Malware Analysis Report

2024-10-18 21:36

Sample ID 231117-ghey3afh24
Target xxx_exe_13013236406.zip
SHA256 20382d589462ca1865ad112db93060fdd1b067fcf35debb6db5da2c377596fdc
Tags: play ransomware spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 20382d589462ca1865ad112db93060fdd1b067fcf35debb6db5da2c377596fdc

Threat Level: Known bad

The file xxx_exe_13013236406.zip was found to be: Known bad.

Malicious Activity Summary

play ransomware spyware stealer

PLAY Ransomware, PlayCrypt

Renames multiple (7307) files with added filename extension

Renames multiple (8429) files with added filename extension

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-11-17 05:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-11-17 05:48

Reported: 2023-11-17 05:53

Platform: win7-20231023-en

Max time kernel: 302s

Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe"

Signatures

PLAY Ransomware, PlayCrypt (tags: ransomware, play)

Renames multiple (8429) files with added filename extension (tags: ransomware)

Reads user/profile data of web browsers (tags: spyware, stealer)

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3425689832-2386927309-2650718742-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Saipan.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00155_.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02278_.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Winamac C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04206_.WMF C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200189.WMF C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.rst.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\IRIS.INF C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OFFXML.DLL.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BDRTKFUL.POC.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OCRHC.DAT.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102762.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR7F.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEWDAT.DLL.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01139_.WMF C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.DE.XML.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239955.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Solstice.thmx.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV.HXS C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02088_.WMF C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292272.WMF C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow.css C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\jaccess.jar.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORYVERT.XML.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01191_.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239191.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00736_.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Nicosia.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152560.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14866_.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue.css.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239997.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21519_.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGDOTS.XML.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2 C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153091.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe

"C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe"

Network

N/A

Files

memory/1752-0-0x00000000001A0000-0x00000000001CC000-memory.dmp

SHA512 f64bb3d014ab1e29c9f11b8cf956351ef1e4711bb746d0ab3dd1a2e094da6f97c15580f4148fa9bb04dadaad68a2419216c2729fbc4d766125badaa1845192b2

C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn.PLAY

MD5 8a19d7fd44829db500586b6037228179
SHA1 5c71639533378c3680f2db3333dcab64c76490cd
SHA256 b9fbac7296b03d5465a4ba650b674e5091f7d498ba9bff0eea9aca719e349edd
SHA512 9efe6011bac38c70333a94eaf45c99a061ccba11105ee48b7e16b01fca0a1a79ce1bc61ccd0ec2bc7895b019b948a185942e6d6c81dd5930fbcb883704c8d9c0

C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn.PLAY

MD5 679c192aba1c52bba3aa6f5b2aae5164
SHA1 cf22330bf3ab4e457b387872264cfae4d0b650b1
SHA256 1874ae31b9c9187da8edb5d4598e402b1452058e911b32be562b8a1521e7d158
SHA512 a1f6f3f2a2661eeb9e971ef33155879e25076ec1a2002395cf399285f842a7b422d73108bc406a90dbd539e5e49110d4016aca783e29c894765aa244a722b8ea

C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn.PLAY

MD5 6471147bc31f4520d7581dc6e6678140
SHA1 895db7eddaabc25347fae52d5813f774ea07cf55
SHA256 53090b5eddce25baee1693546464738eebde267399b1c45534d40dace179a214
SHA512 20a0e2ff5b95537d8c7d238e469565f60ec4a36446dbb90caac1c1eecc81c15c0cddc4ebaae88ed9f0ec1ecb8cf5007920ccc8a565eba85a8f1fbae66f740128

C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn.PLAY

MD5 74d67afd73b7188833adb4b043093443
SHA1 cf2f26e1b35c33e97af533cca0f79b88247affde
SHA256 7d565ed247703b7f59f674407291e0eb54ba7f5701b0ff3c980db9dcf9c6d76c
SHA512 9f5490396e540c91abe7aa7c62d0c314a281877df1725f0f481b59c6a25cc24ffb26d51d4f7003b01942f422de34497674c0afde0f6cbe8a36aa2f8d13c4d93d

C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn.PLAY

MD5 869afb5df55e6081bcb66028a55b8d22
SHA1 0147155a687b7318c2247ef090d358a5a3235410
SHA256 839858bdaeb67d6c35d2f76d8006f9b481f49509095089ddb2aa213962148577
SHA512 66be6d811853bff3ada932386712eee7b187f0fb9781a02fccd59d83440a3394e1d7919042f011a85a7b8e80b79ae437b2f8103e5feb92b610dcd3d0fdccf735

C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn.PLAY

MD5 283b289d1f0bdb9fc434f0d59d0c60e6
SHA1 ba593a7c2418d2398991d6940b257095e6ed8e0a
SHA256 0fa9eb37b9b77b02ee05eb8a68181cb6c1d81ed213c43690e51dc03edbbe101c
SHA512 f87ae7a727e81facaee3c156feadd873aad1b61501e2383bc8511e27d7fad17064faa50c204dc0f6e9e8421473ab815bca14caeb226119c985e5fa831dbc6424

C:\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH.PLAY

MD5 090b2fc737b369aafd9d14daf85238be
SHA1 a940ab8dde695fb596281a65845bd1e766a3f9bd
SHA256 5834fe458d3124cb766c61e45889efe76ca03f46947efaeed7feffaab21b3f23
SHA512 7823af1ec0e3d5abca92d6d262dbbc1adbf0bc8c4df9e5000835e351cc5410fdbe9f428d5db103f67b08d6bc132ab712b8b63a68e8d07676afbe0725e28532d5

C:\ProgramData\Microsoft Help\Hx_1033_MKWD_K.HxW.PLAY

MD5 6f67054e7cd000f7e1826f8fd35d84db
SHA1 66ebaef406fcc96289d106b4bc03b1d1d96ed22b
SHA256 1e59769c1b2a1b6e5579a1bdfc2d9755568495222bae962ee214681ba61f9a60
SHA512 ec5c0d0a73cc42761321302b0990be67eba433f8ba4de04a2e27bff7e761341889192eae97f8309436c5f41f9c31249f04e800bc954fe051bec743ecd56e643b

C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 07fea0b87107f072f23f5c998bd86964
SHA1 d9eceb2eb05b5613b2af4012ff32216ee0762c8c
SHA256 fe639a3bcc748630d2e00f33bf5f6e9039361b582b93dd851c2f928922d364b7
SHA512 dd4832c878b648f71c1e040ab4f25cf95483d21ae5e574f318fdaea527e7ec59247d2a14bb21d214b95fde689a31d8991c755e1ac5049ae460255658c0c7bfb0

C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 4f56146c1c1fcdc758bf546a720b7ec2
SHA1 36bcf1a835afc867d1f0231484fa6c839c33429f
SHA256 58bf4e84eb67bc3929c23a95e179848b6e8b184b3f9a7d566e7b56dc39c23886
SHA512 f0aa10aa599f273b2d9b498ede7632a91251d03e71362258ee573c31018f0f46fbbbba37047880b163a38364ffd4ec37a403df59cce8a8e26e4a73f96ec90ced

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 48d038a1842cb9046a53cb428ad5f593
SHA1 783e14ae7def81b7ab6aacf35727f9ccae182b4d
SHA256 bae43b3a9f7315f64118fbc1fc2e565c25c94fa6f58f96056caaf0c7599f2b0f
SHA512 406733101c054a4f269ff9cb305274eee7ced13d2442d5b9aaab70b98904dbb40cc51b8abebab7692d435e468e0c5bf3ebf63478947d812ab779a6e9c9f9e726

C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 465a5650ccf6ed0adefd765b32941c8b
SHA1 5705472ed15c4a9e02c8112b6fccd5018b6922f0
SHA256 49490bc54c062c4a17abbbac5309d042df5b9d6c361a1a63c7152b8408a9e14f
SHA512 250a75a6608df4c6e3abfb96c5de1140c7877dc19ee58a9ff5a3610da2f8ebfe2f52db10d9935a61bca267dfe496ea82182e946059c03b89873d8f1eaeb7bea2

C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 2668c5fc57ec9babc99ca3594861ac39
SHA1 a3b9fc37dde08f9a380c5487b27d8bd0ae188db9
SHA256 ebd84043fc295938809eb852caea7f97d49c10e72504faea0e964cf7e7ac7140
SHA512 00e4368a0072f7580b6e29452ac0490551abe62bc811b776402c9689fc3450d7352f8caf6b2b6e3bd48f2ae33905b89e7e6c1e0ac798a0783de4b3a5fd66355c

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

MD5 504251d244842a2cfc7cda28c1f73ae0
SHA1 c0acc2a49d5455ff8601126f056a71d651f70ba5
SHA256 d5cf3d9fab4f4e587e8cde8487ab7d413c0d4f9131fe9d07438c70cab3aa9166
SHA512 2453485bbb70f99eb119292c59b9c8a9e39cbd64e6b3e354a3b3adb2ef74b57d85da8ad63cf6a3eb3946e9219a5f6364e8bf3a58267a31b0b75d9a43f9d51f29

C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 03eba47e3a0f6973c7071dd9b6e8f551
SHA1 9e0e92afa2bb34573864c5b468c21eaadee95948
SHA256 4bad637e45b53a8ecb5ddbe0516e288528f576a5efdb7f53823f7a348d31c21a
SHA512 71ed6e63e1ccd65c29ce9b30d44d19e724a9ca486c9f19f60c141e3fff41888173cd1704c9f672c82c4b34c7aa5b407d02041aec28faf8b7be123f6fce71f7f0

C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 73e339e979afbe3c1695d013182f43ab
SHA1 8a1284c3effce64c18c71123854f188305b804f1
SHA256 96ad10f59eb05a6f0af7ae15d172568974813eef0c6e21f96c667187cd20d237
SHA512 d03193863b0eda7140db1afce12c2214b5cb7292f87af846b573ba119cf790313e22d42000d5ada222cdc6110ee69e39c9773582d73b228b1fe9bd6497deeb4c

C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu.PLAY

MD5 6d8f5e10fc3fd9fec710ab17011e4f20
SHA1 e6bca4d0c7b9e591200b0842429779b55dc26f4a
SHA256 6333d8eb71a8c52d232316151dc3f5e4909c6486414ef8c354f7b95417b3c47b
SHA512 f82e581106cfb062ecd47c11397fa00932a8564ca36299d31cfe3c951545e1aa70d2a537a6fe2def38274769d1b16473c3e901db5bf1ab6d27900dd38644ab71

C:\ProgramData\Microsoft Help\nslist.hxl.PLAY

MD5 a0923eee7c92b381f5974d0fe79e163b
SHA1 4bc1e47419d62327ae61226ad2520172ccbb5366
SHA256 09d963ef3fb6ed63cf0b1ccb77fbf8503004c1e77cbad208096cbc456ee9db9f
SHA512 681cccdcb3f451a1677307ada55cec1c0700d8b847c8c9a2f0b9d805e3b1d59aeea1cb8b3057f418bac5d3d6de04bca298697d219d3777ecd65914c09cebb80a

C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn.PLAY

MD5 a7d2d32cb7e89893647098b7a6204426
SHA1 96fb46695d6992fb6839253716ef4aa269046af8
SHA256 ba264036ae1531bcd8ddef85a5f88627caa845f8d030009c7b202daa51ba373d
SHA512 6a8cc1dcb3c994e2fa22e493a92e6bfb8f55b945f207d68d87232bd0f6d3c788a091159587fd8e608fdd4e5bf7b27f5a92ac14ab9c3d465f303fdc92e49384d2

C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn.PLAY

MD5 f6171b029c448752964ace0470ce171b
SHA1 9c38d40f8ea68a0f6626f2842eede58037c60bcb
SHA256 de46db410bb38bfcbbf27f77a73b6886d3da6af5771ed6f53b77c61489a19b01
SHA512 c1fbd5dae7d79f40629e8cd5c6ace753db67bea77ec4ce9a32cf2f17d2163baef1e9471839955182cb36d9ce250ef3aed3ba2a5ba16796e60329725b7b5a972c

C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn.PLAY

MD5 65ee29a890ad40b960d1951a85dbd029
SHA1 c796c003c42d557f9fd671af5ea46cfaad406d59
SHA256 ba8b65140090daf73a7f71d51b765db3553f6f87bfb8456f7517c002e65bd3fc
SHA512 a2c3079a5f1decc5bad981eab9c1d8e113258df227cfc5b4c7ba30a2921b491d390173112cf2ed909225868307fa60614bf7744a7af1507a6b3ed0a4b691841a

C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn.PLAY

MD5 a4552714d821bfaa564be3419da6c941
SHA1 d7fdceaf99c7ea8c7e11ac92ad8ca8815a03aec6
SHA256 29225d24ce8d30f4fe391a3c8eb3357444d761904eda0fc332944cb46e23034a
SHA512 5965fc9d7d163ae56223c89d0e179ca5e87ee6c193f8be656d8231ffd8891dc61c487fde94e0315a2f1608005e04a22d486efd5a7f99e870a62bf9a3ac02122b

C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn.PLAY

MD5 efbed07bed36a2cfffb6c19081542a5b
SHA1 e9f798a79a4f2edf5e2a8ae8860e74b0f17c74e2
SHA256 b5e7a99afc8a698671af5a06b3942d7bd4d34fb1890e2ac70b5ae49fb5a08345
SHA512 175d6e0358593ba430fb241f74f51462dd75bc311292672e46283b885d20d7af5a0fc5913f1b72e1e77d90af09a4ee3e8dcd88eb67b6551e3cc3ef7a54239cfb

C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn.PLAY

MD5 2b2abdbd87d792b7161ae077b42ad6cb
SHA1 02b299c9685555d4a08cce654aadc61c7167a77c
SHA256 b00df73d40a4b1523d803e20fb8c09a1b49d92b0346ad90262ab384b1faf154f
SHA512 558b1ab73c4c8d6c870220069505dfa1547c14ced619a07fa941a8c76fee08f31c7fac984f8e370ebe1a3e769d93ff6d46cd3053c7de6209bb5a1178595df0de

C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn.PLAY

MD5 a58509cdc8ed783c44ebb277c3773096
SHA1 03e119a810176313f32d236d4fe935339809cebc
SHA256 fd44e2e9de0eb57d0c91bb9b3f820003fdcc44753ede2c7cb7bdd7ebb1ca214c
SHA512 902ddfb612a67799521e4504c5cd6b42f3969b0b0d375840d8802303a2295d5313d0df7d43da76b4651bc3497703875f3e27c8f1ab7c03831947404ead283e48

C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn.PLAY

MD5 f1a12467f341ec9c478f18eedabf0c2b
SHA1 4e29000cb766d79b2ec24a0a77b2413fcbe36975
SHA256 e8d725365da3e53182eb0ecaa353e0bc98946ac5f9e4ba99ef88395ca5495438
SHA512 fb9c6ab79f29f99bbc3575ca10f65c1a7797d2ef7f037e0bafb8fea0657e9d27ba87015052b81215082d1354caa8d9bfe2b710994d4a5e580f2322ee4edc6cd1

C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn.PLAY

MD5 84afc5ad350f9389c7bb74df01f25bca
SHA1 6c0a281444e2912d0bbde1d352cb314772ee69ef
SHA256 b7997e16b50b2b5f7b2a23df31534f8498fd70059eda455e08b98ecf6f939dbc
SHA512 f974c1142bf35bc54a9cb815f1dfe0ecd16310481aaaad6a1e41f7ebfc2bb2be633b5f0738b8fd0a65ca4f5debdba59fc64bc8985caaf90bc756b2eee9f0f120

C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn.PLAY

MD5 450f307cef04ff3519906ebe1273b631
SHA1 ebd5c63ffb1f6d031e055c4ddedf248880ae04d9
SHA256 e7538aab029b28717d3b91a45290bf4a09d920c3f9d63f80f72664f74e0ced7b
SHA512 3b01c480d45e893f41f22e8b6ba754950c43b913de9fc6c4985d6ff5b99e29ba98e1cc263c3365477ec088aae04f9755d58cbfc5514619c19dbdcf62fc81cf9a

C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW.PLAY

MD5 1041d740b78518e5bdcee3b6c98c7947
SHA1 1b063f085f4dc5cacada3d58896d332cc99ad8e7
SHA256 8cb591e0ae586eab6357705c6e83ea8df36893624597622f103f079e5846757d
SHA512 aee848f0ba063ad234c1d128484a09f8e9a6f47a1bfb66ac59acf9fda43ad1b3997f6933143963774f1af46d74c264b83245438c2f8bc800a7632b076b54e2ff

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-17 05:48

Reported

2023-11-17 05:53

Platform

win10v2004-20231020-en

Max time kernel

300s

Max time network

274s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (7307) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1873812795-1433807462-1429862679-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A

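The signature tables in this section are flattened to one row per line ("Description Indicator Process Target"), which makes them awkward to triage by eye but easy to mine. The script below is an added example, not part of the sandbox's report or the PLAY tooling: it parses rows in exactly the layout shown here and derives the three behaviours a responder would want to confirm from this detonation, namely mass drive-letter probing (the `\??\X:` read-only opens above), tampering with `desktop.ini` in every user and Public folder, and the `.PLAY` extension appended to encrypted files. The sample rows are copied from this report's desktop.ini, drive-enumeration and "Drops file in Program Files directory" tables; the threshold of eight distinct drive letters for the "mass enumeration" flag is an assumption chosen for illustration, not a value the report states. One caveat worth stating plainly: the MD5/SHA1/SHA256/SHA512 values listed for the `*.PLAY` files are hashes of already-encrypted victim files and change with every run, so they are not reusable indicators; the sample hash, the appended extension and the behaviour pattern are.

```python
import re
from collections import Counter

# Constructed sample: rows copied from this report's signature tables, with the
# header line the sandbox repeats above each table left in to show it is skipped.
PROC = r"C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe"
SAMPLE_ROWS = [
    "Description Indicator Process Target",
    rf"File opened for modification C:\Users\Public\Music\desktop.ini {PROC} N/A",
    rf"File opened for modification C:\Program Files (x86)\desktop.ini {PROC} N/A",
    rf"File opened for modification C:\$Recycle.Bin\S-1-5-21-1873812795-1433807462-1429862679-1000\desktop.ini {PROC} N/A",
    "Description Indicator Process Target",
] + [
    "File opened (read-only) \\??\\%s: %s N/A" % (letter, PROC) for letter in "YBEMPSUTVI"
] + [
    "Description Indicator Process Target",
    rf"File opened for modification C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL.PLAY {PROC} N/A",
    rf"File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png {PROC} N/A",
    rf"File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo.PLAY {PROC} N/A",
]

# A row is: <description> <indicator, may contain spaces> <process path, no spaces> <target>.
# The indicator is matched lazily, so it stops at the first space that is followed
# by a drive-letter path and a final target token.
ROW_RE = re.compile(
    r"^(?P<desc>File opened for modification|File opened \(read-only\)) "
    r"(?P<indicator>.+?) "
    r"(?P<process>[A-Za-z]:\\\S+) "
    r"(?P<target>\S+)$"
)
# The sandbox records drive probes as NT object-manager paths such as \??\Y:
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")


def parse_rows(rows):
    """Turn flattened table rows into dicts; header and non-matching lines are dropped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            events.append(m.groupdict())
    return events


def drives_probed(events):
    """Distinct drive letters opened read-only via \\??\\X: (the enumeration pattern above)."""
    letters = set()
    for e in events:
        m = DRIVE_RE.match(e["indicator"])
        if m and e["desc"] == "File opened (read-only)":
            letters.add(m.group(1))
    return sorted(letters)


def renamed_with_extension(events, ext=".PLAY"):
    """Indicators carrying the appended ransomware extension, mapped to the extension they had before it."""
    renamed = {}
    for e in events:
        path = e["indicator"]
        if path.upper().endswith(ext.upper()):
            stem = path[: -len(ext)]
            name = stem.rsplit("\\", 1)[-1]
            renamed[path] = name[name.rfind("."):].lower() if "." in name else ""
    return renamed


def desktop_ini_touched(events):
    """desktop.ini files opened for modification (case-insensitive; the report shows DESKTOP.INI too)."""
    return [e["indicator"] for e in events if e["indicator"].lower().endswith("\\desktop.ini")]


def summarize(rows, drive_threshold=8, ext=".PLAY"):
    """Aggregate one detonation's rows into the indicators a responder would act on."""
    events = parse_rows(rows)
    drives = drives_probed(events)
    renamed = renamed_with_extension(events, ext)
    return {
        "events": len(events),
        "processes": sorted({e["process"] for e in events}),
        "drives_probed": drives,
        # Assumed threshold: a single process touching this many drive letters is
        # far more typical of an encryptor looking for volumes than of normal software.
        "mass_drive_enum": len(drives) >= drive_threshold,
        "desktop_ini": desktop_ini_touched(events),
        "renamed": renamed,
        "original_extensions": Counter(renamed.values()),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_ROWS), indent=2))
```

Feeding the full tables from this page into `summarize` reproduces the signature counts the sandbox reports (23 drive letters for behavioral2) and gives the distribution of file types the encryptor reached inside Program Files, which is useful when deciding whether application binaries, not just documents, need to be restored from known-good media.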
Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Moustache.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\30.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-black\Error.svg C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\plugin.js.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\foreca.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\ui-strings.js C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_fi_135x40.svg.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\back-icon.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.tree.dat.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ko_135x40.svg C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-gb\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-tw\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-250.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_link_18.svg.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-left.png.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\nl_get.svg.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileMediumSquare.scale-100.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\KnownGameListRS4.bin C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\EVRGREEN.INF.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right.gif.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\zipfs.jar C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\ui-strings.js C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\az-Latn-AZ\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\smsconnect\torch1x.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_unselected_18.svg.PLAY C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe N/A
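The rows above are the sandbox's flattened file-event table, and the pattern that matters for detection is not any single path but the shape of the whole list: one unsigned image under %TEMP% touching thousands of files across Program Files, Program Files (x86) and ProgramData, most of them re-emerging with a ".PLAY" suffix. The following is an added example, not part of the sandbox output or of any vendor tooling: it parses rows in the exact layout used here ("File opened for modification <target path> <process image> N/A"), tallies per process how many distinct targets carry the marker extension and how many top-level directories were hit, and flags the bulk-rename pattern. The event rows and image names inside the block are constructed, and the parser assumes the process image path contains no spaces, which holds for the %TEMP%\<sha256>.exe image in this run.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One flattened row of the report's file-event table:
#   "File opened for modification <target path> <process image> N/A"
# Assumption: the process image path has no spaces (true for the
# %TEMP%\<sha256>.exe image in this run); the target path may contain spaces,
# so the path group is greedy and the image group is a whitespace-free token.
ROW_RE = re.compile(
    r"^File opened for modification (?P<path>.+) (?P<proc>\S+\.exe) N/A$"
)


def parse_row(line):
    """Return {'path': ..., 'proc': ...} for one row, or None if it is not a row."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def has_marker_extension(path, marker=".PLAY"):
    """True when the target's final suffix is the appended ransomware extension."""
    return PureWindowsPath(path).suffix.lower() == marker.lower()


def summarize(lines, marker=".PLAY"):
    """Per process image: distinct targets touched, how many carry the marker,
    and which top-level directories (e.g. 'Program Files', 'ProgramData') were hit."""
    stats = defaultdict(lambda: {"files": set(), "marked": 0, "roots": set()})
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        entry = stats[row["proc"]]
        if row["path"] in entry["files"]:
            continue  # the sandbox logs repeated opens; count each target once
        entry["files"].add(row["path"])
        if has_marker_extension(row["path"], marker):
            entry["marked"] += 1
        parts = PureWindowsPath(row["path"]).parts  # ('C:\\', 'Program Files', ...)
        if len(parts) > 1:
            entry["roots"].add(parts[1])
    return {
        proc: {"files": len(s["files"]), "marked": s["marked"], "roots": sorted(s["roots"])}
        for proc, s in stats.items()
    }


def flag_bulk_rename(summary, min_files=5, min_ratio=0.5, min_roots=2):
    """Process images that touched many targets, mostly with the marker
    extension, across more than one top-level directory. Thresholds are
    illustrative; tune them to the environment's normal installer activity."""
    flagged = []
    for proc, s in summary.items():
        if s["files"] < min_files:
            continue
        if s["marked"] / s["files"] < min_ratio:
            continue
        if len(s["roots"]) < min_roots:
            continue
        flagged.append(proc)
    return sorted(flagged)


# Constructed rows in the report's layout; image names and paths are hypothetical.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
UPDATER = r"C:\Tools\updater.exe"
SAMPLE_ROWS = [
    rf"File opened for modification C:\Program Files\App\nls\en-gb\ui-strings.js.PLAY {SAMPLE} N/A",
    rf"File opened for modification C:\Program Files (x86)\Reader\images\arrow-left.png.PLAY {SAMPLE} N/A",
    rf"File opened for modification C:\ProgramData\Vendor\Setup\setup.ini.PLAY {SAMPLE} N/A",
    rf"File opened for modification C:\Program Files\Office\Licenses16\Word.xrm-ms.PLAY {SAMPLE} N/A",
    rf"File opened for modification C:\Program Files\Office\Themes\Aspect.xml.PLAY {SAMPLE} N/A",
    rf"File opened for modification C:\Program Files\WindowsApps\Photos\Assets\icon.png {SAMPLE} N/A",
    rf"File opened for modification C:\Tools\update.log {UPDATER} N/A",
    rf"File opened for modification C:\Tools\manifest.xml {UPDATER} N/A",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_ROWS)
    for proc in flag_bulk_rename(summary):
        print("bulk rename:", proc, summary[proc])
```

The ratio test matters because a legitimate installer also touches many files under Program Files; what sets the ransomware apart in this report is that the touched files come back with a foreign suffix, and that one image does it across several independent product trees at once.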

Processes

C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe

"C:\Users\Admin\AppData\Local\Temp\0436a5b53c6ca0a443bdd3a806a77e4101480d4599dbd670d1ebd36ce4aa16f1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 121.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 107.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
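Most rows in this table are not connections at all: they are UDP/53 queries to 8.8.8.8 for in-addr.arpa names, i.e. reverse (PTR) lookups of IPv4 addresses, and only a handful of those addresses (204.79.197.200, looked up as 200.197.79.204.in-addr.arpa right after the tse1.mm.bing.net connections) are ever contacted in the capture. Before treating any of this as command-and-control, an analyst wants to separate direct connections from forward lookups and PTR lookups, recover the address each PTR name asks about, and see which of those addresses were actually contacted or fall in private ranges. The following is an added example, not part of the sandbox output: it parses rows in the layout used here ("<country> <ip>:<port> <domain> <proto>") and performs that triage. The sample rows in the block are constructed and modelled on the table, with one private-address PTR query added to show that branch; attribution of the traffic to the sample versus the sandbox OS is left to the analyst.

```python
import ipaddress
import re
from collections import Counter

# One row of the report's Network table: "<CC> <ip>:<port> <domain> <proto>".
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<name>\S+) (?P<proto>tcp|udp)$"
)
# Reverse-lookup name: the four octets of the queried address, reversed.
PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I
)


def parse_row(line):
    """Return the row's fields (port as int), or None if the line is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["port"] = int(row["port"])
    return row


def ptr_target(name):
    """IPv4 address that an in-addr.arpa name asks about, or None for any other name."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ValueError:  # an octet above 255 is not an address
        return None


def _by_addr(ip):
    return ipaddress.IPv4Address(ip)


def classify(lines):
    """Split rows into direct connections, forward DNS lookups and PTR lookups,
    then report which PTR targets were contacted in the same capture and which
    are private addresses (reverse lookups of internal hosts are worth a look)."""
    direct = Counter()        # (ip, port, proto, name) -> row count
    forward = set()           # names resolved via A/AAAA-style queries
    ptr_targets = set()       # addresses asked about via PTR
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        if row["port"] == 53 and row["proto"] == "udp":
            target = ptr_target(row["name"])
            if target:
                ptr_targets.add(target)
            else:
                forward.add(row["name"])
        else:
            direct[(row["ip"], row["port"], row["proto"], row["name"])] += 1
    contacted = {ip for ip, _, _, _ in direct}
    return {
        "direct": dict(direct),
        "forward": sorted(forward),
        "ptr_contacted": sorted((t for t in ptr_targets if t in contacted), key=_by_addr),
        "ptr_uncontacted": sorted((t for t in ptr_targets if t not in contacted), key=_by_addr),
        "ptr_private": sorted((t for t in ptr_targets if _by_addr(t).is_private), key=_by_addr),
    }


# Constructed rows modelled on the report's table; the 10.0.0.5 PTR is hypothetical.
SAMPLE_ROWS = [
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp",
    "US 8.8.8.8:53 5.0.0.10.in-addr.arpa udp",
]

if __name__ == "__main__":
    for key, value in classify(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

A PTR target that never shows up as a destination tells you only that something on the host asked the resolver about that address; it is not evidence of a connection, and a single TLS session to a name like tse1.mm.bing.net should be weighed against what the bare sandbox image does on its own before it is attributed to the sample.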

Files

memory/1388-0-0x0000000002720000-0x000000000274C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1873812795-1433807462-1429862679-1000\desktop.ini

MD5 238c0874914e335021153e59af625aec
SHA1 4c32d237dea56a193fc2e1dab1bce820919ea51a
SHA256 67ded29b723ad36416242e35cee51310676c9196f954cc5d062d86b06ff9dfe4
SHA512 7a8397a2748bac38ba5dd184c72d34fac341487a45617a84ee7bc7d2d5081406768841c6df9fd8618f78728db698d27cfa91b921274048424496b2e3bd73dec9

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

MD5 8756f1c9b58bc86744defb0f70552132
SHA1 cfbef6d0ab98565eeae65633feb8d3e2b404373c
SHA256 dc662e2be2f5ff5323240f1ab67e7dc2a06eb3fca8e4a8942ba3116959cfe9dd
SHA512 4a87903c11e7a4b10982c48dad5ee0474afe7065eb6403366483490b5929967860d88b2088c5d11dc166d5ce4facdeb15dc70232184381624ae625fc3c772dae

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.PLAY

MD5 0b391fd83f097c69662890768adf7c5e
SHA1 35e41336c1c51336410f7e67720a73d8e6ebe2b2
SHA256 40054ed20337b4c74089aa60cb5d845ea1e5fa8a06a0bb8a1254fa427b9822bf
SHA512 d140a69606ad7f08e29545215981fc5b3c25692fe1a9f005fc7885cb8f5928ac5956a8bdeb06f5dc6af34e85e029a1dc277e5dfd035deb74de4913c684b3d819

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.PLAY

MD5 21dd654c0d5363dff4b2f1b38a33214d
SHA1 77a2b1e49aff654ac0db7d6b6b1f90a5c46df9ec
SHA256 8a6953acecf79d9c064da6ada744181b29eb98e3f9c247eec6e924e223b390e0
SHA512 3feb6bfd61d11f0b9dbee7e5e15640e7c01fb7c638378aa866b6f4a04fc680fe49bfc76ea6413608bd6bd72e67f66315f975ae8595d22fdac150a46809bafaba

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.PLAY

MD5 a84d1de3d471ca4cadd12df6029e48d3
SHA1 cf54fb06546a5105a9d6ba8439808032d992f0e6
SHA256 42337df7735e0b5a4565e573a3d9bab8e2ffe737c4f595b19682b83c7b5ce1ac
SHA512 cf6d42bf733a73bc1514b99bbd7220e392b90482a91826200b4240dbeba9b37b50c8d4ed437cdf416843f0c88b9073911dcd4138906a38da68bcaceb905d41d3

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.PLAY

MD5 c52d450a2ed1c39b18172530921ffb2a
SHA1 3c1f9ee9f893ab661abdf789e557c8380a18fdad
SHA256 dec5f9ed1e2a2a0149812443610b507565af7510768e87216dbc76851f2797bc
SHA512 97276a9ed00df75efc66da922f474b6a783b544bae8fdb595bccb5422021f1abd8865a50e79da220afe548f3d24c9fad5fb9e5eec6987d4f7adc1703029fde8f

C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 80c9d51259d23d3ffc8335c1da2bfe32
SHA1 79d5a36b9dae3cba17311e8e1cfeb15a024c618d
SHA256 993777d38d04512f485222526904cc39508d8ae6af8266de4970c987621311c1
SHA512 50e78da41765cd8ff0096dc35515ec5ccf38f53a090a34fe92e5bb01a6dc5bcc699ae3c4725a547abd446ca2a177ab6681b68b546caf3f0f839f133b1ed5f10d

C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 d510c63c925eddd5e67254571dcdf071
SHA1 9e2b93a16277092b5f7ee53b1da03e5192da7231
SHA256 7fd54455b082b81fa285e4048fabb5506b9da45a68fcfeb51b19ba32abe5a5c9
SHA512 261fff4aa337fbf760ac49561aab93c10e88021dfa62efc986677558f90c29eb76d12864753c0e43b3195cecf647b90fcc07a198198f8cfcc2aa9cec76e0dbeb

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

MD5 a4ed2a70a882e7484448c9dc78cbab31
SHA1 6d51f9b62a1e694874e861b2cfe7d797357c00cc
SHA256 77196049cbeb3eda68150bd354473faf602c621a4791eb862c203290e4d314d4
SHA512 342107d1b7e6ea64a2cfca97902b69c4158373d1c108c52d2915eba2887ed413690570f6a3d676d865f226f95d6cf55d9ef08ae6a562afbab31019ad789aff88

C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 d8568d3258ec2fdc5266db49e71d8c8a
SHA1 4ff1fa29e4bb6276b18fbc65614241b39153ad3d
SHA256 33fa606c2eab0294e4cc5a8aba50d49b63dd454d5d2ff3c2f3dbfad5e366217c
SHA512 7bb4610596679121a654240a15ba47c3bd7c0ca51e59448823d0b666df1620c5e499e3502b251d988d7687e5c9dc71e717e43848d7776ecd889ec72adf9f02fc

C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 970d69462eae773ba42f6479aa245ecf
SHA1 5a9f9556ce2833c67cefd429a811f2e7e601813a
SHA256 f34e066400460cea2948a09350898af0fdc00a3052ec6aac274e3a946a83a2ad
SHA512 85d28a665974c197b86779bf6fce83a8cfa521e9948f357eacd379c83469060ae5fab50d85cb8a6859c57c19ac0e682ac98624cefb66196b9e6df1c25c2ae4d3

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

MD5 ec29232611c071ccff12ea6235cd5ab8
SHA1 51a2873b0b1d286904926153805b26696c5ccbfc
SHA256 b9029d7b9f12dd39eb1d141af09123ce0367f2921e11a52a6fc330927eaaf712
SHA512 aa2cd4ed0c5bca93f040703dcfae37f43a12b41b4d4cb46e5895b5bd7972039c3a7d941b15191fbc0a635d3b99c12f8fabf53dadd1ed615bb62393d67b3bff18

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 8ff0d6ad31b0838fc1112dd37ac095b6
SHA1 9cb9df2036d57cb4ec0183b5d69cf12726ae10e7
SHA256 40c214d2a28a7a321b1f615ccb08fc5f0a46c36aa910c71fe580482e56b93f31
SHA512 b56e31943c4fa464de2f6e854fd67264b4bc4745e15d5523fe433d3472a8cbebac65993563505fa643d0150f833e34ccd2d0ccb614879c1cece335cc0a05ab28

C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 44f15cb607f50b1a70c1ad811d1ef746
SHA1 050490f30bc38d908ca39b50c0b2ae7494bf1904
SHA256 e79430449bfa1f9e35e371445b1c03a0dbd72fc09044d42f4309b4f4674f1c40
SHA512 25a0129f3804ef99776661ed038b435a68a1e59ebb47addd9cb46a21f039b415bfc290644bb57ef5ebabf369f93cd55d34dbbe287ed8f7c027d7778ef132a909

C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 d371fa7cce796ae9d0b4a8f336e491b1
SHA1 56ba2d2d31cd30da6cb334d2cae1cfd72b98a4c4
SHA256 c98ac208a00487e97dc464667eae75e519840565f28754ef8bdbd3a2c80aa31e
SHA512 358b957ad53ee417e1bfd2e872c3fd19cd630e956b5c640e48a4f0bcc82ec8f936d569ddfe8ee1e0076873db0cab9ab91d8eb879a389550cc9d490c849f7fa87

C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 ec92944585650ea1b61a4b0e3fe9aa0c
SHA1 b1af84d3c18074e9f0415f1bb9042b3db962466d
SHA256 295a8447e013ae6f40f9351a8e5621720a5cc6a9eb228fa78bf2d5bced196be7
SHA512 c7ed1b30a8ef3947c14ba3dc7db45dc5190dece226318704006bee0d4350b1cf776872d4d18bc5fd79a1e514bb9879962138211edfd51e9a8f7f3d769855eceb

C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 ee7dc25919e77e795ccf37860d3e8ae0
SHA1 306d6d9754a51f2f6f93d9a7d974cb4b7fe4c3f6
SHA256 546041fb2c5e45dd1f785f952e7e3981aaa1629d1f7514b656265933a0669424
SHA512 5431dcd90f939996545735ca9bf23d9e18b0a32e8ad9528084ee5e47eb8552123a66997a691f1b09181f66630091eb737b6d6ebbdb1d60e5122d43afc4e70da4

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 beabfbc1ad8843c0530704efee62007e
SHA1 9d2ea70579455356ecadd2f26f72b4fdbb11aa8a
SHA256 5b1650f8e8cd676001e79737b60ed950d9dc3765cc3163098781bde13fffee4d
SHA512 b72a09937631e2bd8b3b05a55c9eb471143ee2118ab6891490710008a66ca4fe3a9922a7dd4d01b5a2b442cbbee727ee0f90aea6d2f1c90fe8f27f8e9d9f5eba

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

MD5 84f46c37b8729e9a8a63ed7c68eb4b4d
SHA1 d5ce47cdaadaa8e7d080b6fa94c99d12f94c192a
SHA256 183ff37757392e3f47d204111bdfbc1c7df2bf02ac2ac87dd20ee51d8aae8406
SHA512 5e85561984bbdd39ae30708e566423e05f72efba05f804a9e1227b60e32c607f6f5e8c9c0ec610a674b721048fa502a719cf24c6dffa5d4de026d59cdde4ba8e

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

MD5 e7cc1317ade791a377bfeded918883a4
SHA1 29ca8c66751c83b324484134d46f9b5d07725ade
SHA256 30f8dfef2ad96e0940b212d487c01192c5569ebcee1f48dc0225edc0a67e999e
SHA512 008b6fd10e9bfc22790cdcece7d8ebe3555396c92fbe42c0411969d17d7e382949c0e18dca7a0adce580c7eb91b7a7dbb7758f2512aa25de1744f4112e6d4d28

C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 e55ca69048a3c67b0defb0ba8eed29b0
SHA1 f1becd711db1bb9a4949fd5900744c94d5c0afe2
SHA256 24278ed57a6af6ce49165b514efed3fb6d897af605aa0cbb5e4d2c8eca83a2d7
SHA512 96649aac65b559c410134f4ff99f790e311285bb7e37bca57a61fb2b7ce720f4dd9c0ffe5ce5a08372e256fd71e796ce4a632c6f0117126e7daf2decc57a56cd

C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 bf1f7273b286ceabea43faa10b3abb2f
SHA1 fbd83b8b1dda1a7e1b20daddd66a004638fba91d
SHA256 bc5afb1ab45648d4774a1b83916096c8218557ee4da597c45bd67331ef03dff9
SHA512 b5bae0bfbb958d2679c7d8121b9680f2d634e40031eeb3d3fbc662d34c32964e23cf6e5b805f96bdc661405edcd11617cb33268bc37dafcae8203f93be24b5b4

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

MD5 82d8e1ac6eada823592345709ddf6dda
SHA1 75d44641feed877574353f5e950b699e05ef5600
SHA256 84e32d1ffd268ed2d404e3f0d93a56db7cd0f91b333ad6ad274ad994b353bca0
SHA512 599d71713c5996dd20428129f3af5e0437b3730c6ea2cadb140a05d38c2629117c3370facd969dc429715ce5e1c5d7a84d6d4406988c9d594b4e4df523869481

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

MD5 f65198e9f3372f37bac9f81c7453c2bf
SHA1 c437bcc7f88616a5568d7387d4f0d8f22e9c0d20
SHA256 7f3630997bf6d718c8bd10a23421785bff0c65079e7979ebd127f8d7c672b49b
SHA512 e13646f7e578e3ca3d8dcb69e13830219114a982844568c9f26a924205d677e2939dfa392c8dbbaad0e5164cfeed953db47253d671b9048a43a7cfb61efad726

C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY

MD5 96e5a78046ae45b9728fe113e65b6abe
SHA1 5def035162ebfad6bb654c3975d9ec050acc32cb
SHA256 cdeb00980a6fa7b558ea8747997ac50867a0a3c50968377d6fe824d017c9b4d7
SHA512 9dbed1ad8eb1d0c23f50300ed350b19d2e34d6d7c7c7a758dfba42de90a6139ac7af9df95f2c32c9fba5b825239658d492ec39793062b6b93e671b4955f0eed3

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY

MD5 56f81e4a2f10cdcf79ee33d70ccf8afc
SHA1 2252808c0c6c8b7a881595c50c8266fa3b2cfba8
SHA256 69e7aa807e8baa17c35ae6eadeacba6aece9cd5d7a37bdb2f7dfe19e2a2b2eaa
SHA512 e745f888a70edd1eddacf034e0e4b829f70d79b1480415e8b621ac7d41ee1e10624c0760525e6f2a80d190f0fbeb977c2cd0439653574c16def315b75a21d100

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.PLAY

MD5 7c6e1b5139f7b7ce115947a5b8a44445
SHA1 0f33fa9c116d3f44f69c4606e0a443c40117fd99
SHA256 de57320603c8352c1c282055f9db8b67043ee0b7374031dddd75bc25701c47a1
SHA512 48cfd6975c9ae9f75a42261b59dadc577f7b3079d1274ce9bf51496c3dfe91c129720e95e484b3540c7cddbba7d2afefbe99e1cca2836cfcf4363d4e71cc3760

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp.PLAY

MD5 9ece87cbd8fd9bb7ed0f138577275d8b
SHA1 2256867d8c511e3b1a83ecaae080a5fbfe26fc47
SHA256 c69a2cda0a1677b604240c28927eea7c7ae8b4c0639fe3f520491b3918c18384
SHA512 d8387423be112f29e395087b42e91122efc0476736e8d3db3e2dd4dbf891a68525f6b8094e3c57822dad958640401bf75f25751a3aa233ce2f82671886ccb82d

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY

MD5 2d59fbddca6c4ee148ebede832d1eb78
SHA1 46796e12b28583f981348511fa7418ffa01e86a1
SHA256 44ad3596c2d981958df4310147da5c8fd1f190ea6b005a672445780d53219f38
SHA512 0bb69ad48925bef0685a2d4bf99deaf2fdb7e0ab95e13e88a026f75e6cb24191e95055b4646e625546a5a16bf1d4e994ce04aae50b7b6f2b6f52bf9abe431619
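The hash blocks above are easy to over-read. Every ".PLAY" entry is the ciphertext the sample produced for one file in this detonation; its digest depends on the key material of this run and will not match the same file encrypted on another victim, so those hashes document what the sandbox saw rather than serving as blocklist indicators. The following is an added example, not part of the report or of any vendor tooling: it parses the "path, blank line, MD5/SHA1/SHA256/SHA512" record layout used in this section, validates each digest's length and character set, and keeps only the digests of files that are not encrypted output as candidates for reuse. The record text inside the block is constructed, with placeholder digests, and includes a memory-dump line without hashes and a deliberately short SHA1 to show how malformed records are reported.

```python
import re

# Digest lengths in hex characters for the four algorithms the report lists.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_records(text):
    """Parse the report's Files section: a path line starts a record, following
    'ALGO <hex>' lines attach to it, blank lines are separators. A line that is
    not an algorithm line (e.g. a memory dump name) starts a record with no hashes."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(" ", 1)
        if parts[0] in HASH_LEN and len(parts) == 2:
            if current is None:
                raise ValueError(f"hash line before any path: {line}")
            current["hashes"][parts[0]] = parts[1].strip().lower()
        else:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def validate(record):
    """Problems with one record: missing or malformed digests. Empty list means clean."""
    problems = []
    for algo, length in HASH_LEN.items():
        value = record["hashes"].get(algo)
        if value is None:
            problems.append(f"missing {algo}")
        elif len(value) != length or not HEX_RE.match(value):
            problems.append(f"malformed {algo}")
    return problems


def is_ciphertext_artifact(path, marker=".PLAY"):
    """Encrypted output carries the appended extension; its digest is run-specific."""
    return path.lower().endswith(marker.lower())


def reusable_sha256(records, marker=".PLAY"):
    """path -> SHA256 for clean records that are not encrypted output.
    Note the caller still has to judge whether what remains (a Windows
    desktop.ini, for instance) is specific to the malware at all."""
    out = {}
    for record in records:
        if validate(record) or is_ciphertext_artifact(record["path"], marker):
            continue
        out[record["path"]] = record["hashes"]["SHA256"]
    return out


# Constructed record text in the report's layout; digests are placeholders.
SAMPLE_TEXT = "\n".join([
    "memory/1234-0-0x00400000-0x00420000-memory.dmp",
    "",
    r"C:\$Recycle.Bin\S-1-5-21-1-2-3-1000\desktop.ini",
    "",
    "MD5 " + "a" * 32,
    "SHA1 " + "b" * 40,
    "SHA256 " + "c" * 64,
    "SHA512 " + "d" * 128,
    "",
    r"C:\ProgramData\Vendor\Setup\setup.ini.PLAY",
    "",
    "MD5 " + "1" * 32,
    "SHA1 " + "2" * 40,
    "SHA256 " + "3" * 64,
    "SHA512 " + "4" * 128,
    "",
    r"C:\ProgramData\Vendor\Setup\broken.cab.PLAY",
    "",
    "MD5 " + "5" * 32,
    "SHA1 " + "6" * 39,  # constructed defect: one hex digit short
    "SHA256 " + "7" * 64,
    "SHA512 " + "8" * 128,
])

if __name__ == "__main__":
    recs = parse_records(SAMPLE_TEXT)
    for rec in recs:
        print(rec["path"], validate(rec) or "ok")
    print("reusable:", reusable_sha256(recs))
```

The indicators worth carrying out of a run like this are the appended extension, the dropped note if the sandbox captured one, and the digest of the sample itself; the digests of its encrypted output are provenance for this report only.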