Malware Analysis Report

2024-10-18 21:37

Sample ID 231219-xspt1saack
Target 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
SHA256 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
Tags: ransomware play spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55

Threat Level: Known bad

The file 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe was found to be: Known bad.

Malicious Activity Summary

ransomware play spyware stealer

PLAY Ransomware, PlayCrypt

Play family

Play ransomware payload

Renames multiple (7317) files with added filename extension

Renames multiple (8486) files with added filename extension

Reads user/profile data of web browsers

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-19 19:07

Signatures

Play family

play

Play ransomware payload

ransomware
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-19 19:07
Reported: 2023-12-19 19:13
Platform: win7-20231215-en
Max time kernel: 330s
Max time network: 318s

Command Line

"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (8486) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-452311807-3713411997-1028535425-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\resources.jar.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Address.accft.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\EVRGREEN.INF.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\vlc.mo.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00103_.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18235_.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_COL.HXT.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\cpu.css C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\clock.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dubai.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excel.exe.manifest.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lij.txt.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgRes.dll.mui C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXSEC32.DLL C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmpnscfg.exe.mui C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01157_.WMF C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\gadget.xml C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00234_.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\TAB_ON.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00014_.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02413_.WMF C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00428_.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19827_.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyReport.dotx.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Metro.eftx C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\resources.jar.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_ON.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_fr.properties.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21331_.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Taipei C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\XLCALL32.DLL C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\en-US\Sidebar.exe.mui C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe

"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\CompleteConvertTo.mp3.PLAY

Network

N/A

Files


C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn.PLAY

MD5 70a377df3ccd729ca69b38f7de435ad7
SHA1 8015dcbf47bf2a67923cb6db04b6e16eaf92e4d2
SHA256 fe4e9c722ada1de6dbf53657591effa866dc4ade06a192fca048aa38d231fcc8
SHA512 c77a50ebe53dec9c28c9abf7b69a1e0a031aaa041d9be2be911603e8eafdbeb841742bc25e89124aee660eb38912cc72413c50c1609bd772ebfb95be0219aa81

C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn.PLAY

MD5 e14f8e0de1c0f29d2fb21d79018f831f
SHA1 a9a75590c0a8d7a30f737cf35f0ac680c683181d
SHA256 bba78555b10ab473df71f629408916f266f43b6e882bbd842b5a770edd607c04
SHA512 5d6c27deb5ab482870a4e069e029e25c98b05051d61dfa4cbf7b2710a697dcbdd976f2a44486445071e17e70bde0a7570fbf784f1fb4da6e448c469872a13750

C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn.PLAY

MD5 4e50d8ab554b3b650a375e65fb1d6f96
SHA1 58df99a83410128a8fabfe223030b6535afaa09c
SHA256 359ea08d581d0ee5e47f4c5676121edfafc72dfd09c898265932680e50a2c1c6
SHA512 09ad1011e3e7f3e5fa8d07932872991b626a32b8a60f49337e48a1d514f9468a628d3348952bc03d12efeac84ab4053427863e579ec6a21a605004692c2374b0

C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn.PLAY

MD5 33f30963d20674a54c15c04c282443c8
SHA1 ece9422ca4ff88cba174e250a47e29ebb320cd4d
SHA256 94b9845051f085b7ccca45b4829e277db3bd3abe0a920b8cab870991fdd1191b
SHA512 b3598bc3c401f5a2840ad07888d4079ffb16d7aa2cf01c855cf0c56095525b7708d2a7c6e8e34860139d30a0ff356480e09581c5154268441f14adb2b24aedfd

C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn.PLAY

MD5 df010e990b4c40103c5aaae8e2e38bb2
SHA1 1ff90810c3d03d67eb7b24741d11d8504e2d15df
SHA256 20e33ca9f59171c4033176761c8b43ceea1a1f5601dcef69db3263b53832fc85
SHA512 d7d18d5e9c34fb743c14df20efb9f61c24ed62c1b18386461c7873af4c9038c358365a08c948da5edfb7a72a1b9d412bc607121ceff29a0d04e8404e5b2fe1f9

C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn.PLAY

MD5 e46e2f57e8d6cdc404dd59d9be4dd50d
SHA1 7b5b7bbd0d4bfc693ea61fe1878cd7ccb9404f0e
SHA256 78b27366cc7fec651206417fc04b1503ffada13bbe4a2ab446af2588f74232d1
SHA512 99183c0e116a3545fba5f3f47612f97b76b0b221f480405330eed1d36fd7e32c76b7f0dfd426717c73e9240ab7b60ae60dfc5b36bc43c353fb05e222796dbe78

C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn.PLAY

MD5 c4d3ea7f736fc9c6b584cb894ea91610
SHA1 d0ba90b73a05160d74ed00931bf8f551fefc120a
SHA256 f78a8720e0e3d09f140d3cf7c51acac55d5300ad228f1b4289fe4a50294ac356
SHA512 0f44813504fa11a3c78b3b288659cdb249074250df5273061f7fe299abba890997eb417f6e4b9e042a213eb43f62faa6666e8914480a77a8a05797d74caf655c

C:\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH.PLAY

MD5 9ba24d40e9c5021d284e6001593b107c
SHA1 5f84f6bef20d5d05eff559d82323e522f9331d87
SHA256 e1ed28444ab0c9c38ea147da219859a9b94a446b8a7814cd22061841703efcf8
SHA512 76f947edfcbb949dd5ac68856c58823e4133846bae8e45ab81dfa8c3a0fc647dcd236c449d3e582d3aeeddf7634f754c673a813f42eb51ef5cece5a12889d438

C:\ProgramData\Microsoft Help\Hx_1033_MKWD_K.HxW.PLAY

MD5 b92246e1241090b578cde42f11cb9b05
SHA1 1f6d22ebdafbe0e0dd77ea6cd337a91dbd3c681b
SHA256 70601c7b56a7f67f23288c60b6b81232ce4b746bd6828012df7a7e0321cdc2dd
SHA512 edb067988078a6619c1617e15fe29aebe49123cefbb09446f2a339737b30ea13b3e47f4a02b96a92c3910c85c4cf24082def90eb99dad1859761c5ff87e8993e

C:\ProgramData\Adobe\Updater6\AdobeESDGlobalApps.xml.PLAY

MD5 104acd2ab10ed21b3da1d5ccc352647a
SHA1 73f5f03fba9d05914de289d9f03e260c5c512c19
SHA256 210b8bb9a92d9ed40da0ff63ddccdcae2704742848f7b70bb02bfce45afefc6a
SHA512 85df8ca2fc0489ae1720b310339ac5f4772da2de3a3b9376a5d43f72c7080cdcc413fce1c4252d4837529a2eb72c19ad69ec31df87a0154bc3fea8bc83e7db09

C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 34e4b8b2fb0e5e735a22c5c668564b5f
SHA1 8a3213498620314d175ec62ba4ffe8767a37f6bc
SHA256 1a8e9da5cbec60b6a72368221ab474ddb5ad8ce5215ad2a5561ba9f9b2902ff1
SHA512 eb5aa8227b899134a1e366d27fc90139342f065c5930f81a1a9da64aef0d2e491810d450c3768647cb4126d1d19a8423b8e141602e3278f86eec1f5d94436745

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 d04143ef766693b38207bbd1f682db52
SHA1 906b65f7d5a2f372b1fcda8e8fda57d06e4053a0
SHA256 a89aa9456b32d7c974277ba208fd588939ead91bfe135d391d5bc0defda3c38b
SHA512 2ff6d59828f452c6075a6609f649602083b01f983c4fcc507530eefffacf22cddd471f3510025f250d736460d0947557e651091c100caaa963735ce27e7ae524

C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 d1d5b0ae490f084286505d5e6333e9ed
SHA1 4de3c44713173665860810527bed821667549621
SHA256 b1dde6713ace3608af199a7556c228e43eea70dfef3bf5cc4e02dd033c75f3e5
SHA512 c814e3a2752474f08b9795d08a6cc11a706b70ee396ea8817284664211469bea92fe400552fba7830a5e4bae53a8b5429c40b061932289e0877f59e4180216f5

C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 e86da03deb7bb184d849f8c40235a117
SHA1 1f78722867a809fcfd080c6feda24dca6a463c96
SHA256 c9779b6a2d4b9372952a020eec1efe50efea948b2b0d2564794d70778b55fdd9
SHA512 18728b219d195f5a07132a42fad83fe2193d718bbdfa7a63363cbf24891e1e65530703bc8660eacb5a80d3d17c5e76215462de3218fcb1095cc6ffca2dd9f8fd

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

MD5 35052d63371684b363f3203e9465154c
SHA1 0d3e0ab1579c1f3baf38becfe00f8b883b2380d2
SHA256 499c278f28ca14e28fd8e5ae14cac7bf00a4e501ac3e40474ce93ceb2c286648
SHA512 73011d6f4b48b98df64296c9123376d6197dd73fd07ee571c141d19f38029333132b97e38eecaa838b068bcb58d7f5c9c4aa2155f5940c0e72cbc6f265db5351

C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 33c824c49a0b0aa7c818ea427a89dceb
SHA1 cd5ce8b6e0201efdc28cd11707d14a5e629c00d4
SHA256 28cb4cca77c145862d673de93a93f27f2bdf4bd78c15464f38cd0bcaf2bd51bd
SHA512 e9b4e807d427e8e66f1fe7495a1df88d27736a29df2b6394fcebb06946d7895b834129ccda66fbbd47a36984de03150b3d65fb8e7627f3cd171300f578447cd1

C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu.PLAY

MD5 ac5ed2c8420d9cdd39c1971422c1a941
SHA1 0a80a5009eaaf180ec865cac0f3f01fbccfb3730
SHA256 1fc572888c0c8536d43b3e03a315d1df0e745763adf3669084be71383773d05f
SHA512 0c306abaf50964626a3a914df47953c66d610a9932a4ea292baa97fec2acc399ed0dfd7d9d6b723725dfed4b8636d8ab850b037be2d6facdfbaa6b66e59a09e7

C:\ProgramData\Microsoft Help\nslist.hxl.PLAY

MD5 b83751940472d7ce49c3639125ec29d5
SHA1 fa542042ed853c5391fa2420a89d64851ea48f7b
SHA256 c549701d780f43af2036af392bf31a97d15ca67c2cc3aa3617cc7fc95f10a3c5
SHA512 5578875fac275c64284047d55bedf3d940225b5b9a44ffe61ab539fc1c2d37d43196c6c68a5d3bb76c60f15faa3d1dceb24ec7735dc9725bbf31156938a0e5ce

C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn.PLAY

MD5 dcbebf6020494c8896e90a35cb7c14b3
SHA1 e688bcf9c13ce4accb8dec65ef5d255a33c8b805
SHA256 3ab5dc5a6a1ddc8978a7c44be61af45b7225b3daea289f0f64350dc0ff071cf2
SHA512 bfec2af56e54c0fe7ad34f71796d0a6c34b27c289da56cf79b2835b406afbd3797f2afc381077512c780a3e3fd01080772bcb9b0e8c984c079d1e81c99e58d74

C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn.PLAY

MD5 d861f09bd5104239f1f23bde1e147976
SHA1 ca34388cdaafa6656d07afdf746075f413d902d7
SHA256 4a5d65d1655bf6614deaba221ce5f2d8b813cdfbdd410f1f02542a9c251f13f5
SHA512 34cce0db46e3eeca85c66ef31e46431dc9050579c4282a0c1c13c9bd9fd17b3ae937337ae07b58c4e37867b04fcd1191a48c0312d2bab359c2844a3d1cb48ddc

C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn.PLAY

MD5 9c244e7289c010eaf5ea44d77a973f5b
SHA1 5cc878c79d43d5b7725a960639c840d57944e3e8
SHA256 dd4ecf492f12c492cf4f2e06d463934142eaff56e2676807394e87240c4f93f0
SHA512 a7b0b258d019a321608f7d339486c527ccc0e6aecadc6574cf522fc5b26125ff3134e8358e64b08a7b7986344a1137eef55cf6c0e26c506272fa52073c445e9d

C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn.PLAY

MD5 7ddfe5ffadd90892bd001b66bdd2b1a9
SHA1 662bb95e02b427d02ce4d1ec1a383bdb79f7e245
SHA256 e1d6d20653d6af0bb6e5c8c1dc0952e0c0e7bac1f13df19841774bfd80199c3c
SHA512 78e4e6e3924ec060aa0890f953e8c3ae3c8b2ea4fc74f5e3e6f67bd21301d30428488e5364556b478a90c8793a24cc3ddf0ea42526cc0b0548533979e719d89a

C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn.PLAY

MD5 e553d36e2c19dbc07d7200919bf3b233
SHA1 c2b7c7192efcec7eed6ecee2e7b9f080435dc6b4
SHA256 7d33d505f052621b10c6923bbbc0bdd822de10b558f3dcb821c926d90a80d642
SHA512 7aa2dc3fe1d615bc6dc3200810be7de7af89e776456b53ac1e515e3ad0038bec8f4027f1817ae19edf7f3b71875fb778643ec5e71e80f284e4171b8c17322c42

C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn.PLAY

MD5 adadf92109fc9ec6621678ab8bf52a1f
SHA1 b49f3fa6bb48ff4d5c7447fab7a391ce79a0b655
SHA256 60b1f82c9f34e0090fbedbec2c3a7a897282d777285d68de34f37402c656bbf0
SHA512 e00b52687e6a553080cc17c4362e046471768e33f10af8d819fdc36ad5d398a7e625cc61fab5e56794155cc0a847b012cbf06f8204db287b79b6233e39c97e40

C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn.PLAY

MD5 3a0a3524419d2564537e6059b46b0034
SHA1 a2f510b97c10b89d33907386cb1c31bf670d16d1
SHA256 5c828e453429470a13ee75c31593b343d3a6eabc3f266a09fc0f9c07a32287c0
SHA512 3632054f0a28818639834084a0d5de69c072978483c68f8aed8bfe9174e1174f761cae89ef9a6f49640c3325211693a81de348bbc3731d655a31d48ba4d5ad53

C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn.PLAY

MD5 033ce878e76d00fff4db0a15e66bf17f
SHA1 64872428ba4a001a5599acb243cbd423f0c6a4ef
SHA256 2b330544509f91b300470496d7221ea4469ef65d3cef690b980d3a570556e298
SHA512 92371d34c8205d8c6c9a5451765e14879039c5772e005b211424bc6caa77d99bec1674a6dc2b6c35c52f163eb799ac9c123db8b8ca0f2e87f6f7d0bc1a72832f

C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn.PLAY

MD5 cfd4b155042d34285e8905e9d91bf753
SHA1 af0840fa011626b43371fa2837998b6dacc28177
SHA256 45ef44d77eb011a31ff8d34f0e5c2cc927a8459c605a28a484269ad7d75ab783
SHA512 3d7fd10a201c38136dc567b61e7cc12ebbe835c24316fd3e0a2fb6b47ac8bc3c1a6e302b0657b5e7839d01622264931ff4cf1cf34d3510de94998565e5aa9ac5

C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn.PLAY

MD5 d983f1dfb2c239599562a00dfc1a32b7
SHA1 7cc3c74314746ce62ba23ac31305b05fb1f0eca4
SHA256 114e357d678691960035827b8b9a4b2bc3dc0e8177fda47b8375f5cadcf2db71
SHA512 4784c35bfd985357da9f824538c792a20db46d59e3ecb603ad8458c953138ec9f9130da15f328bd8819bb26095c054ec96a7c7613bb6dac201a9357b973e723b

C:\ProgramData\Microsoft Help\Hx_1033_MValidator.HxD.PLAY

MD5 ad933e360cb9003603e214e1582464e0
SHA1 f883b6818a364c8b6a51a362cb46266b189a6d76
SHA256 d195fae7129c703f4f6abdeb1bcc1f5a485eb3426d4179cd6c1e6e056bc70db4
SHA512 9324247133f01eab07e3baee46acbab27e64a025c2c458536ce0bd8cac2a9ee2408ac45cd4f9e7d585d65b63176dec31c3d75dd7baf990a8db89bcea958a4400

C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW.PLAY

MD5 fb2a4f7257ca3472cc9a4e0963bf2f21
SHA1 094e13303b968143f9a892d779fa89d76ca700c5
SHA256 f720fc6984337bafde72f09e71408c86e5cb0f0e4acbddad90ede9254fbbb4a6
SHA512 c65562e6949b878e202af917611c4d62331cd88794f09e3f700684a5c2d3e74931bb17857a180fe0ca084f6c830a00dc165f79563ae797d97f6f84c6517f5583

C:\ProgramData\Microsoft Help\Hx.hxn.PLAY

MD5 46ad0a16b95c7b00e3113f0a78374813
SHA1 1cd8405a0c43a31e12b4e5e37d7fa0f352baeb90
SHA256 cd162a647ac2c0bc2a20bd6b9670b1ebc60e58c354225fded8cff0f5e46c4c95
SHA512 164b11c7a46daa90345d5796f44d4067c2e2499e02d19b6b603257beb31f77012f600942f96133e2453ded6a85cf8c59917676d722613709294d64ad832edf9d

C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata.PLAY

MD5 2ff718c89e02cae624b6b8642697e1c4
SHA1 9180b0a0a169f9a3ecbfe03e1661d256b0bcc04a
SHA256 aa441f0cab16ad666b3435fd2b2958533e212082e8de1ab1c94bfd93946ec7f3
SHA512 f319073ed31f24cd9cf508119f2bedba7f687676075c0bae584203088e3fdd287373d811f3787aa74855ada721d5b910db8deffdcbe6dabb731eb6c946e52cf1

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-19 19:07

Reported

2023-12-19 19:10

Platform

win10v2004-20231215-en

Max time kernel

115s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (7317) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7-zip.chm C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_WorriedEye.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_cs.json C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.ps1 C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\office.core.operational.js.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\ReadResume.mov.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYH.TTC C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.EXCEL.16.1033.hxn.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARABD.TTF C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\complete.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\file_icons.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\1px.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square44x44Logo.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-125.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ja-JP\ieinstal.exe.mui C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-100.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_BadgeLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Moonlight.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\17.rsrc C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hr.txt C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line.cur C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-hk_get.svg C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_k_col.hxk C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\progress.gif C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.PLAY C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe N/A
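The rows above are flattened entries of the report's "File opened for modification" table: a single process touches files all over C:\Program Files and C:\Program Files (x86), and several of the paths already carry a second extension, .PLAY, stacked on top of the original one. The script below is an added example and is not part of the report or of any sandbox's own code: it parses rows in that format and reproduces the logic behind the report's "Renames multiple files with added filename extension" verdict by looking for a trailing suffix that only ever appears stacked on another extension. The row grammar, the three-hit threshold and the heuristic itself are assumptions of this example; the process path and the file paths are a subset copied from the table. One caveat for anyone mining this report for indicators: the per-file digests the report lists later for *.PLAY files are hashes of ciphertext produced in this one run, so the appended extension and the bulk-rename pattern, not those digests, are the reusable indicators.

```python
"""Added example, not part of the sandbox report: reproduce the logic behind
the report's "Renames multiple files with added filename extension" verdict
from rows of its "File opened for modification" table. The row format, the
process path and the file paths are copied from the report; the 'min_hits'
threshold and the heuristic are this example's assumptions."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# One row per event, exactly as the report prints them:
# "File opened for modification <file path> <process path> N/A"
ROW_RE = re.compile(
    r"^File opened for modification (?P<path>.+?) (?P<proc>[A-Za-z]:\\\S+) N/A$"
)

PROC = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe")

# Subset of the report's rows; the full detonation renamed thousands of files.
REPORT_PATHS = [
    r"C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\complete.png",
    r"C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\vlc.mo",
    r"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square44x44Logo.targetsize-48_altform-unplated.png",
    r"C:\Program Files (x86)\Internet Explorer\ja-JP\ieinstal.exe.mui",
    r"C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms",
    r"C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms.PLAY",
    r"C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.PLAY",
    r"C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.PLAY",
    r"C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.PLAY",
    r"C:\Program Files\7-Zip\Lang\hr.txt",
    r"C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.PLAY",
]
SAMPLE_ROWS = [f"File opened for modification {p} {PROC} N/A" for p in REPORT_PATHS]


def parse_rows(rows):
    """Return {process path: [modified path, ...]}; rows that do not match
    the report's row grammar are skipped."""
    by_proc = defaultdict(list)
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            by_proc[m["proc"]].append(PureWindowsPath(m["path"]))
    return by_proc


def appended_extensions(paths, min_hits=3):
    """Trailing suffixes that only ever appear stacked on top of another
    extension (never as a file's sole extension) and occur at least
    `min_hits` times. A legitimate double extension such as .exe.mui is
    rare, so the threshold separates it from a bulk rename, where the
    marker appended by the ransomware dominates this counter."""
    stacked = Counter()   # last suffix of files that have two or more suffixes
    sole = Counter()      # suffix of files that have exactly one suffix
    for p in paths:
        sfx = p.suffixes
        if len(sfx) >= 2:
            stacked[sfx[-1]] += 1
        elif len(sfx) == 1:
            sole[sfx[0]] += 1
    return {s: n for s, n in stacked.items() if n >= min_hits and s not in sole}


def triage(rows, min_hits=3):
    """Per process: number of touched files, the top-level directories they
    live in, and any extension that looks appended by a bulk rename."""
    report = {}
    for proc, paths in parse_rows(rows).items():
        roots = {str(PureWindowsPath(*p.parts[:2])) for p in paths}
        report[proc] = {
            "files": len(paths),
            "roots": sorted(roots),
            "appended": appended_extensions(paths, min_hits),
        }
    return report


if __name__ == "__main__":
    for proc, summary in triage(SAMPLE_ROWS).items():
        print(proc)
        print(summary)
```

Against the embedded subset the verdict is {".PLAY": 5}: the five stacked .PLAY names are flagged, while ieinstal.exe.mui stays below the threshold and the double-dotted Square44x44Logo…png is ignored because .png also occurs as an ordinary sole extension. On a full event log the threshold can be raised well above three; the point of the sole-extension check is that a marker extension never shows up on its own, which is what distinguishes a rename campaign from ordinary multi-suffix filenames.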

Processes

C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe

"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 20.231.121.79:80 N/A tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
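Everything in this table is resolver traffic to 8.8.8.8 (almost all of it reverse lookups of addresses the OS itself contacted) plus two direct connections, one of them to g.bing.com, of the kind a Windows sandbox image produces with no help from the sample. Nothing here is a callback attributable to the payload, and these destinations should not be lifted as network indicators for this family without corroboration. The script below is an added example, not part of the report, that makes that separation mechanically: it parses the rows, reverses the in-addr.arpa names back to the addresses being looked up, cross-checks those against the direct connections, and leaves only the unlabelled TCP destination for an analyst to look up. The row grammar, the noise-zone allowlist and the triage rules are this example's assumptions; the rows are copied from the table.

```python
"""Added example, not part of the sandbox report: separate the Network
table's background traffic (reverse-DNS lookups through 8.8.8.8 and Bing
connections made by the Windows image itself) from connections an analyst
would still have to look at. The rows are copied from the report; the row
grammar, the noise allowlist and the triage rules are this example's
assumptions."""
import ipaddress
import re

# Report rows verbatim: country, destination, optional domain, protocol.
NETWORK_ROWS = """\
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")
RESOLVER = "8.8.8.8"
# Assumption: names under these zones are the sandbox image's own traffic.
NOISE_ZONES = ("bing.com", "microsoft.com", "windows.com")


def parse_rows(text):
    """Parse the table into dicts. A malformed row or address raises rather
    than being dropped, so a changed report layout is noticed, and an empty
    or 'N/A' domain cell becomes None."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        ipaddress.ip_address(m["ip"])  # rejects a garbled address literal
        domain = None if m["domain"] in (None, "N/A") else m["domain"]
        rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                     "domain": domain, "proto": m["proto"]})
    return rows


def ptr_target(domain):
    """'200.197.79.204.in-addr.arpa' -> '204.79.197.200'; None otherwise."""
    m = PTR_RE.match(domain or "")
    return ".".join(reversed(m.groups())) if m else None


def is_noise(domain):
    return bool(domain) and any(
        domain == z or domain.endswith("." + z) for z in NOISE_ZONES)


def triage(text):
    rows = parse_rows(text)
    ptr_for, forward_dns, connections = set(), [], []
    for r in rows:
        if r["ip"] == RESOLVER and r["port"] == 53:
            target = ptr_target(r["domain"])
            if target:
                ptr_for.add(target)          # address the OS reverse-resolved
            else:
                forward_dns.append(r["domain"])
        else:
            connections.append(r)
    # Connections carrying a known background domain are noise; anything
    # else, including destinations with no name at all, is left for review.
    suspect = [c for c in connections if not is_noise(c["domain"])]
    return {
        "ptr_for": ptr_for,
        "forward_dns": forward_dns,
        "connections": connections,
        "ptr_correlated": {c["ip"] for c in connections if c["ip"] in ptr_for},
        "suspect": suspect,
    }


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(f"{len(result['ptr_for'])} reverse lookups, "
          f"{len(result['connections'])} direct connections, "
          f"{len(result['suspect'])} left for review")
    for c in result["suspect"]:
        print("look up:", c["ip"], c["port"], c["proto"])
```

On this table the result is 14 reverse lookups, two direct connections, and a single row left for review: 20.231.121.79:80, which has neither a forward name nor a matching PTR lookup. The Bing address is the one destination the OS both reverse-resolved and connected to, which is what the ptr_correlated cross-check surfaces; a real beacon would typically show up as a direct connection with no accompanying resolver activity, or with a forward lookup of a name outside the allowlist.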

Files

memory/5012-0-0x0000000002F40000-0x0000000002F6C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini

MD5 7697a649888f7699d2b031b37efec78b
SHA1 0dc3c35ae1b5bc27ec14b1b8fe17a6cee49a6947
SHA256 e0cbf26bf57105715d9293161238bda0c9d8fc528ed1caee130c5de2d8d5cdc3
SHA512 83af040b410cf7557343b01707e7018d2d8ede6c25a76f3c516db85eb3b0b24a3d4b3a0db82e58d80563ca66b3917689e30ae5ea3952e9856b81f1aeb045d2d7

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp.PLAY

MD5 32504c2e0861cd66850be9b0fbf0f657
SHA1 a5197bef6897722a19ea5dee9fd750a8dcb618b4
SHA256 286bb66cdedaab3e65e96ceccf57ebcd4065444f427941ec4583e5caf383ea20
SHA512 1ea34cd2388be4ba84cbc14db1e28d0de1a9d29d93372ba6687b63c5552a5f84c9cc2fb26f45f5b04d11c2baceb45c46d4f81000a8f578afb3d6bb254918f4ab

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.PLAY

MD5 b5beaf4413b8548e4a23cf35c004ab01
SHA1 f0ea3d692c0dcf70684da963f43fff1da3fab0bf
SHA256 111602fa83575682d057ece3291c6cd476389079a6cd1a59b9378f3048b47794
SHA512 1a7085620063fbeb03647a0d51ae45852a3ef40d87808d8f5c415532a7efbfd7700980adcd5dfd6f91e69aa747b7fa8d8a540c44ad5a810003589798b202747a

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.PLAY

MD5 13b8947341e6c59563dfc3689427ff47
SHA1 33034e0d6421bdc8fb4c420b098cb49619555ff9
SHA256 3f33f83b1592612b989141ca381dd6ff2113aac3b76fba0f338b5f0ac9410a57
SHA512 149920fc68cbcccba40ee24f53ab4227982ecb342ad3cc67b5a9816e7b9beb0dc6030770d7c86f4b1a9463531abd171e3b3acd98e91fba3717656eeb8361367e

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.PLAY

MD5 0be0bec9bdcd453fec305f2ebb7f84c1
SHA1 ae19c7aeef2a8c792874c6bb368fb6bfb795d68a
SHA256 04c22330bbd764b211a9757562626e3ee50348d7ed7edd575dcaf9303c0f4414
SHA512 4625101a3208e5e5c1509e90ef986875f41228ac83cf5f5f2dded588812a3efb387d1c65216049012a4c8a94230f1c9e3d7c75afffa521063c1543a0477f73ab

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.PLAY

MD5 4006b64aaccde443f68a1bd4dbffc3b5
SHA1 d4f9c6d48278548fb0e5740bafac9d0b1db2247e
SHA256 8f613eda1c9c8bc7e2ca6acbb7959d4c7b0d5b4a1be32516475936ca28716882
SHA512 f81d572bea0d1d3a16c67a53b4ac41321cb102e98a6fa25f0d4edec06eec4faf75f786f76142cc0190bbef05f32e104c5c2d452c961f6781c35087ea912ec60f

C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 cd53bacb565a4b2dc3805c43303f47ff
SHA1 30df974d00ccd09043ee345944abfae159aaa6fa
SHA256 2613d0ca7eee7e1effa916481c4f0b192ef4496d15e6399ee7c43fa141fe43d6
SHA512 3eb8e45b67b48217b802ed5a715af93d1964e937e1117f0bfc5ce736284a8abffd9127404383ab612e25b3b72064d41d6b0eb36c1310d78a80a856a5b1bf657e

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

MD5 c898c6785d18ee43a7244005d2a30f50
SHA1 e4b451b29874b0d706dd0e89388abb58cf0755b5
SHA256 64941decdbed93d52dc0ad52fcd383173624d00baa08a5a47cfeb3700bc0f2fb
SHA512 b77e425b7c54f877bd7944cc202f47342a129ca1393683cb601febbf00843576eb2128d84b7b423b91379724cb5a23452322b72398f051676e38f9999681c63c

C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 616cb951c49ab1d5c72f57909e634f62
SHA1 13bfde60d1791233ee7043b6ca792c1696656a0a
SHA256 c1b9489d0c1dfbf68c0beb6dd7ac6e4d5a6dcd4f7c77e600c7104189b6121ad1
SHA512 fb24130c79ea71ab17df1b224480048a8c6266c4d72f4ab9326de377bb470dfa454cc093b05423082d469b9428b30a75ab9656c1abf9ef82b921831d43a91f6b

C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\state.rsm.PLAY

MD5 2045fd524044709e612b73ca3655008d
SHA1 73d79a9e0e9d1949bb60c0c3fd6d45415d306657
SHA256 828b2d2bfbc4dbe8074eed77fe826e00fc251a7be74be036efe33aab3d24c30d
SHA512 ebfb8b9c745909a7bda3e0f42e8bf07f343a29cfc7ff2e3885e749a721899deaf768be93c2188b9d3ec05506984e2714d4a10237e428ff02f358efb3621d7d5f

C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 d43ae36e61d2c1e85621a69ddffb7779
SHA1 58e4f0d6dbc2c36899304b8768217de8ab3119cf
SHA256 c5542d6f549d366da3ade4a8927b777bc1045da33ae7a2f0b60f1fed7996be03
SHA512 78c4b5f8d1745f1fbad49129f6ac58b1ef389d65d3de4909d8b79de6af12c5a2863193e3ddb3da9f6a8f889b770254e0560ebeaa793a344cc98b8e4d803afaf5

C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 c77e996a2566707c3560ed4a09f8e84e
SHA1 7637e880a9599fb2e8f62c461ad693431d06e9c8
SHA256 97d80bf6091000715557d1af1d369bed5f3bb015997ebbcb2d507b5d8c2bbfcb
SHA512 8ded628b159f2c34434992fb767f9f26654b63922850a98d25ecebc38a52cbaf7b86a2671bddb6f43494d7260b40309ac1a908c8ce8f7f8cd5be41c548d4a4fb

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

MD5 ac4a1f32bd72051369f92ddb2ab4a45b
SHA1 1d30d9c638c9e4095ae9ee556da7950ecb6e246f
SHA256 970178141989bbc046afdfb3486b00b03ed1652c00ae90dc3aab04bea2530e9f
SHA512 3be6db5072b09764d819bdccea9f0914bde1cd15b063c4b8eaf1a5b4f50342c157465578754157d2205e7efb01c1089b2e518874442faa2f15dfecd328c02c6e

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 4e1345cb554e3ae74a41c9cdd087708b
SHA1 a31e1ece97ea282a6a00334c4d7e70928aa75455
SHA256 065788381dc1bd7be1654d8cb55025785eaa3879fcddbb2d04d9bb129063bce7
SHA512 ee4ebff0e7be5c04bba84b7660ca4eb3c378b98e2e8c46608c55b7ecc28fffb21746f457f1b89c016f30d0354f6f822084ea4337f306bef673a26031bc920976

C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 cc75d5103df1b0205b5ca5f770321fe2
SHA1 9ef1bb0dd45198035a5e7dd5446b1c38ba599f81
SHA256 8946cf7149720b751b63231fccbe509f0255cd63abc9f74b7927bf1d28977693
SHA512 2b5c5750a4ae3ecf0160e7e5d105d8abaf66d27b1bf46f73e2eb2a0f402ae6060b372ac825d7a876347c5a93b17ac5885ca183c8be466eb1fdb644581f5e98a5

C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 5372a4f6585862bd91466bcdab97a62d
SHA1 fd31c08f256a54dcd103be66bcf8628ed1248699
SHA256 2a6d3a50a57d4b330fa668289b529270ebbe10abcbefb2c56111170322b16dd4
SHA512 d84b7fafe5d1e60dbd7ec8b28131405fe80f698f332e61912d387c225de887907cdc6f520877ca7d9fcb310406783821b7ddd0466faa0a6a51a8a1a118d430ea

C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 7150cd9b65692ffbdcf567bea18f50bf
SHA1 cebb1b69c371d60876970b331c8daa0af67d09c2
SHA256 0a4bd8345df92ec9a7f009569d685a5cb936841590f596b143bb4669fb70665a
SHA512 be9d943faad0bf358e4738c54cad69ae467d0ef81a303f2b500921993be1a315a925e87469190c360e88913572a2c2702b046c53f087c29a36a7fd61d421cb68

C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 40033e8168827d21128cdad69006dfb6
SHA1 7bf66bd958ecb03baf727d24e61a44daf1ad9a08
SHA256 fdbe882aeb42a5f3ab256960fe301dea9b6311fabca420a7bf56f5d2f30b9b02
SHA512 1b8d18275efbc0bc515cd4d95ffc8d072208e1dbd56359129bb8f5f894b44d5ca9f78e1bde792bdbd35c4a0d6bf35c45fb8073dc74c6458430990a5eb3e0f517

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 92751eb169233ee514bfdc7ca9281869
SHA1 0f777f1cf41db1a625df83c8fb17cd0e44497ea9
SHA256 c88230540b9789491a8bce32587ffec1d2fb45f3d7903fc32cdd0821c2a803ec
SHA512 a76fe940340cd989e5480e27a1bb4e5803bd5c52bba1076051df7645f825d0f519f2ba46080fee1eaedba54eebe66884b667a283a9c66babb204731b295a00f1

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

MD5 fbe587d1ea10e1b109d26fbeb4ac4f1a
SHA1 39bafbd6f949ed5959d1f2da6b6cb9c95d1a71ec
SHA256 3370ec6dbf0b8a858f913d52ac35570df0fd87f0200394eb3458fea04a0b0576
SHA512 27fbf774963c564468402c06d5b5ac0bf20be73c9a9ec36c2cd644e8a26492553d781fa4bca93ca156fefc2904105d6e67d70872654e42590914c671dd3350c9

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

MD5 6005b64447dc90b3c5843347aa557d6b
SHA1 257df95020ab81754ab814fd1ce9e4414ad8849b
SHA256 7615400d2b78e85be12e9c6ec7ba67ad9c0208504b713861e26e7a0154bde160
SHA512 7f257e5ead06111db7d547887ce7adef6cdac89853cf5cb5d3f8e26badd4243803f739d7f2c25fd448660e4117c05dd4eeea801bf89bc0c55fa49713a77417e5

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

MD5 8b76e1130bbc628778e4a1ea77bbe857
SHA1 8b574c0d1d0e3f9d2a8d95fa88f04bd5c261b28b
SHA256 7052e22c047e1f7377c72dbf993b66cb413f5967b838d7d0cc7918559a46b8c7
SHA512 d3e027d2b2ae6200946ff437f4491c8ab2ea5b8719a9ed1b51af73765d81ac26aebfac3fb0e157aadcea28eb2f14cb176664e6219ba23deab96ccb2250b4a7c5

C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 877e8a00d54f72e754a16748c3159283
SHA1 18fe62929dd83402207179841a0ad36adcedbc95
SHA256 1015376e5109ed613d4b223daf4f0c0dc320196cf133d1d5d9c4ee6e6ec40ebf
SHA512 12a88a16cc31a77698e5e26f7a8ef0a3b9d687d73ea85ba13fdeb45a7640c6a9113006a44ad24b3ceeaed025b802bb4f2bba23d7138d144fb4609308cf9b5614

C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 4a8208ec72f596f2babe5aa4959b92e2
SHA1 38e389367674d3b0bc3ed0b8538f9f0da4eeaa7a
SHA256 9ce9c2db985fbe6f66d79277b3129d16a7070316072a25a3032b907a888561bd
SHA512 62f8b9bced75e1d6b401510c14fe60f96b72961d27d36bcf5d24d856bbcf77e153890d0ca5f57b39330d7f17fc909a81de11868037f47adbfd3bc42c66b8d63a

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

MD5 30ceb35f059bbcd3b9c27f991cebc5ca
SHA1 874bfafaa5a69af1174943cd4dde00b4aa93049e
SHA256 854061f68b74ba03b6cb44f61a2a75b92865792d95978f3d35a9f230fd899075
SHA512 61adf57364aad24b6cd528a97a93b722de49347b04cee7b6b314cb9d4f029fc059e4e65861b3cef7ee162d240fc8e650fabd32f772876bf1513e3697da4b003f

C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\state.rsm.PLAY

MD5 6717cfa2d042856e0f143e17f6acacb4
SHA1 d8a3b436a37db544e1d812ded45c381bb94ff229
SHA256 b6bf2720427f360122771e2f1315dcfe2f26375b72a1c065ab3aa8fcd8ea8552
SHA512 1c3c65cfe4c09b10891d1028d6d9b00497f9cd4bd4fb4b08047940d1b9c4f1ecc2f2b014d4e0012bec0b0047d3968a2f9fc20a98a7ea100d4d84e71e55434594

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

MD5 2d19fd94aabf1a18f4ba9721b3d49779
SHA1 e0942cfd9a87d5adaa7550215aefe1974fb5b02c
SHA256 1c0b20b59cf5bec751b89f733075949f38c7b2e6a59313de806f604e3375d0a7
SHA512 0e81e2fde2a610702911c59242c6805a101e6416715a74c983789c07903501c368dfea009cde45732b713069ceca5abcda5a7146d2abbf086adbf52ccbfe6cbf

C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY

MD5 b1b0d101370d4d4eac2e3ff1b7533830
SHA1 c001d160722cbc63a64d834d6c6034ec9c4602a1
SHA256 80313d69fb3f9f93201ad0704f21d9b3743a8242c8c0c158cd5dbfe8973f9e0a
SHA512 7691702d3ae1bfdb81aaad4295d4e2e1cc1ac279ad7730a792ce5cc6ecdff82b32d00e8deb7436ca43a6216d9c4ad1b93fa241e2e0cc6d02c68a8e50fa635543

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY

MD5 bf96f53334eda5457ad9eb7a55a78339
SHA1 46317ff9d4eaf896ebde5845ea47fcef92fcab3b
SHA256 01f7c98bc19e52c0c1206659981d17510bf6ad4b6a3ae78daa21e71ecfcf4017
SHA512 d64171a47b1a0ac38c6282ea7725468541be328a90c909b95e62b91da57df47f158ea530ea0a894df14b8b418f4f767d5e9534b618c54bc4afaf3533685c274b

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.PLAY

MD5 f805780bd7038a031e59986449a8a542
SHA1 3936749c7fe2e449f13d3fb68bb1b0931e1fc508
SHA256 ac54ab415b88ab35041414f314e96806b97a069fa928a5c9406879d79d1c7072
SHA512 da82abb6a7055bcc8f1cf9746e21732cb222ce1aaed87a9fad75e5255f7cf82484ceb23914f62c393ecf3cb502845c586c1b478732911e2f6ee5ba6ce451e2d2

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY

MD5 48c051c0fd093e244db5b9a345ba0f34
SHA1 166941d545fcebef711cf984f01b2a1204eb75d6
SHA256 39b70f478934ccbaf8f33ecbd6bc4b0f09cfaa7b06e9c2f45df29cb500dded49
SHA512 1b434eb2dab1705922074a0fed115fa0e92b5351eaa1aa96a982127a4e39880d880a77337d8c87023edc441ac0e453c3815a173e445506f84bebdc85a833013f