Malware Analysis Report

2024-10-18 21:36

Sample ID 230628-rshstaah4t
Target 952fec5f9e7137951700d7e42.exe
SHA256 952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f
Tags
play ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f

Threat Level: Known bad

The file 952fec5f9e7137951700d7e42.exe was found to be: Known bad.

Malicious Activity Summary

play ransomware spyware stealer

PLAY Ransomware, PlayCrypt

Renames multiple (8472) files with added filename extension

Renames multiple (8341) files with added filename extension

Modifies extensions of user files

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-28 14:27

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-28 14:27

Reported

2023-06-28 14:29

Platform

win7-20230621-en

Max time kernel

150s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (8472) files with added filename extension

ransomware

Modifies extensions of user files

ransomware

| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\ExitRequest.png => C:\Users\Admin\Pictures\ExitRequest.png.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SubmitDisconnect.tiff => C:\Users\Admin\Pictures\SubmitDisconnect.tiff.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DebugAssert.raw.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SubmitDisconnect.tiff.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DisableLock.tiff => C:\Users\Admin\Pictures\DisableLock.tiff.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DisableLock.tiff | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SubmitDisconnect.tiff | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DisableLock.tiff.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ExitRequest.png.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DebugAssert.raw => C:\Users\Admin\Pictures\DebugAssert.raw.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3419557010-3639509551-242374962-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |

Enumerates connected drives

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.SYX | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBAR11.POC.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\security\US_export_policy.jar | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.XML | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Tunis.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18215_.WMF | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageSlice.gif | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtau.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWSHM.POC | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07804_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00211_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02051_.WMF | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROG98.POC.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CDLMSO.DLL | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Whitehorse.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00005_.WMF | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_COL.HXC | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\TURABIAN.XSL | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Angles.eftx.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01569_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Newsprint.thmx.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230553.WMF | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR1B.GIF | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199423.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieResume.dotx.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\LAUNCH.GIF | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREETING.XML | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfo.zip | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00270_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boise.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-progress-ui.jar | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\List.accdt | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304861.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02092_.WMF | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.PLAY | C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe

"C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe"

Network

N/A

Files

memory/1040-54-0x0000000000120000-0x000000000014C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3419557010-3639509551-242374962-1000\desktop.ini

MD5 92c30dae67e517279947b93fbeda1d08
SHA1 a6fa53a3f9cf2d6db71509031e559d5018124563
SHA256 4bdb926d2c3be2f3eeffa62e2e409feab914265fc28ab208ea19c1393292e872
SHA512 902ca307e9e4766df4142c11293671ceaaf99e1c661f8554232680e146c7d6132e43870217486b8fde874556b35b524a86c3c6e00b4eb65ecfa96903561aaff4

C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW.PLAY

MD5 c6a25d40360253a3bb3306e8e482941a
SHA1 f7526cc16c909f967e2bc3c421a59809c374f33e
SHA256 cbf4b64a09548341979113335d5007ac0a591f325dc1683f47ffaec3a7fa6b3a
SHA512 4127837a0c17fa901e5aa312206587ec6740fde510887eeb5deca0a73da2a8f7c7af3d910df098bb88aafd4333bbc19ad21727e672e1eeb128bfecc9d0795674

C:\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH.PLAY

MD5 054b1d0d1c97a4611baaf13c788689f4
SHA1 ae8f03ab7b64f21e69abc3bc10a1892213077769
SHA256 94ee11a87fa7fecdd7cd80d6452740a5ebd3b58d624d6a7107fc06227d914bec
SHA512 3868dbf00d74cd65ab092b33e99157bd1e3402f9a6a972e267ea22a974352f429c69788943321da1fb8d3377bddadcecdd937f9158b04e02e1867c73b2ca789c

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

MD5 2849266b7bbba1f82c2e899b1606d17b
SHA1 3b23284749c333921e95546da964096a6bb6710e
SHA256 51b3b2d56b9b88c8e3d75aef05f6e0e94b4fad369c9d00cf6577d5544a1c3500
SHA512 0535c7209f2cc3c3b67f911246aca135526f5fb4aa8985469b9a3c878cd04c1475f0e756e7d39a5413775a758f7914c9bae39fff0bf1c0a9ada25d802397dcd8

C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 adf49eb840be346a2d9eeaf6edcdee29
SHA1 8e237311e374d59190a9b60e6d43832bbe2e8b70
SHA256 286b06b27abf4a3905ed6293f0e12877f2f5100e1232a56740b03b5c578bb691
SHA512 4c14bbcd965f7bf33efc7f4b5fa37511e266d8bc0ce17529c5a83de9a9ffe043cfad9828cbec1cabbc5624485225a12436a0e9cf8695fa9148486e34d4c2b22d

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

MD5 7513f8a050c3883dd7451357327b7eed
SHA1 6caf4c04df300480e71811d48e9b5fdf6a479bea
SHA256 9491b36b02b766e2000cf73d8622c226514b97636d66ba880b79130ffecae6c5
SHA512 2d495e6a15ec0aa308521fa01264a27d45f485ea2bdc22b2442730ed26974e5e2355a6fc02e6711db1bd40d43da3501683f91f3564aa27d62b65977eed5714e7

C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 d4719b737ca7ceb2f0b7b40e60331f58
SHA1 b3f33f9f3d8402d937466a1d8074510424cc0f9c
SHA256 c79bacc49c46a6b2c756300013de46e2223f268e88dc70497ed4ca1921e4dfbf
SHA512 ed53bc9e73b289ea415ad663bf3d80d39621b3f5cd6e393c6529fca267f7d996c1a8e5fb1868f7eebc2807eda465e7ff4cac8a4905fbea502dde022fb5e0d01d

C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 2e3187f91b25e69d876015e62bbab0e2
SHA1 c72296f56cf8495c745802b531f4ae761fc53651
SHA256 51576cb4b936296d36c6b57c052a8840384c44d6f4a55fca5bf6e6575e3367c1
SHA512 4d7eeff49a0a9161f1a2d8ad7ead7c8cbc83761898a828007cbf6600f3fbee8416f7f292e7bd1ec843f0d22ff0319c35ebdf2ab2950e8524f28f746e03f4b03d

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 5539b78089cf233c08ac1e1ac30783bc
SHA1 86679b070d720e6c1865f49d437c6445160bcdbe
SHA256 3c7c36f228236490cfd977bcd57152b48d8f95828224f2aa5d3d45d102af50c4
SHA512 8537039e91e6b5192861dfc880dffc92d45fb2911bd5a082e3ca6cda035bbb455826988be867d2cff7be531db845bec805486074c82edcfad6d6cfe772d2031e

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

MD5 ff885bee2ec8b2862e2cb44bc3c01f08
SHA1 e4912943d643ba62763ddca583b01b8a6e0819bc
SHA256 d8b66372e55637f48d45809a9a5ac8e1f23708593e8c17ebe0f47ac6d243fabb
SHA512 9c8289e423cd777ca4a1245c00f3ed191b63b55ad03815a538bc5f5f6a8662a3d14891eeef60e03788a9b4d96bcf81467e693dcfcdfad1a21fc92f87672af58e

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

MD5 42b0c22cef86b86bea333bad510f834a
SHA1 888846a270a7a8b1f6e3cc5e5581856a0921231a
SHA256 6cf7b2f3eb20940c8830ebbad6a093b02c90b426fca65d798c16521f7a6bc541
SHA512 5e02bdc32c2281dad22d0c5f59abcb34a2a60bfafb005e559123c7248e39267abaaaba7df8e8bf98b7de352b3e2d635587b8e5c9a883ebb3053fcea4af78309c

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

MD5 adac03f3abc13fffe9351ea0ef6cf8b8
SHA1 417bd22e2bd0e4e34957051e17e1862600e2f4ce
SHA256 807dfa01d607b27f0480762879690e6229c40e69ee07f559032e4e0a1b3bf271
SHA512 3def18cd24441eb030c711c4e60049332bff67901fd316c4fcea609ab253a78a354a15754031baae6550b1cc1a7f94e7667cfae16bc141725e91c750db7f7d9e

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

MD5 03717ca9045bc950104a6d466b0ca5e1
SHA1 8fdf7c0615010a460903afcc840d4642ee1c841c
SHA256 4aa58e9aeee681d14eb44ee8836629756a11de99c4a22e3bf10849448b9ea968
SHA512 05b3abcf088084ef79bcdc84142127cad2de3203a5391dd68269c6bed2bf0e6cd1451a0afce3dc681c24016b97363ce8a30a77c705a6a8fb832b8ccbc39e9e48

C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn.PLAY

MD5 15c2b466f0e860d929ce207612603c89
SHA1 cd9e3a2c2ef89b98a73e29f799e93c91fa7dcacb
SHA256 c604703b050686a7fa7fee5f30f98d9f4e51c4c29fd6c0d41497450dead0e49d
SHA512 19a935c8945e18b8711c16d86fec9dc20773fc37889d63eb13f836c6afe059d8565f524a6bc1fffcddcfbe9ebd6ae7f77955adb127fb61a266d42ef1b9d43fdf

C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn.PLAY

MD5 cf97b42d21cec87b094ad007c5ac4b9b
SHA1 1c0bf866b62d8ebc6206b916abfff7d26b5869b5
SHA256 965d9e27b1f30259aa6c61a2dcb414d5e56cedc2374551c63d4c9136b69c7923
SHA512 76b5e8f806ef2e70c5063badff490492bb9e901280b59f1869faeba1681907ef9eb89e9a8a0ededa65a986b03b6eb612e77dc0a0244fccfa72d6033cf8871c70

C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn.PLAY

MD5 5c6692aa02c79c365d6be0283a23423c
SHA1 908e4d584c27907c8f11ad266f0279c682726742
SHA256 f2a881b3d8b99555482e1d72d4ff8888f0636dcdda7fc6bb1638ba29b132d70f
SHA512 3fc1ab6c4386c7651db783fb72df154314f5a554942028d59960c61b875f645af46cb2b6cdfc477191dc07a96ffaf288b1916220d7a99407bb645ea561c9cfde

C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn.PLAY

MD5 265cb8ac97efd1dba89d33761f125188
SHA1 6fd60fc9b44e4801ee40bd53212c437d49cc7dfb
SHA256 69a8d5b7b1c7916225dc91597fb20036f86b06cb0defc41b1fd88797190e45b7
SHA512 3b9cc7245c936148210094a8d985a5a1b467b4dc95a2e62057aabcd2773825ad2643bc97b2bcdddd6e5ed61ec8dd3cfb984accfde8a456cffafa8a047842dcd8

C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn.PLAY

MD5 83dc401572d77bc00079daeedd728f7e
SHA1 a3e32553d2954516c298d5945317af417e24050a
SHA256 9056ac155baa7c71315195223429f1b5e611ad600d424a14186c5e537e1bd6b0

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-28 14:27

Reported

2023-06-28 14:29

Platform

win10v2004-20230621-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (8341) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ExpandEnable.tiff => C:\Users\Admin\Pictures\ExpandEnable.tiff.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExpandEnable.tiff.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Pictures\OpenExpand.png.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Pictures\SelectStep.tiff.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File renamed C:\Users\Admin\Pictures\UnlockCopy.tiff => C:\Users\Admin\Pictures\UnlockCopy.tiff.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File renamed C:\Users\Admin\Pictures\RemoveDismount.tif => C:\Users\Admin\Pictures\RemoveDismount.tif.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Pictures\RemoveDismount.tif.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExpandEnable.tiff C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Pictures\SelectStep.tiff C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnlockCopy.tiff C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File renamed C:\Users\Admin\Pictures\OpenExpand.png => C:\Users\Admin\Pictures\OpenExpand.png.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File renamed C:\Users\Admin\Pictures\SelectStep.tiff => C:\Users\Admin\Pictures\SelectStep.tiff.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnlockCopy.tiff.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-4025927695-1301755775-2607443251-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_tr.json C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\ui-strings.js C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\altDekstopCopyPasteHelper.js.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xsl C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-150_contrast-white.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt-br_get.svg.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\ThirdPartyNotices.html C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileWide.scale-200.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Msg_Received.m4a C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-400.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Windows Media Player\mpvis.DLL C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\TimeAppService.winmd C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSPTLS.DLL.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\setup_wm.exe.mui C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-windows.jar.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RDCNotificationClient.appx C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\hmmapi.dll.mui C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-80_contrast-white.png C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\platform.ini.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif.PLAY C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe

"C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 160.145.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
NL 52.178.17.3:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 161.78.101.95.in-addr.arpa udp

Files
