Malware Analysis Report

2024-10-18 21:36

Sample ID 230730-h3cj4shd6v
Target 14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72
SHA256 14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72
Tags play ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72

Threat Level: Known bad

The file 14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72 was found to be: Known bad.

Malicious Activity Summary

play ransomware spyware stealer

PLAY Ransomware, PlayCrypt

Renames multiple (8306) files with added filename extension

Renames multiple (8426) files with added filename extension

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-07-30 07:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-07-30 07:15

Reported 2023-07-30 07:17

Platform win7-20230712-en

Max time kernel 150s

Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (8426) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-4159544280-4273523227-683900707-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.config.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKREQS.ICO.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DOCL.ICO.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\THMBNAIL.PNG.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\THMBNAIL.PNG.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Traditional.dotx C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MENU98.POC C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nb.txt C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\BG_ADOBE.GIF C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\IRIS.ELM C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ACCOLKI.DLL C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Pohnpei C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\gadget.xml C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0240719.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14754_.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01060_.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0291794.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Informix.xsl.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107492.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Paramaribo C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00177_.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\validation.js.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL065.XML.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690Nmerical.XSL C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\currency.css C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15169_.GIF C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\RemoveRevoke.xlt.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ.POC.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239943.WMF C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09662_.WMF C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00734_.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\BHOINTL.DLL.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\http.luac C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe

"C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe"

Network

N/A

Files

memory/2564-53-0x00000000001A0000-0x00000000001CC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4159544280-4273523227-683900707-1000\desktop.ini

MD5 daeaa739dd4fefd57574bba66db14573
SHA1 a048b291d51c7350588e389e66d689682a096f5b
SHA256 aa58bba1341edff46d985304c6b95f37254b7816546998cc8224454d9cae797a
SHA512 38b43b48a13b6bca0e230ca272d6b8e3c2109cb59d676d919d4983c9d6e93ba5ee9e9d291bd6963e5d6b4908861273e3473845e6aed927073d05f3fc33f3c615

C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata.PLAY

MD5 4bef5b8ca7f3c656346b7a8f81803bbe
SHA1 a80b93cd04ddddc8e8fa97f5c4df37f63be097ea
SHA256 008fced0375ac3b15a015c1aac6016c94e9808549edfcc3f3ae958713361c856
SHA512 768d5d7b568a13b5fa6a7fdcef2e8df48ce1fae0ccf70b557ab5cc97160a55cec7f20d7d0ea5c68152a23105da77e7456139d244c810564116a1e49b2de63a2f

C:\ProgramData\Microsoft Help\Hx.hxn.PLAY

MD5 4f82c111e3754cb27394586a53edeae0
SHA1 d303ed1abb744c21a4673c07f325ffcaa950bce1
SHA256 312c01425cac8cf041bbf046799714a49fd7c1c5057d7ab4dce4ae5ef2c88594
SHA512 b2bdb1a7fd3e6415754e5c3736e7ce90b9f9dba1f35933e4af6dc1dda613e21b36091efa875d0671ac00d04cb7605d88936d2c70b0e8cd898a8ced02d25c0246

C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW.PLAY

MD5 004351bceb85793f9df8e1cb271cde9a
SHA1 867929a819a61e4f021cd98789e46f6e59b6badf
SHA256 2201028eb25a082134e74fbb1b1918579c2e6c2b0d09448b7d6491c991ccbea1
SHA512 b8575caa2fdeeaaabd1a0e99368845cf1dab649fa039c9746bece0d8456b6d959d16a6e5dd9865bc43fc690bc41f210d62247b030daa0c260f471eec45dc163b

C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 a429930fcf4ad945be59da8dcf4195b3
SHA1 579591710f4f5d02b748b19b2262f536305bb280
SHA256 cae27003a084e5d9307eaf4b877b054782ea14b98180343e4188d059a0827505
SHA512 ef054217d1c930b1a3a3a26d8f8519c248168a2fd33529e3710f7ac836a6944e88d084c84bb0bba63280e5714799b29c4bf6cf14ae5a50c73cb9d395bae35497

C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 7c26c48ac501e9fd3260f26d55bcecfe
SHA1 5d37b52042cbfff2c041c0ad67e37f871439b3fb
SHA256 61e960366eb4755ae013815df312277f5f7e9d748994b2ff5db8852f76b33448
SHA512 c0c3eb74a17fef778b7799a33fa9528b40ee8511985c5a0f6efcfe88bc9d65d522f6d541153dd37c87d96ed12c6a1d2e204f2959f464a567ba4329c36cbaf7fd

C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 82b536ecd306728bbee120e9dc1aa205
SHA1 76e72d0310b4a30af03b0cbf189ea4509340c96d
SHA256 d05a74ea04f5ffc474af6b8415b12623fc481b478188dfb6e8c8e1beff7bc264
SHA512 b6321a885021af38495656d2db94410cd173a2500ca7238eb20951072b6363948ccb155fbb7ec7b20009a188efd630fd4c1fb4da099f6013acee8c26e7064c4c

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

MD5 1e53401f53952b0193eb60e9510f55d1
SHA1 e032da68008984fe6f8ef765b00315edc2516d6c
SHA256 8133e01ed1faa9decf3c7798562c890f0d14183289a7ba4a711f3ee97c06c2cb
SHA512 b3d710b22d54c17318ba301fd783457f0f0855635d1af80ef90e52a7aeb28b7de88da1f2989a53b6a549bd818561002e3eedff3ffafa593e3675292b92757bde

C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 acc43db99839306c30265f32392edb92
SHA1 fa2ec4edd6343d8222be3048731f305a3ae4cb85
SHA256 bc7d68c001fc127fb737f3996ccc2539fde8cf2c2ea9e79ee4a5d87ad5d31b31
SHA512 eb1abb1fe375c00f230869b04f82f9dffa5cc7e1eeba234a08fecb4cabcb5bc17ee8f11e0eca7f372794dbba51e657d63e49c4d397d8d58a0a36f63c825c0ddf

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

MD5 2b238a695a170abe83d2445dcf677aea
SHA1 adbebd8c274f753a3796d133b419a926af5b6675
SHA256 45b0f0dcd6921acb89c3aabddeb89195542541eccdc6766d3e509bd6c44c723a
SHA512 42bff8855e7e22658dc83c91d8bf45623c06178c919fac7aab62ab41d19650df4591e9636486d0666d18b4086ab4d8e385f56d7d2ec24d508ae2c822dec4cd62


Analysis: behavioral2

Detonation Overview

Submitted

2023-07-30 07:15

Reported

2023-07-30 07:17

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (8306) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-24_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\quickreplysend.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-200.HCWhite.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-200.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\sound.properties.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\dropdownarrow_16x16x32.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.schema.mfl.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp2.scale-125.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-30.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main.css C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xsl C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\6.jpg C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\nl_get.svg.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-16_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\deploy\ffjcext.zip.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\VVIEWDWG.DLL.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-16_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\PhtoMDL2.ttf C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-400.png C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\cursors.properties.PLAY C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe

"C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files
