Malware Analysis Report

2024-10-18 21:36

Sample ID 240808-nt7xjswhle
Target 3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe
SHA256 3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545
Tags
play credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545

Threat Level: Known bad

The file 3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe was found to be: Known bad.

Malicious Activity Summary

play credential_access discovery ransomware spyware stealer

PLAY Ransomware, PlayCrypt

Credentials from Password Stores: Credentials from Web Browsers

Renames multiple (7304) files with added filename extension (win10 run, behavioral2)

Renames multiple (8542) files with added filename extension (win7 run, behavioral1)

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Enterprise Matrix V15. The technique IDs below are mapped from the signature names used in this report (the report itself lists the names only):

T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1217 Browser Information Discovery
T1614.001 System Location Discovery: System Language Discovery
T1486 Data Encrypted for Impact (inferred from the ransomware signatures: mass rename with an added extension and a ransom note opened in notepad)

Analysis: static1

Detonation Overview

Reported

2024-08-08 11:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-08 11:42

Reported

2024-08-08 11:45

Platform

win7-20240708-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Renames multiple (8542) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A

Enumerates connected drives

The process opens the \??\X: device path of nearly every drive letter read-only, a volume sweep ransomware uses to find drives to encrypt beyond the system volume.

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A

Drops file in Program Files directory

Despite the signature name, the rows below are existing files under Program Files being opened for modification. Entries ending in .PLAY carry the extension PLAY appends to the files it encrypts, the same behaviour the "Renames multiple files with added filename extension" signature counts.

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01152_.WMF C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090783.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Internet Explorer\Timeline.cpu.xml C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sao_Paulo.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01330_.GIF C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Trek.eftx.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\SpiderSolitaire.exe.mui.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0250504.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14871_.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02298_.WMF C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSSMS.CFG C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\gadget.xml C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSRETRO.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\view.html C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_rainy.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15275_.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GRINTL32.DLL.IDX_DLL.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDREQL.ICO C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUAUTH.CAB.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01701_.WMF C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01058_.WMF C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105292.WMF C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0213449.WMF C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\settings.js C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\EDGE.INF.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00164_.GIF.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01566_.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-visual.jar C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\settings.js C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\gadget.xml C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEDAO.DLL.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Krasnoyarsk C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\02_frenchtv.luac C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGNHM.POC C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285444.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\gadget.xml C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A

Browser Information Discovery

discovery
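
The three file-system signatures in this run (mass rename with an added extension, desktop.ini modification, drive enumeration) are simple enough to re-implement as detection logic over the report's own event rows, and the same logic applies to the win10 run (behavioral2) below. The following Python is an added example written for this page, not the sandbox's signature engine. It parses rows in the flattened "Description Indicator Process Target" format used in these tables, assumes the Process and Target columns contain no spaces (true for this report), and runs on a constructed handful of rows whose paths are taken from the tables above with the process path shortened to sample.exe.

```python
import re
from collections import defaultdict

# Row format of the signature tables above: "<Description> <Indicator> <Process> <Target>".
# Assumption (true for this report): Process and Target contain no spaces, so the
# Indicator column is everything between the description and the last two tokens.
ROW_RE = re.compile(
    r"^(?P<desc>File opened for modification|File opened \(read-only\)) "
    r"(?P<indicator>.+) (?P<process>\S+) (?P<target>\S+)$"
)

# Constructed sample rows in the report's format; paths are taken from the tables
# above, but the process path is shortened to sample.exe for readability.
SAMPLE_ROWS = r"""
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini.PLAY C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090783.WMF.PLAY C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo.PLAY C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Windows\Temp\log.txt C:\Windows\explorer.exe N/A
"""

DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")  # the \??\X: device-path form used in the drive table


def parse_rows(text):
    """Parse rows in the report's flattened table format into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        events.append(m.groupdict())
    return events


def modified_paths(events, process):
    """Indicator paths a given process opened for modification (duplicates kept)."""
    return [e["indicator"] for e in events
            if e["process"] == process and e["desc"] == "File opened for modification"]


def renamed_with_extension(events, process, ext=".PLAY"):
    """Distinct modified paths that carry the appended ransomware extension."""
    return sorted({p for p in modified_paths(events, process) if p.upper().endswith(ext.upper())})


def desktop_ini_modifications(events, process):
    """Count of desktop.ini files opened for modification (case-insensitive; already-renamed ones excluded)."""
    return sum(1 for p in modified_paths(events, process) if p.lower().endswith("\\desktop.ini"))


def enumerated_drives(events, process):
    """Drive letters the process opened read-only via the \\??\\X: device path."""
    letters = set()
    for e in events:
        if e["process"] == process and e["desc"] == "File opened (read-only)":
            m = DRIVE_RE.match(e["indicator"])
            if m:
                letters.add(m.group(1))
    return sorted(letters)


def evaluate(events, ext=".PLAY", rename_threshold=3, drive_threshold=3):
    """Return {process: [signature names fired]}, scoped per process so that one
    process doing the renaming is what fires, not aggregate host activity."""
    fired = defaultdict(list)
    for process in sorted({e["process"] for e in events}):
        n_renamed = len(renamed_with_extension(events, process, ext))
        if n_renamed >= rename_threshold:
            fired[process].append(f"Renames multiple ({n_renamed}) files with added filename extension")
        if desktop_ini_modifications(events, process):
            fired[process].append("Drops desktop.ini file(s)")
        if len(enumerated_drives(events, process)) >= drive_threshold:
            fired[process].append("Enumerates connected drives")
    return dict(fired)


if __name__ == "__main__":
    for proc, sigs in evaluate(parse_rows(SAMPLE_ROWS)).items():
        print(proc, "->", sigs)
```

The thresholds are set low for the eleven-row sample; against a real trace the rename count should be judged on the scale this report shows (7304 and 8542 renames inside a two-minute detonation), and the benign explorer.exe row demonstrates why the evaluation is scoped per process rather than per host.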

Processes

C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe

"C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

memory/2672-0-0x00000000001A0000-0x00000000001CC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini

MD5 377413fcbf9d967a24f0ab12124e73d7
SHA1 d85b9ef20023c92b9999d330e4873d1569255d17
SHA256 184105df5c2d497ad23646acf07ca0315174504fc223b969e214ab75f8babc76
SHA512 a0e46ade01e1c25f8f2dcbf14cbb54c32fe619d09fec3ca9088145cdb31ccb067a055bbc87f23925f759502ddd4a53947e720d4f853d04e4b7358de2da902c52

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-08 11:42

Reported

2024-08-08 11:45

Platform

win10v2004-20240802-en

Max time kernel

98s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Renames multiple (7304) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-400.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\GeometryShader.cso C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\ui-strings.js C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\add-comment-2x.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUCRES.DLL C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-24_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-400.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\AddressBook2x.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\PSGet.Resource.psd1 C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\7-Zip\descript.ion.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\oregres.dll.mui C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\MediumGray.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileLargeSquare.scale-100.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\AUTHORS.txt C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int.gif C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_move_18.svg C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\new_icons_retina.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\measure_poster.jpg C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-200.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\print_poster.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_TeethSmile.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\caution.svg C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text.cur C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\FillnSign_visual.svg C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-40_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\dictation\SpeechOn.wav C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-20_contrast-white.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\5px.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\RestartEdit.m4a C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_pt_BR.properties.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4 C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\30.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashWideTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe

"C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ReadMe.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
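
The behavioural rows above (the read-only opens of \??\A: through \??\Z:, the desktop.ini and Program Files modifications, the NLS\Language key open, the notepad command line in Processes, and the Network table) are the raw events the sandbox's signatures were derived from. The Python below re-derives those signatures from such an event stream; it is an added example for this report, not the sandbox's own rule engine. The EVENTS list is constructed from rows printed in the report, and the (kind, indicator, process) tuple layout, the function names and the two thresholds are assumptions of the example rather than a documented export format. One point worth noticing in the Network table: every Domain entry is an in-addr.arpa name, so the only DNS traffic recorded is reverse (PTR) lookups sent to 8.8.8.8; the example decodes them back to the addresses being looked up, which is the form an analyst needs before checking them against threat intelligence.

```python
"""Re-derive this report's behavioural signatures from a sandbox event stream.

Added example for the report, not the sandbox's own code. EVENTS is
constructed from rows in the report; the (kind, indicator, process) layout,
the function names and the thresholds are assumptions of this example.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe")
NOTEPAD = r"C:\Windows\system32\NOTEPAD.EXE"

# Constructed event log: (kind, indicator, process). The 23 drive letters are
# exactly those in "Enumerates connected drives" (C:, D: and F: are absent).
EVENTS = [("file_open_ro", "\\??\\" + c + ":", SAMPLE) for c in "MOSUVIPAKQRTWXZGEHJLNYB"]
EVENTS += [("file_open_mod", p, SAMPLE) for p in (
    r"C:\Users\Public\Music\desktop.ini",
    r"C:\Users\Admin\Documents\desktop.ini",
    r"C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini",
    r"C:\Program Files\7-Zip\descript.ion.PLAY",
    r"C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.PLAY",
    r"C:\Program Files\Java\jre-1.8\lib\deploy\messages_pt_BR.properties.PLAY",
    r"C:\Program Files\VideoLAN\VLC\AUTHORS.txt",
    r"C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY",
)]
EVENTS += [
    ("reg_open", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", SAMPLE),
    ("process", '"' + NOTEPAD + '" ' + r"C:\ReadMe.txt", NOTEPAD),
    ("dns", "68.32.126.40.in-addr.arpa", "8.8.8.8:53"),
    ("dns", "172.210.232.199.in-addr.arpa", "8.8.8.8:53"),
]

DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")  # a \??\X: device-path open
NOTE_RE = re.compile(r'^"?(?P<exe>[^"]*notepad\.exe)"?\s+(?P<note>\S+)$', re.I)

def drives_enumerated(events, proc=SAMPLE):
    """Drive letters the process probed with a read-only open of \\??\\X:."""
    letters = set()
    for kind, ind, p in events:
        m = DRIVE_RE.match(ind) if kind == "file_open_ro" and p == proc else None
        if m:
            letters.add(m.group(1))
    return sorted(letters)

def modified_paths(events, proc=SAMPLE):
    return [ind for kind, ind, p in events if kind == "file_open_mod" and p == proc]

def renamed_with_extension(events, ext=".PLAY"):
    # The report's rename counter is approximated by modified paths ending in ext.
    return [p for p in modified_paths(events) if p.upper().endswith(ext.upper())]

def desktop_ini_touches(events):
    return [p for p in modified_paths(events) if p.rsplit("\\", 1)[-1].lower() == "desktop.ini"]

def program_files_writes(events):
    roots = ("c:\\program files\\", "c:\\program files (x86)\\")
    return [p for p in modified_paths(events) if p.lower().startswith(roots)]

def language_discovery(events):
    """True when the NLS\\Language key was opened (System Language Discovery row)."""
    return any(kind == "reg_open" and ind.upper().endswith(r"\CONTROL\NLS\LANGUAGE")
               for kind, ind, _ in events)

def ransom_note_opened(events):
    """Path handed to notepad.exe on its command line, or None."""
    for kind, ind, _ in events:
        m = NOTE_RE.match(ind) if kind == "process" else None
        if m:
            return m.group("note")
    return None

def ptr_to_ip(name):
    """Decode a PTR name (68.32.126.40.in-addr.arpa) to the address it asks about."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))

def dns_targets(events):
    """Addresses behind the PTR queries; a non-PTR name is passed through as-is."""
    return [ptr_to_ip(ind) or ind for kind, ind, _ in events if kind == "dns"]

def triggered_signatures(events, drive_threshold=10, rename_threshold=3):
    """Signature names in the report's wording; thresholds are this example's choice."""
    hits = []
    if len(drives_enumerated(events)) >= drive_threshold:
        hits.append("Enumerates connected drives")
    if len(renamed_with_extension(events)) >= rename_threshold:
        hits.append("Renames multiple files with added filename extension")
    if desktop_ini_touches(events):
        hits.append("Drops desktop.ini file(s)")
    if program_files_writes(events):
        hits.append("Drops file in Program Files directory")
    if language_discovery(events):
        hits.append("System Location Discovery: System Language Discovery")
    if ransom_note_opened(events):
        hits.append("Opens file in notepad (likely ransom note)")
    return hits

if __name__ == "__main__":
    print("\n".join(triggered_signatures(EVENTS)))
    print("drives:", "".join(drives_enumerated(EVENTS)), "PTR targets:", dns_targets(EVENTS))
```

Run as a script it prints the six signatures that fire on the constructed events. The thresholds (10 drive letters, 3 files with the appended extension) are loose on purpose for a sandbox trace; on a production endpoint they need tuning against benign installers and backup agents, which also probe drive letters and write under Program Files, and the extension check should be paired with the ransom-note hash from the Files section below rather than used alone.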

Files

memory/2424-0-0x0000000000F10000-0x0000000000F3C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini

MD5 0c78da0ed7bc88cb4416241afad9deee
SHA1 c1730093522e87fba8d58222eab08628bb790bb7
SHA256 abda118116844dc6e85454700401c2c0b66089f601de2532976ac44093b7d76d
SHA512 f6a52d9fa03a110dc70039cae68ea04f377e8354ee0a8aaa2a91525acd6f0fa56b0e694a33f5e7a6f7d11db659e055917e4c20b5420666cec5f9a82a1bd75f49

C:\ReadMe.txt

MD5 71d60e098ec5f2c9fef2135ae34eddbd
SHA1 a4f7ba42724d4ef5315b60333b80c8cd7f093e85
SHA256 6c88891fcc6867528c3cf555def7ab0d77b7be66634f0cc1e9404c17187136b5
SHA512 ecee2a79b9bad1b0f51ca8fdcee716797b5efd04098f1c7540faae03833c5d5bf1e4c60f19596cbfbf73e7e64ccce6417c4e0f13c29cdd6f892292bbdc8f91d2

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini

MD5 8a54f755506f935b3641f16e0ee76fed
SHA1 a047196659b837f1218bfa6820fe934099fe962c
SHA256 fb88ddde38eea7a3b30c58362a23f37077effdfb6fc8038b36dcd2cade57d7bc
SHA512 acef238e23a2fd7123ecdf677a2f625a56e4503ff65eef5694a75ced7b175b51a28e884da892f3905d9c76b36682ab3182d301c8d9d523818782bee9c992941c

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY

MD5 dd21aaf86088548fda091d996641245f
SHA1 c5cfed86c5677b33660954bcf102e33052db9b08
SHA256 a597b5c2a309d00ebdbad5ebcaf8c235744141df18f4c6ddae29c4caf5a9fc11
SHA512 56fb517c2e972c406631a310e82dc94903a44e3f2cd70597bcac8d1039e0b02afef229398eba1290477e116d639edf002c9af8b8765adcbce48d77f5f2fc8ff6

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.PLAY

MD5 1191134d41eb8c0e24b53cf780170e16
SHA1 cded36f3296c8e2433d04c79536294b2062ea7ae
SHA256 9b84fee752a9ba5731ba14d076db18ae62ad97513a688ac9fce8b9683c1fe85f
SHA512 76dfaef81f1f28a33b284d3d16d0356831c9866a64b6ce5799ea33d59612ca10447d2ea4f2aa00a50575eebdcee273c0211484fec472a730f96f6b17e75f86e1

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.PLAY

MD5 f71f5841b9c83d4086d0b47c79e961c4
SHA1 ce8779449915853333e0835d330dfac67536500d
SHA256 14cb3b6eafb566c2f6b7b1579c8400fe952f7e296b4b30682d766d00807bf6cb
SHA512 d7fc513e68f63363462e24692abf93b6cbb7ed54f2102ca31572b14b71d2c428cbaf0f2ba6119e7b26732cdc68e2eec5d818b0d3caa406a4ccb2c3ac6121ef16

C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 2f66915344128e54c596033e032763d5
SHA1 30ee06bfcdc3b0400be629dd4a95ac79176dde2f
SHA256 b229b5cfe266146afa4a6f5f8f5080fdc9e3a67921752fbec8b4e9c5667375ea
SHA512 0ca973fd611a940f71eb510014f92310bb03c588702a845d33045404671b6e397a682fe0d80fe1aad7f2e080ead12db97c9c6ef908a733b090dd9c58081d599b

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

MD5 ebc0215124c7e9a3972f86078583a2d6
SHA1 e1b3d92ebd1e47e0ed16007e5798ee189d1a9b81
SHA256 6bb498264060fda35c612fd9a60ab7b0e79269b7cf2035798dde8e5e4e114f8c
SHA512 23d91b6d301e5c96275f08eb6c7d5af022d324afdcb9de302c9d451a9bceb9f0c75d932fff770c6e5e02453e7f371404530c321ca0ebe406fa71443f961f5f9e

C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\state.rsm.PLAY

MD5 b4b2b305b3329f6427b329c57ad7caa6
SHA1 dfd34e14a492e796956c65edf5b539d3adf3d54d
SHA256 59faf23431a4f302e25df2d188f88f34676adddfac985bde370f52b009735154
SHA512 aea4e7203e241da206a568c7096e2fef2fabff111b66af4c188deef1b2d0c670946ce122769858d589e256db44667ae16e65ef3810073c38eaf708c90a730682

C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 f14dc1359818583ff7eb5637e59bbd14
SHA1 8e25c811d17b3c9293d2705cf87459d36053c4eb
SHA256 ee09cf0f4257e408243c0693587ec54dfcde0c515a620ac9a545714880cab315
SHA512 f86f78e388390d51c8d19bcccf449487b5610ab9f4c3109ec9d8deacf76ba4b11f4f80ff30df2f6436aad9357d3e845310d55325d5aa5c389caed28b7101003a

C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 d6d738438db5362b21fc9f665c28dac0
SHA1 2b6531ec6e7828678e65ab2a8ce92232de0e983e
SHA256 ffc62f4ea4cca6eef1e0674ad7264d100ce18382d2fdc338eaf10e2126e37446
SHA512 84ca02aef8d152501f07f2b5034f353b3fd43a5726d37998e684791d272f7efe0b03a6551b1d537b4e159f60c835a004526c8e4bbd1d087dabab37baa5025465

C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 a73ae96d2608633b22e22e52e5da10d9
SHA1 c8c5a6effd75b99c303f6e4f457470b2a3a7373f
SHA256 b268d7a778c307ba30fd9339e0131808e59a74ee8cee561ba1b2c7152b9c8189
SHA512 8065e5fa270bffbc127e0f8731139005692b899102e9abe3643f0a762a27e2e9c2534d5747ce99291ef6e3a3d2f112677a5d9cce9bc1f1fdcce15eacac51b2f1

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

MD5 de7d4bab1b4f1fdf09f42d6faf5f06eb
SHA1 ade47a71cb0ee7cc35f1aa6e7cb1b9a266a17ddf
SHA256 0e0bcd5e800b064391098de6334e51138ed6ae8e770fe67540573063ea473ae7
SHA512 498a0ee5a4341b353a608b77e4d4d0bc4eeb223470d104d51c67c74946bd3d8080570f3b9dda9864406f3a4304c6f8b6eeb472decb4a79a8c283925fa3ef6cce

C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 10648c0fec8dfc90309ff6f09d1ebff9
SHA1 4c6143cf9ae1f5428835b80cbcfa288d434f91b2
SHA256 148b48a12e5c6190c484be9796bef68e578acf8ecdcdfce427f73a6aafa670e8
SHA512 0535767c2acb585cdd187b6ebc7884e6ff044b297120da125e098e6ca04d031027949aa3429d6a61352e5b11e36cfd733da45a6b26688f46964be4352fb47763

C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 e041ade624f1f863fc061e6a786f8dee
SHA1 22380b12e9e4d896884e2473055de75bb18eae00
SHA256 68c7224958ba3f4474416db78bae4c2bce2aea8346d48e39c2b222094a860e3e
SHA512 d0aa1fac128a5863dcf6a7c3de0513ee9bd948dbb15d1c92e554b7e3718ff369a1c6c2764b33b2125f0c539a3eda31a54cb1bed412b11d0dc47ffa0a509d9ce5

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 7a6ec57327a36907cc34a00ed07c5da8
SHA1 55bf14d1876f793b6ab0d70fd5da7ef782a5e5c9
SHA256 f1489aa53e50e45eee29bb003302ba9688daa936ef642d202d854a2413dc2ad7
SHA512 9862b396975d657529f39107cbe37536ceed54894f42e7cff205e91791922782369c1c281999e301ea67cd4539a7a10f138ca026cd3718804f980a095b7d1944

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\state.rsm.PLAY

MD5 e7013ae90bfcdff6de0d92cfd8cfec8e
SHA1 04c9df559a1af965e33cf7fdc84129db7eed0718
SHA256 ca9ce83453e611b8fe2e7dbef4b7a7d1e50587cf08d0b6c38b6021179da8b382
SHA512 ab50ee94493a72c291c1086880e3ef28a3322ef94f7b2e7b1b1fc0ab86be51a2d4db87a24bf2e7867c6a19d8d2f76880fc412ed72af358ca777d7265503b8ccb

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

MD5 42cf690f01b174bfe0514c496a365e78
SHA1 cac427486bc8c0f1834f8b154e94a61817b753b9
SHA256 4f360d27de9383f0a2765f45e69fb6ee90c8883b4b9479c179bb2248163d3cdc
SHA512 770ebb4ea8e6d3a06337c120bf0a5bb883e17bf8cf4ee053c9e2197905fd1161675a1385db3039f948694bb861a97eee420ba04f0a21c9e50b02a925a87cb174

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

MD5 b14e2a3ff73cfc2f5958f0528c1211d9
SHA1 5d67cb887a6bbb8c8ede61174e80279bcebcf7d3
SHA256 2dc63f4e26f81071db57cbe9c1dbb7eb191851fa8e50685b34d7899e379d2fb8
SHA512 608d258d4d54ab51a7730f457c1fc03c1f3048081b43dfbb9afdee45f6c6fadca110c8a2e6828a4ffde66c418d8a9cbbcb15598714a38bf09cd11bb08479c66d

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

MD5 cc437ed7f8d53dacf42eaa022b7cda5d
SHA1 dc70eeb2e8bc7a0c088fd59070514e57bcfe302a
SHA256 f7264be276640652b8f99f3fe0ba61eb6b80e19b6c74ea89e891cc163cc50980
SHA512 f74ac1f987adad34815d5d26bd60d27626de769d161a9824cf220a962ef3f0eebc33b9bbef86c1efc6340576900c4d754b74d19e0640d78445fe26edf6b3bd41

C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 ab60c79626aa7b0a613d59f6b7e8e906
SHA1 f2e7ae18eb40c8f7fa8af316e0bca32a3386b6c9
SHA256 6a76ab0d769d2a94074467f42682655d88a7b43c95fbd06c58b13c7c8433b267
SHA512 c054c95b0e3ecde144a42b4279df0b08c959aa2a27cbd404f4bedffc6fdb74a73ca2b5516817952a592960dd965cacd968d0c4121ba43659034588eba16e811c

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

MD5 356e3e3a8ee3f4741fa196f47ef5d9f2
SHA1 886aee376794bf5c8511c624d91ee453f166d0e9
SHA256 2ce7c1c79680edbe8025950305b08d647f1da381efdf33815297fd5c0f468172
SHA512 f5395d953e7c8f4cb8f9163b5fc17d199dda5dc338e7480e01e2b7549ab97f2e0b065df0a1ef24515dc2a729eebdfc8c4b45dbe9f6c8bca458f5720a13025716

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp.PLAY

MD5 d5f412559f536ba05f69facd08596092
SHA1 ac675c847a67d41fe2130513d8bd4d036eb049df
SHA256 c6920e73f9a18b5001f355b71083fca8abd5cd2af698e5d9d2d7257d0111ce18
SHA512 28932bca2968ebfed33c3316cf3d1b986ce79336314f9765134ba80d106a17f0b1e8298f17424e6aa2fd171c226bac5cd22339bf18cd8ff556a4fdc103338a01

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

MD5 13006923bd7153767ca725d49d57c51c
SHA1 a245e4fe129e0749248ae2eae598d25d0396807b
SHA256 b48d249d075b3f67c8b5a77dda616eade33d3a4d00acf9279792458d017ed9e4
SHA512 713d1ed90b7ef9a324572f0c1799e18df0aa964964a99de96de14679b8ae9fcad7adb30cdf4ee51d1c1f007dfdd1ab27cd6ccda09bfb6891ca0072a628a2552c

C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY

MD5 025ad50ef7bac27053e129ab7175ee09
SHA1 42f39a7a046673662399c67dfbcba81a7a5d6a4c
SHA256 eb847ff36a03c72f059de262371e7ee9147e06ed7dc37ff98e66e769dd4142d3
SHA512 042572d05f089d97821ab0ac5ae7b7247bd6f649f81383665ab0ea1745b2cc008086d5d4d612a7bad2c6d89c8fc7e3d4ae039e8fcc1b7b26d845795b7e7d4759

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY

MD5 79f7acd14fee531a55861e2bdb4cab14
SHA1 2eddc6166ba5921940168c9c216c7210e66d51b9
SHA256 60abbd0352cab32eff8754e7a01058ea4d952c82431e5318f0cf244f329eac84
SHA512 1fa3f02ea6e7e15f68cab7f92c7a445a768e70edaa8d0a89f93197c068719ecb37998a775d75eee510cbe927cf6d5f640f8e6b4fde499e129d599793252ae318

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.PLAY

MD5 e71a2cf96f1974ded1082ed356419d1b
SHA1 2c6f44f347e17b1069e6f306f4609e680b0f1653
SHA256 4307795b7ad4d81aaca8c5118ca979ca962995c69571c7377f284185f5869ed1
SHA512 c32569809c2b6df1964c0df52ae079bfe10f805d4652077379a5ac30eb68035824f68404c69fb6680ec8f8883e53f2b5ed3dfaf61dae51d343e48259b9f5e498

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.PLAY

MD5 a6728f3d97409307288e44869ca66c59
SHA1 a4a878960f49b97f91d0c8b0602461fd6e13fa05
SHA256 2bd4df685bc014837e86105ea683cd6bc79b0146674cc0c4963237500aa55df7
SHA512 383e4198ee8aa766adf4759581827cf99ba85a27555c3207b6ba033ed36f69cd067d6b36a5f0c80f844346f541ce4dc1d4387d476e72a63e3b1a1332cd30fdc7

C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\state.rsm.PLAY

MD5 fe363b22c897e13b5b61ae227a169ddf
SHA1 b39f5bfc8ae4d143829265a22c2bcadfad1b9d14
SHA256 5dbf9c1538186e05dc1d88ad4970df7a873c5edb38eb48dda9a79617aa380ff3
SHA512 d6ed4774a972ef31643b6f2ae73d81d19f72dfbd66090bee9bf20fe8130e7dcafd1c241bb9080236278a50b0e94f867770f14c413b912d170cb0c008947943e2

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 a9a2f8704351b2d227145bd48e881032
SHA1 09790033e4478a1f77c6ac6825cee43582ea08b4
SHA256 2bd5a5ae37caba98efc1b1da1fe8aa8048cc8a0a3558c4d4c0228ee6ab72aa45
SHA512 b6f53a7128791f791fb740df5780724a98b3822eb474f1d7283f6c820a54b0121ccd5b4160b96a00bd05b972de05fb9d4120413d1cef364a108ab8753807bdc5

C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 d2cc1275bff28f12cc575add059c3abf
SHA1 44247e37244cac358be79b400dca4f111d0ba255
SHA256 fa3203d3dfcc0c6052ebeaaab63cc45949f4d2abd71fb06dec323a57aa447bd6
SHA512 94911f45a1f114d6cbc0b574d91352e093a4bc790203cc81e9a911d52081294e236e66563af474cb1e06b545b283d471508bdba2b40732091fb7da8269aa3580

C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 df34ea66a9503adc326f003d66b0710f
SHA1 20b55cad393fc38ab92a24a060163460b531c1b2
SHA256 4eac414d680fe56906732f52b5da45510f124a4aca72a45222276cc9e6dcc892
SHA512 159b7b2b77db5430b8e23206a0175e4bd7a3a617f3046c6f6cbb8dab019c6a0c3638956fbb61b786c491e8e2c622c38d27a302ae2c72afdae9ba0734988ed741

C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 92f4c2f6b9a21bdb6dc14f9777ff4824
SHA1 82ad3f266f8f4cdee8eabb8deff8108857622d06
SHA256 c4685645bf9940e981dc47eeb59df11e8e1b0523845159fcb152880abfd6b0ce
SHA512 9590ea14eae3e3ebe40c99c539da260286f3d650cad260d384da87b471bdd3fd3f347e1647967a54a170395c2b97e5720464854ea0733d23986457aeb728994d
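The listing above is the raw record of what the sample did to the file system: every entry is an original file under C:\ProgramData with .PLAY appended to its name, followed by the MD5/SHA1/SHA256/SHA512 of the encrypted result. The Python below is an added example for this report, not part of the sandbox output. It parses this listing format, rejects digests of the wrong length so a truncated hash is not shipped as an IOC, summarises which suffix was appended and which file types and top-level directories were hit, and applies the same "one suffix appended to many files" logic to file-rename events as a detection. The sample listing copies three entries from above (including the hash lines at the top of this excerpt whose path line is cut off); the rename events and the threshold of 3 are constructed for illustration.

```python
"""Parse a sandbox 'Files' listing (path line, then MD5/SHA1/SHA256/SHA512
lines) and derive responder-facing indicators from it.
Added example; not part of the sandbox report. Sample data is labelled below."""
import re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Copied from the listing above. The first two hash lines belong to an entry
# whose path line falls before this excerpt, so the parser must not attach them
# to the wrong file.
SAMPLE_LISTING = r"""
SHA1 886aee376794bf5c8511c624d91ee453f166d0e9
SHA256 2ce7c1c79680edbe8025950305b08d647f1da381efdf33815297fd5c0f468172

C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY

MD5 025ad50ef7bac27053e129ab7175ee09
SHA1 42f39a7a046673662399c67dfbcba81a7a5d6a4c
SHA256 eb847ff36a03c72f059de262371e7ee9147e06ed7dc37ff98e66e769dd4142d3

C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\state.rsm.PLAY

MD5 fe363b22c897e13b5b61ae227a169ddf
SHA256 5dbf9c1538186e05dc1d88ad4970df7a873c5edb38eb48dda9a79617aa380ff3
"""

# Constructed rename events (old_path, new_path); not from the report.
SAMPLE_RENAMES = [
    (r"C:\Users\Admin\Documents\q1.xlsx", r"C:\Users\Admin\Documents\q1.xlsx.PLAY"),
    (r"C:\Users\Admin\Documents\notes.txt", r"C:\Users\Admin\Documents\notes.txt.PLAY"),
    (r"C:\Users\Admin\Pictures\a.jpg", r"C:\Users\Admin\Pictures\a.jpg.PLAY"),
    (r"C:\Users\Admin\Desktop\draft.docx", r"C:\Users\Admin\Desktop\final.docx"),  # ordinary rename
    (r"C:\Temp\build.log", r"C:\Temp\build.log.bak"),  # benign appended suffix, below threshold
]


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_listing(text: str) -> list[DroppedFile]:
    """One entry per path line; hash lines attach to the preceding path.
    Hash lines seen before any path (listing cut at the top) are skipped.
    A digest of the wrong length for its algorithm raises ValueError."""
    entries: list[DroppedFile] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:  # anything that is not a hash line is a path line
            current = DroppedFile(path=line)
            entries.append(current)
            continue
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LENGTHS[algo]:
            raise ValueError(f"{algo} digest has wrong length: {line}")
        if current is not None:
            current.hashes[algo] = digest
    return entries


def split_appended_suffix(path: str) -> tuple[str, str]:
    """(original_extension, appended_suffix): 'refcount.ini.PLAY' -> ('.ini', '.PLAY').
    A file that had no extension before encryption yields ('', appended)."""
    p = PureWindowsPath(path)
    return PureWindowsPath(p.stem).suffix.lower(), p.suffix


def summarize(entries: list[DroppedFile]) -> dict:
    """Appended-suffix, original-extension and top-level-directory counts, plus
    the SHA256 set of the encrypted outputs for hash-based scoping."""
    appended, original, top_dirs = Counter(), Counter(), Counter()
    for e in entries:
        orig_ext, suffix = split_appended_suffix(e.path)
        appended[suffix] += 1
        original[orig_ext or "(none)"] += 1
        parts = PureWindowsPath(e.path).parts  # ('C:\\', 'ProgramData', ...)
        top_dirs[parts[0] + parts[1] if len(parts) > 1 else parts[0]] += 1
    sha256s = sorted(e.hashes["SHA256"] for e in entries if "SHA256" in e.hashes)
    return {"appended": appended, "original_ext": original,
            "top_dirs": top_dirs, "sha256": sha256s}


def mass_rename_suffixes(events, threshold: int) -> dict[str, int]:
    """Flag every suffix that was appended unchanged (new == old + '.xxx') to at
    least `threshold` files in the given rename events. The sandbox counted
    thousands of such renames; the threshold is a per-window tuning value."""
    counts: Counter = Counter()
    for old, new in events:
        if new.startswith(old) and len(new) > len(old) and new[len(old)] == ".":
            counts[new[len(old):]] += 1
    return {s: n for s, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    files = parse_listing(SAMPLE_LISTING)
    print(summarize(files))
    print(mass_rename_suffixes(SAMPLE_RENAMES, threshold=3))
```

The parser treats any non-hash line as a path on purpose: the sandbox output has no other line types in this section, and an unexpected token then shows up as a bogus "path" with no hashes rather than being silently dropped. For the detection, group rename events per process and per short time window before counting; a single benign installer can also append one suffix to many files, so the alert should carry the process image and the sample of affected paths for triage.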