Malware Analysis Report

2024-10-18 21:36

Sample ID 240628-b5t4lsxbnp
Target bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
SHA256 bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7
Tags ransomware play spyware stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe was found to be: Known bad.

Malicious Activity Summary

PLAY Ransomware, PlayCrypt

Play family

Play ransomware payload

Renames multiple (8560) files with added filename extension

Renames multiple (7339) files with added filename extension

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 01:44

Signatures

Play family

play

Play ransomware payload

ransomware
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 01:44

Reported

2024-06-28 01:46

Platform

win7-20240508-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (8560) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188513.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00486_.WMF | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10264_.GIF | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\HST.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Help\NamedURLs.HxK.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcfr.dll.mui | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PIXEL.ELM.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01242_.GIF | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLR.SAM | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Miquelon.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\EST5EDT.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105638.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\micaut.dll.mui | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\QUAD.INF | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21297_.GIF | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Earthy.gif | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+11.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232803.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\RestartMerge.easmx | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105244.WMF | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0168644.WMF | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OMSXP32.DLL | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182888.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_COL.HXT | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090027.WMF | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00052_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186364.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\slideShow.js | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10308_.GIF | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.ELM.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN026.XML | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187815.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXC | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\RMNSQUE.INF.PLAY | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04355_.WMF | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\STSUCRES.DLL | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe

"C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe"

Network

N/A

Files

memory/1832-0-0x00000000001B0000-0x00000000001DC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini

MD5 5c3a661aa11d8fef8a26586f9205bb0c
SHA1 27041fcd10468e36177174608e562f5914dbfa38
SHA256 2779cfab0d6791095f2627af0e9fdd03a9d384b88e40dc11b17fd563a165d0f9
SHA512 9c681e0af9df9f2e35cf42500be64c4332e9e033aa6144ce98928249512575344723da01ba152b85888f7a081abe220f6fa9d52d416453418df3a4b7c29013ac

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 01:44

Reported

2024-06-28 01:46

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (7339) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2080292272-204036150-2159171770-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe | N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\RotateVertically.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.ELM.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected.svg.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\ui-strings.js C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxc.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\dcfmui.msi.16.en-us.vreg.dat.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-24_contrast-black.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_psd.svg.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_selected_18.svg.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\progress.gif.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-200.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.ELM.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXC C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\android-call-monitor-perm-illustration.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_contrast-white.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_cs_135x40.svg.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\it-IT.PhoneNumber.ot C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\PackageManagementDscUtilities.strings.psd1.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\plugin.js.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\MSFT_PackageManagementSource.strings.psd1.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons_retina.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\ui-strings.js.PLAY C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125_contrast-high.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PayLockScreenLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\Windows Media Player\uk-UA\wmpnssui.dll.mui C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe

"C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 23.41.178.65:443 www.bing.com tcp
US 8.8.8.8:53 65.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp

Files
