAY Ransomware, PlayCrypt (tags: ransomware, play)

Renames multiple (8398) files with added filename extension (tags: ransomware)

Modifies extensions of user files (tags: ransomware)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\StepRestore.raw.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SuspendOpen.tiff.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UnregisterEnable.tiff.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File renamed | C:\Users\Admin\Pictures\CopyReceive.png => C:\Users\Admin\Pictures\CopyReceive.png.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnregisterEnable.tiff => C:\Users\Admin\Pictures\UnregisterEnable.tiff.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\RenameUnprotect.tiff.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ShowUninstall.tif.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File renamed | C:\Users\Admin\Pictures\RegisterApprove.crw => C:\Users\Admin\Pictures\RegisterApprove.crw.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File renamed | C:\Users\Admin\Pictures\UninstallCopy.png => C:\Users\Admin\Pictures\UninstallCopy.png.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\RenameUnprotect.tiff | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File renamed | C:\Users\Admin\Pictures\RenameUnprotect.tiff => C:\Users\Admin\Pictures\RenameUnprotect.tiff.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File renamed | C:\Users\Admin\Pictures\ShowUninstall.tif => C:\Users\Admin\Pictures\ShowUninstall.tif.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File renamed | C:\Users\Admin\Pictures\StepRestore.raw => C:\Users\Admin\Pictures\StepRestore.raw.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\RegisterApprove.crw.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File renamed | C:\Users\Admin\Pictures\GroupUndo.raw => C:\Users\Admin\Pictures\GroupUndo.raw.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File renamed | C:\Users\Admin\Pictures\SyncSplit.tiff => C:\Users\Admin\Pictures\SyncSplit.tiff.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ClearInitialize.raw.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\GroupUndo.raw.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UnregisterEnable.tiff | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\CopyReceive.png.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SyncSplit.tiff.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UninstallCopy.png.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File renamed | C:\Users\Admin\Pictures\ClearInitialize.raw => C:\Users\Admin\Pictures\ClearInitialize.raw.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SuspendOpen.tiff | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SyncSplit.tiff | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File renamed | C:\Users\Admin\Pictures\SuspendOpen.tiff => C:\Users\Admin\Pictures\SuspendOpen.tiff.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A

Reads user/profile data of web browsers (tags: spyware, stealer)

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3297628651-743815474-1126733160-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02265_.WMF | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\de-DE\mpvis.dll.mui | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\settings.css | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107482.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196374.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00453_.WMF | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg.png | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgRes.dll.mui.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR13F.GIF | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\jvm.hprof.txt | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXPSRV.DLL.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099163.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL086.XML | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEOLEDB.DLL.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0305257.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Adjacency.eftx | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15173_.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMAIN.XML.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\FM20.CHM.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01171_.WMF | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\ImportJoin.jfif | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Details.accdt | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssui.dll.mui | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14532_.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\de-DE\wordpad.exe.mui | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Horizon.thmx.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00202_.WMF | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_F_COL.HXK | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB5B.BDR | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PNCTUATE.POC | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\calendar.html | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen.css.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip.PLAY | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\TOC98.POC | C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe | N/A
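The indicator tables above (the .PLAY renames, the desktop.ini writes, the A: to Z: drive probes and the Program Files writes) are what an analyst turns into a triage verdict. The script below is an added example and is not part of the sandbox report or its vendor's tooling: it parses rows in the same "Description Indicator Process Target" shape, splits the Indicator and Process columns even though both contain spaces, and derives the count of renamed files, the appended extension, the drive letters probed and the number of writes under Program Files. Note that the report lists each encrypted file both as a rename and as a write to the new .PLAY path, so counting "opened for modification" rows would double-count; the script counts renames. SAMPLE_ROWS is constructed from rows shown in the report, and the thresholds in looks_like_mass_rename are assumptions chosen for illustration.

```python
"""Triage of sandbox file-event rows for mass-rename (ransomware) behaviour.

Added example, not part of the sandbox report. SAMPLE_ROWS is constructed from
rows shown in the report; the thresholds in looks_like_mass_rename are assumed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

PROC = r"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe"

# Constructed sample: rows copied from the report's indicator tables.
SAMPLE_ROWS = rf"""
File renamed C:\Users\Admin\Pictures\CopyReceive.png => C:\Users\Admin\Pictures\CopyReceive.png.PLAY {PROC} N/A
File renamed C:\Users\Admin\Pictures\UnregisterEnable.tiff => C:\Users\Admin\Pictures\UnregisterEnable.tiff.PLAY {PROC} N/A
File renamed C:\Users\Admin\Pictures\RegisterApprove.crw => C:\Users\Admin\Pictures\RegisterApprove.crw.PLAY {PROC} N/A
File renamed C:\Users\Admin\Pictures\UninstallCopy.png => C:\Users\Admin\Pictures\UninstallCopy.png.PLAY {PROC} N/A
File renamed C:\Users\Admin\Pictures\RenameUnprotect.tiff => C:\Users\Admin\Pictures\RenameUnprotect.tiff.PLAY {PROC} N/A
File renamed C:\Users\Admin\Pictures\ShowUninstall.tif => C:\Users\Admin\Pictures\ShowUninstall.tif.PLAY {PROC} N/A
File opened for modification C:\Users\Admin\Pictures\StepRestore.raw.PLAY {PROC} N/A
File opened for modification C:\Users\Public\desktop.ini {PROC} N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini {PROC} N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui.PLAY {PROC} N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM.PLAY {PROC} N/A
File opened (read-only) \??\R: {PROC} N/A
File opened (read-only) \??\A: {PROC} N/A
"""

ROW_RE = re.compile(
    r"^(?P<desc>File renamed|File opened for modification|File opened \(read-only\))"
    r" (?P<body>.+) (?P<target>\S+)$"
)
# A drive-letter path start preceded by whitespace. The LAST one in the body is
# the Process column and everything before it is the Indicator column; plain
# whitespace splitting fails on "Program Files (x86)" and on rename rows.
PATH_START = re.compile(r"(?<!\S)[A-Z]:\\")


@dataclass
class FileEvent:
    desc: str
    path: str                      # file the event is about (source for renames)
    proc: str
    target: str
    renamed_to: Optional[str] = None


def parse_row(line: str) -> Optional[FileEvent]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    body = m["body"]
    starts = list(PATH_START.finditer(body))
    if not starts:
        return None
    cut = starts[-1].start()
    indicator, proc = body[:cut].rstrip(), body[cut:]
    renamed_to = None
    if m["desc"] == "File renamed" and " => " in indicator:
        indicator, renamed_to = indicator.split(" => ", 1)
    return FileEvent(m["desc"], indicator, proc, m["target"], renamed_to)


def parse_rows(text: str) -> List[FileEvent]:
    return [e for e in map(parse_row, text.splitlines()) if e is not None]


def appended_extensions(events: List[FileEvent]) -> Counter:
    """Suffix each rename appended to the original name (e.g. ".PLAY");
    renames that do not merely append a suffix are counted under None."""
    counts: Counter = Counter()
    for e in events:
        if e.desc != "File renamed":
            continue
        if e.renamed_to and e.renamed_to.startswith(e.path + "."):
            counts[e.renamed_to[len(e.path):]] += 1
        else:
            counts[None] += 1
    return counts


def probed_drives(events: List[FileEvent]) -> List[str]:
    """Drive letters opened read-only through a \\??\\X: device path."""
    return sorted(e.path[-2] for e in events
                  if e.desc == "File opened (read-only)"
                  and re.fullmatch(r"\\\?\?\\[A-Z]:", e.path))


def looks_like_mass_rename(events: List[FileEvent], min_renames: int = 5,
                           min_share: float = 0.9) -> Optional[str]:
    """Assumed heuristic: at least min_renames renames, of which a share of
    min_share or more append one and the same suffix. Returns that suffix."""
    counts = appended_extensions(events)
    total = sum(counts.values())
    if total < min_renames:
        return None
    suffix, n = counts.most_common(1)[0]
    return suffix if suffix is not None and n / total >= min_share else None


def triage(text: str) -> dict:
    events = parse_rows(text)
    # Count renames, not "opened for modification" rows: the report lists each
    # encrypted file both as a rename and as a write to the new .PLAY path.
    return {
        "events": len(events),
        "renames": sum(e.desc == "File renamed" for e in events),
        "appended_extensions": dict(appended_extensions(events)),
        "drives_probed": probed_drives(events),
        "desktop_ini_writes": sum(e.path.lower().endswith("desktop.ini") for e in events),
        "program_files_writes": sum(e.path.lower().startswith(r"c:\program files") for e in events),
        "mass_rename_extension": looks_like_mass_rename(events),
        "processes": sorted({e.proc for e in events}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run against the full behavioral1 tables, the same code would report the 8398 renames the signature counts, a single appended suffix ".PLAY", 24 probed drive letters and one process; the heuristic fires as soon as a handful of renames share one unfamiliar suffix, which is the point at which an EDR would want to suspend the process rather than wait for thousands.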

Processes

C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe

"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe"

Network

N/A

Files

memory/1724-54-0x00000000001A0000-0x00000000001CC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3297628651-743815474-1126733160-1000\desktop.ini

MD5 c2307601543d51f75f0b3f025d121462
SHA1 c73168b61d71c4a677ddac65c9220969f1197b39
SHA256 ee5ca610ce5d38b6e8eecb5483465b9772a917701b5a77b81a13ec1e6add0089
SHA512 89001ca310a4611a0d72af4e43a06f669c96db5fe9796a339a559cba96e0334c8e5c45e750ebd146e4fc734c6dbb8a59ca4f1295b26ee417d09f125d1f7bf54e

C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 4f89a8f6d4666962bc7dceab285427eb
SHA1 2397d54915ad5ac9b413d21bfe503169eccfa9af
SHA256 d3e76d5e82922bf34597717d1e786467dce8e568745ff0c92f3a31fe42e80d02
SHA512 43833f491047a5957361f1d5527718120b7bb68c02a5f28a5d4ab0e26c095a9a9941a9f44c5dc8fd3d0596f91679ee45cfdca355325ae971d69cacb75948175a

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

MD5 bc350e361a2a018881e53f0f9e2b6eef
SHA1 c1aeade497ca765db51585896d4d3164f2e597aa
SHA256 61345595a9cbc80365a51a04222b5de2440e6d16f1247507f7dcea3639018ddb
SHA512 ee14744851d5f0d4dc129a63a4b61e0e9493705fc970dc228527bd77d79e44ae146c21be0d1fd1dc3389284b87abd5c6a996806e66faa4f8c7d24d96d5646f91

C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 be6d1a5c07cccfbb08064ba527fff7cf
SHA1 b9121c09e8e0702c350b0c57ce77cd1ed98cf628
SHA256 f92ea0710635440a070232c6a141cac035f8018c481addb5612d8fd5eec762e0
SHA512 f516a9c29c0db9755f324cb079988f830f71f571a1bf3e936844e72da993e23eaade257e5575fe4d7c60354318e108490da142e963ef0474c3ffc1c543bcc701

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

MD5 47061c8a33bdfbb2529f35deab3dd20e
SHA1 35944e44e62f6927a1ab1b185af14e5c3895d483
SHA256 409ba7c022995fe743c4757bc87043e6908340a3b0554ad576eb158ea06be703
SHA512 7bb940c4525e5f97a2093cdf607dd799ec427b7d37c76e86403944fad822521d5bcc67571fbafc05e613384223033ac209a6a9d83fb9e804e982832385dccf22

C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 a63d41416dca36fb2671cd3c82c4a9da
SHA1 e1a25c36a94fe01f6470411a69e3230b60d26db2
SHA256 5003b4d623531cd7e572543ed85b5eae753a12c00b8fd7f7bfa04919554ef321
SHA512 27f70170dbc98c1be99e605ea79511b0940736d9ead08ab78afffb01f493758bc7e30ef60f1810648272842c71bef06479d15f47348da0d0b75d9ac7bb4eac5b

C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 d52fcafb9fb4d90446e31e4f500c1094
SHA1 305589a49a9e2e8827e25120b64b78a8c692232b
SHA256 3ca18de26320efac037f6b5d25f6b7433d8395e916380e261fbf8dbb6ca995ac
SHA512 4337fb68be417116e29a172a3b0bf8f83cd747fa0943ab03e7e95f39d4867b5b55b4cbc445d154a0d7fd631ee486b4384dcf3adb1984959b89879de379eec4fe

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 dacf2ad7a1aa3efe7f65f07ad5513314
SHA1 9c76144cc3a9ed95c30a942b34a5501663c9807b
SHA256 ba1875dca7b2769dc690234e05dbab7d820452610980811a3516896f8e269b04
SHA512 2beb2ba535ec29fad408f60954f73a6bebb00b66cb5edea9724920b1b3a7cf8d2b50813fb4c944920e3834d4faa99f1e7f3ee46ceef44fc8b9e306a232382310

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

MD5 a480764b39c171c2bc1c995a1279c896
SHA1 812008c429dd92fb333decb1b20c9e8db9b84678
SHA256 0d3f67dd56c2ba2b7f2d68352000168bb63eddc8e5e3474e61f47423a79d1121
SHA512 a2a2d892dbf1ae638dceb7504662d4b50436c9917b6f9d6fb9d73bfe692485bae7476dfd5a49970c578f22d4ecd0f6e6391ecf1095690b4d6e120dfef2715965

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

MD5 be1dcf940c00055ea50181a83e85009a
SHA1 395c0dd2b32ed67c54f11978b06d70a6068185c0
SHA256 504e36148baaea34b2a305042adcef93a9b8487f1899ef980e1a02018e5efeca
SHA512 1769261ff5d5e8ec47ecafd36ac7916db828dbff113516ad465d5edc17028505a83eaa099f46793cbe7aededd16cdc8c3297ab5e6de582cfb9f575cc28f96bf6

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

MD5 93467ee070d23a051a77bcb8aedfbd66
SHA1 113ac3608be6bc35368be526e11885135497a42f
SHA256 a85da52339ce7687d45f98afc5556ed9248ac25a88e60ac0f79a2db369984a73
SHA512 a07a9e1e26d6bc27682a854b567f2ef5c7aa25defc79dc00e99d6f29ad415c9a9dc48db0e096e600f2669ca9c70eb6b05e802a146fe404366e82e4a99d22126b

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

MD5 33eca5ff9e162e465871e0288ab72831
SHA1 32d8f7caa7455b2f95b438043096ebaa836f6651
SHA256 cffb51771e146e77f965c0594e99ed7574bc1696d032c8ab0b9c84159757fb17
SHA512 913d25bf20a70183139bc4ab98366f5790879cdfb46ead06cab2092ed340a9577a2a47696c12a9b4b99c841e7eff0ac18b66110a4127c2825f17b359dc9ce69d

C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn.PLAY

MD5 0b2678f74fa9cc52fdfcc65541601ac2
SHA1 521b0ba75b13c1df4eaf113f262a315d1ef6b12f
SHA256 004d09297b2401fc057600d9af7aca73a204a150100e87971e64c7fc9f031bce
SHA512 eda4b23aecc5f61b86dc6c05f28c9444e55e78fe8a3d2efa440d7ee4e224275fd79bcde64f3651e1860bf06cc3b860b38fca9b51a8b24f432821ca842370a6b7

C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn.PLAY

MD5 1eb458c7360d835f25d5e590d97c7799
SHA1 bf71c6044ea81e903ad8d0a5372e26972b9fbda5
SHA256 4c6e0687861b0ba79955983e9da6eb2b195958cc4c973c6779dc8de510a9a216
SHA512 b23ba7a671f3559e30cb4acb6af3aafb8b2ed2d7194866384f28dd56a897d3af90077ae74fc66484fc7d9ec0e39537057a870b093e0498fd9f07702ec9744c28

C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn.PLAY

MD5 2eadcd4e46981d616cf7a81e899575c6
SHA1 62ac4f17d43fae41e2ee09e5256f5cbd0cad5cd9
SHA256 93ca4f025ac8e1528e293d9fbf3b1049006a88aae57f30f2b5ec23031ca564ff
SHA512 3f800b90f47f7689ac84122c4028e10d1edcd352a6932118b369a65e6b6bb34469571d78432f4ae7a8fcaaa858a583b34ebc4700121d5807c260befb7c2f7da2

C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn.PLAY

MD5 a11af016464c8b5129f59d91c492d817
SHA1 392c84e8d49f0e9dc6ad6dd3131f1bcbddbaa63c
SHA256 7c835cf08e96f16cd8ae8ad9235dc45c356612a826f18761da2269c2795fa26e
SHA512 023ed20f9e23bef3b21e3c1ae5bf0f38dfb1bfed4e228590b254f527b0e2047c1680bd47c1b9e2c80308945e4eb8e08208aa9f9b7f9ee9239cdc544abbfc17a1

C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn.PLAY

MD5 f6e61be3691c5a4932031aa5eba6a5ef
SHA1 cfe480d7e576d231096c8fc62593291c69c9ff5b
SHA256 7d9d2cf524bebc2ef13c025347113159095ee311866c2cc5cc647cf118b50d07
SHA512 e86af975eaca82ba01b702e9a34474cba5eb21d0a09b4f54c565e1d7fec23ca21d1851136b0663e7b570d7ce0940fd446ddccce53f61d0fbfe899467948f8d11

C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn.PLAY

MD5 fcbe77fb2dda56228d4a1e5de1af8e0e
SHA1 5301627e3a40a5697de8b8fde655e35c6f01777e
SHA256 4a9b1d7a91f06db882fd7d42bcdb47d2acccf00d97654d1233677bfb65872fe4
SHA512 1e9434ba8db9baad41b1a7943c7c184467825952df0a18e7a0151cc129fdb3ca3343a9b0bf78b2f480027c6377b0ee8472c5bf62ff2b204334d0946a949ff0e4

C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn.PLAY

MD5 88ae6b5c658768a962f5287902756092
SHA1 1faa36dc1d6aca94e07f222625618d97e48faf21
SHA256 4553e8f32a7d8fe0d0f2ea02074e262085892de72e0a6decaab745c2124adc3a
SHA512 b1ef5119069f03af07a62ab2a8a3e2369e7674e7aba4a69097ab1ee9d4f7fa9e8aba6a29ef00c5844bda709bddf6afc6085fecf70d8eb227338e2c8d4a347a3d

C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn.PLAY

MD5 6e5a12a58a4c8ada0c81130ae5dbca24
SHA1 602e2cce89d39ef6e6cb7a0096f83c5e8bfa481f
SHA256 985788cc917134c4389f2d11c6aaf858534239b86f75046f18035949722061b7
SHA512 4ccb7b32c2cb1e8e6fbbef10b2ea7b62c35a0d6bc11e633b130ed28fb5295fe37670a0913b6969ed981621d67758c720e753a4de1014325e52ee7ac759e0a259

C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn.PLAY

MD5 e7ff58a3aad4df3e6972d1b083649eb4
SHA1 15e53c5873b653484d1214dbf0124c28e868e6d2
SHA256 bb4a22e5efd79d803e8210d5113b03f7955c8bcc1054acd52551140714ca5cf0
SHA512 00177ea96d37057c6be6bd5b593101fbae5ac10a0a17c1ea009b180b705c3e00ff82000ea615b00da4890ace57030ad2930b890cf1a6ef79237ca85937af69b4

C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn.PLAY

MD5 6c8db00f479f21f9875128d874ea3192
SHA1 0d0fe5b892afd9c556fa3ef4e3d4575fa3959277
SHA256 ccc4ee4aa0c25ce71b7ba0e6e923c51b4c3b9c86a2b5fd5f067c2b04d85b7d7f
SHA512 2b3cb24a19458c52b6ce3c501870f2b239ea10bf6fa74531d2b3f1b2ce1600744e55d04d6e7ca09d90eac186ece9c04412862d0006ec3a1b488b4a5e50848545

C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn.PLAY

MD5 13153e6922af396fe9ec1ee4cd87916f
SHA1 faa1ec5cba2e93bbde063b9667407f80c21a2820
SHA256 a5362d0d7bd9920a3511bdd2e3d25512985afb05be21c0bace80f99ae7d35b22
SHA512 30e68b69fbda6caf56df66ebfc317fe13d58980a62efe8a068e51a5a72fe6cb7e6845f07affdfb3c5e61e002356ed70bbfeefd2caeb1f6a696717b40fdb12abf

C:\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH.PLAY

MD5 d0941c610b7a003368ce7e67fe4f985c
SHA1 b24c02d7686dc2e93514509e8716485c17b0c60f
SHA256 270535b198e5ba0af62db9e19bd0a4b6dd8d9b605724c4cabc7174a0b5d6db97
SHA512 84362b7537389c5a6492e576291507da0ce52c22b86e2445ffdc26e345fbdf41e8ed2791ec566a7b1b31483a1f594ee3b501b0d97ea35efcf2fc84b9701e64e9

C:\ProgramData\Microsoft Help\Hx_1033_MKWD_K.HxW.PLAY

MD5 c22c0d82554206b8cd6a9e017e7c30c9
SHA1 2da18690ca21b10d285f5a37af4e2c388f10ffe8
SHA256 b910aa7efef083ea6758259a88e78913c285f285b607ec4f4548dc9af17a176f
SHA512 6853a04b7e494b59c53f3ab30a3cb527241e19e851a65e7ce6bad0886034fe91f5dc3a30a30707a76bc822f2c39230b9b752e5da158c411696a1d759eee50051

C:\ProgramData\Adobe\Updater6\AdobeESDGlobalApps.xml.PLAY

MD5 6927b14442a06f0bbfe4ea10a56705a3
SHA1 03bd7e6679a7e1586f6756b36a0ee7c42b5d5da1
SHA256 c58d771df3a824a3a366ff7ed0b38c66e593c5afb49c618d7bcab153b6e4d64b
SHA512 31689010edc69285a53234d8a6aeced02e3f28a74c471b5da8424934297efba211a671d158ac4f5b85a3b240118eab4ee38aec61f972b9e170200c27835932a6

C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 b41936c1c474543c5f4d3fb7ac3cb5a4
SHA1 c52d5d085a462b284be93e91806daa7a29fdf246
SHA256 5b357e0d24dcb957b8232f88b26e786fd248569f76e6fc44d0b39b07f6dc8985
SHA512 b720ade75e0cf4aced3a55a54c185b5f3df56ed5108758dc6050085bfb66b0809a5c19d6bf9681468822834671f73f5c221c70b7b125249bb755a2f9d475c73d

C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 88632c10279598afd3f4a1baefca7f99
SHA1 2bce2d36b32f31ccac13f84f908b0364cb96f5e8
SHA256 643e874b0e4873857ba6b7f474b45946bc9dee47ca7296e51a6bb905b1bc06f7
SHA512 32affee276a88142cd5cfa7c2a1ccd3c44c9af377380d1ae929d635007f78d05fa185d19cb583af717a695df94cfc40da40221cfcdbe72b2c66a53f038c6fe91

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 9c617990c9ed3bcbe9455e451a113ccb
SHA1 b9481a8a2e12a491e6df9aa857765fac558d0274
SHA256 4d6527c6753052d96dc2e03dfb885e581e4a61fcae47e1ae2c9f70bc3108eecb
SHA512 22fcc7c044215995a7dcb066ed91440c07e697f552b3d15e4c260fa995dbd6a971c7af0d9c0c70103a64fc5a69968967af9168597b60733076ae921f3c31f698

C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 b6f7eea369d92d991064515085d6ff8b
SHA1 7e0eaf801ad2dd3ef359f7d2ddbc2289ace1ea06
SHA256 702f1b34ba6dfe9504ed6b7767c28687944e72a9aa61b4cce57ced7d4f840b8b
SHA512 83066af3bfd72d8ef5f3c82318df6e4a6234ec76ee5f52c0e3d8bc7c4637ebdcee7e77fec5d8de51c57cff5b0c346c58be1fe637fdbbcbb9f2461e3dafee57c2

C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 ea1b100e58b431fd3745e3816c75865b
SHA1 af3a97a8c200321fda6cea38e26b22d93531af82
SHA256 ad6960f652a3535b285e7d10bccf4f435bc251e95f2f118553bc200eea6994e4
SHA512 0b5d6bc21a51c710e2655b6028d8022567225c97812691a132bca9b30c5dae86d7f4ab424250c7c0ec925a579ab3c2fed1e2928dfcdf443c06a9a4cd22fbe529

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

MD5 26f6327d66623f541f6953ac8ed02b73
SHA1 58c9e6710a5bcdf8debb472eb2208e447992df36
SHA256 bcf6ae82ccb0b1ed6b8fa96452013f1ae255818b21cab96e4500baab237e1a38
SHA512 bcd8a30c13001c4f0583184d14a047d160e22374017eae46ca0dda4114725ee6b3ddcf7eb2b0bc000ce8a68ce6e62478bc10959cd9f9bc0e71d2206b028ce3b4

C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 3874cdcc784b6b1ce9007a923b66fb8c
SHA1 e9faf2f8483f2fd09430167a0bc4e12be50cb312
SHA256 38bb6fe75332c31f66d4c1b83170dd5abecfc093ee67fb3d0b2421e13878b114
SHA512 4951a2af73422010ee7e895a4149554b31e78c9cc1b8adf3aca78df40c02f5d9aefc1248c62f979bbe12713f04613d722b03bc427e8a6c02ff5020279aade512

C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 f2e2a9db37655654c057bc1322a890d3
SHA1 c8c757be0d77e21282be9843eb1ff44d947f7881
SHA256 c168e63ac3f12b1b4080fb11faa2529151671f8cf2efbdfd1f22a9c792a91258
SHA512 873bf7580556a5ac1026f74539ffee8285768698f0cadf3d616fa96a146a50541c7ea3d3b202b87ef83be1c426ce3a2b4e72ada6f27d21cb4e1da5aca9a33bda

C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu.PLAY

MD5 ed3e6dd0a52095d70d067711685d5b03
SHA1 486db951997aae60e71e9fe4bd01a9cddad48826
SHA256 100f3ea6d518eaabf1ec3d26bf43501d2da6f7ddf1771043501ea0755e4dc58c
SHA512 31178936f26e068061804c589d76e6fc2cfb1a898d13ccad9f164d43cdb94adb123f2fa23b1d0cdc42b75fd23fe12b483429adadb83a8cc8e35d88c9c8a00587

C:\ProgramData\Microsoft Help\nslist.hxl.PLAY

MD5 70983be95851ebdc357a1541f64b1d5b
SHA1 50269ab9fd1cc72d9bed22a8031bd5d1dcc67bf8
SHA256 2f3a9625f2ec40a147847866b2eb59065d4fda729e15b2680eb108ae6b36dd26
SHA512 4ddfe6ac219e929865cae4433ef4399d431a861ee81f8ec8e67b6e7642e26c28c2bbf4b09c866ad4b53ec1af7b4009457ffad4b4dc1929bcaa4728880436f3f9

C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn.PLAY

MD5 323eafa7b88c9057a6c53da1946ac519
SHA1 c8ba1c547257c0a187c3b3774e8da2e96d6de92c
SHA256 c192c8b5ad7b666714e2424b7a53c0b850f3b5055fc2aeb3f07320eccfac6bf9
SHA512 137b3bce30d8ac464b2aeb0eeda7ce1cd0ead256448db574e4f17604e03539ee794a116e8a6d1d9bf89a999899933de12c52583ee61b1e322376c716a4b653ec

C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn.PLAY

MD5 ac245dbc800658eade498b0b6e4bd8f2
SHA1 0cb1cc165810c5cfe4d8d0bbe8156992279302c8
SHA256 620f34e49a6b278b4a0549b3abdcb80942151bef0213c5097924e0270009a1dc
SHA512 1219ce2a948fa875bc9f4ed4e4bcc089d43e1634c10016c7461b08abc5d67e2294838345a115dcb237c7dccf9d8dac59e0d9d5e2e27bd55491bcb10f828c427a

C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn.PLAY

MD5 db56e46eefbdebc41852475574b363ba
SHA1 b443140e57e86ee0f6a79977e86cdea57ba53079
SHA256 09cc109630ad04bbf38373569005deec3b5996f747950dbf5edeedb8588ca4c1
SHA512 185056cb6f8d259fd39c9688150d73a81369e098f28f59352b7062b7e5802693798768639665d795866cfe861e3eebfc5720d4094e6ed842c1792e723c7a6882

C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn.PLAY

MD5 a5e8ac8e85f76cab998ca08be40f01a0
SHA1 04d47fcf79dd984b42ae915e7e4ebdfb707f3e42
SHA256 6cd0d5fb960a228b27f67cbd85fc267322956b7033b76cecb89c31c144e00ec1
SHA512 75e33a1cb7cc7cdea5522a5b26dbb7de2c11c8d039e960a79bff53a96b8d13f87a9173e3309b53be9bcda0db517fc0c418889b9562f467a88b0e59be037fc453

C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn.PLAY

MD5 84ac71a8bf142cd88feb7eb0b400fb5b
SHA1 dc519e82ab90dbffb824522f53927581fc25be3b
SHA256 07286c98977ac7386f9e67ef58c235fa685ee9c2f657d5efd311d356637e67ef
SHA512 fa96fd05b9e30dba5578985a72e446311b4e2b58eaf8df8f37ca3eec36b7213c61980777d28e8f219247d8a9ff1c0a7dff67ea1dbf1f6f0cc27ea0bbfd5e2d5a

C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn.PLAY

MD5 5f91a5777e834dfe3b60f8d6a85a74d8
SHA1 97d136e8d72adb5f35355b90e63223ee12381c41
SHA256 ffebd3c7ad96e06510710444bcc64e131dfc4ef83cf602fe48db8975bb602c36
SHA512 597b5bcd36c45db9396973096506546d12941dd4c29f4ad841f4c0840a2fd5b7228854954dce957cd6d23bf7f90f69de470765aec3bba3a8f6f29510e2fffe3c

C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn.PLAY

MD5 837aa830e87acfe7c418f5c98de85f2c
SHA1 a1311fcf70518e08c9eb7d27e9e2f0359759825b
SHA256 87818217a6a14c96ac9689c4a9b745f80566702d86a537369c903788a6486854
SHA512 ffec78f3ab502f976c196bfe1dd0d39ae8b871f1e154629052506bf5b4efdd787264d5e2f49e454feb8ef8cd4e4cb6d4d340a7946e505ca97205323a12b4e016

C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn.PLAY

MD5 22b128c21f40b6523fdd4de02872dc17
SHA1 852cb9734de9bf2c62bf9a4aac31e4cd0c1a8fb0
SHA256 8f18b34fc1f41071cefd56bf87992b880b9208d60d6480b67a18bc1cf0201b4a
SHA512 5381e58916b5ba225f636ebb1c56a7cc881f54e73930fe882c87006a206546536a2cd928e1748000cdb9395b3118a08716138fb16edf413b8541d60bdd322052

C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn.PLAY

MD5 a1374ca326bee4e57af4f9623c0b0780
SHA1 f20f65d9f1e5835f4c242f14e3d093d4ac2f1ed1
SHA256 cfa1980828597550dfe7a378efcc71266c7e7c4644bdcb0a3d5739888d444377
SHA512 996a996527d5fd32962323483961be86bf5c6df2f87d2fdc4e22853a010277bbc83e3da6152467987aabe0820867d692a5d2b9b93a53f69db98668ab5b62ef00

C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn.PLAY

MD5 1f30d2dd44ded3469c68bc01a02999b7
SHA1 8f109672fb77fedf08820fcb9acfbf9e7de8d5e9
SHA256 04c98817d570e5d0fa5163593cdf30f57c66d13ad96967f486f1adc5306f5b48
SHA512 a8838fcf1c76e25933a27810930dc461bfb2ec0fa26ab363294116eebfd2af8c7fc8c41815e3dcf5bf33c1a9800aa8790155f66029f69ee9f9bc2d099d50324a

C:\ProgramData\Microsoft Help\Hx_1033_MValidator.HxD.PLAY

MD5 391bbbcf023e1614cecc614fbf1b2429
SHA1 7f3a2c1459d63c62dac4f2c0b8774a2df63b34a9
SHA256 521e48e2b9a2d65a5ea1404aa44ff20b0a82901b921a76af689d3c918135d2b2
SHA512 13587e2ce33aafb89aab78412dcda5b0b5d98b31f1c67e485096fa2bf3a67a849cb410436f4ce9b7547d24f3d895af345bee27afb22202ca74ed728a1abb2969

C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW.PLAY

MD5 0f6a6c8c973883b3415b536e8ab0668e
SHA1 ad8f32d5b1d156b4e6a5d9a40ce58e5221161282
SHA256 2d8ecd9b060736eb0a4c109934b35095a47f508cea33ff031e2868a286c55918
SHA512 9b6f3dfe0dc7d646b49daff227e0bc3a21c57419b8075c2b6060f17cf10329051d532320baa21ca0e54002a897d94a2f58463fe022e5be257f4f60a96a95bec7

C:\ProgramData\Microsoft Help\Hx.hxn.PLAY

MD5 e5a69866bed66fd67f5c74354d31a70a
SHA1 43704dc506bfe4de34a8cc4b78e524ecebf53109
SHA256 e53a05990b92c786e100be4c3822b713292ae365a935a2b54f27550635cf4b4b
SHA512 cf67867cd703968fe9868eea7faa889bdc68c707e3303bcdb1069620d6e26248c59357d29575342457ba7e45069d299a4f32bd1dc159356d639cc69bbf137f76

C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata.PLAY

MD5 27cf17a14d2f115c32ab619fd9f40819
SHA1 18fb1424f89171124dc401ff688dcf7aa470f0a4
SHA256 111df73e1d6ff11db4b37a884949900d116c611a56e64e473052f58ba7e830e3
SHA512 e2d3244f8e9db8893c16859744b14224ac54c993dd1f0d647ba3a80816593e80a057a4a49f7034e8da80571fe8bfb62db12d9c61f9b534ef9a05eb0498b1a9f8

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-28 14:12

Reported

2023-06-28 14:14

Platform

win10v2004-20230621-en

Max time kernel

77s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (8230) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ResumeShow.tiff => C:\Users\Admin\Pictures\ResumeShow.tiff.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Pictures\DisableInstall.tiff C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResumeShow.tiff C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File renamed C:\Users\Admin\Pictures\ReadConfirm.raw => C:\Users\Admin\Pictures\ReadConfirm.raw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File renamed C:\Users\Admin\Pictures\DisableInstall.tiff => C:\Users\Admin\Pictures\DisableInstall.tiff.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File renamed C:\Users\Admin\Pictures\ExitUnlock.crw => C:\Users\Admin\Pictures\ExitUnlock.crw.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-125.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\BillingStatement.xltx C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\15.jpg C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\AppStore_icon.svg C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated_contrast-high.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\adobe_logo.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileSmallSquare.scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Hedge.dxt C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\s_thumbnailview_18.svg C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\webviewBoot.min.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-white.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\weather_2_travel.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\9.jpg C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Exist.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.nuspec C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\REFEDIT.DLL C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeGreaterThan.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe

"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba286.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.121.24.20.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 20.189.173.11:443 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp

Files

memory/5028-133-0x0000000002990000-0x00000000029BC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\desktop.ini

MD5 1f8bbf4edb5f262faff8cdf4195649d0
SHA1 ab326af1f1045146398c5e68c6fb005ee18fcc70
SHA256 fc440f72a28ca231f10533f2905621bc4a085b21de483cf0ef6f68136ae8c56c
SHA512 110a976f23a7f9954e061b6fcf2154571a27e0148ae7a34c55b752bdfb2a70c199550956f47ef857ee0e4da88449003ddc027962999e9da44cef64795c36bdfd