Malware Analysis Report

2024-10-18 21:36

Sample ID: 231011-yvle2sca73
Target: ZYu4eR.exe.zip
SHA256: 52480d0a016e6df93f58ecc9a6e8d42177bd35e393406d464426a0951e206a36
Tags: play ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10

SHA256: 52480d0a016e6df93f58ecc9a6e8d42177bd35e393406d464426a0951e206a36

Threat Level: Known bad

The submitted file ZYu4eR.exe.zip was found to be: Known bad. The SHA256 above is the hash of the submitted archive; the detonated payload is the extracted ZYu4eR.exe (see the Command Line entries below), whose own hash the report does not list.

Malicious Activity Summary

play ransomware

PLAY Ransomware, PlayCrypt

Renames multiple (6566) files with added filename extension

Renames multiple (2936) files with added filename extension

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-11 20:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
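The only static result recorded above is a header-level fact: the PE carries no Authenticode certificate table. The following is an added example, not the sandbox's code or anything from the sample, showing how that check is made by reading data directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) of the PE optional header with only the Python standard library. The image produced by build_minimal_pe() is a constructed, non-executable header built just to exercise the parser. Note the limits of the check: it reports whether a signature blob is present, not whether it verifies, and ransomware has shipped with both no signature and stolen-but-valid ones, so "Unsigned PE" is a weak signal on its own.

```python
"""Check whether a PE file carries an embedded Authenticode signature blob.

Added example (not part of the sandbox report).  For the security directory
the "VirtualAddress" field is a raw file offset, not an RVA, and it points at
a WIN_CERTIFICATE structure.  Presence of that blob is what an "Unsigned PE"
check looks at; validating the chain is a separate step (signtool verify,
Get-AuthenticodeSignature, osslsigncode).
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_info(data: bytes) -> dict:
    """Return what the headers say about the certificate table of a PE image."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        n_dirs_off, dirs_off, fmt = 92, 96, "PE32"
    elif magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off, fmt = 108, 112, "PE32+"
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (n_dirs,) = struct.unpack_from("<I", data, opt + n_dirs_off)
    info = {"format": fmt, "signed": False, "security_offset": 0,
            "security_size": 0, "cert_revision": None, "cert_type": None}
    # A shortened directory table (rare, but legal) simply has no entry 4.
    if n_dirs <= SECURITY_DIR_INDEX or size_opt < dirs_off + 8 * (SECURITY_DIR_INDEX + 1):
        return info
    entry = opt + dirs_off + 8 * SECURITY_DIR_INDEX
    off, size = struct.unpack_from("<II", data, entry)
    info["security_offset"], info["security_size"] = off, size
    if off == 0 or size == 0:
        return info                           # no certificate table: unsigned
    if size < 8 or off + size > len(data):
        raise ValueError("certificate table points outside the file")
    _length, rev, ctype = struct.unpack_from("<IHH", data, off)   # WIN_CERTIFICATE header
    info.update(signed=True, cert_revision=rev, cert_type=ctype)
    return info


def build_minimal_pe(signed: bool) -> bytes:
    """Construct a synthetic, non-executable PE32 header for demonstration.

    Just enough structure for the parser above; it is not a real binary and
    the 'certificate' appended in the signed case is a constructed stand-in.
    """
    opt_size = 224                            # PE32 optional header size
    dos = IMAGE_DOS_SIGNATURE + b"\x00" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)       # NumberOfRvaAndSizes
    image = bytearray(dos + IMAGE_NT_SIGNATURE + coff + opt)
    if signed:
        blob = b"\x30\x82\x00\x00"            # stand-in for a DER PKCS#7 SignedData
        cert = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        entry = 64 + 4 + 20 + 96 + 8 * SECURITY_DIR_INDEX   # = 216
        struct.pack_into("<II", image, entry, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    for flag in (False, True):
        print("signed" if flag else "unsigned", authenticode_info(build_minimal_pe(flag)))
```

On a real file, pass `open(path, "rb").read()` to authenticode_info(); pefile exposes the same entry as DIRECTORY_ENTRY_SECURITY if it is available. A non-zero table only means a blob is attached; a sample can also be "signed" with a revoked or self-issued certificate, so pair this with a chain check before treating a signature as a trust signal.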

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-11 20:06
Reported: 2023-10-12 13:56
Platform: win7-20230831-en
Max time kernel: 162s
Max time network: 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"

Signatures

PLAY Ransomware, PlayCrypt (tags: ransomware, play)

Renames multiple (6566) files with added filename extension (tags: ransomware)

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2180306848-1874213455-4093218721-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgRes.dll.mui C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\oledbvbs.inc C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\net.properties C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OL.SAM C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03257_.WMF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115842.GIF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\INFINTL.DLL C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR14F.GIF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217262.WMF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\ExpandSuspend.snd C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_COL.HXC C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0090070.WMF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Lindeman C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00097_.WMF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01843_.GIF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.ICO C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Guatemala C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0089992.WMF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00372_.WMF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099203.GIF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105504.WMF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\logging.properties C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\blacklist C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\timeZones.js C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SHOW_01.MID C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157763.WMF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0229389.WMF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME19.CSS C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR34F.GIF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\picturePuzzle.js C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdater.cer C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe

"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"

Network

N/A

Files

memory/2112-0-0x0000000000160000-0x000000000018C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2180306848-1874213455-4093218721-1000\desktop.ini

MD5 4089f82cd866f2327d7e147315693843
SHA1 8ebd83e4d9ca09170e5e3c952c3f3d4828a8955d
SHA256 74507db7c2c2d38ac70779ceaa2e449996d95200773457fb70c9a8631db30ded
SHA512 767c8a513f86022b3cc1b70b639fcef53ec9f6795c2ac94748819416a338bbdc6f9313c2897871b0513fc77aa051e26fe8998137fbf67c101cfebb63688f9f15

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-11 20:06
Reported: 2023-10-12 13:55
Platform: win10v2004-20230915-en
Max time kernel: 152s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"

Signatures

PLAY Ransomware, PlayCrypt (tags: ransomware, play)

Renames multiple (2936) files with added filename extension (tags: ransomware)

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP.bat C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\dnsns.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\en.ttt C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fi.txt C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core.xml C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ca.txt C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\cmm\sRGB.pf C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe

"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"

Network

Every recorded entry is a reverse-DNS (PTR) lookup sent to 8.8.8.8:53. The report attributes none of them to a process, the same sample produced no network activity at all in behavioral1, and the queried addresses decode largely to Microsoft cloud and CDN ranges, which is consistent with background telemetry from the sandbox image rather than with sample-originated traffic. Do not treat these as C2 indicators without corroboration.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
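The signature tables in behavioral1 and behavioral2 (drive letters probed as \??\X:, desktop.ini files and Program Files contents opened for modification) and the PTR rows in the Network table above are all flat "Description Indicator Process Target" rows. The following is an added example, not the sandbox's code, showing how to parse that layout into a triage summary and a few behavioural flags, plus how to turn an in-addr.arpa name back into the address that was looked up. The rows in SAMPLE_ROWS are constructed in the report's layout (a dozen standing in for the thousands recorded), and the thresholds in triage_flags() are illustrative assumptions rather than the sandbox's own rules.

```python
"""Summarise sandbox signature rows of the kind shown in this report.

Added example; not the sandbox's own tooling.  Indicators contain spaces,
but the process path and target column never do here, so each row is split
from the right and the description matched against known fixed prefixes.
"""
import re
from collections import Counter

# Constructed sample rows in the report's "Description Indicator Process Target" layout.
SAMPLE_ROWS = r"""
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fi.txt C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\dnsns.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
"""

DESCRIPTIONS = ("File opened (read-only)", "File opened for modification")
DRIVE_PROBE = re.compile(r"^\\\?\?\\([A-Z]):$")   # NT object path \??\X:
PTR_SUFFIX = ".in-addr.arpa"


def parse_row(line):
    """Split one row into its four columns, or return None for non-rows."""
    parts = line.rsplit(None, 2)
    if len(parts) != 3:
        return None
    head, process, target = parts
    for desc in DESCRIPTIONS:
        if head.startswith(desc + " "):
            return {"description": desc, "indicator": head[len(desc) + 1:],
                    "process": process, "target": target}
    return None


def summarise(rows_text):
    """Aggregate parsed rows into the facts an analyst scans for first."""
    rows = [r for r in map(parse_row, rows_text.splitlines()) if r]
    drives = set()
    for r in rows:
        m = DRIVE_PROBE.match(r["indicator"])
        if m:
            drives.add(m.group(1))
    mods = [r["indicator"] for r in rows
            if r["description"] == "File opened for modification"]
    return {
        "rows": len(rows),
        "processes": sorted({r["process"] for r in rows}),
        "drives_probed": sorted(drives),
        "modifications": len(mods),
        "desktop_ini": sum(p.lower().endswith("\\desktop.ini") for p in mods),
        "program_files": sum(p.lower().startswith("c:\\program files") for p in mods),
        # First two path components, e.g. C:\Program Files or C:\$Recycle.Bin
        "top_dirs": Counter("\\".join(p.split("\\")[:2]) for p in mods),
    }


def triage_flags(summary, drive_threshold=5, write_threshold=5):
    """Behavioural flags over the summary; thresholds are illustrative assumptions."""
    flags = []
    if len(summary["drives_probed"]) >= drive_threshold:
        flags.append("enumerates-drives")
    if summary["desktop_ini"]:
        flags.append("touches-desktop.ini")
    if summary["program_files"] >= write_threshold:
        flags.append("mass-write-program-files")
    if len(summary["top_dirs"]) >= 2:
        flags.append("writes-across-multiple-roots")
    return flags


def ptr_to_ip(name):
    """Decode an IPv4 reverse-lookup name; octets appear least-significant first."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError("not an in-addr.arpa name")
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("malformed reverse name")
    return ".".join(reversed(octets))


if __name__ == "__main__":
    s = summarise(SAMPLE_ROWS)
    print(s)
    print(triage_flags(s))
    print(ptr_to_ip("95.221.229.192.in-addr.arpa"))
```

Feeding the full behavioral1 and behavioral2 tables through summarise() gives the drive-letter sweep (A: through Z:, read-only opens, no writes), the desktop.ini touches in both Program Files trees and $Recycle.Bin, and Program Files writes spread across several top-level roots from a single process; the count of rows is what the "Renames multiple (N) files" signature is built on. Decoding the PTR names is what lets you check the Network section against known Microsoft or CDN ranges before deciding whether any of it belongs to the sample.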

Files

memory/3340-0-0x0000000002E70000-0x0000000002E9C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini

MD5 8496874598e6d7f8faf9f386d2831ced
SHA1 2212fa3422571cab1ed41508ccfd70f5d2ca13ea
SHA256 5989ca29da8defd7b0d9e0a212b6c8583d6b419927b044f378c6b34097dc8449
SHA512 880ad41cb04f79a6e4b7247ca64e29b2e888fc8fa6fd1f04a9c21fb2403d81e760186aa07bf50d6e959d283fc7f7473b442f27ec80c472eddd58a13793767a96