Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PLAY.mal_.exe

Overview

General Information

Sample Name:PLAY.mal_.exe
Analysis ID:695797
MD5:223eff1610b432a1f1aa06c60bd7b9a6
SHA1:14177730443c65aefeeda3162b324fdedf9cf9e0
SHA256:006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
Tags:exePLAYransomware
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
One or more processes crash
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Checks if the current process is being debugged
Yara detected Keylogger Generic
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • PLAY.mal_.exe (PID: 5460 cmdline: "C:\Users\user\Desktop\PLAY.mal_.exe" MD5: 223EFF1610B432A1F1AA06C60BD7B9A6)
    • WerFault.exe (PID: 8156 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 3400 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5288 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 2796 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
    Process Memory Space: PLAY.mal_.exe PID: 5460JoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.3.PLAY.mal_.exe.2c60000.2.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security

        Sigma Signatures

        No Sigma rule has matched

        Snort Signatures

        No Snort rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Antivirus / Scanner detection for submitted sample
        Source: PLAY.mal_.exeAvira: detected
        Multi AV Scanner detection for submitted file
        Source: PLAY.mal_.exeReversingLabs: Detection: 80%
        Source: PLAY.mal_.exeVirustotal: Detection: 71%Perma Link
        Source: PLAY.mal_.exeMetadefender: Detection: 45%Perma Link
        Source: PLAY.mal_.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: A:\ReadMe.txtJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: B:\ReadMe.txtJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ReadMe.txtJump to behavior
        Source: PLAY.mal_.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: netutils.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331029539.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdb source: PLAY.mal_.exe, 00000001.00000003.329138105.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdb source: PLAY.mal_.exe, 00000001.00000003.331001757.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdb source: PLAY.mal_.exe, 00000001.00000003.331097584.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcrt.pdb source: PLAY.mal_.exe, 00000001.00000003.344381653.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdb source: PLAY.mal_.exe, 00000001.00000003.331489688.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdbHm source: baseimagefam8.1.dr
        Source: Binary string: wntdll.pdb source: PLAY.mal_.exe, 00000001.00000003.323602432.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shcore.pdb source: PLAY.mal_.exe, 00000001.00000003.345076301.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.355075498.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcryptprimitives.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331947513.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdb source: PLAY.mal_.exe, 00000001.00000003.352185893.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdb source: PLAY.mal_.exe, 00000001.00000003.351524816.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: fltLib.pdb source: PLAY.mal_.exe, 00000001.00000003.355458870.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wsspicli.pdb source: PLAY.mal_.exe, 00000001.00000003.331828067.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.344869652.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shell32.pdb source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331489688.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdb source: PLAY.mal_.exe, 00000001.00000003.353571169.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.352185893.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdb source: PLAY.mal_.exe, 00000001.00000003.355492365.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdb source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdb source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: mpr.pdb source: PLAY.mal_.exe, 00000001.00000003.355639216.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdb source: PLAY.mal_.exe, 00000001.00000003.355075498.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wsspicli.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.331828067.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: combase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.345484798.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331097584.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: srvcli.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331438294.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331923171.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: srvcli.pdb source: PLAY.mal_.exe, 00000001.00000003.331438294.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shell32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355492365.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: fltLib.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.355458870.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: profapi.pdb source: PLAY.mal_.exe, 00000001.00000003.355198404.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.352754344.0000000002CDB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdb source: PLAY.mal_.exe, 00000001.00000003.332252050.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: iphlpapi.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332176901.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdb source: PLAY.mal_.exe, 00000001.00000003.352754344.0000000002CDB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shcore.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.345076301.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: mpr.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355639216.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: sechost.pdb source: PLAY.mal_.exe, 00000001.00000003.332059802.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: iphlpapi.pdb source: PLAY.mal_.exe, 00000001.00000003.332176901.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.323602432.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: powrprof.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355262879.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: powrprof.pdb source: PLAY.mal_.exe, 00000001.00000003.355262879.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.330686142.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355140276.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: sechost.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332059802.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.329138105.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: PLAY.mal_.exe, 00000001.00000003.355140276.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.331001757.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.353571169.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.351524816.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdb source: PLAY.mal_.exe, 00000001.00000003.331923171.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\jdk\objs\libawt\awt.pdb source: baseimagefam8.1.dr
        Source: Binary string: bcryptprimitives.pdb source: PLAY.mal_.exe, 00000001.00000003.331947513.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdb source: PLAY.mal_.exe, 00000001.00000003.344869652.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: combase.pdb source: PLAY.mal_.exe, 00000001.00000003.345484798.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdb source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: profapi.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355198404.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ApplicationFrameWindowWindows.Foundation.Collections.IIterator`1<IUnknown>Windows.Foundation.Collections.IVectorView`1<IUnknown>Windows.Foundation.Collections.IVector`1<IUnknown>@%SystemRoot%\System32\SettingSyncCore.dll,-1024internal\onecoreuapshell\private\inc\shouldswitchtodesktop.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000BasicPropertiesDocumentPropertiesImagePropertiesVideoPropertiesMusicPropertiesRenameAsyncOverloadDefaultOptionsRenameAsyncIStorageItem2GetParentAsyncIsEqualGetThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetThumbnailAsyncOverloadDefaultOptionsget_DisplayNameIStorageItemProperties2GetScaledImageAsThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetScaledImageAsThumbnailAsyncOverloadDefaultOptionsGetScaledImageAsThumbnailAsyncIStorageItemPropertiesWithProviderget_ProviderIStorageItemThumbnailAccessPrivGetScaledImageOrThumbnailAsyncIStorageItemHandleAcccessOpenAsyncPrivatePauseDeferredUpdateSetStreamedFileCallbackGetStreamedFileCallbackGetSpecialInternalPropertySetSpecialInternalPropertyCreateTempFileInSameLocationCopyOverloadDefaultOptionsCopyOverloadCopyAndReplaceAsyncMoveOverloadDefaultNameAndOptionsWindows.Security.EnterpriseData.FileProtectionManagerMoveOverloadDefaultOptionsoptionsCreateFolderAsyncOverloadDefaultOptionsGetItemAsyncGetItemsAsyncOverloadDefaultStartAndCountCreateFileQueryOverloadDefaultCreateFileQueryCreateFolderQueryOverloadDefaultCreateFolderQueryCreateFolderQueryWithOptionsCreateItemQueryWithOptionsGetFilesAsyncOverloadDefaultStartAndCountGetFoldersAsyncOverloadDefaultStartAndCountget_MusicLibraryget_HomeGroupget_RemovableDevicesget_MediaServerDevicesget_Playlistsget_SavedPicturesget_Objects3Dget_AppCapturesget_RecordedCallsGetFolderForUserAsyncget_ApplicationDataSharedLocalGetPublisherCacheFolderGetApplicationDataFolderForUserGetPublisherCacheFolderForUserknownfolder:{AB5FB87B-7CE2-4F83-915D-550846C9537B}knownfolder:{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}knownfolder:{1C2AC1DC-4358-4B6C-9733-AF21156576F0}knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}knownfolder:{374DE290-123F-4565-9164-39C4925E467B}knownfolder:{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43}knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}knownfolder:{AE50C081-EBD2-438A-8655-8A092E34987A}knownfolder:{C870044B-F49E-4126-A9C3-B52A1FF411E8}knownfolder:{3B193882-D3AD-4eab-965A-69829D1FB59F}knownfolder:{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC}get_Langua
        Source: Binary string: C:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdb source: baseimagefam8.1.dr
        Source: Binary string: apphelp.pdb source: PLAY.mal_.exe, 00000001.00000003.330686142.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdb source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\jdk\objs\libawt\awt.pdb8n source: baseimagefam8.1.dr
        Source: Binary string: ws2_32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332252050.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: netutils.pdb source: PLAY.mal_.exe, 00000001.00000003.331029539.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: z:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: x:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: v:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: t:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: r:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: p:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: n:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: l:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: j:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: h:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: f:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: b:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: y:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: w:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: u:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: s:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: q:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: o:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: m:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: k:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: i:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: g:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: e:Jump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeFile opened: c:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: a:Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: [:Jump to behavior
        Source: baseimagefam8.1.drString found in binary or memory: http://bugreport.sun.com/bugreport/crash.jsp
        Source: baseimagefam8.1.drString found in binary or memory: http://bugreport.sun.com/bugreport/crash.jspVM
        Source: baseimagefam8.1.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
        Source: baseimagefam8.1.drString found in binary or memory: http://ocsp.thawte.com0
        Source: baseimagefam8.1.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
        Source: baseimagefam8.1.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
        Source: baseimagefam8.1.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
        Source: baseimagefam8.1.drString found in binary or memory: http://www.oracle.com/hotspot/jvm/
        Source: baseimagefam8.1.drString found in binary or memory: http://www.oracle.com/hotspot/jvm/java/monitor/address
        Source: baseimagefam8.1.drString found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/code_sweeper/id
        Source: baseimagefam8.1.drString found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/compiler/id
        Source: baseimagefam8.1.drString found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/gc/id
        Source: PLAY.mal_.exe, 00000001.00000003.330686142.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: DirectDrawCreateEx Callout.
        Source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: GetRawInputData
        Source: Yara matchFile source: 1.3.PLAY.mal_.exe.2c60000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: PLAY.mal_.exe PID: 5460, type: MEMORYSTR

        Spam, unwanted Advertisements and Ransom Demands

        barindex
        Writes many files with high entropy
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateUx_Temp.1.etl entropy: 7.99656322156Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Recovery\WindowsRE\Winre.wim entropy: 7.99978678633Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Recovery\WindowsRE\boot.sdi entropy: 7.99995051911Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab entropy: 7.99821840766Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab entropy: 7.99978509938Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\cab1.cab entropy: 7.99987915975Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab entropy: 7.99838036504Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab entropy: 7.99982797302Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\cab1.cab entropy: 7.99858193912Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab entropy: 7.99996639862Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab entropy: 7.99974695504Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab entropy: 7.99975561316Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab entropy: 7.99987985198Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\cab1.cab entropy: 7.9999664123Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab entropy: 7.99995338894Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.008.etl entropy: 7.99023685191Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.007.etl entropy: 7.99170038916Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: A:\Recovery\WindowsRE\boot.sdi.PLAY (copy) entropy: 7.99995051911Jump to dropped file
        Source: PLAY.mal_.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: PLAY.mal_.exe, 00000001.00000003.325887834.0000000002D76000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.345484798.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCOMBASE.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.355198404.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePROFAPI.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.332059802.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesechost.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.331947513.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebcryptprimitives.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.332176901.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameiphlpapi.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.331438294.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSRVCLI.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.331001757.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebcrypt.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHLWAPI.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.353571169.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcp_win.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameuser32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: LInternalNameOriginalFileNameProductNameProductVersionCompanyNameLegalCopyrightLegalTrademarksPlatform vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHELL32.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.329138105.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.352754344.0000000002CDB000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegdi32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.344869652.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCFGMGR32.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.331097584.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameucrtbase.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWindows.Storage.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.355140276.0000000001450000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel.appcore.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.351524816.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameadvapi32.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.355262879.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePOWRPROF.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.332252050.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamews2_32.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.330686142.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: -%system32%%systemroot%\system32%sysnative%%windir%%programfilesnative%%systemdrive%\Program FilesCommonFilesDirCommonProgramFilesCommonFilesDir (x86)CommonProgramFiles(x86)ProgramFilesDirProgramFilesProgramFilesDir (x86)ProgramFiles(x86)ProgramDataPublicWIN16WIN32DOSUNKNOWNProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright\StringFileInfo\000004B0\\StringFileInfo\000004E4\\StringFileInfo\040904B0\\StringFileInfo\040904E4\__PROCESS_HISTORYDATABASELIBRARYINEXCLUDESHIMPATCHAPPEXEEXE_TYPEMATCHING_FILESHIM_REFPATCH_REFLAYERFILEAPPHELPLINKDATAMSI_TRANSFORMMSI_TRANSFORM_REFMSI_PACKAGEFLAGCONTEXTMSI_CUSTOM_ACTIONFLAG_REFCONTEXT_REFACTIONLOOKUPNAMEDESCRIPTIONMODULEAPIVENDORAPP_NAMECOMMAND_LINEDLLFILEWILDCARD_NAMEAPPHELP_DETAILSLINK_URLLINK_TEXTAPPHELP_TITLEAPPHELP_CONTACTSXS_MANIFESTDATA_STRINGMSI_TRANSFORM_FILELAYER_DISPLAYNAMECOMPILER_VERSIONACTION_TYPESTRINGTABLEOFFSETSHIM_TAGIDPATCH_TAGIDPREVOSMAJORVERPREVOSMINORVERPREVOSPLATFORMIDPREVOSBUILDNOPROBLEMSEVERITYLANGIDuserHTMLHELPIDINDEX_FLAGSFLAGSDATA_VALUETYPEDATA_DWORDLAYER_TAGIDMSI_TRANSFORM_TAGIDFROM_LINK_DATEUPTO_LINK_DATEFLAG_TAGIDCONTEXT_TAGIDRUNTIME_PLATFORMGUEST_TARGET_PLATFORMURLURL_IDAPP_NAME_RC_IDVENDOR_NAME_RC_IDSUMMARY_MSG_RC_IDDESCRIPTION_RC_IDPARAMETER1_RC_IDTAGIDSTRINGTABLE_ITEMINCLUDEGENERALMATCH_LOGIC_NOTAPPLY_ALL_SHIMSUSE_SERVICE_PACK_FILESMITIGATION_OSMONITORING_OFFTELEMETRY_OFFRAC_EVENT_OFFSHIM_user_OFFLAYER_PROPAGATION_OFFBLOCK_UPGRADEBLOCK_UPGRADE_TYPEREINSTALL_UPGRADEREINSTALL_UPGRADE_TYPEINCLUDEEXCLUDEDLLTIMEMODTIMEFLAG_MASK_KERNELFROM_BIN_PRODUCT_VERSIONUPTO_BIN_PRODUCT_VERSIONDATA_QWORDFLAG_MASK_USERFLAGS_NTVDM1FLAGS_NTVDM2FLAGS_NTVDM3FLAG_MASK_SHELLFLAG_MASK_WINRTFROM_BIN_FILE_VERSIONUPTO_BIN_FILE_VERSIONFLAG_MASK_FUSIONFLAG_PROCESSPARAMFLAG_LUAFLAG_INSTALLPATCH_BITSFILE_BITSEXE_IDDATA_BITSMSI_PACKAGE_IDDATABASE_IDINDEX_BITSINDEXESINDEXMATCH_MODETAGINDEX_TAGINDEX_KEYCONTEXT_PLATFORM_IDCONTEXT_BRANCH_IDFIX_IDAPP_IDKDEVICEKDRIVERMATCHING_DEVICEACPIBIOSCPUOEMKFLAGKFLAG_REFKDATAKSHIMKSHIM_REFVENDOR_IDDEVICE_IDSUB_VENDOR_IDSUB_SYSTEM_IDREVISION_EQREVISION_LEREVISION_GEDATE_EQDATE_LEDATE_GECPU_MODEL_EQCPU_MODEL_LECPU_MODEL_GECPU_FAMILY_EQCPU_FAMILY_LECPU_FAMILY_GECREATOR_REVISION_EQCREATOR_REVISION_LECREATOR_REVISION_GEFORCE_CACHETRACE_PCAPACKAGEID_NAMEPACKAGEID_PUBLISHERPACKAGEID_ARCHITECTUREPACKAGEID_LANGUAGEPACKAGEID_VERSIONFROM_PACKAGEID_VERSIONUPTO_PACKAGEID_VERSIONOSMAXVERSIONTESTEDFROM_OSMAXVERSIONTESTEDUPTO_OSMAXVERSIONTESTEDROUTING_MODEOS_VERSION_VALUEQUIRKQUIRK_TAGIDQUIRK_REFQUIRK_ENABLED_VERSION_LTQUIRK_COMPONENT_CODE_IDQUIRK_CODE_IDQUIRK_OFFELEVATED_PROP_OFFMIGRATION_DATAMIGRATION_DATA_TYPEMIGRATION_DATA_REFMIGRATION_DATA_TEXTMIGRATION_DATA_TAGIDBIOS_BLOCKMATCHING_INFO_BLOCKDEVICE_BLOCKUPGRADE_DRIVER_BLOCKMANUFACTURERMODELDATEUPGRADE_DATAMATCHING_REGREG_VALUE_NAMEREG_VALUE_TYPEREG_VALUE_DATA_SZREG_VALUE_DATA_DWORDREG_VALUE_DATA_QWORDREG_VALUE_DATA_BINARYMATCHING_TEXTTEXTTEXT_ENCODINGMACHINE_BLOCKSHIM_CLASSOS_UPGRADEPACKAGEE
        Source: PLAY.mal_.exe, 00000001.00000003.330686142.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameApphelpj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.331029539.0000000001450000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNETUTILS.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.331923171.0000000001450000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamecryptbase.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.355492365.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameimm32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.352185893.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegdi32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.344802829.0000000002D12000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcrt.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.345076301.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHCORE.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.331489688.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamerpcrt4.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: NSC_NameNSC_AddressNSC_PhoneNSC_EmailNSC_DescriptionWM/WriterWM/ConductorWM/ProducerWM/DirectorWM/ContentGroupDescriptionWM/SubTitleWM/PartOfSetWM/ProtectionTypeWM/VideoHeightWM/VideoWidthWM/VideoFrameRateWM/MediaClassPrimaryIDWM/MediaClassSecondaryIDWM/PeriodWM/CategoryWM/PictureWM/Lyrics_SynchronisedWM/OriginalLyricistWM/OriginalArtistWM/OriginalAlbumTitleWM/OriginalReleaseYearWM/OriginalFilenameWM/PublisherWM/EncodedByWM/EncodingSettingsWM/EncodingTimeWM/AuthorURLWM/UserWebURLWM/AudioFileURLWM/AudioSourceURLWM/LanguageWM/ParentalRatingWM/BeatsPerMinuteWM/InitialKeyWM/MoodWM/TextWM/DVDIDWM/WMContentIDWM/WMCollectionIDWM/WMCollectionGroupIDWM/UniqueFileIdentifierWM/ModifiedByWM/RadioStationNameWM/RadioStationOwnerWM/PlaylistDelayWM/CodecWM/DRMWM/ISRCWM/ProviderWM/ProviderRatingWM/ProviderStyleWM/ContentDistributorWM/SubscriptionContentIDWM/WMADRCPeakReferenceWM/WMADRCPeakTargetWM/WMADRCAverageReferenceWM/WMADRCAverageTargetWM/StreamTypeInfoWM/PeakBitrateWM/ASFPacketCountWM/ASFSecurityObjectsSizeWM/SharedUserRatingWM/SubTitleDescriptionWM/MediaCreditsWM/ParentalRatingReasonWM/OriginalReleaseTimeWM/MediaStationCallSignWM/MediaStationNameWM/MediaNetworkAffiliationWM/MediaOriginalChannelWM/MediaIsStereoWM/MediaOriginalBroadcastDateTimeWM/VideoClosedCaptioningWM/MediaIsRepeatWM/MediaIsLiveWM/MediaIsTapeWM/MediaIsDelayWM/MediaIsSubtitledWM/MediaIsPremiereWM/MediaIsFinaleWM/MediaIsSAPWM/ProviderCopyrightWM/ISANWM/ADIDWM/WMShadowFileSourceFileTypeWM/WMShadowFileSourceDRMTypeWM/WMCPDistributorWM/WMCPDistributorIDWM/SeasonNumberWM/EpisodeNumberEarlyDataDeliveryJustInTimeDecodeSingleOutputBufferSoftwareScalingDeliverOnReceiveScrambledAudioDedicatedDeliveryThreadEnableDiscreteOutputSpeakerConfigDynamicRangeControlAllowInterlacedOutputVideoSampleDurationsStreamLanguageEnableWMAProSPDIFOutputDeinterlaceModeInterlacedCodingInitialPatternForInverseTelecineJPEGCompressionQualityWatermarkCLSIDWatermarkConfigFixedFrameRate_SOURCEFORMATTAG_ORIGINALWAVEFORMAT_EDL_COMPLEXITYEX_DECODERCOMPLEXITYPROFILEReloadIndexOnSeekStreamNumIndexObjectsFailSeekOnErrorPermitSeeksBeyondEndOfStreamUsePacketAtSeekPointSourceBufferTimeSourceMaxBytesAtOnce_VBRENABLED_VBRQUALITY_RMAX_BMAXVBR PeakBuffer Average_COMPLEXITYEXMAX_COMPLEXITYEXOFFLINE_COMPLEXITYEXLIVE_ISVBRSUPPORTED_PASSESUSEDMusicSpeechClassModeMusicClassModeSpeechClassModeMixedClassModeSpeechFormatCapPeakValueAverageLevelFold6To2Channels3Fold%luTo%luChannels%luDeviceConformanceTemplateEnableFrameInterpolationNeedsPreviousSampleWM/IsCompilation| vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameKernelbase.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.355075498.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWin32u.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.331828067.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesecurity.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.355458870.0000000001450000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefilterLib.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000001.00000003.355639216.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamempr.dllj% vs PLAY.mal_.exe
        Source: C:\Users\user\Desktop\PLAY.mal_.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540
        Source: C:\Users\user\Desktop\PLAY.mal_.exeSection loaded: ext-ms-win-gdi-desktop-l1-1-0.dllJump to behavior
        Source: PLAY.mal_.exeReversingLabs: Detection: 80%
        Source: PLAY.mal_.exeVirustotal: Detection: 71%
        Source: PLAY.mal_.exeMetadefender: Detection: 45%
        Source: PLAY.mal_.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\PLAY.mal_.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\PLAY.mal_.exe "C:\Users\user\Desktop\PLAY.mal_.exe"
        Source: C:\Users\user\Desktop\PLAY.mal_.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540
        Source: C:\Users\user\Desktop\PLAY.mal_.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540
        Source: C:\Users\user\Desktop\PLAY.mal_.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 2796
        Source: C:\Users\user\Desktop\PLAY.mal_.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540Jump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5460
        Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: @ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/AppExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.CloseSessionIehistoryIerssJavascriptJscriptLDAPResrloginStickyNotesExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionFile.adp.app.application.appref-ms.asp.bas.cnt.cpftelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMS.ade.hlp.hme.hpj.hta.ins.isp.its.jse.cpl.crd.crds.crt.csh.fxp.gadget.grp.mat.mau.mav.maw.mcf.mda.mde.mdt.ksh.mad.maf.mag.mam.maq.mar.mas.mshxml.mst.ops.pcd.pl.plg.prf.prg.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xip.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.xnkBRITNLSVDAFIHUNOENDEJAKOTWCNFRHEEUISsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAELPLRUCSPTSKSLARbs-BA-Latnzh-Hantzh-CHTzh-Hanszh-CHSsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrliu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAdadeelenesfifrhearbgcarmroruhrsksqsvthhuisitjakonlplptfavihyazeuhsbmksttrurukbeetlvlttghimtsegayimskkkytstnvexhzuafkafotateknmlasmrsamnswtkuzttbnpaguorsdsyrsichriuamtzmksbocykmlomyglkokmniibbyoquznsobalbklignefypsfildvbinffhapaparnmohbrugmioccokromtignhawlasoiiar-SAbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRgswsahqucrwwoprsgdkuja-JPko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROen-USes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITid-IDuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJru-RUhr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKts-ZAtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOfa-IRvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAtk-TMuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INhi-INmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEcy-GBkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INte-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNfy-NLps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGsyr-SYsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPom-ETti-ETgn-PYhaw-USla-001so-SOii-CNpap-029yo-NGquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGsah-RUquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocarn-CLmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRit-CHnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INqps-plocaar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEpa-Arab-PKta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNaz-Cyrl-AZdsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDes-ESfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGquz-ECti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUzh-MOde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEde-LUen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZar-OMen-JMes-VEfr-REsms-FIar-YEen-029es-COes-PAfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-JOen-TTes-ARfr-CMsr-Latn-MEar-LBen-ZWes-ECfr-CDsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSes-UYfr-MAar-BHen-HKes-PYfr-HTar-QAen-INfr-CIsr-Cyrl-MEar-KWen-PHes-CLfr-MLar-AEen-IDes-419es-CUbs-Cyrlbs-Latnsr-Cyrlsr-Latnsmnaz-Cyrles-BOen-MYes-SVen-SGes-HNes-NIes-PRes-USiu-Canstzm-Tfngnbsrtg-Cyrldsbsmjuz-Latnsmszhnnbsaz-Latnsmauz-Cyrlmn-Cyrlquc-Lat
        Source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .xlsmMicrosoft.Office.Desktop_8wekyb3d8bbwe!Excel.dot.dotx.docmMicrosoft.Office.Desktop_8wekyb3d8bbwe!WordMicrosoft.Office.Desktop_8wekyb3d8bbwe!PowerPoint.ods.xla.xlam.xlt.xltm.xltx.xlsb.pps.ppsm.ppsx.thmx.pot.potm.potx.pptmms-powerpointms-excelms-word.odp.ppa.ppamABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/Explorer.AssocActionId.CloseSessionExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionAppExplorer.AssocActionId.BurnSelectionStickyNotestelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMSFileIehistoryIerssJavascriptJscriptLDAPResrlogin.cpf.crd.crds.crt.csh.fxp.gadget.grp.ade.adp.app.application.appref-ms.asp.bas.cnt.ksh.mad.maf.mag.mam.maq.mar.mas.hlp.hme.hpj.hta.ins.isp.its.jse.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mat.mau.mav.maw.mcf.mda.mde.mdt.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.mshxml.mst.ops.pcd.pl.plg.prf.prg.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.xnk.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xipKOTWCNFRBRITNLSVENDEJAPTTRSKSLARHEEUISDAFIHUNOELPLRUCSiu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAbs-BA-Latnzh-Hantzh-CHTsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrlzh-Hanszh-CHSarbgcacsdadeitjakonlplptrmroelenesfifrhehuisukbesletlvlttgfaruhrsksqsvthtrurtnvexhzuafkafohivihyazeuhsbmksttstkuzttbnpaguortamtsegayimskkkyswcykmlomyglkokmnisdteknmlasmrsamnbofypsfildvbinffhaibbsyrsichriuamtzmksneomtignhawlasoiipapyoquznsobalbkligkrsahqucrwwoprsgdkuar-SAarnmohbrugmioccogswes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITja-JPbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRen-UShr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKid-IDko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROru-RUvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAts-ZAuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJfa-IRmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEtk-TMtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOhi-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNcy-GBuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INte-INsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPfy-NLkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INsyr-SYquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGom-ETps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGyo-NGmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRsah-RUti-ETgn-PYhaw-USla-001so-SOii-CNpap-029arn-CLar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEit-CHquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocqps-plocadsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDpa-Arab-PKnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INaz-Cyrl-AZti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUes-ESta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNquz-ECen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZzh-MOfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGde-LUfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-OMde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEes-PAsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSar-JOen-JMes-VEfr-REsms-FIar-YEen-029es-COfr-CDsr-Cyrl-MEar-KWen-PHes-CLf
        Source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
        Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8ACC.tmpJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile written: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.iniJump to behavior
        Source: classification engineClassification label: mal60.rans.winEXE@6/139@0/100
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.iniJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: PLAY.mal_.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: PLAY.mal_.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: netutils.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331029539.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdb source: PLAY.mal_.exe, 00000001.00000003.329138105.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdb source: PLAY.mal_.exe, 00000001.00000003.331001757.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdb source: PLAY.mal_.exe, 00000001.00000003.331097584.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcrt.pdb source: PLAY.mal_.exe, 00000001.00000003.344381653.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdb source: PLAY.mal_.exe, 00000001.00000003.331489688.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: C:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdbHm source: baseimagefam8.1.dr
        Source: Binary string: wntdll.pdb source: PLAY.mal_.exe, 00000001.00000003.323602432.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shcore.pdb source: PLAY.mal_.exe, 00000001.00000003.345076301.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.355075498.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcryptprimitives.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331947513.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdb source: PLAY.mal_.exe, 00000001.00000003.352185893.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdb source: PLAY.mal_.exe, 00000001.00000003.351524816.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: fltLib.pdb source: PLAY.mal_.exe, 00000001.00000003.355458870.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wsspicli.pdb source: PLAY.mal_.exe, 00000001.00000003.331828067.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.344869652.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shell32.pdb source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331489688.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdb source: PLAY.mal_.exe, 00000001.00000003.353571169.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.352185893.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdb source: PLAY.mal_.exe, 00000001.00000003.355492365.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdb source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdb source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: mpr.pdb source: PLAY.mal_.exe, 00000001.00000003.355639216.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdb source: PLAY.mal_.exe, 00000001.00000003.355075498.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wsspicli.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.331828067.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: combase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.345484798.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331097584.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: srvcli.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331438294.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331923171.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: srvcli.pdb source: PLAY.mal_.exe, 00000001.00000003.331438294.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shell32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355492365.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: fltLib.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.355458870.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: profapi.pdb source: PLAY.mal_.exe, 00000001.00000003.355198404.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.352754344.0000000002CDB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdb source: PLAY.mal_.exe, 00000001.00000003.332252050.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: iphlpapi.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332176901.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdb source: PLAY.mal_.exe, 00000001.00000003.352754344.0000000002CDB000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shcore.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.345076301.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: mpr.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355639216.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: sechost.pdb source: PLAY.mal_.exe, 00000001.00000003.332059802.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: iphlpapi.pdb source: PLAY.mal_.exe, 00000001.00000003.332176901.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.323602432.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: powrprof.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355262879.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: powrprof.pdb source: PLAY.mal_.exe, 00000001.00000003.355262879.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.330686142.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355140276.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: sechost.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332059802.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.329138105.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: PLAY.mal_.exe, 00000001.00000003.355140276.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.331001757.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.353571169.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.351524816.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdb source: PLAY.mal_.exe, 00000001.00000003.331923171.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\jdk\objs\libawt\awt.pdb source: baseimagefam8.1.dr
        Source: Binary string: bcryptprimitives.pdb source: PLAY.mal_.exe, 00000001.00000003.331947513.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdb source: PLAY.mal_.exe, 00000001.00000003.344869652.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: combase.pdb source: PLAY.mal_.exe, 00000001.00000003.345484798.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdb source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: profapi.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355198404.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ApplicationFrameWindowWindows.Foundation.Collections.IIterator`1<IUnknown>Windows.Foundation.Collections.IVectorView`1<IUnknown>Windows.Foundation.Collections.IVector`1<IUnknown>@%SystemRoot%\System32\SettingSyncCore.dll,-1024internal\onecoreuapshell\private\inc\shouldswitchtodesktop.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000BasicPropertiesDocumentPropertiesImagePropertiesVideoPropertiesMusicPropertiesRenameAsyncOverloadDefaultOptionsRenameAsyncIStorageItem2GetParentAsyncIsEqualGetThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetThumbnailAsyncOverloadDefaultOptionsget_DisplayNameIStorageItemProperties2GetScaledImageAsThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetScaledImageAsThumbnailAsyncOverloadDefaultOptionsGetScaledImageAsThumbnailAsyncIStorageItemPropertiesWithProviderget_ProviderIStorageItemThumbnailAccessPrivGetScaledImageOrThumbnailAsyncIStorageItemHandleAcccessOpenAsyncPrivatePauseDeferredUpdateSetStreamedFileCallbackGetStreamedFileCallbackGetSpecialInternalPropertySetSpecialInternalPropertyCreateTempFileInSameLocationCopyOverloadDefaultOptionsCopyOverloadCopyAndReplaceAsyncMoveOverloadDefaultNameAndOptionsWindows.Security.EnterpriseData.FileProtectionManagerMoveOverloadDefaultOptionsoptionsCreateFolderAsyncOverloadDefaultOptionsGetItemAsyncGetItemsAsyncOverloadDefaultStartAndCountCreateFileQueryOverloadDefaultCreateFileQueryCreateFolderQueryOverloadDefaultCreateFolderQueryCreateFolderQueryWithOptionsCreateItemQueryWithOptionsGetFilesAsyncOverloadDefaultStartAndCountGetFoldersAsyncOverloadDefaultStartAndCountget_MusicLibraryget_HomeGroupget_RemovableDevicesget_MediaServerDevicesget_Playlistsget_SavedPicturesget_Objects3Dget_AppCapturesget_RecordedCallsGetFolderForUserAsyncget_ApplicationDataSharedLocalGetPublisherCacheFolderGetApplicationDataFolderForUserGetPublisherCacheFolderForUserknownfolder:{AB5FB87B-7CE2-4F83-915D-550846C9537B}knownfolder:{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}knownfolder:{1C2AC1DC-4358-4B6C-9733-AF21156576F0}knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}knownfolder:{374DE290-123F-4565-9164-39C4925E467B}knownfolder:{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43}knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}knownfolder:{AE50C081-EBD2-438A-8655-8A092E34987A}knownfolder:{C870044B-F49E-4126-A9C3-B52A1FF411E8}knownfolder:{3B193882-D3AD-4eab-965A-69829D1FB59F}knownfolder:{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC}get_Langua
        Source: Binary string: C:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdb source: baseimagefam8.1.dr
        Source: Binary string: apphelp.pdb source: PLAY.mal_.exe, 00000001.00000003.330686142.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdb source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\jdk\objs\libawt\awt.pdb8n source: baseimagefam8.1.dr
        Source: Binary string: ws2_32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332252050.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: netutils.pdb source: PLAY.mal_.exe, 00000001.00000003.331029539.0000000001450000.00000004.00001000.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: A:\ReadMe.txtJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: B:\ReadMe.txtJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ReadMe.txtJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exe TID: 5936Thread sleep time: -90000s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: PLAY.mal_.exe, 00000001.00000000.472458165.000000000B82A000.00000004.00000800.00020000.00000000.sdmp, PLAY.mal_.exe, 00000001.00000003.410275281.000000000B81B000.00000004.00000800.00020000.00000000.sdmp, PLAY.mal_.exe, 00000001.00000003.411693718.000000000B829000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V
        Source: baseimagefam8.1.drBinary or memory string: java/lang/VirtualMachineError
        Source: baseimagefam8.1.drBinary or memory string: Unable to link/verify VirtualMachineError class
        Source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
        Source: baseimagefam8.1.drBinary or memory string: _well_known_klasses[SystemDictionary::VirtualMachineError_klass_knum]
        Source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity
        Source: baseimagefam8.1.drBinary or memory string: m{constant pool}code cache C-heap hand metaspace chunks dict zone strs syms heap threads [Verifying Genesis-2147483648Unable to link/verify Finalizer.register methodUnable to link/verify ClassLoader.addClass methodProtectionDomain.impliesCreateAccessControlContext() has the wrong linkageUnable to link/verify Unsafe.throwIllegalAccessError methodGC overhead limit exceededRequested array size exceeds VM limitCompressed class spaceJava heap spaceUnable to link/verify VirtualMachineError classC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\hotspot\src\share\vm\oops\arrayKlass.cpp[]guarantee(component_mirror()->klass() != NULL) failedshould have a classC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\hotspot\src\share\vm\gc_interface/collectedHeap.inline.hpp - length: %dguarantee(a->length() >= 0) failedarray with negative length?guarantee(obj->is_array()) failedmust be arrayshould be klassguarantee(is_constantPool()) failedvtable restored by this callA constant pool lock<pseudo-string> cache=0x%08x (extra) for /operands[%d]/preresolutionconstant pool [%d]C:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\hotspot\src\share\vm\oops\constantPool.cppguarantee(!ConstantPool::is_invokedynamic_index(which)) failedan invokedynamic instruction does not have a klassRESOLVE %s %s
        Source: C:\Users\user\Desktop\PLAY.mal_.exeProcess queried: DebugPortJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeProcess queried: DebugPortJump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540Jump to behavior
        Source: C:\Users\user\Desktop\PLAY.mal_.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540Jump to behavior
        Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
        Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
        Source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: TargetundeleteSoftware\Microsoft\Tracking\TimeOut::{9db1186e-40df-11d1-aa8c-00c04fb67863}:Shell_TrayWnd
        Source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Program Manager
        Source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: GetProgmanWindow
        Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
        Source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: *Program ManagerpszDesktopTitleWSoftware\Classes\
        Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: animationTileContentsSrcVerticalScrollBaranimationProgressSrcanimationTileContentsDstInneranimationTileContentsSrcInneranimationTileContentsDstanimationProgressDstInneranimationProgressDstanimationProgressSrcInnereltRegularTileHeadereltSummaryeltInterruptPaneeltProgressBaridOperationTileeltInterruptDoForAlleltItemIconeltInterruptDescriptioneltInterruptButtonsContainereltInterruptDeleteBtneltInterruptElevateBtneltItemPropseltItemNameeltInterruptYesBtneltInterruptRetryBtneltInterruptCancelBtneltInterruptSkipBtnConfirmationCheckBoxDoForAlleltInterruptNoBtneltInterruptOKBtnshell\shell32\operationstatusmgr.cppidTileSubTextidOperationInterrupteltInterruptDoForAllLabelidTileActionIdTileKeepSourceidItemTileIdTileDecideForEachIdTileIgnoreIdTileKeepAsPersonalIdTileKeepAsWorkIdTileKeepDestCustomCommandIconDecideForEachTileIconSkipTileIconKeepSourceTileIconeltItemTileContainereltConflictInterruptDescriptionidTileIconidCustomConflictInterrupteltInterruptTileHeaderidConflictInterrupteltRateChartCHARTVIEW%0.2fIdTileDefaulteltPauseButtoneltTileContentseltTile%ueltTimeRemainingeltConflictInterrupteltConfirmationInterrupteltLocationseltItemsRemainingeltDetailseltScrolleltRegularTileeltCancelButtonidTileHosteltScrollBarFillereltDividereltProgressBarContainereltDisplayModeBtnFocusHoldereltDisplayModeBtnWindows.SystemToast.ExplorerEnthusiastModeprogmaneltFooterArealfEscapementSoftware\Microsoft\NotepadRICHEDIT50WlfUnderlinelfItaliclfWeightlfOrientationlfClipPrecisionlfOutPrecisionlfCharSetlfStrikeOutLucida ConsoleiPointSizelfPitchAndFamilylfQualitylfFaceName
        Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
        Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: |}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange
        Source: PLAY.mal_.exe, 00000001.00000003.345076301.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Shell_TrayWndSHCore.Subclass.DataSystem\CurrentControlSet\Control\HvsiWindowOverrideScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Explorer\FCM\Impolite[
        Source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SetProgmanWindow
        Source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        1
        Replication Through Removable Media        		Windows Management Instrumentation1
        DLL Side-Loading        		12
        Process Injection        		1
        Disable or Modify Tools        		21
        Input Capture        		11
        Security Software Discovery        		1
        Replication Through Removable Media        		21
        Input Capture        		Exfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
        DLL Side-Loading        		2
        Virtualization/Sandbox Evasion        		LSASS Memory2
        Virtualization/Sandbox Evasion        		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)12
        Process Injection        		Security Account Manager1
        Process Discovery        		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
        DLL Side-Loading        		NTDS11
        Peripheral Device Discovery        		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets2
        File and Directory Discovery        		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain Credentials2
        System Information Discovery        		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync1
        Remote System Discovery        		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        PLAY.mal_.exe81%ReversingLabsWin32.Ransomware.PlayCrypt
        PLAY.mal_.exe72%VirustotalBrowse
        PLAY.mal_.exe45%MetadefenderBrowse
        PLAY.mal_.exe100%AviraTR/FileCoder.zcerj

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        http://ocsp.thawte.com00%URL Reputationsafe
        http://ocsp.thawte.com00%URL Reputationsafe
        http://bugreport.sun.com/bugreport/crash.jsp0%VirustotalBrowse
        http://bugreport.sun.com/bugreport/crash.jsp0%Avira URL Cloudsafe
        http://bugreport.sun.com/bugreport/crash.jspVM0%Avira URL Cloudsafe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://bugreport.sun.com/bugreport/crash.jspbaseimagefam8.1.drfalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        		unknown
        http://www.oracle.com/hotspot/jvm/java/monitor/addressbaseimagefam8.1.drfalse
          		high
          http://crl.thawte.com/ThawteTimestampingCA.crl0baseimagefam8.1.drfalse
            		high
            http://www.oracle.com/hotspot/jvm/vm/compiler/idbaseimagefam8.1.drfalse
              		high
              http://www.oracle.com/hotspot/jvm/baseimagefam8.1.drfalse
                		high
                http://www.oracle.com/hotspot/jvm/vm/gc/idbaseimagefam8.1.drfalse
                  		high
                  http://bugreport.sun.com/bugreport/crash.jspVMbaseimagefam8.1.drfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://ocsp.thawte.com0baseimagefam8.1.drfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.oracle.com/hotspot/jvm/vm/code_sweeper/idbaseimagefam8.1.drfalse
                    		high

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious

                    Private

                    IP
                    192.168.2.148
                    192.168.2.149
                    192.168.2.146
                    192.168.2.147
                    192.168.2.140
                    192.168.2.141
                    192.168.2.144
                    192.168.2.145
                    192.168.2.142
                    192.168.2.143
                    192.168.2.159
                    192.168.2.157
                    192.168.2.158
                    192.168.2.151
                    192.168.2.152
                    192.168.2.150
                    192.168.2.155
                    192.168.2.156
                    192.168.2.153
                    192.168.2.154
                    192.168.2.126
                    192.168.2.247
                    192.168.2.127
                    192.168.2.248
                    192.168.2.124
                    192.168.2.245
                    192.168.2.125
                    192.168.2.246
                    192.168.2.128
                    192.168.2.249
                    192.168.2.129
                    192.168.2.240
                    192.168.2.122
                    192.168.2.243
                    192.168.2.123
                    192.168.2.244
                    192.168.2.120
                    192.168.2.241
                    192.168.2.121
                    192.168.2.242
                    192.168.2.97
                    192.168.2.137
                    192.168.2.96
                    192.168.2.138
                    192.168.2.99
                    192.168.2.135
                    192.168.2.98
                    192.168.2.136
                    192.168.2.139
                    192.168.2.250
                    192.168.2.130
                    192.168.2.251
                    192.168.2.91
                    192.168.2.90
                    192.168.2.93
                    192.168.2.133
                    192.168.2.254
                    192.168.2.92
                    192.168.2.134
                    192.168.2.95
                    192.168.2.131
                    192.168.2.252
                    192.168.2.94
                    192.168.2.132
                    192.168.2.253
                    192.168.2.104
                    192.168.2.225
                    192.168.2.105
                    192.168.2.226
                    192.168.2.102
                    192.168.2.223
                    192.168.2.103
                    192.168.2.224
                    192.168.2.108
                    192.168.2.229
                    192.168.2.109
                    192.168.2.106
                    192.168.2.227
                    192.168.2.107
                    192.168.2.228
                    192.168.2.100
                    192.168.2.221
                    192.168.2.101
                    192.168.2.222
                    192.168.2.220
                    192.168.2.115
                    192.168.2.236
                    192.168.2.116
                    192.168.2.237
                    192.168.2.113
                    192.168.2.234
                    192.168.2.114
                    192.168.2.235
                    192.168.2.119
                    192.168.2.117
                    192.168.2.238
                    192.168.2.118
                    192.168.2.239
                    192.168.2.111
                    192.168.2.232

                    General Information

                    Joe Sandbox Version:35.0.0 Citrine
                    Analysis ID:695797
                    Start date and time:2022-09-01 23:06:53 +02:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 7m 52s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Sample file name:PLAY.mal_.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed:22
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal60.rans.winEXE@6/139@0/100
                    EGA Information:Failed
                    HDC Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Adjust boot time
                    • Enable AMSI

                    Warnings

                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.189.173.20
                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, eudb.ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtCreateFile calls found.
                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    23:08:52API Interceptor7x Sleep call for process: PLAY.mal_.exe modified
                    23:09:39API Interceptor2x Sleep call for process: WerFault.exe modified

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASNs

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    A:\Recovery\WindowsRE\ReAgent.xml.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2184
                    Entropy (8bit):7.906470796265052
                    Encrypted:false
                    SSDEEP:48:rsWwduHqvdFMQo/HnkBuVDoj+JaJgefH3ETDXzdRd/LqB4H08At:rpsdFMx/HnVVcgWl0TDXhnH3At
                    MD5:741D12AE241E67CD5CFCF80CF82194CC
                    SHA1:032B992FF60974AA1605DA669BD1E4CA195A7A61
                    SHA-256:985CE51EDF72ECC79B81F19F90BB57EB9C07D5CAF668FE8FAC3F93877C6681ED
                    SHA-512:6F14C7BA8BED32C7BBC226022279A874478C88B2F8B0FE6D6D253789840DBB5A72491E0EFBDFF77E8B447290CFB3B16701696B8230E310DE369DC8B212AE92E5
                    Malicious:false
                    Reputation:low
                    Preview:.....L5l....A.m....B.VMR..1........s*...l62...V7;.g........w.u.S.o."........z....Q[.~...=....D;i...../~....I..(....V.k.....%..99b.e...}a.....e6........t..zy[..k.=A~.../U=..eA.cc.N6.%$..!.......;s"....=".K..J.n..Y|.n.....G.<..L....5C5(.`+*....5...K:C&....%..H..x<0..d..vZ..........;.L.r..\.ya.^MlV.............n...=X.........p4..5....kY9X\+~....................>...K..|E.i..-e5.*....Z9..Q.....A..~.H.Lf#....d]..c[...h.|d.P...!RJAB!.V....(.\..f..B....5.....*....]0.h|.bX.X.F#H.d.....r.(...U....=..G.......D..+..e.D..w...$%......)'W1w....6...F.....m....r....-..'.Qv`..zXA}......Ex.d.....,b.0............~I..&04..\...I...../J.w...~......c!.......x<aQ'..}..k..r_x....LF...a.t..=*#l..0d#...i@..!....pf..b..Y)...L......%.&..f...C......I.R9.c.......6...9.....N.h....y...0.p.}. *.!.I..S7.....W{..>V..M.....FA....9..|.F.|.+.A$.Nt.P...?............".f....4....k....&....)..S...{t...|.&-"q....a.....D/.I.N....~lZ.s........"...hR.DsP...YA|".9{..d.`r\]`_

                    A:\Recovery\WindowsRE\boot.sdi.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):3171384
                    Entropy (8bit):7.999950519113721
                    Encrypted:true
                    SSDEEP:98304:rSOPRVYQ01WHdGWKiaarkZ3CtNCjXHISggwAf0Ga:rd5YAdGWKpLFXHIPhGa
                    MD5:20451479213D03C3D1DC78DCDA52D5EF
                    SHA1:6D821786CC2038B86F0E3724CB88B87E1D263E89
                    SHA-256:FBAAE9EAEF1E4CC8613A837B233A17FB4EBA4C403AD508B5FA5B045D00C395CF
                    SHA-512:75062D72C8EE65F6B772AADF29EA2A370190C3918CE3AA898F99E587AB5D548AB028F1964F4A4CB4D50BC0E0354647D00F5DC1515ADC62EC0E98FF20B11C60E2
                    Malicious:true
                    Reputation:low
                    Preview:.p.C.?.M]....g......,.e...i.1m.&..3.#.j..5N..k5'....U~.%d....<G.A.,qlkK.....&RC1.^.U.j[>.I.r!...>...{....n.......-./k...M.u..y.<.x.@...1.s....z.U.&.v[l..]y@.zD.C.........#...}L..IJ.8...0B....n...B~..$.j.P{mjPiJ....GN"KrH.L<..E.W~k....dp..a.....Fk6.l.8....$..x......1.,..".....77.ME%[,....f/.V@&..*......h..;........."9.7o.`..Y.P...!W..<...1.1.:.......Z.D27.o.b...<...NU.....Y.To.5..G.7.4.:..I...k.....^......_..v\...+.......:.6..GS..........t,[.7.`.....Yu.a....J)....q......5.s5...1y..L.gJ.W...A.w.^..Ay.8B#h..x....+.......(...8....*.E...ey......k.Rs.:...0.....Z..T%.!q......w.....c7.."........g.8.&Z......n.._.....n-.._\.Ec.YA..Ie.....f..W.c.s'......I....H.G.t.y|.v.....2Zwi..D....{..5 ..h.b#.?..$..KNI..v..M..?.mT)k......7Y+H......M..f..F..V......9..I..N.K..NV2E.f.q.......&.P...X.w.+..r.r.W..'S..U.......`.Rv.6e.1.....Zi...Kl.[.Z@8o./vJ.a...M...D&?zkh.......I!b..t..h}... ......_..)b....T|..)A......JWR<.T}Q...+...c0.\P../.I.....|.k.%.[.A.2....

                    C:\$Recycle.Bin\S-1-5-18\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1208
                    Entropy (8bit):7.841192490922823
                    Encrypted:false
                    SSDEEP:24:/Ro81IkeNRIgMWk8W4w6PC7/9iwdD4dqnmLg5KJEWAI1A6FAEILhfe:/Ro2vefW4tPvIUNs5QcLhe
                    MD5:1E843A8E92E6F44FB8E99A42B0B8F76F
                    SHA1:E5369563F6266FA4C695B1384D2C2F79A8F4D560
                    SHA-256:208F067BA8B408092DE2E5641B73E91905BFEE134075EE7826C5DEBEB0A2F730
                    SHA-512:37CD780DA275F291609830F7A25C368946866B922C167D75EBD20EE895C7120FD24632079E778DA1372AD8BCE74353E0449E8DE0A4C3244F595DAFC69FC0D7B3
                    Malicious:false
                    Reputation:low
                    Preview:i2Q...".......=...-[."..C/....l.qqz..../.;.)6.........OTM.`...T...'.7.6t.}.H.d........Jf...~Q..*.]..7Oh...[`;d;.m.rD.../.\.0..DuTY.....`Eo.V...T..U.|.!.I>..........................l$...Q&.E.`.A>.6.`....l".+!#z...x..j.........h.."..h..2......2h......S..'4..........c.r}1.....{...5ML.)..........!.k......cUj:...8.i...;....(.?]....#..K!..f....c.k..$..Vv...{A....A..0.]...R..F.m.V.1|..a.h....e.].pN{.(.(.H..U.#C#G..e.ggZ....N^K..T....6u1..(L....}.C.......I.[H.:]3...[..M#.. ...F......{.r'..=..6..K....^...N..sd)i.$.&.Q......4V..D..;E.:....f+.'i517.....a......hR.s..e......n%3j|.H......}....S[.=.1+.=.0..'B........7\W...I.i.e..d..iWB..;?..5t...)Lb.O.?+.AbAyy.......T.t..'....8'...M.[qf.u.r....f.Z\g .y./.I......alO..G.....O..^7V....nLZ..?..C..e....2..=n.....*@....[9.q..;.vD..?....6.4...a....C..]8.!.u>P...^y.!d.y.>l..lG.VO.!....p(.....H...WA.m..}../.S....IP."#w..uy.+..fd;{.1..f..$H..f..Sk.m.0.Xb.........7.....BY........(.....Y......5............M...1?D....c.p.....

                    C:\$Recycle.Bin\S-1-5-18\desktop.ini.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1208
                    Entropy (8bit):7.841192490922823
                    Encrypted:false
                    SSDEEP:24:/Ro81IkeNRIgMWk8W4w6PC7/9iwdD4dqnmLg5KJEWAI1A6FAEILhfe:/Ro2vefW4tPvIUNs5QcLhe
                    MD5:1E843A8E92E6F44FB8E99A42B0B8F76F
                    SHA1:E5369563F6266FA4C695B1384D2C2F79A8F4D560
                    SHA-256:208F067BA8B408092DE2E5641B73E91905BFEE134075EE7826C5DEBEB0A2F730
                    SHA-512:37CD780DA275F291609830F7A25C368946866B922C167D75EBD20EE895C7120FD24632079E778DA1372AD8BCE74353E0449E8DE0A4C3244F595DAFC69FC0D7B3
                    Malicious:false
                    Reputation:low
                    Preview:i2Q...".......=...-[."..C/....l.qqz..../.;.)6.........OTM.`...T...'.7.6t.}.H.d........Jf...~Q..*.]..7Oh...[`;d;.m.rD.../.\.0..DuTY.....`Eo.V...T..U.|.!.I>..........................l$...Q&.E.`.A>.6.`....l".+!#z...x..j.........h.."..h..2......2h......S..'4..........c.r}1.....{...5ML.)..........!.k......cUj:...8.i...;....(.?]....#..K!..f....c.k..$..Vv...{A....A..0.]...R..F.m.V.1|..a.h....e.].pN{.(.(.H..U.#C#G..e.ggZ....N^K..T....6u1..(L....}.C.......I.[H.:]3...[..M#.. ...F......{.r'..=..6..K....^...N..sd)i.$.&.Q......4V..D..;E.:....f+.'i517.....a......hR.s..e......n%3j|.H......}....S[.=.1+.=.0..'B........7\W...I.i.e..d..iWB..;?..5t...)Lb.O.?+.AbAyy.......T.t..'....8'...M.[qf.u.r....f.Z\g .y./.I......alO..G.....O..^7V....nLZ..?..C..e....2..=n.....*@....[9.q..;.vD..?....6.4...a....C..]8.!.u>P...^y.!d.y.>l..lG.VO.!....p(.....H...WA.m..}../.S....IP."#w..uy.+..fd;{.1..f..$H..f..Sk.m.0.Xb.........7.....BY........(.....Y......5............M...1?D....c.p.....

                    C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1208
                    Entropy (8bit):7.8391822174279095
                    Encrypted:false
                    SSDEEP:24:ldrZkaccUU3x1exDspDyXq6BPM+DheQ3zIsMz1S3OT:lxZAksxDspmlBk+DIQ3zsE6
                    MD5:7B7DB91887D88BD49B0F140C4588A492
                    SHA1:770CA1A092D10E124CE4A61059CEF7E79FC4BCB3
                    SHA-256:C68801A90625B5BD23517E2398C891FCCD59AB69AC9C7E4604BE32FB341D4E7E
                    SHA-512:16F1592F628013CD0FB679B69662ABB5543F516144E56DC5B1BEA4FD8B8B6AD4AF7708A8F7CA622A70A061C934E2BE358242D30BAA271A1AD60C14DA6BB9FE01
                    Malicious:false
                    Reputation:low
                    Preview:....wCJL.....m..D+-.)..,...lf'&...r.W..x..'...<..=4..<.x..6.Z..j{J.n..*W2<.x...4.dg.gUY..#..d.X.g.B..g(.Y..v} f....\X....+tk;?.....jK..Po.T...T..U.|.!.I>..........................g...M.....".5...".`.R...+......".bq.7.Yg.[.....0n..a....q.|&u.?.z..~...N.Y7..8C...).^,A'X...|.|]c}.iy.c..v.w..).jw..`.t..T..\.7N......{~.....or"ce.."..(...9=..hFV..x.}d.@F2.eV..........b%.....lc5\.*..Qq....Q.a.}T........x.c..T...Ub.)./..=.a.\..;.S...J;?..q..]..H...,...c..2#.5.[ 1BK.".Z.bmJ.m...v...^b.k..b..X.a...M.G.[....;\BF.A?7.K..pi(.P.....]?,.T'...-b....p...{YU.....[..D..oS....[.t.[).b.P.8..R.7.:.....P~..Y..J{.h....p_....3.B'.TV%..j|Z..b.xR.+...4..\...Y..1...~0..R.;r.>.5........hz..=..bS.r....|F9/....'..........C....R.~....,..8.q...xz.{gi.O../.....X..a./o....XVi......j.0.chn#.8~O.e...~|9...=.2...?.W........P.G..rkM...........[?m...k..H.E.9......o..x.{........<B.L...R...r...P.....b....(........K.......`.;9c..m..5^.p...(.e..I.....;../..>.D.7.bw=

                    C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.ini.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1208
                    Entropy (8bit):7.8391822174279095
                    Encrypted:false
                    SSDEEP:24:ldrZkaccUU3x1exDspDyXq6BPM+DheQ3zIsMz1S3OT:lxZAksxDspmlBk+DIQ3zsE6
                    MD5:7B7DB91887D88BD49B0F140C4588A492
                    SHA1:770CA1A092D10E124CE4A61059CEF7E79FC4BCB3
                    SHA-256:C68801A90625B5BD23517E2398C891FCCD59AB69AC9C7E4604BE32FB341D4E7E
                    SHA-512:16F1592F628013CD0FB679B69662ABB5543F516144E56DC5B1BEA4FD8B8B6AD4AF7708A8F7CA622A70A061C934E2BE358242D30BAA271A1AD60C14DA6BB9FE01
                    Malicious:false
                    Reputation:low
                    Preview:....wCJL.....m..D+-.)..,...lf'&...r.W..x..'...<..=4..<.x..6.Z..j{J.n..*W2<.x...4.dg.gUY..#..d.X.g.B..g(.Y..v} f....\X....+tk;?.....jK..Po.T...T..U.|.!.I>..........................g...M.....".5...".`.R...+......".bq.7.Yg.[.....0n..a....q.|&u.?.z..~...N.Y7..8C...).^,A'X...|.|]c}.iy.c..v.w..).jw..`.t..T..\.7N......{~.....or"ce.."..(...9=..hFV..x.}d.@F2.eV..........b%.....lc5\.*..Qq....Q.a.}T........x.c..T...Ub.)./..=.a.\..;.S...J;?..q..]..H...,...c..2#.5.[ 1BK.".Z.bmJ.m...v...^b.k..b..X.a...M.G.[....;\BF.A?7.K..pi(.P.....]?,.T'...-b....p...{YU.....[..D..oS....[.t.[).b.P.8..R.7.:.....P~..Y..J{.h....p_....3.B'.TV%..j|Z..b.xR.+...4..\...Y..1...~0..R.;r.>.5........hz..=..bS.r....|F9/....'..........C....R.~....,..8.q...xz.{gi.O../.....X..a./o....XVi......j.0.chn#.8~O.e...~|9...=.2...?.W........P.G..rkM...........[?m...k..H.E.9......o..x.{........<B.L...R...r...P.....b....(........K.......`.;9c..m..5^.p...(.e..I.....;../..>.D.7.bw=

                    C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1208
                    Entropy (8bit):7.809126501981815
                    Encrypted:false
                    SSDEEP:24:wj0qsFvOoxu/xsdcY6CdEC2148heEr1qLbS8BL5+iz0CP:wj0FOoxIxDd3fIQ4LW8BNjFP
                    MD5:FFA220979B7EBF2EBC161C8FABE80431
                    SHA1:C1579D24BE08CC52570259204D8CFDFBF18B6529
                    SHA-256:23914E1D7F3BBCA50A958EAC86943CEEB5E42FC95F32C750365113EB5DB54C34
                    SHA-512:25D8303129077E1E792B1605C549F89BF8AFA6F24540F1F4C4D0A5E16BB7E2430B4BF04B96764941A6498D5560EE738A512F3521C761CBD55ACFAC31BAD8857D
                    Malicious:false
                    Reputation:low
                    Preview:.Rf.....W.5...............l..Q&........#......=.`...5.j1J..sHs~.4.q.j.r*a1n....RA....3G5...+$.@9.i.UG..vtXP.......D..-.d[.XmA..3.@......T..U.|.!.I>..........................lJ...&dm\.8n.fk6......2.........b....zt......K3...F.q.jc..S..~.. .z.2N.,...Q,...C..S.h&w.r....+.%....'a......Tp.r@;O....p..].=....2d..=..'\....v...:E..bC....{0..-ts3... k...K..a^U.........w....i`..~.k...v...v...:.`.......4....`Xb....U..T...7fn.}.kV..;..w.q.-...m.........(.R...........[.s.F3..SF#.5.....[{a;...6.+3...l.).<.........a..%WV.. .p. .........I...2.}e]w...@..4[G............m.B>..tWe..Y..Psq}=F...=>f!n.yC*_n.\.e;..76B...Y.........S........~FJ|_.....&..?-...V..M....4.._&H. -..$.U+.,....Q.>.....\.:.!.U6K..2..u..6..%....!.r.G_........}...].......k.....(....+.s0_...C..bj8.b.$^.....j..q..z.$.Z.....[.-.^.....<fu.\Z.>.p.j......\/.Azm......./..@a^.....?;.i{...=N.?s.F.R.O...j..|.DyF.e.;.o3.u....Y..B.]xr.i.n...|m7.e(...n"....=n2+...Z.zBx{.....]....3. .u...

                    C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\desktop.ini.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1208
                    Entropy (8bit):7.809126501981815
                    Encrypted:false
                    SSDEEP:24:wj0qsFvOoxu/xsdcY6CdEC2148heEr1qLbS8BL5+iz0CP:wj0FOoxIxDd3fIQ4LW8BNjFP
                    MD5:FFA220979B7EBF2EBC161C8FABE80431
                    SHA1:C1579D24BE08CC52570259204D8CFDFBF18B6529
                    SHA-256:23914E1D7F3BBCA50A958EAC86943CEEB5E42FC95F32C750365113EB5DB54C34
                    SHA-512:25D8303129077E1E792B1605C549F89BF8AFA6F24540F1F4C4D0A5E16BB7E2430B4BF04B96764941A6498D5560EE738A512F3521C761CBD55ACFAC31BAD8857D
                    Malicious:false
                    Preview:.Rf.....W.5...............l..Q&........#......=.`...5.j1J..sHs~.4.q.j.r*a1n....RA....3G5...+$.@9.i.UG..vtXP.......D..-.d[.XmA..3.@......T..U.|.!.I>..........................lJ...&dm\.8n.fk6......2.........b....zt......K3...F.q.jc..S..~.. .z.2N.,...Q,...C..S.h&w.r....+.%....'a......Tp.r@;O....p..].=....2d..=..'\....v...:E..bC....{0..-ts3... k...K..a^U.........w....i`..~.k...v...v...:.`.......4....`Xb....U..T...7fn.}.kV..;..w.q.-...m.........(.R...........[.s.F3..SF#.5.....[{a;...6.+3...l.).<.........a..%WV.. .p. .........I...2.}e]w...@..4[G............m.B>..tWe..Y..Psq}=F...=>f!n.yC*_n.\.e;..76B...Y.........S........~FJ|_.....&..?-...V..M....4.._&H. -..$.U+.,....Q.>.....\.:.!.U6K..2..u..6..%....!.r.G_........}...].......k.....(....+.s0_...C..bj8.b.$^.....j..q..z.$.Z.....[.-.^.....<fu.\Z.>.p.j......\/.Azm......./..@a^.....?;.i{...=N.?s.F.R.O...j..|.DyF.e.;.o3.u....Y..B.]xr.i.n...|m7.e(...n"....=n2+...Z.zBx{.....]....3. .u...

                    C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1208
                    Entropy (8bit):7.814787182020583
                    Encrypted:false
                    SSDEEP:24:JsvfJ/rPWFjn/Tvhy0xsXUWDx9Zd6XPK5lGOe3AEcvF:JUfJ/reFz7vk0xzWDx9Zdhvw3A9
                    MD5:FF3960BBAFA70854B96FE025F4FC76D8
                    SHA1:37D987212281BDB4194D4337616A4A3784C33932
                    SHA-256:8E15C5648505FB16220BA6EE67D0414D27CA769A15F4125C8D75ECDD1D691A90
                    SHA-512:5FBD2107725F7A38880524368F4B88AF7329737CC59E49F97D976D64942ED8A6C5C49EE6B8AE18662A7242BFBFDEE77110F36494323169356B9C6C41B6303E2A
                    Malicious:false
                    Preview:.o.;.....F.hv..5...k....K.<.....j..,@...T......I.;..5...!.p.|"K..S".].(....r...C.)C..`..~y.Q.a...Y8.........x..C.5.*F...L.W...&...:.0.\..%....T..U.|.!.I>...........................%....C$..V+$.*..c}...5C...MS.B4$pV.}...[.`.[y...:n..}8..JV.6.7.L.&!r.sy ......t.8..W....<.?S.2W...3......^.....IRd..9Ksg.b......f[.(.....y....G(......Hh.!2.k.g...&.:.W1.!'..#4....%.FH.Z.....I#.l...^j?.....",..S..a.52.|.^.9#.....i...0yx..K..&..D.O.Z....Wz .....Z....Y.(.....Qhh;ll....E.7....6.ECR...)...2...f...U.`....N..C....l7.}....8.F..5.h....e.?.Y...r.q.....^.#p...~"....).]0.2....A.2..v%|.......B..Y%jS$lh.a.u.+i........F.....i^U.1S.Wh.S.T...Z.<.;K..yaI...q&........h{.>^.cC...SBu..S...!.w`.X.WM..".n%!`....O...np..9R....U<.WKX.\..~...)~.a(.&.......<.,..L....~xfo..t)D.v.ho....<\N......$=.Zu)..B\.Z.t.u..)...pd.7.t.q75..}.`...e.,tO<C..h?A#..e..d..q_.k.?...U.T......U.............Q...H.~.0'..o;...U.E....;.h..v7.......w.......KL.`...HI..T...Jx..>.K9s.gY..]....:a.

                    C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1208
                    Entropy (8bit):7.814787182020583
                    Encrypted:false
                    SSDEEP:24:JsvfJ/rPWFjn/Tvhy0xsXUWDx9Zd6XPK5lGOe3AEcvF:JUfJ/reFz7vk0xzWDx9Zdhvw3A9
                    MD5:FF3960BBAFA70854B96FE025F4FC76D8
                    SHA1:37D987212281BDB4194D4337616A4A3784C33932
                    SHA-256:8E15C5648505FB16220BA6EE67D0414D27CA769A15F4125C8D75ECDD1D691A90
                    SHA-512:5FBD2107725F7A38880524368F4B88AF7329737CC59E49F97D976D64942ED8A6C5C49EE6B8AE18662A7242BFBFDEE77110F36494323169356B9C6C41B6303E2A
                    Malicious:false
                    Preview:.o.;.....F.hv..5...k....K.<.....j..,@...T......I.;..5...!.p.|"K..S".].(....r...C.)C..`..~y.Q.a...Y8.........x..C.5.*F...L.W...&...:.0.\..%....T..U.|.!.I>...........................%....C$..V+$.*..c}...5C...MS.B4$pV.}...[.`.[y...:n..}8..JV.6.7.L.&!r.sy ......t.8..W....<.?S.2W...3......^.....IRd..9Ksg.b......f[.(.....y....G(......Hh.!2.k.g...&.:.W1.!'..#4....%.FH.Z.....I#.l...^j?.....",..S..a.52.|.^.9#.....i...0yx..K..&..D.O.Z....Wz .....Z....Y.(.....Qhh;ll....E.7....6.ECR...)...2...f...U.`....N..C....l7.}....8.F..5.h....e.?.Y...r.q.....^.#p...~"....).]0.2....A.2..v%|.......B..Y%jS$lh.a.u.+i........F.....i^U.1S.Wh.S.T...Z.<.;K..yaI...q&........h{.>^.cC...SBu..S...!.w`.X.WM..".n%!`....O...np..9R....U<.WKX.\..~...)~.a(.&.......<.,..L....~xfo..t)D.v.ho....<\N......$=.Zu)..B\.Z.t.u..)...pd.7.t.q75..}.`...e.,tO<C..h?A#..e..d..q_.k.?...U.T......U.............Q...H.~.0'..o;...U.E....;.h..v7.......w.......KL.`...HI..T...Jx..>.K9s.gY..]....:a.

                    C:\Documents and Settings\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1688
                    Entropy (8bit):7.889644859093712
                    Encrypted:false
                    SSDEEP:48:dcq7D/hG1urkgf8R4fk0iSn1pANC9FbZCnU:n7DpGYrkg640S1ppFbZl
                    MD5:791C6729F78C4ABE86A39CDC5B6D453A
                    SHA1:3A3D313CDA9CBCBBE9BE3449D3709E78285B9BC6
                    SHA-256:F9B78069ADA8B8817005C00D511E900999245281A84041956E79878B9A5224BB
                    SHA-512:ADF9C406CDC654ECD9A0F784BA0B6486C851CC500EC73D668D56ABB089ADC1E7B2431BBC9AF4B8AA457D87068EEAE6D6791FD6737100CEEBC965DD171EA727BA
                    Malicious:false
                    Preview:..V.=...h..?jv....8...S.8.D.mF<.....O.R./q......^.3..$....<..$..)...F.. iVQ<.b........U..QU..}!..p.......z.._.<.....}...D,.`|..'OQ....S...i.L..|7..K......e...8?V.s.&.1..M.jF?.....v..........|aZZ-.&.R.p..`~8.F.Jv.`..e.1...n-.*...7.."$..1..z..|P......u....(D}.....s.D.7wFX..5.....4..qZ.3...WU...8WB....IfK....5e...U.?....5..8t.n{7q_..a..,o..I..0@mt..Q....u.C.=.qa.o9>.......T.=<>.r..[.."....^Fd...T.....6...>...E.\..X..l1`..^B.N...@i1..hg.c.....cx....4|........{O2E...a...Z...(.k..~.H .....+..R.JT.(u...eO'.Y%@...D..R. 3v...].9.....}.<.7\.s.4.E......S...Ry...c......J.."..;.[.W..I.%.....qz-.p...T..U.|.!.I>.............................,......z@M.|..p3g......J.........,l.3}1..K.y{..`....Hq.6C.}8G.'U..{.......\....(D...8.?...+].c.l.@P..^..-U.0.K.p.k..........-G.*....y%n".e..S.}...8\S.!....35~.kY~...X..Z...w.D.R..N..tp..\PVE_#..V`.........C..Wim+.}.Pp./......6q./.].F=....h=..R...N.V...6......I--.C.3h,.....x.h..A...wo.g.5.....2<%....#7...-fwu.....*...d.

                    C:\Documents and Settings\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1288
                    Entropy (8bit):7.848143852068239
                    Encrypted:false
                    SSDEEP:24:jfGesEtrzhmdCwI2T/Bf2B9MBX6bXyro57v8KSFglSn00E9N+S715QRz+/s60B4c:jfGehrtABcP4X6bXSWUKlSOV5Q0cF
                    MD5:B18A3A11190CC1DBEA5FCEBAD13E4981
                    SHA1:00564EA8A2FAC064A5C5C1F8C1CF0C8E33871AC3
                    SHA-256:0FFC86318EE3764654E2CCE87C0E2E5F8E9D928E213E70A6689C63AF486DFC53
                    SHA-512:E1219D29E0F14B8E559ADBB2416BA0F7DE53A7F2BC35556B04AB413D48484FBA813063DC375E854D74A7FA5BF1C26BAAFA2C9788D3C225953282CE00682B9FD5
                    Malicious:false
                    Preview:....(`.6S......jcl...$.H...#.>w..Q..{.d|.OyJ..|.n...........uvG...._.......a..........r...1."......_P.x;..~...<......g.:..h....u.&...C.L...-.../P..%!.[.s.S...ia.@..-&br..t%...hI...=$i.F}...s.m(x.%..P...}.a...C.|1..<..b...T..U.|.!.I>...........................f..y..pyM..pT@.....-.bbC?.3r.....F8...}....O..Y."...d.....9\..Y...X..<IzQ].z6..;69.N0/..eb..._.....q_`.*-:?t..>=0F..I;...\..e.........4.....M.a.w.w..[.>u...........x.{.$a.?.....I.....:....9..Zx.z.)Sm....1<N..bh!.X.[6.........X].z(3.h~j... F]...;.....`d..l:...z.bE.x....x.M..R.u..Sw....K.....s3ow#c......=..d.B0..z8..JC..K..R.,4.2.8o6D......eOA.2gz......R.cn@...e..z.\...RM..m.'.Q.B..m.lpw!..|k....6...C..l./".N"m....0.,$.9...*..........`...-a>....0}..0...PBa.H.........M..Kn>;;...5...R>....R..)...^.c.T.....mKO\..:.E.o-...i...rY.s.TL..j..........[...r.:o.....'.6{.SAs..{...f.....$%...J,6.xhV...-....<.......W6...........sz.]v........_r&.y......M.............$J....E.m.(f3...s....y..Q.k

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1496
                    Entropy (8bit):7.846221985597693
                    Encrypted:false
                    SSDEEP:24:rpFW92gyuIpAB2PrDdiKy442So5yoPOCjeZuKtY3SjFuDS6G0hfj2MNP6Z:rj3uIpk2Pzi2/QoGCiZlYijADS3AaM6Z
                    MD5:BE62D2068A8D737B45219174B24B558A
                    SHA1:7C4EA438318CCF6B42674C3BBD1EFB03203C5579
                    SHA-256:543B003F2090F217650B7FBD4F3E523658454D3B5D5535D2CC38A5F51D7A6CED
                    SHA-512:441E0DEBA1EC541D3E76320DC32EC4024CB60C29A320CF247F64694D181D99545D3BAF499BD4118E322C722677D4C617FFE5DC7E09ADF03D03DC524B6D1FA51D
                    Malicious:false
                    Preview:..@Ca...(.L.`'P;.....G..|.&._..#..._..A.H.b...i$h`..fW.JF......n..;.i}......v!..cD......K.).'..q.L..U..&..Flu..U(`....A.:o.....!x...y.V.n.a......Tec..(YX....Z....Vn#C....F.{.....i..n.....@....`.....<....E^.7..H../..=......G*IR...OU.=m(@.......8.+l..^....=.-.Is.#J.5.*.~.D".5.U..44.u.t2..r...M....4..|..^......R+*.m.........Y....Zn./.o..1. ./.%..43..}.J....L.v..2.<...>.g./..- bp\.)...Y...S%.z.?...Z....+9..u.I.,.r5^...T..U.|.!.I>..........................vj..Abd...G..~...W./..u.NdQ.....].gp\..E........,......-q..`.!.T..(..$in.\[..r..D-.'4p....Q".?.#.....i.. .,JY.5!...N_...Q......F..X....b.=.u......]..G.VN.PV...FL..*..z.q._...ki....c....Z.Q...9a..._2.*.T.....{..t..0...+.?.f...>q.f....g].S.E....S_.....D...1.%.[.2........"....gI..S.q.l..+.n.0yV'...J..N.*U..O..[..E..._...`...g\...<......9=.....i........r.>.9.7..b..x+..ob..Q.0&.E:.U..............;.:j...{...l.e.l-..[..7.c.1.e.].1/.$m.....@te.......x..kiZ.,..n.=...w9.J="H..}=0M9....]|....0..W

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.EXCEL.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1416
                    Entropy (8bit):7.843184276553063
                    Encrypted:false
                    SSDEEP:24:oBuldpc9qEB8GCrHyl4b1dAfsHP21UDQcft2CizcN906Q16xMtkOBP:ZNc9fBerHyGb1fP21oLl2BoQ7br
                    MD5:5CC008EFAF01DA00B48F4F4FB05231B8
                    SHA1:5E84C85F7BC4B631768A5C204708FEA6A12C6CFC
                    SHA-256:A2DA64DFD03112C47B3174BF4261F0F09318F067D365F860C429AE29426991DC
                    SHA-512:E31206FCDBFC1DC7295A26054D3B63BD6B7DA11EF1D3548BB30F036C1F19095E73B84609791B090B075EEDEE299DBC1D048E91E8892BF6DFD799F187D9B0A1F6
                    Malicious:false
                    Preview:+..7R.".../h..@.V...>..>..y.I^x,4.....Fp..P.....N;.,..C*/.94..o...\r.....cHO..o....z.L.?H@....X..(..t....j...ET|.7r..!.R..`u..K......x.T...........(ckY....6P..O..Ch@,....i.O.........D..17..7.q..YH..;L.h..8..o...M..H"+.qs....rPQ....!)......'.R%B..&.l.....I.E;8..).....E..J.Vh...n.d..3+...#o..q6Z....&E....v..r..2...$..Z,2.5.F.U.D....T..U.|.!.I>............................V..1......K)$v.}..j.6..x..Tx!...g..../.2.C9....r......H.^....u.......??.%.x.q.X#$..';..J.<`.P..`..-.!.F....6......-.^..q.`.....sM..*.,. m..N5:...A.U...kZ.........^......zQ...Fz......4..7.ib^*....X.A..%(D=..}.#...a...$......K8.....\.D...CB...Z..AY.?..ahX(B..#SE.Z.e.....O...b?.....C-.o.....Y..R....'h...H.......1.J..I`...M..).e.......KF.v.. ..fq.iN8.........3.6.....pJ'..V7.o...<k..F].....k,..=...W.\W..E1F..ev.?.)G..,C...S8.Br............wF.L...J...j..E...2....z.....#..~[2......o.....xv...2...!YD(E..z.?A.Fo..{.4.wM..C.....G.....)k..#P.8..6.......j.#...C.`.*....#.`].....L...

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.GRAPH.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1416
                    Entropy (8bit):7.865655724826455
                    Encrypted:false
                    SSDEEP:24:5nM7kbcAWMf6Osgi6XMSQ3BEwfzuFyaiM0LB14kZSG4rXyfbGIHv0mYmB:FM7ScHMRsLSQR8OKrGjlP0lmB
                    MD5:F91DDFFCB49E3C0ABC5824CEC8FB7435
                    SHA1:B81C9F080892690AACC30FEAE567FC5CDE2D4076
                    SHA-256:4C9752EBE4C14D671E83D45E02025F4382CA5ADF531E9F09B95CF4F1D47A1A57
                    SHA-512:8F234F0FCA76BDCA3359272891C3D246D748400EF182A56DE9B4084213144618F9EAC7C9249623EA92E476D4CED798BED51DE9238A59376A67DAE6F8D30073D2
                    Malicious:false
                    Preview:..~.M......b.=..!..+.<;.....`)..c...In./A;#....D.c+|....O....U...5....8..c.......?...K...[.........l....z....X..4.A....Eg..8...[....I..S..Z.Ar..})5../..(.|.1e=3.q.Dd..>..g.v...1..X(..H@-...?....`..K.;o^xcR...yp`......j.p^.:..A..~....3.v.l..(......=`.O.l.v.F.(.v...E...R..7ZNy...A.....)......L3..J.k.....E]w..%.K..r]...h..V)k....v.3..\.7a...T..U.|.!.I>..........................R..,.e....5).:............H...Ff.j|y..op..3.$..B..N.B....<>..t)Pz..}>y.\%.Z...e_r.y........ZBNy..`#.Nvdgm....(.^....'.a..H.a...m.......K.-.io.p@.R...g..t...CT........V...A2..`....A..{Ev."...........$....0.41....[.E.*.o....u...D*.....)..Z.?a..<...V.pC...*..].....;.%.O.B7.b..h..?.9.3S....O...!.D..w..e....J3x....{. S.kN..L.;..Jg.....#.C......?P_.+.....U...,......C...R. ^`g..........?u....5....WdR.......z.........$!XF.......oxO].......U.X5.....J.)s.L..#bX%*......m4...&C.....R.....7e....*.$....:..GR..e.........H...*.6LI..._SY..,..E...[.../.;8.^......Pi...^..5.S....fw..X.....a.<tN

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.GROOVE.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1432
                    Entropy (8bit):7.868331685237219
                    Encrypted:false
                    SSDEEP:24:Xwr5E67H9xd2Ot1JTEIgMSJKx2+gj+nGmY9VeZUU/IdFWvViutE+e9fnBVlxnyTm:Xwr77Hl1duZ+gjNmwj4wFWvYCZeRn7GI
                    MD5:073A81B13797474135A114E16A767739
                    SHA1:C1327CBE36F95F9C4CC27E2CBF3D79D5461D6EE4
                    SHA-256:0479A737E05F9580C09D8FF73921567D9ACCC0A8538E071418013AC862B8962D
                    SHA-512:1973983156AF9222AE24945ED8A1358C7CE9988626CFB0033FC4B80DE48C8ABF2E7AF252DC8BCA6C7080680F881D1CECD967C07F236E92FCBFB5F06E81816DBE
                    Malicious:false
                    Preview:/{4...g....5.....n./..Z...(.2..O.........B..Pm.G8$s..,.P....G. yH.._3<*}.o.J.t..<..&....a.......Gz......*j.T.,.....@..E..^..u..U.)..H...6.a...*..xqb.0!.ea?Ve...%../.['.7..\..(....Oz..O...m+@..IW...?0....hP......W0..k..6._......F6......$Gj$?k.&....$A.I,.*..V.v...` V.......3..#..c...n.%+F.#.T...x.<.5..C0./.J.&..l..t4J.1.....`...wq~....m.K`v...!.Q.$_...T..U.|.!.I>..........................'#&...s......|p.m...w...[R...>T.......Rs.......n...5c..vD..w...%.^.l......j.n.{w..R...p..zZ...Q...y..,.R.Z~/.x...5.0.d@.~...3J`EJq......w.L...d...=.UsQ.u...k...;Jj.c&..A..S......._|.=(.kH..].l'..kI;..C......@r..n."......@n}k{pV......zA..*....ao.....3/..A,..8..Q.n...=...<y....P.X.I.t.{<.A..........j.T*.........<..G.~....+\..7f...9..7...x.v.E....E+'XXb~.#..7b.s.'..1W.o.w....j.Q-..ye%N1..I....,.9.lp...d9P.........;Q6...B#3<..Fq%h..K..Y..I....*(.A<..y`..}..".#S.H.D..=.`O.'.M..nlI.D.B.f....Zy....{...........l.81l.S.@s..6e.'.p....].......^:.......{.u.v.....

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.LYNC.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1416
                    Entropy (8bit):7.857998230294626
                    Encrypted:false
                    SSDEEP:24:UY4BlES9lK8gnhCzBrMRFWKMjv1UaaLEy+ZIa6bQ+oYY+jfYeHZdPwUih7wBav:UY4jpnL8h8lMnWKW1UfLEHZgjfYMvPw7
                    MD5:D0BD3BF47FDD670909CECAC029442EBF
                    SHA1:88766682FFB38F13F457158644569EA9FCBD355A
                    SHA-256:7EBCCC8733B8C4BB172DED0591F296C944399E1A76DAAA26EB402733B13F8E68
                    SHA-512:CFF23BE29A1F6C0575FC661A40B8BCEA1E9026FF37E7A206C83C70162BAEE5340F7AF308862445A842D6AB8FEE8ACC317EA47D94EDCADF6879604844915C2AE3
                    Malicious:false
                    Preview:M...zp..v..EV.............^t..}b...IC..c.@Q;........(.._.3..z.......nkd.......3....Z;f.=.?..%.l....9A..S.p.V..b.).9Xfs...tU..>*y.... jRi`.....X.sY..9.....b..s......J.d..../....%A.bV.h|..}+&pa..k.hD....#.'..A.G...!.?....mTn..XJ.).G.9..-..m...K9...L.:/.T.r.l .z.....D.......:..G0..+..1 -)..*.Jc.i.%..~.mu.....a...0......I'RS.kV..0..}q+...T..U.|.!.I>...........................,H.<..U.C.P.k.....6.D..BI..w.Z.Cr.? ;y......;?.n........7.\..w..u.>..aod..<.D.Fu...../..0^}.?.ut...../...(....S4|H.C..}A.._..`I..u.q<.>I...L.............d..!)O...e..1u.......c0..^..t....O.PVdg..d..A.v?n}{..NRe.iU.._n.Ks.jD,.9.^.......H..Q...;U.m..V.."u..j....s.BIW,i..H..`..P_.n..y..^....WE..3..a.(&.g.7...'.W......].-.Ji..I.........O.....;P..*w...'@H..]..A.G..m.F.g.8O0....=._.......zL..$...2.?..<.<...5.q!r.Gw.....5..S.Z.........g..l..........Lz.aN..V..p.....K....9....e....DFM.U..(p{..E..B..Q...........}u....!....~sx.7$.9.....\|..........N.Vh..2...d...Y.O......";..X....

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.LYNC_BASIC.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1448
                    Entropy (8bit):7.849848236935187
                    Encrypted:false
                    SSDEEP:24:osylyXXwnPQyfOY6OSw4dC11HDDAFNdfHWEWAo3qbZdmXVYDHyFG4S9Ujc/XCT9R:oswIgPQrTCHDDAxeYoabeV/FG4SqjHRX
                    MD5:C889B77F646B018C62073F4E1929A247
                    SHA1:47ECC335E9034E845611CEAB0F098D4DAA52E46A
                    SHA-256:BB91EDAF6BD64F742808370D24D22D60DC47BB9E5AAEBE003AE507C588D9A282
                    SHA-512:4E932B31CBEE933AB0E62A1A7B9340E8DF1CA57D67BD3604970906B0D0FFB0CFF866217280503E5453ECD294706B90D1287782E0B47754A11D743586FC20D88C
                    Malicious:false
                    Preview:L.l"3.g..C..Q...|.b.5.,..,uU^o.......,....I..r.....B.4U.....BL..V.W/....<....w8-.g0.[......z1.Y.U...q."....a.PN.......W .@d@..>.a.B..i..R.[,...+.m..N<.c.m..d..kFY..uK.t.F........,..8xc..X....8..sY....`.."}..2".%.U..b.q...*..q..J.kpkBO..W4dBG)97...x{|./..|.I..Y...F.z.P.~Z.8E...T...j.M....s......6."..Yl.K1..3/N..E&. 2G[..@I.h....m....[v...r%8Rv...u./.qPm2.P.4....)....T..U.|.!.I>...........................3G\..X.......rYY...V.4..}b<.r..@1.dV&....u..P......;.J..Y...Xa..@.@.7..7..._09..u[...v...s..m.L........4"..N...T...z..v...#.......a..?D...ZHr0.G...q6%d...N..k1+..2.U.k(.....,53....."F.cU.oR.8.bA...+...4.A.GQ..q...3..Z.)...\...X.F..(...........<t.4.....p.L...f8..4.....5..k.....!..W...+e.@......].p.....(T(#W^.lZ#.G.O.BAs..|.. .....:..3FX..1.!lq..l..u\......9.....]......koE.O|$5f.".H......l(A.^....7.s.^.W]r..S#yk.>.P..I....*........Z..b...<.............!v.......$.5.m.2../.xIC{..p7.......tP?.a.(c.mR..n+...D.hM..I'.._.....]...8~.W..3....U.^6.

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.LYNC_ONLINE.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1464
                    Entropy (8bit):7.865999469884405
                    Encrypted:false
                    SSDEEP:24:Jly1hwscIPwZcU+uJyPfOWtpahqjWL8/2B66ze+wFT25fDMgwyNR9NKIruN3X:+zwnpJyP1tpahkc8/2BDzVwAfy62xX
                    MD5:B239FC799BCF22B7ED560A903191769B
                    SHA1:ECA7F01DF9F6ED70DEF3C832594582FECE665A51
                    SHA-256:303C5A08D477D6D929AE5E917F4BF6FCEC38485369E251C6FB37C76E5C4239F6
                    SHA-512:42DCC682378A567E20B4622A1043131CF131BC66018588228F7A461252C5EB2738FF15926B4DC44F0BD4562067DA5F459FD7DD31DD46382FFEFE737AC61FE207
                    Malicious:false
                    Preview:Ba..2....-B&.|[...Rb..k.....]A...Or..!AG...iA.=za[...H.."Pm.2...ZNl..R....s.......A..So).....8$.{.A.23..l4."|..B.B.9D...0db..4.K..Y...xP..O...]3..&.tW^.1.`..b...".o..+.{.......lC..h........YG..!...[}k.;.~.`..k..I....R.Ui......V.toS.h.o.....*m.._A.0E....H...`D.(...Q..?.....g...a..C.h...7^.:..N.......Zq.Z..~.G..u..V.*..3..7.).<e$I..c./.`...".,..[.c3.mnt`.z.W...a..R.l\.m.~1..'...T..U.|.!.I>..........................mz..e.iT..J.a.5.n..S.\qo._U...Z....|6..3..F..nb.....2.+ZQ*l...K..<C..j..G.....FP,..'i:.tiT8.D..d..]..F.....f...{...4..G.....xu(..}..G..<....]a..{......%0K..dc........@._...*..."...]^.DE.'-.n.b...h.......8.k~.s[....j.u...........F...!...(ia.J[U.. ....uP...=N.aV....%_.F.R.....\...b}x=x..w\.?.A...[ .....R.....,.....CI...qW..yI.#.6.H...-..Q..P....&6.9tl%up.*UU929.......\.......)6.V.x. szqA".....3.h..X.mB.y....\..5...ec.DV.R.gu.(..}r.K.5..C.2..D.../f..K4..h..o.N...<~...:]i..............b/..Gf.Qj.k@.<kk..&.F?....D..(...^..$..._L.B..

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.MSACCESS.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1448
                    Entropy (8bit):7.864424613946546
                    Encrypted:false
                    SSDEEP:24:FiZG7vqiJPbmqjbXaTORA7kAC5yqKwGMwWCZUe5n23L1UyxKQCSifdF03ptYNdiK:sZcvvJPbm0+ZzC5uwHw7BvyhCSU03ptk
                    MD5:3CE446A95FDDFE7A0B9A05160AA9C315
                    SHA1:2A5A44AB4C33F4E2EAB5D39CD48CD96F2CAD2333
                    SHA-256:5D7E31381DEC293B4A0A82981DA42EB1856CD3583E938791B6B8A3F0DFD002A3
                    SHA-512:DFD1D2C6F60C9D3C34F558B1A34D271C6CD62571A6274384AA5FACAA0FFAC4676E09F2498F5D1292B3ED5FF7E939E3F4ADE8C463FDF7CC2FA757CA5E58C70141
                    Malicious:false
                    Preview:..<..FW.......HFT...!.F.%..\..Cw.".....`7....~.nq.9Wb.<.).A..R.....6.'.u.].L...{....7UD..g.OR..K/.$....j.Jd..:..hIUu..Z.x..S^.r..._....CF..:.E..`..#5(S.hX.>7.a..0+.E.4|...t.|)...Q..X...1.h...KM..1.|.#....i....."4BH.L...}@1...b.4...5.!]....Y...|.'K5x.^W..k.1.t..\..b....-g.......`..F.#..D..r.A..\..A..(ec+>1H.n.f...O.G.'...P.Y...j....D...tB...Eh=.VO.g..cB..2....z...T..U.|.!.I>...........................@qp...T...`..D.Z...8.I.TJ.4.j..;4.-c.Y.r....v...Tg..A..;.N.V....x.)v.U....Q.rpyv.x: g(UT#..o........,......^.I......1&v.|!.7.1fC.C...9..<....D.jl%i.<..q..../..j..bB....f.#@.-.c..%_.L....A.....M....).hC..y...J..t.k..O..}4lj..j...0..9.^...7.{....=v..9...o..P.{B.o../..w...t.C+.O..Zd..=....P._`...>.md.(.......{..q..b...J.8W.A.n@}.&O............<..!..X,-.l.G.:.4O\..2z....)....KpJsu.......F...U ...Z.,..k.g.......'...c.lZ......w.I..".-4....|.e...Y7-.."..rkq.V....U..CW._..2p2...G.S...S.p]..r4..*...S.d.h...I..vg...6.;.....Ck.%..y..z'&.1.......%...../

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.MSOUC.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1416
                    Entropy (8bit):7.843293247170097
                    Encrypted:false
                    SSDEEP:24:t0hcX/mealVpwGss0DKyw3bwSuTogAieqzyAKsyl3E4qNhZda3/aj3P3Fsre:tIGaBwDsUssSrOeIxyl3E48eW7
                    MD5:3CA767061844F3D25DD7C689B4355AB8
                    SHA1:8CFAB6D2C2B0AA3BD048D15EBB39CA3187714446
                    SHA-256:5C505F4DC209F55019A2EF89746540F447E427642C22ED02CB2226F7D9B0667F
                    SHA-512:F4CF0875EBCF0DC797F294F237407E59FEFA32DFFF0EE203B9E42F92C4A36286CF09E7A6870BAD41DA8B787F44BB893342618C1DC4E8BFD93F5BB66901741D77
                    Malicious:false
                    Preview:....2...........I......;x......Y8..M.4...E..}>..X.S..^hVm...(..@e'.R.1.2.s'.P.K`#.."..,i.R..(...+.....M....R(a.}Q../x..t|h.L....Q8.[..j..m......q...Q.Wr.5..U&Y......-L...j..s?E....`G...?...,...+q...6...O...J...r.T....p...a.y8.ND..T_W.X...0C.~..Y.t8.(c+R|,......:..i.T.u.Cp@w....u6...!......lm.P.....kkw.5..u1...Nw!..\!.]...+../.35..6.a...T..U.|.!.I>..........................K.....;...j.q..p4x...... .}..H...$.....2D.Wf)b.z_P.."L....=.1}\.b.D.E[a...w.).g.#.... .I......6~..q..p..@.N.%..W....`.....3.B.K.4...q\q........F|....,.5 ..[C..z`...Y.-q......:.}.S...3vJ........hJ...2f.|[...t.l@.!..l,\..w..t...>...(.U........@ ..wt-..m.L.=._.k.VY.+@~.iP......c..Y7......!K.......H}.Tb..R.....%.....z7.4V3...|R.....Ow.;g........_..>...*%.,nG.WV.'y....8.0...z..;._.U.{.".,Ix.DNH......../.C..qy.M.Q^..`QR.....>ax..Aq1...n......o.Q....u......g.^.;..&c..x...0..i..|.....$.....dn..U4.^.v...s2.%...l.]e...o".....y=..p.4..+.!H....h_......g./'.&....X1..Y8?...p.0)

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.MSPUB.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1416
                    Entropy (8bit):7.853576836983684
                    Encrypted:false
                    SSDEEP:24:PjXVP5Kzt5QUh7p55z1Qj32HNMTG2dVlrKKM3aqYKhlN2XQcglmP/g3U8y:7VP5g6ov9dIHdDrKji4v2XQP/xy
                    MD5:0935A8890C56BEB835C4DBA654E05BD8
                    SHA1:A971476E26CCF983AE1634EA2A22862BF177AD17
                    SHA-256:0CD1FC3E7E9A4AE12CE900A951A8EBD107C5C8BB41D5DB0D2E78112AD29EC66A
                    SHA-512:0B5343BDB82F04FB148FFC3DD691A7D56FFE2CFEA1A37B68FA66A7D027C717739B951566D727EE0DDBB43D42ED17EFC064F71B893A0B20AD072E23D105617112
                    Malicious:false
                    Preview:..F+..f..qg...... ..`h...%.p'.....\e.q......\.v..;.x..G.k...b..7{.x..4..X.j.rV...l!<.....x.L..X{.b.Je.~.&|....0..Q.Q.CW.....-...E..{?s*......Y.....D.4.{..D,.......)%...^{.t....*.9H.{.V.&.{.:F!...e2.7.9!..'.{4..~.~~....7.T.bV..h.......-p.a.%K...:.:!.nZ6.F..S.${.....9.....iN2.>....<.."I..=b.B.pC..s....yYY.L.o...n'..1.n....O.+'>Y\..3...T..U.|.!.I>.............................yf!$.....Cg.t8.Q:..=..P...b..GV....k....C.5.|...Fh)v.,$.......-M.D~YSr.3...D....b....9[.HY#.6"gX......{.Q..&F.g-..A.W.Z..U@..dQH.C...M.](.f..Q...O..d..j."M#.p.z.J.......8.u.n&.-T=9......[.<.#..`..q..<.f..s...w..f3..PF.so..U....0...}".i..t.^H$..iD.60..G+..;....*...7J_..l..}...i1 ....\.)m....m>i..4..S/.....K.*c.:>(....[.i.l0.TG .....7....W..^..<...9..c.......C.....).V.2...........u.gh.Y..4...F.O.H-.'}sh.T.=.:.e*.8...~...m.Us...x.x....(..;....<..$.U.;)-..Y..E.........m...U....2...\..Z(# ~bG....RgQ[+... ./u.I...P.....4....-.A....?y.!..;.s......Sz.8.N....:..2...i......?..Ik

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.ONENOTE.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1432
                    Entropy (8bit):7.863144220397379
                    Encrypted:false
                    SSDEEP:24:lS3Fm9ydjVyZI/eH5EgmZP5EvzX32UzPJIIAkbvowiKw0Mj6HutLnNlvbPp39y85:UVm9ydpyZI/eH5bmZREvzHfPJII3cD0Q
                    MD5:9D50F4F33A1CD63FEF8069459BFF93A9
                    SHA1:3CF00F1F005DA90A4C2239BE7C296751E9B8BBAE
                    SHA-256:FB4BBE8E3A4B6BBA421A303325861BC43CA2C1D96794DF5E151F5A42DBA94482
                    SHA-512:3764564C5651034392BBB15FD49896049E470D92CCBCF5AA58958C0008344185687CEBAB196ABFFCF57B5A240BE0AF7D2C7468AB735EB2A9EEE424E26F762DAF
                    Malicious:false
                    Preview:.VUU."..[..W.......|..3..g.,U...a.X.m...V).o.)..AQ.~.'...3..P..re-.H.r.V.a....)Huo..$.w.e..>.&...r..Z. ..]....)...P.......b..?.....d.-Yw...tJn!..J6w........j.....i&...A..m..k..5...6.M...C..;.../%..L.. ..y./K-..A.[..........eH.#,....6...'....S.......V..c\B0...D.......r.F.h...h......Q..S/....Y"..Z....&..(..0...|j..C.@.?.......17+[.......Xg..#......T..U.|.!.I>............................|..........=s.i..W|z..l.<.f34/.gP..eU......<.'.-.M.W.U.:#.....eh...a..#..y.....t...Av...Q.?...wz~O..4Z...4.R..4...>.+...7......[...-.-...;_]G..G-.q.1W..$g.&n..%.K>......1.,..u..sD.......O-.y...PwUd........B.f.5,F_.....0.......z...p7......)[.~...........4J...j.[..?..A^I.m.i..N...........8.....:..9E.r..z........3.0&8e.Z./.$..,.[..SR....4p3.. ..$V..$.8k..BQ.%.......)MU...</..!..G..p.D.[Up.....f...2...=..\..no8...5.R.dK.C.X..Q9.*.o'eV. .*.PZY\.......J.y.....}87._@...<SgT.O......j.q...(6..~.)........%.{[..Z}.?...K...W.&...j..>G...om...[N....;..%l.-N...-.]Nd`U..mH.^.T.

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.OUTLOOK.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:COM executable for DOS
                    Category:dropped
                    Size (bytes):1432
                    Entropy (8bit):7.872758956170493
                    Encrypted:false
                    SSDEEP:24:kLHzrNUE0Vm4An/HvgZ6Xk4XYN+1pRdpGr8MeZPA4EqXxaeqajdFHEs0CSF9mo3B:kLHzrNUKtnvvgZ6XjIopRepgXYLaZdEn
                    MD5:599CA8746812FBEBC4E2893FCCEAF4DF
                    SHA1:A2524C6F6D915F1863B0BACBB61721DCD30E4F82
                    SHA-256:EBFB1D95025AE8589EA587FAF00BADCB476AAAD959693D9D92DD4E63C558CA1C
                    SHA-512:2CD29C983395DA3760995C2FB973EA51E23A8AD4267D3FB7BB5C8742A4289204A851E40EB22067F6EEC0BC0D5D5F5D4B376BB5B41F3740B6D06B4144379492B6
                    Malicious:false
                    Preview:...QPG...,..$..&.z..zw..Z..d...k..>.5.....B.{..w..........{P..i|cJ.*..O..4!;..Q....<!E....."..u..V.G8..o]......q3s...yrEy\.7....V.ZDH.U..$<p...M.......@.z.......:u..\a.D..m..{..A05.=.0]|;...Lg.F..-s....O...d........K..[=H.S.A...%~I..S..9...}......(.>A.[(.BN..P .y........$...W..[....\....2<.i..>..M.R.yr,...w\...k..t.CV..8e.....8...2.Wy..T.TT.n...T..U.|.!.I>..........................&..&.hC~@....o.r.....3.v(a.....kc..."..l...YWu*.../..$BR.\{X.)JV..H.j......X.Js...!....:..7&....E='.D..a...x..:.......sVg..B...d..`.?.}...........{0p.D.....t.p.F......q..ev.....O.zE.h.d.b;.tixC......B.......N)..n.]~.T.%.J..]...........5'...c.NK./...)..+B..e....ky....1.}.+..k..ZQ.M.......v....y\...=.kQ...K...4.C.<....P.Sg...R..Q..Oa.;<.EDjc..I#7..".U.@..e.............I.'..~2.....}..;F.....C2.o"...;.VT.<,..y..l .?.i.?...".o.zw.i...~N...XgkZ..c..m..z...rI..6s...bz.......T.......w...9..;nQSD..m0.....".'..>...I..2;.C...."G...\.F.g.D.U}....2..fz.R.W..*..K....

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.POWERPNT.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1448
                    Entropy (8bit):7.871385689425973
                    Encrypted:false
                    SSDEEP:24:kaLVQ9hLVO1njzijdi+MhJ7Wv/IPTktqjgDmZtMwRLk0njxZNTvJeRLK14rIt7gR:kaLV+A1jziBiPJ7e/DtqjmmZmMzTvJe/
                    MD5:45BC4FA6ADA3C6DEF52FD1710BC29969
                    SHA1:973413A6E6540F8D1438EDEE696E18467DE4AD04
                    SHA-256:F9387DABB09DFE4CC6E0F87842DBB8900B4C073E4EE9D2EE3B6E761A6AA4902F
                    SHA-512:816491CA309187C5348392CFCC5451BD0C36A31E8921CF8AA2D2C3F9455DDA3EF7E0A7BBD04802FA3128E82AAB11394CF172E00C37DCD66E4B00FE917CD00DE0
                    Malicious:false
                    Preview:90...\_|;..A...yy...J.R..7...e....P.*V..i... .&.|.!..u..#v.I.EX.?S....`...Ds'.f5X..........%3...`...-...\Uq.u*.@.t1C...**.e._"....X..i.......D...| %.Z.G..........V...&[...~".3&.....*Q,.....(j.C|.....w..QI...3..b!...=......$.#....RV...W....-...AAm$._..t.v...'...Y2...G......a2NA....9.fW2nX.K.K-..RM...o.......6....l8.BA.. _.1..]..@D....@Tx.@....c.ro..0a3...A......T..U.|.!.I>..........................Bm...n..b.'d..;_w..'.G...A..f..C.U9.{........[.e._!.:....z.......=...........l?....8.Z_d"...q.P\.%rJ:=5..ER..tZ...&g.<|..(:.,...H!L...$P...^......+.T...6.!..E[.s]'....^v......cK..........:./..1.T..ZB..c0.f.......K............(.\......S..?.....d{.y..P/&v...j.._...N.Tk..b5.TM....|9S2.T.mM.|....l`.p(J.:M...#$.#..v..v..3:..lw..7...E1..?.[:=..+.Y..n..OT2x#....zfW;..f,`...H.._n.b....#...(....Q.,.Y..rq.)...<.5rz.\...q.&.....8...)Q.>(\./#..L.L..cP.....4..5h_.....s.....&.p=<..u..u...oy....j.y<{...p.,[@.....%.n.z...v...._...nw...g#.Rnm...P...A.&....&

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.SETLANG.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1432
                    Entropy (8bit):7.858754654949151
                    Encrypted:false
                    SSDEEP:24:zkDYX0UX1NWJsbxWqIvTDMP+i8n3LtX+LpDyAMEJF00XzXbye00pnIeMu+5Yc7vI:I00UlNWJsbxWqmTDJTnbtuAEJF7XeBuv
                    MD5:3F39E6EE456D937AB0FC27B72A57DD0F
                    SHA1:0E089C3229C7EEE37A849121CB036AE3FB113A98
                    SHA-256:3AC4A055053912B1C54FDA317D55F3879AE7727E6F10F78792A0AC25FEC1B498
                    SHA-512:40B5F2EA80938C3DCFB12BD54EC7608AAF8F0DDDB56F090E846EA9E3A6CFA74DD716A08A82E3BAF7F3059BBBBF44EA4D2695F50F2E7A083DABC074ED1C90A6D7
                    Malicious:false
                    Preview:{.'.k..\.Kc.L.+..=._u:..ph.u.IH.f.s.......Us...rS.\MY.o..rG..}.>...y..Jhf.m.).$.....{5dT....v...`.....m.e..P<+.L..7.......{.>.$.r..........~:.^..8....I.....x.....S.lq......:..|}}.q.9....R..t..`Y..u<..<..(.t>.!&t?.|..64....C..V../.....-4.i...i.B...i..km5....i.1..t..B...U...d..........7.#.*./..X..'...3..f6.$..hU.......@.X....qC3.0.eeh.......L..@.....T..U.|.!.I>............................^....13..."....|.g.\.......YV......D.k.]..SQ...!}1./(.....&..$c.. TT^.O...t.u).C#y......L.../...."34q..LT.`..<.a..Q.. ....J\...@Z..=z+.p..<.A..x.9.'...?.WN...,...,.b.3k.X...._Y..u.Za.....7e>.)Lo&*......+...a\.J.c...K.......T..:.....o,..U'...@$.K.M^.:~l.6.;.S(..X...q.z.M$..~xq.c.}....S.y0.......^hg..K.E9..<.......{...'_..5a....O...L.+.E..........9@_./.`...k....K...?.....w.K..UV.....g..B.u..g4)P.c.o.. ...Q.......].-.\..C.po.....cy.....V.e...g..,..|...M......L*.u...oMP....b....3.Q....Y.......;...(.G....Y.H....w....&W.a.RB...C&..Q.-.9....u...D.....}.z.@..

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.SKYPEFB.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1432
                    Entropy (8bit):7.849810799626368
                    Encrypted:false
                    SSDEEP:24:T2zIXM1nD2imByT8t9tqM2lDypXtQyaInlWLjvNTTvPjWxZQhMKdgaaUgA:TfqnKVyotj2luXQXLjFvXqXAMK+Ut
                    MD5:3C3B1AE0100E9CB774534EBAF792A0ED
                    SHA1:DE381E0E62DC658E6FE9467F0EE913D4A9ABB3EB
                    SHA-256:0460FE124F1466ACA454F083A2C9AC7299EB4115597FE9DA0CDA28B8316CB425
                    SHA-512:14D9FEAA436D72082FF0C9B68B5E90AC9CEB81C0648DCD0D3DC4A13DA58F83541ADD948C3A7D724E6C85689052C534BCD54C2E3C60A3F0E30EB756E9D57A6202
                    Malicious:false
                    Preview:..O1._........J`O.X.....D9.@....L...$/...q..........SX..y@...]...H.(XV.f.w.T.PV..w}.)..].@.....7.T..\T..{Ah.e.@......L...q.5-.........?a..6..k.f.u.G^.)b..0d..7j:..&wZ...../..H.xg.?.2..8.X....^F$....`#X.............Mk......q..>g.hN..$.X*=.......E...d.D}..r?(0}.....Tuv(_...P.)..9...=..P5.3zr..O.....%H.k...F.]..p<K.I.LY...{......I...q .N..h..H....T..U.|.!.I>..............................%;..LO.Td...i.<[q...[^.n...HoJ1. ..PW.x...!...|h.......p3....i.*.Tz....7..J...7.-.9.;F.t1."..y..;$..L.Yr...Hdk..H_j."R..R....%c.B.H.|.'..`....K...'5.@........d...H..~..$..7D}[H.!...j..l...N........z.j..}.|.1....2I[]*`.....~...3.#%...Y.-s.j..8.}..,.z^...y.t.7.O..?....NP..@.;R%..K?..l.au.zfu...F.j.bK.H.....w.[....<....2..YPtW......`AK..3.R.....I.L.0.;...<....+.w8)=.J....6a+.Cqi{.!.~.V..#..=..0.....GB2t..bS.O.jL|\..........U.O;.PH..cU..R..2M..3.J........}.^..Y.}v-.k..9...Z.^..X...mL.Q,.=X...P...HR{.{.NF.w.~G;.7.K.z.G.E._..@......P.|}L.&...1.....q28.

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.SKYPEFB_BASIC.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1464
                    Entropy (8bit):7.847611422338244
                    Encrypted:false
                    SSDEEP:24:s21pAKrdEBCr4urSI9eNb/1+woh3U5ARLZAi8n7AWLo1riCwhYaADRr1OF3nTqFB:sCAK8dG79eNb9+woSiLar7AmCwhqDdk8
                    MD5:EA4121C2B9151615E27FB3FDB752CAF9
                    SHA1:8C319FB77C19B3EED568E0BB4933DB9459A82A0E
                    SHA-256:9165841827CDE4EDC3511DCCF6FDB793352BA615F2C66986CBE203362D81890C
                    SHA-512:65C1F3FA1A5ECFADF0994CA0C7790ACD8618932D834674CFBB14894DE56456E9E4834F7464D01D90213B85D1B537FC8722CEDC06FE6ADD8B217108B708276E54
                    Malicious:false
                    Preview:..w.~U..iL......,.....p.Q..]..#..{e:.{....A5U.......N.......|...p43:...k.......&.....^U......@..@~5....G.s..:*s#LL.....J>LA...N..}...O{.i.7.?....ln........M..k......HXTk...-m.Y..?H}x7.<C.|b..H#w. .C.@..h{=.c...9H.Q.E..99..{+O?1...L.&`#.}...<.).X+c..j..Z.*.|..P:... .6m.Z.h.%.~..C}..~=vXC2:g...b...s.^..Ow.T.5..!t.=......?...z.q..\6.j.{.r.Q/..........i....h....._.....qx......2>.Gk.......T..U.|.!.I>..........................#......{Qgb^.#..G.C.m#.......ia.4r/....t._..d.`.y...)..e..u:;..lzW..q~......{*w..>.K...........B.!..[.cpH.(......<Ph.;?....U.-Tu.8..h".....S...~..F..BD.`..Aw..:..cL~4.3..G....a.5..Fm..X...k.=...+(.l>..2N.h.j..;.....<d..=/.<m..#t`j...w..{..:"k..V.]o.}....`.....U{..a.........\.l.!M\cA+.T.......ZOj.|JF,]q..7.@.m{..d.Q....\..qR.....L......Z..qu.$.UD..yS.z.}v..x.T....k.|.......N[.."cmh-.(...C...l....D...5.(.L......|.<..P+....p..7.u.(..`..@....D6.F,S.a..^'.O.[F(...]n...;:F.5T:..f.../.q...(H.w......v..%....2....Q...I.4..A.I........:..N.".]y..

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.SKYPEFB_ONLINE.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1480
                    Entropy (8bit):7.853851611892772
                    Encrypted:false
                    SSDEEP:24:eJVyI6+lvUPNsEdhRZ57yAYVH6AzPHYoGk+USB/xetMsGQmK9GLGL:eWFi2957pA6Az9GkBSHbjQx9KGL
                    MD5:C70C7549CE86E39A269C67FA09DC0987
                    SHA1:F91C99CD309A131F7670F6EFEB79D5D612875087
                    SHA-256:E19668715AB794455D522E17D2D86D433D332183B2503B4118D8402DA8F80FE5
                    SHA-512:36F89BAE0F0DE5339AD4E87FCC9DD8C766FE8006B3AD3A6E67A9EDF9F0591A98504EF9D9CA391676F611D3F6A0339726A10862370B04DDFB869A175722D411AA
                    Malicious:false
                    Preview:t27...K..4....a.fRT...Y....RX..Yq.6....'.(.....ok+3'..<....}.`..~.U..^..P0........^z.n|....&..H."E">..?._...._.gX..;...H.Ag.x.....;c)....SY.`wS.......p....$.yT3..R0.dV.T'i.|...(...<..Kj..Y..wLF.^.m@.\.).q*/.}. O...=}.G.:......J?w.^l<.B.,<h...u.d..W.^X.c{..y.T#..?_g=...S.1(..../.$|..,^....B....s[...2;P..h.V.8'....U.....i.q.....D.c..3Sw.7]:.......;.+ZP.D......$.ocr.8...Y..~&..G......&.=Q~.%...P.....T..U.|.!.I>...........................Za.0K.4.{]R.z.=T.3.=...C...y*...>.t....^.qd...N.8.V.jn&.....,s.@t..}Y.....\...........`."v.........O..J....?...]br..B?.t.."......uk..?N@.....v....!F...f.A-...0...gf4&j:."....H..:.=I..FTV........$.Y..Q/)....z.2.4....7&..w;k.....1C.]...~.%..........pf..f...".:.....].tW..~...}..o..E.F..X[..|.B....--...a.bf..Y.j7.tH?.....mJ..9....Z.|.;.X$.q..c.r.....".[."...&,.Z.(.h..?.)\.Zd.*.I..w.Ky..l...p<...=..?.j`.l.yT.M6.....M.....(.8....E..L..:.&.md..t..<....(....4..J.....S.m..=..dy..g....m...x...y..L......n.*d.G5C

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.SKYPEFB_ONLINEG.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1480
                    Entropy (8bit):7.857940351082443
                    Encrypted:false
                    SSDEEP:24:T0DH8Fcj/nsxNmZ5Yav8eCIfJGl7petWTSQOOA2I2MUCH7maAtYbuM6GJXuF:IDcOj/siYyKIfAlwhXgMTH7mJtCuM6Gi
                    MD5:0373E50451FA9EE9868010D62FA5F7B9
                    SHA1:55EB7409136EFDF7786B46D47AE088A97F259CB1
                    SHA-256:1CE920D4B0AA221A0F21BB7E3FE0A7E31AD7FAAF3AFAE142F6D06AE6988C4D18
                    SHA-512:C0698D61E5BE33DE08E30EA30FC07AD00624A746D246E2EA07F73BDCF16C5952A39685D664C75CF4EC7F2386E949F1C94984B8451C9250DA2387CF8E8DB9C048
                    Malicious:false
                    Preview:.....O.%y.l.".e....<y.......iB|+^Z...!.M.u.......{M<}...2|.1D.."..x.1.I..S...T..e?r,Kt.H.~.hy.r......Jy.Z....C.8.....V.mR$V..3]/U).r..2.s...I......tr0...~..l..g.7..I...A..."Tf~.+=.[....6.5..R.r.R.'3.Z.CY..d*.9..T.o8.Mq^O.w..w~k........H.....y.p.....mrnb...>....%rv...(.se.........L.....5L.B.r"z\.f...}...$.[#....z.p.&.L.Tu....F.P..V..9..!.m?..si ..3..pifw......t..e(.%.%9.A.>..._.._0....A....k...T..U.|.!.I>................................w.....H.....:9..j..w...O.m.).'*..k.l......oC.B-N...~.1.:,l..U.K*...!FM....p...##...........;.[ p..~.....V.(.....k...[.....+...l....G..'.....q.^P5X..%..S./....z>...KKr...A.]z...n-&..I-k.C$.c....$~.k.....p{..4.."e.\#+.>y.h.(P.Ts4..;.|>..A5_...D.9.......~..%...+F.6.4...)YQ..~...a.I..!/.... ..E#....O9..o.`t...k..E,...K!.@.A...X..{m..7....R..N.y6..@.=.pMWf...Q.....#...8:6U..FF9j....-.nB..B...X 4..D.9.9.UN ..N9.6..`5}qk.....nb...X....us.sB).].0... .V.y....../xd.z.....#........"....oD,H..X.}k..C.T....G..}].hd.

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1512
                    Entropy (8bit):7.85810574782477
                    Encrypted:false
                    SSDEEP:24:MpflAGCKQXZsSkQVTag7V1D2EWCr9SZ2De8sOH+204FFU8RGKPtzmF6+VTZ:WlLwkyTyEBrUZoeX20+FRR1P4zlZ
                    MD5:BE05D70AF80C873E1D343F3DEBFAA5EA
                    SHA1:72CC9E464E6A39CBC4C17393D60AEAF9F89676A7
                    SHA-256:230FF4E2CC67EA4CD83F988E89D89611748504F52B2AC8A802CAF01CBFC8E496
                    SHA-512:0A1C4D04C96A2FB484E918F94907038588550661968CFB1DE3D1591341BF3E19090EBC8FB5D58F222875BE8EE94B610158E66072A6A3C162A2015FB66C1BBB12
                    Malicious:false
                    Preview:j...K,...8s......W.. ...$..j5.....+t[.VI+...Rw......u...j..#E...;.N..7.Y]..Q..~..#&..JOq#h...GEw...]...zR.....tDv/.HsI..:S..3.isF=.p.%<X.9G.....tU.W....r...$.DV.....M7.sD'!..y..e.^*.L.d.c`a..`?....E>..h.eZ..D.....9.2z....+........,B.f....7.&.%.i.Yc......jy)...v-.6.'Z.?.:6.^..%..v}..L=.T...P..9...0...P.}.p....G.B1...r1z..:..A].{;.Xe.M...y....y.rN..j..r...*O-...5.k..HP..y.i|..h....~.1...0E.. ..d...nI.Z.../#....y........-...T..U.|.!.I>...............................A...Vr... .A...Yk.f...E......o..h........Nq......*mX.....d...Z.<....|.c...|..|d..X..|....(....me...L%..].~u1..7g...'(....(...P:..j&.[s.Q..^.{.RY.,..jC]('...Z...b.*.e.pvE0...?.n.......N..^C....b.....Z.T.`.J-..=M....).?...\.:.5q7F............. i....{1;..h0.`...V...JP_l.h..}...W}.>G~TgA){.j..._....b..M...t......pZ.d.K......[?.|eXA.... ....a....6e.(@..7.Kc|...X.w.i..Ez...q...Y},.P.H.9...nn...G.^.......D.h.....Q.i.q&..........Z..yw....-^..!....\....=.G.A...'.......6.

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\MS.WINWORD.16.1033.hxn.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1432
                    Entropy (8bit):7.8585343568616635
                    Encrypted:false
                    SSDEEP:24:HENByB8wk4YHrMDzgyV/mHSAZXAvujxQIQy5hvar1hC/IyM1Fc:0Bw8J4+MDzgyoyEXI7kg310
                    MD5:5F0545863D1CA92C73D0B8F4E69445C5
                    SHA1:A29FC35492C271313B77B6B005F571CB97A6E51B
                    SHA-256:36F2FE91F14B79FBC8F300276FCFFE4E17047D1FB606CF79C0C1611925AC869B
                    SHA-512:D14D323EECCE525819E9B9C493D1C9BF565F214BFEB5DEFF6D2CD5AD1397E990BABB73C3FADECE52352280AD122430689B037400588AAD1DF01C30DBA930FB3A
                    Malicious:false
                    Preview:/.S.TB..z....m........0.......VX/..%.-..@...:...be.R../.g.....3l.M......3l..l........P?....>h..A...9.q.k..o.S.:.....+.9.6%i.>*.|.A...;..*zrw.hE......J...j.g@.?./.{~{DpT...U....">.u..4.1g.g.....(_/p-...k.\2^..X....j..PY..(........r...E..O.x..G3.....6d]B.:..w%..3....5.Y.&....;....s{.a-Rr.)^..|[u....+.YW.gp.KC...\...Mo....Z..8s....~V.GR&...b.2.;...Q...T..U.|.!.I>...........................u..0.....d...N....?......@........@.].o.e}b..#q*...w.1..8f=.E@"..Dc.`..+1a..Q..R$6/..[.W.A..=Z.mb..Q.D..q_.V..+..GK....a.[..$.e....-....|g..fuh.k.R`r;...s.p{..px.%} .h.*..1.._...].VJ..Z..Qv..~...^E.8....+_..$.?...6..&...;.......KhY.n.-b"..f.....#.......}.i...j....n5S.24.?..y...|/....YX.1p<'`...u.......!..@...&v<.G|}.v5I.+b)X..[..Lix....<p..q.2Drzi..B+*p...b..Ll..k.....tH.n.W}/...,...p...p...G..6..},.z..{+.:.^Z6%.._..!....SQ.......*..7.vsu.h..K.h9.F..L..j..n...ZZ.5..B..)...8...w..V..z............'../.U..*......Lm...g7...`TE.r...=.`......A...HE...4.

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\nslist.hxl.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):7336
                    Entropy (8bit):7.972115287923678
                    Encrypted:false
                    SSDEEP:96:r08AiUF62krw7hBwehuWfS4ngHzfPBHVskrnTK8pWb8U9IY7hzh9MYhysswxSzvs:Ixlo220RLzekkrOiy79f9M3wsXh2EG
                    MD5:51EF479FCD12FAA9D8E754ACB9780B54
                    SHA1:D21BDDFC79D818FC95362794E368EC58645B67B9
                    SHA-256:6570480F29B09194CF57CC2FB11C21F76D2C565C73A91361B618990621A88D89
                    SHA-512:3097F39149FFBD47A4C3C19CA6C4E10960C6E45F3070367D66B7CA2B7A7C202E86FDAB8B8F26797E665633E86BBA8E50EFF5F58B552C668796444053BB69A1CE
                    Malicious:false
                    Preview:...s....Jq..eN...p,k.vj~.t.'.........h.....\&~.I.2......W=...A..@6..1.].+h..@........K.MC....M_Xsm...+L....F.1.e.......uf~..Am.].E..>..........l........S.+...~...}..;e.Z....x....#.O.....t.W.L.taH......o.+.\3.+V.,.be.%H.|...hHzC..;l.......(..T..@. X..vH....$...5d}...a.m....I..7%)......r....r.......1.n....l.x=..s;O&....m..\.%~...r$,....7m"@.1.s]F.......&.Mg....<P3..'.6.......*1... .EV.:.p.z.C./;.w.". T..........-...H.Y.4......b..yW...a.....K........}....c. ].LX..../. .....Ft...F.u.4.t.P.(..d.......y.M6.....H`.._}.7...g...v.<.Ix.....}..*.*.M..t..Q\.....bei..F_\.|..).....D.0...g.I)A.R.0]^1.c...y...1B.M;..#....... G....]vC'...h...+..".......3....h .z.PagJ.s\....A%.alR. WY.....h.\.....]..........Z1..`h...w...b.rm,..E\....I...a...b1.p1_.....}^+....l.i!.5"...a...O.sM...\X....FL2..m...?.~.|.Z}n........5..0N..).nH:*K......j..h.d.P.#....$...=..LR!d.6.*..[..O..._...z.I...l.M>.<O..C@.9,...O...6E.-....V.v.....>NM...u...!...G;.@..I.v...T6...w...M._.F.....s.

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\refcount.ini.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1096
                    Entropy (8bit):7.806190937685905
                    Encrypted:false
                    SSDEEP:24:PEa7UL+cLrEstaRc/brO9ei3yl0q5Anw4srTmtgFGk:PkLAZyeSAn3srTb
                    MD5:90F5C9EC9645033FC304C27862AAEA62
                    SHA1:06D6BD5758EA5BA9B15A0B116BBDEAC89D6C57A0
                    SHA-256:E825BF40D97FC676543BC018D97F7BFC0964B800A985BF0344A54B47C924C5AF
                    SHA-512:78AF565BB5D851C1210DAB260711B1BE68AA3956EECD1A9CA60EABE047AA8E707EBBE92183A0680924FF34E8F43B507DBCE5D9C64FCC8366566EA7F6250A9753
                    Malicious:false
                    Preview:"....=.....O...&..3@...1 >.(....T..U.|.!.I>..........................4...vr..R...._@'.......c.!......x..c...R.P}_k.s.N...^E.....6...~T..Qs...F.d.l...f..S.J...)..l......q..n..F.m.@.....&..\..y......H+.......c{M5i-j....h....V.:g...D.a.c...o...q^[._..#._.OZ.T.....=;.J.'..}..Yg.z......W(k.,.#p.s..;.n.Vg..=..{....J.....e..c..e....?.2...+6.X..l*9J.Q.x...rm..........a..[...>W8..Z.).X....[..t..z^.Mb..t..M.P.bzj[.....A..M..l..H.Q..&63X......w...N.7....o.3.sO.yaQG3V'&_./..Y8.[.|1..e6.MM..Pn...@.........-......g[..I%.......4...n.`I....".....I..:R.<Fk8.....X..x+._....j...`*..@ 0y8oM..:W..rX83..$.H..\[.U.d....)|a....L.?............j%A.g.*...]S...{<]....D.2..#Q.......}....]..R...a........j...L....[&.o.C_.un.S....:x-(.Hq..[>..[...P;OP.*.N.;t.;.........%.x......`.....4.......BlQ.V[....#.=.U.b.t.,"N.(...!.[:...y2..L^+..J.9...7W..DI.....`....2..........H.u......._{..7>...........w...=.,..'6cr....h~..{Sy.Bk..G...w9l..F.?....~...f'..3;B.SA...Y..t...E..Q."........

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\state.rsm.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1912
                    Entropy (8bit):7.891145908319616
                    Encrypted:false
                    SSDEEP:48:1NhDCyr2QZJyAy7A0AETKS0tiuffaCSV/wIowXwAgxKXbrZ:1Njr0AMAtdiufiFGgwAgwXbl
                    MD5:3152D820841DE233983BF8043EB4A4EA
                    SHA1:CCAB6091DCA52221287A3BC13CAEB7EE31142229
                    SHA-256:037A7AC44C24BC80E5414BD3EDB4C4037E448FFCDF4C147E87E2461294BFEE66
                    SHA-512:8A2EA2D5961E0B6D33CC702E3CE711867DC19E2844A46ECF7CEE64D7E2926625EC7D3B9888E6FE52E0C6D24532CC08D028041DEDA3C18775418CEFDCFCA05BDC
                    Malicious:false
                    Preview:E..}W!a.8.P..q......\8)*..... .S[.8+..........f.|.....3...u..!.G{.P.~....\.,!.RQx......{..y". ..v5...H$hW..u9..J.......6...#.C..])..<..OH...e\........-.!^.w.;l.U.-..B.....H..E..2....R..6.......rz.......~..tT...j..sd.....v.'...!.L.w.T9Q.....o........<...G.@....'...h...LA.I.....z.QQ....>.....`.#,.7.1.%....?..@.....(5..pB.z.{..-1..u...k<...T..o]...%Z.hk....Y8F...........f....&..;a.P......h...,v.%.s.t?...>.TBj3G.tU#....F3E&^R?.L...:W...e.8.[..>X.i|.b"..=,c.J+:....1..O...EIx...m.+.6U:@....f./..i......o?.$..:..pYw*..P.D...!.....w......v..)NE8/...>.{.....~...=..:n...,K.F...X8......K...D.z..g.gP...f"..T".....z3...-.V...p.......}.X.\iC....S.....t..Bf..!{......O......r.jVk.s.Z.H..a..j.P.^...B..d[..`j.g..h|...,..e\NcI...&..t...k.....]..w.I6..aN..V.Q......u..m....8G.y....>N.&S!.."C-b.%i,J/.y./.YKS.jcIV.*..........T..U.|.!.I>..........................)...o{..O.]......+.)/g.Y....xW.....c7.s.0?..{....q.|..|...."Z..g......b..TH......f..r..?.$.S.U...]D..7~.jdo

                    C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1896
                    Entropy (8bit):7.898735813165513
                    Encrypted:false
                    SSDEEP:24:xsZkWPhCW8AeFX25NaZWV0dmWKtjArsUc2PBp+mlVXjuIzrS370czlxi7NDfR/gA:AVsWnGdwpH85RhtrSL9lxIesveS
                    MD5:7728BBDE4BC0115505BF24BA900C0843
                    SHA1:945B4DB73762602FFB99F1B25D0892A5968B1DF1
                    SHA-256:A3ADA7E88D9A6D16AA2600B4911FEA68B3FA51E030133BF9A0A11AD058961554
                    SHA-512:395C3CE61B1564420B8B2C3525349E0975C720239F7BC989F004E8E817B2B64F6EDF044F4672BA5E0A7320CFF760620CA9DAED2BD660DED0C99835B92962C032
                    Malicious:false
                    Preview::..3......U.Ull&.n.P.V...&$.h.mg..n..h.$d..HF...7>.s.....~'.X.......d.{.D..'.....G.Bg{.w....a..]r...b...k4.....(`C.......9..O...4...Z..1y[@...K..vW#.h......0..c.~8U..uT.4.e.=....h...9.3.=+.8d...'.....Q.T26.?.q...D:....8..t.\6B..+b.9.......X._.......D>.]..C.+3..).n..o....N.....5I....f.[.D.<.Q.....Ex5..."sK.g...../xK...(..x.C...}W....Vc.....qq.(.5)W;......7..jO...X~xa.j.u......ai........hF...uX.d..Et.t..vSC....D....p..0.}..^....'.9Nw....4@..,ruV..X.e.z....D...8.HP"T&.g.....A.m:.i..Q.g.W...p8..n.......2^r.....I.\...1UL....S...e>x...(.e...*q...:.f/R.W..\.r.X..X...z~U...v..A.@..e._.!....w...(g...6+.:..oc......]t....(.Q..S8G..../..:^v..]...$......t...:<.~..0)......s..{}H.T.V.&.z...F+}.G.'.Y."4?...#vdU.....Ig(...@..C.i.."..(.=.1.$..[.GH.H$I{P.10?x.f.3D.X....}K.N.y..)....Z..(..{G.>.2.....~....T..U.|.!.I>..........................`_qUa.I..C....\...D..s".I3.c..O.'....c....s..YR.|.}..[.U....Z0%.E}]..(.U(.........V.....v.FR9......B.ZV.M..xBV7hxm...\.:.<..

                    C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):244417608
                    Entropy (8bit):6.925653517676933
                    Encrypted:false
                    SSDEEP:6291456:/WCpELQzJo3S/buKi8FpgpeNcOf77ntTVU5EAb2XO9a:/WCpELQzWKi8FpgpeNcOf77ntTVU5EA0
                    MD5:8719288A89BAF1172AFDF933901B8FF7
                    SHA1:7FE5BBF8E88C685B5DF85CA165E81106B8B93B79
                    SHA-256:F068AD68E246205985E0D25C1A28B70A3F1EE2AEB97703B1EE2AA19AB018193E
                    SHA-512:AAE7C3DC602C7BEFD8BC2B92A43D82DFCC8CC191446697DF39267C961BBD8AFEAAB7E00EAF57CC0FC41B4F4143D009F9F7C70613C916F4AF1AE6CC2F1228585E
                    Malicious:false
                    Preview:....Y.....o./.Z&.?9.....e..M.w.+.y....z.}...#d....5.15{..S.|...C/(....n...{.{.,...KB.=.M...J&."F.....22.5? ....&%c.....[C.h........gH.`kB..e..e6...T.q...c.G...N.)../..9.ndVw.D.I.#||.j..Jq.= f.A.9.]/."...H.`&2.h/3..A.~.E..b$..k......9.DD/...:..u....8./..f+...b..B...R7>....].....a.*g...kN.Bf..9@%m......8WC.Qy*...xe.P!#X..+.:....6..E<.Y....>.-.&..9.(.&.w*...W-$.y....Y..w?......O..../..d.]....9.+6.......C...e.W.m.....b.....A.u!l.q...W....}...6...P.LH.i[.........G.r.....%.?.5...gv!.4]2v...5.D....{..+.k.N..u...Ya7...TH..Q...(,.&.....*..C9......diF%g...\.U.B..U.R.l.."V.i..D....sn-...r.... %K5u`..k.........b..9 ...S3PVt.......H.....l.h.g.7(.=m.j`.o...1u.RB..6./q.!.....p.u#..j%v6..lE..IC...DN......5Rr;....{.y...T.E....17.H..1~B...WT^.6[.Dn....NNx.....0UP....e.4..........et..o.."i.+...l...C59(.3..w.W..*..,....g.e.3]..{j..#..3<X...M..k'.KU.RZ../.Pz...QBZ.X9F..cd..L......].v......hr<,.P..o.r.m...b.A....~..|A......1u...x\.../h.....KL..../.5T..4

                    C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):175115128
                    Entropy (8bit):6.857427947123201
                    Encrypted:false
                    SSDEEP:3145728:ZIFJHdDdl9HCH6eRwZ+zU5IZ+zix/5bg5hs:UdXXHCHJeZ+zU5IZ+zix/G5hs
                    MD5:0E4E039D8CA4ED49F53A63D1740E93CC
                    SHA1:78F51590D24F970F82B8CAB73CE85C4AC2DA6517
                    SHA-256:F4C3325A80773D484041B2682B8A562C7B1005625848BFC0E02C0B16AF727722
                    SHA-512:C416B6E748CA558F8E306F40D4DE7BDA9CAD1AC229CC2056DF498DAF4033B3ACC8FBCC8DA29C509124E8F6B4D462E6645B2569043B3C2B51EFEE16E66B54A0AB
                    Malicious:false
                    Preview:}...9`..y.;..T yt...^......'.b.n..VC.{.JN.X.&...2.e...YN.$kZ.....^V.....aK.>.^!.....QZ..8...0..iKh...l...b)a.W...\8*...G....D..Hx.:....r..to.4..w...v..m...7...2?q.%.HY0[.O~Y`P.HJ[..%./...5.e.~....e...e[f..%.F-.......Y.^.9@%wB.ljQ..mS:._. ..#.....>b8o...".+e.H.A.F.G.%.;.V{.o.........Z.v.lt......P.X.#Fq?...v'v....h..o....$.c..)..-D.r..=...^1..-!...m.wrHY..b..1..vW....DX..`+*..h..$...9.AK.5.....)..._n^H_8...o....M}.e_I.b.T..}.\.b.xp.f.6...W,bln...bm....'..s...+...4AP..H.n.4.C..^b..Q*....Y.z.+...^..6..I......\....e:8.}.S.s.{....:.....;.....6.TAQ.p.>.q...g..s.>. ..V......."...hn.L....:.|....?..w$.V..H....4..gBy%"h.s....._....j.....y.w.....a....*........A....~..b.@..wL..'....r2..(A.RS..g7........a$.!.FU......a.H...O,...c.....G.B..Ht...mR.jz.&...w.HD9>Q.9...T.0?.XT..z........t..+.A:M...Z`.A.H..4M.5....P_ ..._^..f....G._..........._...A.....n..j....!.*..!o..U......&.Zl....NS..d.9.....vA.8.70....4g.=6.\.[o......>..&...?.3NjhS-......1 .X.[

                    C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1688
                    Entropy (8bit):7.889644859093712
                    Encrypted:false
                    SSDEEP:
                    MD5:791C6729F78C4ABE86A39CDC5B6D453A
                    SHA1:3A3D313CDA9CBCBBE9BE3449D3709E78285B9BC6
                    SHA-256:F9B78069ADA8B8817005C00D511E900999245281A84041956E79878B9A5224BB
                    SHA-512:ADF9C406CDC654ECD9A0F784BA0B6486C851CC500EC73D668D56ABB089ADC1E7B2431BBC9AF4B8AA457D87068EEAE6D6791FD6737100CEEBC965DD171EA727BA
                    Malicious:false
                    Preview:..V.=...h..?jv....8...S.8.D.mF<.....O.R./q......^.3..$....<..$..)...F.. iVQ<.b........U..QU..}!..p.......z.._.<.....}...D,.`|..'OQ....S...i.L..|7..K......e...8?V.s.&.1..M.jF?.....v..........|aZZ-.&.R.p..`~8.F.Jv.`..e.1...n-.*...7.."$..1..z..|P......u....(D}.....s.D.7wFX..5.....4..qZ.3...WU...8WB....IfK....5e...U.?....5..8t.n{7q_..a..,o..I..0@mt..Q....u.C.=.qa.o9>.......T.=<>.r..[.."....^Fd...T.....6...>...E.\..X..l1`..^B.N...@i1..hg.c.....cx....4|........{O2E...a...Z...(.k..~.H .....+..R.JT.(u...eO'.Y%@...D..R. 3v...].9.....}.<.7\.s.4.E......S...Ry...c......J.."..;.[.W..I.%.....qz-.p...T..U.|.!.I>.............................,......z@M.|..p3g......J.........,l.3}1..K.y{..`....Hq.6C.}8G.'U..{.......\....(D...8.?...+].c.l.@P..^..-U.0.K.p.k..........-G.*....y%n".e..S.}...8\S.!....35~.kY~...X..Z...w.D.R..N..tp..\PVE_#..V`.........C..Wim+.}.Pp./......6q./.].F=....h=..R...N.V...6......I--.C.3h,.....x.h..A...wo.g.5.....2<%....#7...-fwu.....*...d.

                    C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1288
                    Entropy (8bit):7.848143852068239
                    Encrypted:false
                    SSDEEP:
                    MD5:B18A3A11190CC1DBEA5FCEBAD13E4981
                    SHA1:00564EA8A2FAC064A5C5C1F8C1CF0C8E33871AC3
                    SHA-256:0FFC86318EE3764654E2CCE87C0E2E5F8E9D928E213E70A6689C63AF486DFC53
                    SHA-512:E1219D29E0F14B8E559ADBB2416BA0F7DE53A7F2BC35556B04AB413D48484FBA813063DC375E854D74A7FA5BF1C26BAAFA2C9788D3C225953282CE00682B9FD5
                    Malicious:false
                    Preview:....(`.6S......jcl...$.H...#.>w..Q..{.d|.OyJ..|.n...........uvG...._.......a..........r...1."......_P.x;..~...<......g.:..h....u.&...C.L...-.../P..%!.[.s.S...ia.@..-&br..t%...hI...=$i.F}...s.m(x.%..P...}.a...C.|1..<..b...T..U.|.!.I>...........................f..y..pyM..pT@.....-.bbC?.3r.....F8...}....O..Y."...d.....9\..Y...X..<IzQ].z6..;69.N0/..eb..._.....q_`.*-:?t..>=0F..I;...\..e.........4.....M.a.w.w..[.>u...........x.{.$a.?.....I.....:....9..Zx.z.)Sm....1<N..bh!.X.[6.........X].z(3.h~j... F]...;.....`d..l:...z.bE.x....x.M..R.u..Sw....K.....s3ow#c......=..d.B0..z8..JC..K..R.,4.2.8o6D......eOA.2gz......R.cn@...e..z.\...RM..m.'.Q.B..m.lpw!..|k....6...C..l./".N"m....0.,$.9...*..........`...-a>....0}..0...PBa.H.........M..Kn>;;...5...R>....R..)...^.c.T.....mKO\..:.E.o-...i...rY.s.TL..j..........[...r.:o.....'.6{.SAs..{...f.....$%...J,6.xhV...-....<.......W6...........sz.]v........_r&.y......M.............$J....E.m.(f3...s....y..Q.k

                    C:\ProgramData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1496
                    Entropy (8bit):7.846221985597693
                    Encrypted:false
                    SSDEEP:
                    MD5:BE62D2068A8D737B45219174B24B558A
                    SHA1:7C4EA438318CCF6B42674C3BBD1EFB03203C5579
                    SHA-256:543B003F2090F217650B7FBD4F3E523658454D3B5D5535D2CC38A5F51D7A6CED
                    SHA-512:441E0DEBA1EC541D3E76320DC32EC4024CB60C29A320CF247F64694D181D99545D3BAF499BD4118E322C722677D4C617FFE5DC7E09ADF03D03DC524B6D1FA51D
                    Malicious:false
                    Preview:..@Ca...(.L.`'P;.....G..|.&._..#..._..A.H.b...i$h`..fW.JF......n..;.i}......v!..cD......K.).'..q.L..U..&..Flu..U(`....A.:o.....!x...y.V.n.a......Tec..(YX....Z....Vn#C....F.{.....i..n.....@....`.....<....E^.7..H../..=......G*IR...OU.=m(@.......8.+l..^....=.-.Is.#J.5.*.~.D".5.U..44.u.t2..r...M....4..|..^......R+*.m.........Y....Zn./.o..1. ./.%..43..}.J....L.v..2.<...>.g./..- bp\.)...Y...S%.z.?...Z....+9..u.I.,.r5^...T..U.|.!.I>..........................vj..Abd...G..~...W./..u.NdQ.....].gp\..E........,......-q..`.!.T..(..$in.\[..r..D-.'4p....Q".?.#.....i.. .,JY.5!...N_...Q......F..X....b.=.u......]..G.VN.PV...FL..*..z.q._...ki....c....Z.Q...9a..._2.*.T.....{..t..0...+.?.f...>q.f....g].S.E....S_.....D...1.%.[.2........"....gI..S.q.l..+.n.0yV'...J..N.*U..O..[..E..._...`...g\...<......9=.....i........r.>.9.7..b..x+..ob..Q.0&.E:.U..............;.:j...{...l.e.l-..[..7.c.1.e.].1/.$m.....@te.......x..kiZ.,..n.=...w9.J="H..}=0M9....]|....0..W

                    C:\ProgramData\Microsoft Help\MS.EXCEL.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1416
                    Entropy (8bit):7.843184276553063
                    Encrypted:false
                    SSDEEP:
                    MD5:5CC008EFAF01DA00B48F4F4FB05231B8
                    SHA1:5E84C85F7BC4B631768A5C204708FEA6A12C6CFC
                    SHA-256:A2DA64DFD03112C47B3174BF4261F0F09318F067D365F860C429AE29426991DC
                    SHA-512:E31206FCDBFC1DC7295A26054D3B63BD6B7DA11EF1D3548BB30F036C1F19095E73B84609791B090B075EEDEE299DBC1D048E91E8892BF6DFD799F187D9B0A1F6
                    Malicious:false
                    Preview:+..7R.".../h..@.V...>..>..y.I^x,4.....Fp..P.....N;.,..C*/.94..o...\r.....cHO..o....z.L.?H@....X..(..t....j...ET|.7r..!.R..`u..K......x.T...........(ckY....6P..O..Ch@,....i.O.........D..17..7.q..YH..;L.h..8..o...M..H"+.qs....rPQ....!)......'.R%B..&.l.....I.E;8..).....E..J.Vh...n.d..3+...#o..q6Z....&E....v..r..2...$..Z,2.5.F.U.D....T..U.|.!.I>............................V..1......K)$v.}..j.6..x..Tx!...g..../.2.C9....r......H.^....u.......??.%.x.q.X#$..';..J.<`.P..`..-.!.F....6......-.^..q.`.....sM..*.,. m..N5:...A.U...kZ.........^......zQ...Fz......4..7.ib^*....X.A..%(D=..}.#...a...$......K8.....\.D...CB...Z..AY.?..ahX(B..#SE.Z.e.....O...b?.....C-.o.....Y..R....'h...H.......1.J..I`...M..).e.......KF.v.. ..fq.iN8.........3.6.....pJ'..V7.o...<k..F].....k,..=...W.\W..E1F..ev.?.)G..,C...S8.Br............wF.L...J...j..E...2....z.....#..~[2......o.....xv...2...!YD(E..z.?A.Fo..{.4.wM..C.....G.....)k..#P.8..6.......j.#...C.`.*....#.`].....L...

                    C:\ProgramData\Microsoft Help\MS.GRAPH.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1416
                    Entropy (8bit):7.865655724826455
                    Encrypted:false
                    SSDEEP:
                    MD5:F91DDFFCB49E3C0ABC5824CEC8FB7435
                    SHA1:B81C9F080892690AACC30FEAE567FC5CDE2D4076
                    SHA-256:4C9752EBE4C14D671E83D45E02025F4382CA5ADF531E9F09B95CF4F1D47A1A57
                    SHA-512:8F234F0FCA76BDCA3359272891C3D246D748400EF182A56DE9B4084213144618F9EAC7C9249623EA92E476D4CED798BED51DE9238A59376A67DAE6F8D30073D2
                    Malicious:false
                    Preview:..~.M......b.=..!..+.<;.....`)..c...In./A;#....D.c+|....O....U...5....8..c.......?...K...[.........l....z....X..4.A....Eg..8...[....I..S..Z.Ar..})5../..(.|.1e=3.q.Dd..>..g.v...1..X(..H@-...?....`..K.;o^xcR...yp`......j.p^.:..A..~....3.v.l..(......=`.O.l.v.F.(.v...E...R..7ZNy...A.....)......L3..J.k.....E]w..%.K..r]...h..V)k....v.3..\.7a...T..U.|.!.I>..........................R..,.e....5).:............H...Ff.j|y..op..3.$..B..N.B....<>..t)Pz..}>y.\%.Z...e_r.y........ZBNy..`#.Nvdgm....(.^....'.a..H.a...m.......K.-.io.p@.R...g..t...CT........V...A2..`....A..{Ev."...........$....0.41....[.E.*.o....u...D*.....)..Z.?a..<...V.pC...*..].....;.%.O.B7.b..h..?.9.3S....O...!.D..w..e....J3x....{. S.kN..L.;..Jg.....#.C......?P_.+.....U...,......C...R. ^`g..........?u....5....WdR.......z.........$!XF.......oxO].......U.X5.....J.)s.L..#bX%*......m4...&C.....R.....7e....*.$....:..GR..e.........H...*.6LI..._SY..,..E...[.../.;8.^......Pi...^..5.S....fw..X.....a.<tN

                    C:\ProgramData\Microsoft Help\MS.GROOVE.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1432
                    Entropy (8bit):7.868331685237219
                    Encrypted:false
                    SSDEEP:
                    MD5:073A81B13797474135A114E16A767739
                    SHA1:C1327CBE36F95F9C4CC27E2CBF3D79D5461D6EE4
                    SHA-256:0479A737E05F9580C09D8FF73921567D9ACCC0A8538E071418013AC862B8962D
                    SHA-512:1973983156AF9222AE24945ED8A1358C7CE9988626CFB0033FC4B80DE48C8ABF2E7AF252DC8BCA6C7080680F881D1CECD967C07F236E92FCBFB5F06E81816DBE
                    Malicious:false
                    Preview:/{4...g....5.....n./..Z...(.2..O.........B..Pm.G8$s..,.P....G. yH.._3<*}.o.J.t..<..&....a.......Gz......*j.T.,.....@..E..^..u..U.)..H...6.a...*..xqb.0!.ea?Ve...%../.['.7..\..(....Oz..O...m+@..IW...?0....hP......W0..k..6._......F6......$Gj$?k.&....$A.I,.*..V.v...` V.......3..#..c...n.%+F.#.T...x.<.5..C0./.J.&..l..t4J.1.....`...wq~....m.K`v...!.Q.$_...T..U.|.!.I>..........................'#&...s......|p.m...w...[R...>T.......Rs.......n...5c..vD..w...%.^.l......j.n.{w..R...p..zZ...Q...y..,.R.Z~/.x...5.0.d@.~...3J`EJq......w.L...d...=.UsQ.u...k...;Jj.c&..A..S......._|.=(.kH..].l'..kI;..C......@r..n."......@n}k{pV......zA..*....ao.....3/..A,..8..Q.n...=...<y....P.X.I.t.{<.A..........j.T*.........<..G.~....+\..7f...9..7...x.v.E....E+'XXb~.#..7b.s.'..1W.o.w....j.Q-..ye%N1..I....,.9.lp...d9P.........;Q6...B#3<..Fq%h..K..Y..I....*(.A<..y`..}..".#S.H.D..=.`O.'.M..nlI.D.B.f....Zy....{...........l.81l.S.@s..6e.'.p....].......^:.......{.u.v.....

                    C:\ProgramData\Microsoft Help\MS.LYNC.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1416
                    Entropy (8bit):7.857998230294626
                    Encrypted:false
                    SSDEEP:
                    MD5:D0BD3BF47FDD670909CECAC029442EBF
                    SHA1:88766682FFB38F13F457158644569EA9FCBD355A
                    SHA-256:7EBCCC8733B8C4BB172DED0591F296C944399E1A76DAAA26EB402733B13F8E68
                    SHA-512:CFF23BE29A1F6C0575FC661A40B8BCEA1E9026FF37E7A206C83C70162BAEE5340F7AF308862445A842D6AB8FEE8ACC317EA47D94EDCADF6879604844915C2AE3
                    Malicious:false
                    Preview:M...zp..v..EV.............^t..}b...IC..c.@Q;........(.._.3..z.......nkd.......3....Z;f.=.?..%.l....9A..S.p.V..b.).9Xfs...tU..>*y.... jRi`.....X.sY..9.....b..s......J.d..../....%A.bV.h|..}+&pa..k.hD....#.'..A.G...!.?....mTn..XJ.).G.9..-..m...K9...L.:/.T.r.l .z.....D.......:..G0..+..1 -)..*.Jc.i.%..~.mu.....a...0......I'RS.kV..0..}q+...T..U.|.!.I>...........................,H.<..U.C.P.k.....6.D..BI..w.Z.Cr.? ;y......;?.n........7.\..w..u.>..aod..<.D.Fu...../..0^}.?.ut...../...(....S4|H.C..}A.._..`I..u.q<.>I...L.............d..!)O...e..1u.......c0..^..t....O.PVdg..d..A.v?n}{..NRe.iU.._n.Ks.jD,.9.^.......H..Q...;U.m..V.."u..j....s.BIW,i..H..`..P_.n..y..^....WE..3..a.(&.g.7...'.W......].-.Ji..I.........O.....;P..*w...'@H..]..A.G..m.F.g.8O0....=._.......zL..$...2.?..<.<...5.q!r.Gw.....5..S.Z.........g..l..........Lz.aN..V..p.....K....9....e....DFM.U..(p{..E..B..Q...........}u....!....~sx.7$.9.....\|..........N.Vh..2...d...Y.O......";..X....

                    C:\ProgramData\Microsoft Help\MS.LYNC_BASIC.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1448
                    Entropy (8bit):7.849848236935187
                    Encrypted:false
                    SSDEEP:
                    MD5:C889B77F646B018C62073F4E1929A247
                    SHA1:47ECC335E9034E845611CEAB0F098D4DAA52E46A
                    SHA-256:BB91EDAF6BD64F742808370D24D22D60DC47BB9E5AAEBE003AE507C588D9A282
                    SHA-512:4E932B31CBEE933AB0E62A1A7B9340E8DF1CA57D67BD3604970906B0D0FFB0CFF866217280503E5453ECD294706B90D1287782E0B47754A11D743586FC20D88C
                    Malicious:false
                    Preview:L.l"3.g..C..Q...|.b.5.,..,uU^o.......,....I..r.....B.4U.....BL..V.W/....<....w8-.g0.[......z1.Y.U...q."....a.PN.......W .@d@..>.a.B..i..R.[,...+.m..N<.c.m..d..kFY..uK.t.F........,..8xc..X....8..sY....`.."}..2".%.U..b.q...*..q..J.kpkBO..W4dBG)97...x{|./..|.I..Y...F.z.P.~Z.8E...T...j.M....s......6."..Yl.K1..3/N..E&. 2G[..@I.h....m....[v...r%8Rv...u./.qPm2.P.4....)....T..U.|.!.I>...........................3G\..X.......rYY...V.4..}b<.r..@1.dV&....u..P......;.J..Y...Xa..@.@.7..7..._09..u[...v...s..m.L........4"..N...T...z..v...#.......a..?D...ZHr0.G...q6%d...N..k1+..2.U.k(.....,53....."F.cU.oR.8.bA...+...4.A.GQ..q...3..Z.)...\...X.F..(...........<t.4.....p.L...f8..4.....5..k.....!..W...+e.@......].p.....(T(#W^.lZ#.G.O.BAs..|.. .....:..3FX..1.!lq..l..u\......9.....]......koE.O|$5f.".H......l(A.^....7.s.^.W]r..S#yk.>.P..I....*........Z..b...<.............!v.......$.5.m.2../.xIC{..p7.......tP?.a.(c.mR..n+...D.hM..I'.._.....]...8~.W..3....U.^6.

                    C:\ProgramData\Microsoft Help\MS.LYNC_ONLINE.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1464
                    Entropy (8bit):7.865999469884405
                    Encrypted:false
                    SSDEEP:
                    MD5:B239FC799BCF22B7ED560A903191769B
                    SHA1:ECA7F01DF9F6ED70DEF3C832594582FECE665A51
                    SHA-256:303C5A08D477D6D929AE5E917F4BF6FCEC38485369E251C6FB37C76E5C4239F6
                    SHA-512:42DCC682378A567E20B4622A1043131CF131BC66018588228F7A461252C5EB2738FF15926B4DC44F0BD4562067DA5F459FD7DD31DD46382FFEFE737AC61FE207
                    Malicious:false
                    Preview:Ba..2....-B&.|[...Rb..k.....]A...Or..!AG...iA.=za[...H.."Pm.2...ZNl..R....s.......A..So).....8$.{.A.23..l4."|..B.B.9D...0db..4.K..Y...xP..O...]3..&.tW^.1.`..b...".o..+.{.......lC..h........YG..!...[}k.;.~.`..k..I....R.Ui......V.toS.h.o.....*m.._A.0E....H...`D.(...Q..?.....g...a..C.h...7^.:..N.......Zq.Z..~.G..u..V.*..3..7.).<e$I..c./.`...".,..[.c3.mnt`.z.W...a..R.l\.m.~1..'...T..U.|.!.I>..........................mz..e.iT..J.a.5.n..S.\qo._U...Z....|6..3..F..nb.....2.+ZQ*l...K..<C..j..G.....FP,..'i:.tiT8.D..d..]..F.....f...{...4..G.....xu(..}..G..<....]a..{......%0K..dc........@._...*..."...]^.DE.'-.n.b...h.......8.k~.s[....j.u...........F...!...(ia.J[U.. ....uP...=N.aV....%_.F.R.....\...b}x=x..w\.?.A...[ .....R.....,.....CI...qW..yI.#.6.H...-..Q..P....&6.9tl%up.*UU929.......\.......)6.V.x. szqA".....3.h..X.mB.y....\..5...ec.DV.R.gu.(..}r.K.5..C.2..D.../f..K4..h..o.N...<~...:]i..............b/..Gf.Qj.k@.<kk..&.F?....D..(...^..$..._L.B..

                    C:\ProgramData\Microsoft Help\MS.MSACCESS.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1448
                    Entropy (8bit):7.864424613946546
                    Encrypted:false
                    SSDEEP:
                    MD5:3CE446A95FDDFE7A0B9A05160AA9C315
                    SHA1:2A5A44AB4C33F4E2EAB5D39CD48CD96F2CAD2333
                    SHA-256:5D7E31381DEC293B4A0A82981DA42EB1856CD3583E938791B6B8A3F0DFD002A3
                    SHA-512:DFD1D2C6F60C9D3C34F558B1A34D271C6CD62571A6274384AA5FACAA0FFAC4676E09F2498F5D1292B3ED5FF7E939E3F4ADE8C463FDF7CC2FA757CA5E58C70141
                    Malicious:false
                    Preview:..<..FW.......HFT...!.F.%..\..Cw.".....`7....~.nq.9Wb.<.).A..R.....6.'.u.].L...{....7UD..g.OR..K/.$....j.Jd..:..hIUu..Z.x..S^.r..._....CF..:.E..`..#5(S.hX.>7.a..0+.E.4|...t.|)...Q..X...1.h...KM..1.|.#....i....."4BH.L...}@1...b.4...5.!]....Y...|.'K5x.^W..k.1.t..\..b....-g.......`..F.#..D..r.A..\..A..(ec+>1H.n.f...O.G.'...P.Y...j....D...tB...Eh=.VO.g..cB..2....z...T..U.|.!.I>...........................@qp...T...`..D.Z...8.I.TJ.4.j..;4.-c.Y.r....v...Tg..A..;.N.V....x.)v.U....Q.rpyv.x: g(UT#..o........,......^.I......1&v.|!.7.1fC.C...9..<....D.jl%i.<..q..../..j..bB....f.#@.-.c..%_.L....A.....M....).hC..y...J..t.k..O..}4lj..j...0..9.^...7.{....=v..9...o..P.{B.o../..w...t.C+.O..Zd..=....P._`...>.md.(.......{..q..b...J.8W.A.n@}.&O............<..!..X,-.l.G.:.4O\..2z....)....KpJsu.......F...U ...Z.,..k.g.......'...c.lZ......w.I..".-4....|.e...Y7-.."..rkq.V....U..CW._..2p2...G.S...S.p]..r4..*...S.d.h...I..vg...6.;.....Ck.%..y..z'&.1.......%...../

                    C:\ProgramData\Microsoft Help\MS.MSOUC.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1416
                    Entropy (8bit):7.843293247170097
                    Encrypted:false
                    SSDEEP:
                    MD5:3CA767061844F3D25DD7C689B4355AB8
                    SHA1:8CFAB6D2C2B0AA3BD048D15EBB39CA3187714446
                    SHA-256:5C505F4DC209F55019A2EF89746540F447E427642C22ED02CB2226F7D9B0667F
                    SHA-512:F4CF0875EBCF0DC797F294F237407E59FEFA32DFFF0EE203B9E42F92C4A36286CF09E7A6870BAD41DA8B787F44BB893342618C1DC4E8BFD93F5BB66901741D77
                    Malicious:false
                    Preview:....2...........I......;x......Y8..M.4...E..}>..X.S..^hVm...(..@e'.R.1.2.s'.P.K`#.."..,i.R..(...+.....M....R(a.}Q../x..t|h.L....Q8.[..j..m......q...Q.Wr.5..U&Y......-L...j..s?E....`G...?...,...+q...6...O...J...r.T....p...a.y8.ND..T_W.X...0C.~..Y.t8.(c+R|,......:..i.T.u.Cp@w....u6...!......lm.P.....kkw.5..u1...Nw!..\!.]...+../.35..6.a...T..U.|.!.I>..........................K.....;...j.q..p4x...... .}..H...$.....2D.Wf)b.z_P.."L....=.1}\.b.D.E[a...w.).g.#.... .I......6~..q..p..@.N.%..W....`.....3.B.K.4...q\q........F|....,.5 ..[C..z`...Y.-q......:.}.S...3vJ........hJ...2f.|[...t.l@.!..l,\..w..t...>...(.U........@ ..wt-..m.L.=._.k.VY.+@~.iP......c..Y7......!K.......H}.Tb..R.....%.....z7.4V3...|R.....Ow.;g........_..>...*%.,nG.WV.'y....8.0...z..;._.U.{.".,Ix.DNH......../.C..qy.M.Q^..`QR.....>ax..Aq1...n......o.Q....u......g.^.;..&c..x...0..i..|.....$.....dn..U4.^.v...s2.%...l.]e...o".....y=..p.4..+.!H....h_......g./'.&....X1..Y8?...p.0)

                    C:\ProgramData\Microsoft Help\MS.MSPUB.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1416
                    Entropy (8bit):7.853576836983684
                    Encrypted:false
                    SSDEEP:
                    MD5:0935A8890C56BEB835C4DBA654E05BD8
                    SHA1:A971476E26CCF983AE1634EA2A22862BF177AD17
                    SHA-256:0CD1FC3E7E9A4AE12CE900A951A8EBD107C5C8BB41D5DB0D2E78112AD29EC66A
                    SHA-512:0B5343BDB82F04FB148FFC3DD691A7D56FFE2CFEA1A37B68FA66A7D027C717739B951566D727EE0DDBB43D42ED17EFC064F71B893A0B20AD072E23D105617112
                    Malicious:false
                    Preview:..F+..f..qg...... ..`h...%.p'.....\e.q......\.v..;.x..G.k...b..7{.x..4..X.j.rV...l!<.....x.L..X{.b.Je.~.&|....0..Q.Q.CW.....-...E..{?s*......Y.....D.4.{..D,.......)%...^{.t....*.9H.{.V.&.{.:F!...e2.7.9!..'.{4..~.~~....7.T.bV..h.......-p.a.%K...:.:!.nZ6.F..S.${.....9.....iN2.>....<.."I..=b.B.pC..s....yYY.L.o...n'..1.n....O.+'>Y\..3...T..U.|.!.I>.............................yf!$.....Cg.t8.Q:..=..P...b..GV....k....C.5.|...Fh)v.,$.......-M.D~YSr.3...D....b....9[.HY#.6"gX......{.Q..&F.g-..A.W.Z..U@..dQH.C...M.](.f..Q...O..d..j."M#.p.z.J.......8.u.n&.-T=9......[.<.#..`..q..<.f..s...w..f3..PF.so..U....0...}".i..t.^H$..iD.60..G+..;....*...7J_..l..}...i1 ....\.)m....m>i..4..S/.....K.*c.:>(....[.i.l0.TG .....7....W..^..<...9..c.......C.....).V.2...........u.gh.Y..4...F.O.H-.'}sh.T.=.:.e*.8...~...m.Us...x.x....(..;....<..$.U.;)-..Y..E.........m...U....2...\..Z(# ~bG....RgQ[+... ./u.I...P.....4....-.A....?y.!..;.s......Sz.8.N....:..2...i......?..Ik

                    C:\ProgramData\Microsoft Help\MS.ONENOTE.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1432
                    Entropy (8bit):7.863144220397379
                    Encrypted:false
                    SSDEEP:
                    MD5:9D50F4F33A1CD63FEF8069459BFF93A9
                    SHA1:3CF00F1F005DA90A4C2239BE7C296751E9B8BBAE
                    SHA-256:FB4BBE8E3A4B6BBA421A303325861BC43CA2C1D96794DF5E151F5A42DBA94482
                    SHA-512:3764564C5651034392BBB15FD49896049E470D92CCBCF5AA58958C0008344185687CEBAB196ABFFCF57B5A240BE0AF7D2C7468AB735EB2A9EEE424E26F762DAF
                    Malicious:false
                    Preview:.VUU."..[..W.......|..3..g.,U...a.X.m...V).o.)..AQ.~.'...3..P..re-.H.r.V.a....)Huo..$.w.e..>.&...r..Z. ..]....)...P.......b..?.....d.-Yw...tJn!..J6w........j.....i&...A..m..k..5...6.M...C..;.../%..L.. ..y./K-..A.[..........eH.#,....6...'....S.......V..c\B0...D.......r.F.h...h......Q..S/....Y"..Z....&..(..0...|j..C.@.?.......17+[.......Xg..#......T..U.|.!.I>............................|..........=s.i..W|z..l.<.f34/.gP..eU......<.'.-.M.W.U.:#.....eh...a..#..y.....t...Av...Q.?...wz~O..4Z...4.R..4...>.+...7......[...-.-...;_]G..G-.q.1W..$g.&n..%.K>......1.,..u..sD.......O-.y...PwUd........B.f.5,F_.....0.......z...p7......)[.~...........4J...j.[..?..A^I.m.i..N...........8.....:..9E.r..z........3.0&8e.Z./.$..,.[..SR....4p3.. ..$V..$.8k..BQ.%.......)MU...</..!..G..p.D.[Up.....f...2...=..\..no8...5.R.dK.C.X..Q9.*.o'eV. .*.PZY\.......J.y.....}87._@...<SgT.O......j.q...(6..~.)........%.{[..Z}.?...K...W.&...j..>G...om...[N....;..%l.-N...-.]Nd`U..mH.^.T.

                    C:\ProgramData\Microsoft Help\MS.OUTLOOK.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:COM executable for DOS
                    Category:dropped
                    Size (bytes):1432
                    Entropy (8bit):7.872758956170493
                    Encrypted:false
                    SSDEEP:
                    MD5:599CA8746812FBEBC4E2893FCCEAF4DF
                    SHA1:A2524C6F6D915F1863B0BACBB61721DCD30E4F82
                    SHA-256:EBFB1D95025AE8589EA587FAF00BADCB476AAAD959693D9D92DD4E63C558CA1C
                    SHA-512:2CD29C983395DA3760995C2FB973EA51E23A8AD4267D3FB7BB5C8742A4289204A851E40EB22067F6EEC0BC0D5D5F5D4B376BB5B41F3740B6D06B4144379492B6
                    Malicious:false
                    Preview:...QPG...,..$..&.z..zw..Z..d...k..>.5.....B.{..w..........{P..i|cJ.*..O..4!;..Q....<!E....."..u..V.G8..o]......q3s...yrEy\.7....V.ZDH.U..$<p...M.......@.z.......:u..\a.D..m..{..A05.=.0]|;...Lg.F..-s....O...d........K..[=H.S.A...%~I..S..9...}......(.>A.[(.BN..P .y........$...W..[....\....2<.i..>..M.R.yr,...w\...k..t.CV..8e.....8...2.Wy..T.TT.n...T..U.|.!.I>..........................&..&.hC~@....o.r.....3.v(a.....kc..."..l...YWu*.../..$BR.\{X.)JV..H.j......X.Js...!....:..7&....E='.D..a...x..:.......sVg..B...d..`.?.}...........{0p.D.....t.p.F......q..ev.....O.zE.h.d.b;.tixC......B.......N)..n.]~.T.%.J..]...........5'...c.NK./...)..+B..e....ky....1.}.+..k..ZQ.M.......v....y\...=.kQ...K...4.C.<....P.Sg...R..Q..Oa.;<.EDjc..I#7..".U.@..e.............I.'..~2.....}..;F.....C2.o"...;.VT.<,..y..l .?.i.?...".o.zw.i...~N...XgkZ..c..m..z...rI..6s...bz.......T.......w...9..;nQSD..m0.....".'..>...I..2;.C...."G...\.F.g.D.U}....2..fz.R.W..*..K....

                    C:\ProgramData\Microsoft Help\MS.POWERPNT.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1448
                    Entropy (8bit):7.871385689425973
                    Encrypted:false
                    SSDEEP:
                    MD5:45BC4FA6ADA3C6DEF52FD1710BC29969
                    SHA1:973413A6E6540F8D1438EDEE696E18467DE4AD04
                    SHA-256:F9387DABB09DFE4CC6E0F87842DBB8900B4C073E4EE9D2EE3B6E761A6AA4902F
                    SHA-512:816491CA309187C5348392CFCC5451BD0C36A31E8921CF8AA2D2C3F9455DDA3EF7E0A7BBD04802FA3128E82AAB11394CF172E00C37DCD66E4B00FE917CD00DE0
                    Malicious:false
                    Preview:90...\_|;..A...yy...J.R..7...e....P.*V..i... .&.|.!..u..#v.I.EX.?S....`...Ds'.f5X..........%3...`...-...\Uq.u*.@.t1C...**.e._"....X..i.......D...| %.Z.G..........V...&[...~".3&.....*Q,.....(j.C|.....w..QI...3..b!...=......$.#....RV...W....-...AAm$._..t.v...'...Y2...G......a2NA....9.fW2nX.K.K-..RM...o.......6....l8.BA.. _.1..]..@D....@Tx.@....c.ro..0a3...A......T..U.|.!.I>..........................Bm...n..b.'d..;_w..'.G...A..f..C.U9.{........[.e._!.:....z.......=...........l?....8.Z_d"...q.P\.%rJ:=5..ER..tZ...&g.<|..(:.,...H!L...$P...^......+.T...6.!..E[.s]'....^v......cK..........:./..1.T..ZB..c0.f.......K............(.\......S..?.....d{.y..P/&v...j.._...N.Tk..b5.TM....|9S2.T.mM.|....l`.p(J.:M...#$.#..v..v..3:..lw..7...E1..?.[:=..+.Y..n..OT2x#....zfW;..f,`...H.._n.b....#...(....Q.,.Y..rq.)...<.5rz.\...q.&.....8...)Q.>(\./#..L.L..cP.....4..5h_.....s.....&.p=<..u..u...oy....j.y<{...p.,[@.....%.n.z...v...._...nw...g#.Rnm...P...A.&....&

                    C:\ProgramData\Microsoft Help\MS.SETLANG.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1432
                    Entropy (8bit):7.858754654949151
                    Encrypted:false
                    SSDEEP:
                    MD5:3F39E6EE456D937AB0FC27B72A57DD0F
                    SHA1:0E089C3229C7EEE37A849121CB036AE3FB113A98
                    SHA-256:3AC4A055053912B1C54FDA317D55F3879AE7727E6F10F78792A0AC25FEC1B498
                    SHA-512:40B5F2EA80938C3DCFB12BD54EC7608AAF8F0DDDB56F090E846EA9E3A6CFA74DD716A08A82E3BAF7F3059BBBBF44EA4D2695F50F2E7A083DABC074ED1C90A6D7
                    Malicious:false
                    Preview:{.'.k..\.Kc.L.+..=._u:..ph.u.IH.f.s.......Us...rS.\MY.o..rG..}.>...y..Jhf.m.).$.....{5dT....v...`.....m.e..P<+.L..7.......{.>.$.r..........~:.^..8....I.....x.....S.lq......:..|}}.q.9....R..t..`Y..u<..<..(.t>.!&t?.|..64....C..V../.....-4.i...i.B...i..km5....i.1..t..B...U...d..........7.#.*./..X..'...3..f6.$..hU.......@.X....qC3.0.eeh.......L..@.....T..U.|.!.I>............................^....13..."....|.g.\.......YV......D.k.]..SQ...!}1./(.....&..$c.. TT^.O...t.u).C#y......L.../...."34q..LT.`..<.a..Q.. ....J\...@Z..=z+.p..<.A..x.9.'...?.WN...,...,.b.3k.X...._Y..u.Za.....7e>.)Lo&*......+...a\.J.c...K.......T..:.....o,..U'...@$.K.M^.:~l.6.;.S(..X...q.z.M$..~xq.c.}....S.y0.......^hg..K.E9..<.......{...'_..5a....O...L.+.E..........9@_./.`...k....K...?.....w.K..UV.....g..B.u..g4)P.c.o.. ...Q.......].-.\..C.po.....cy.....V.e...g..,..|...M......L*.u...oMP....b....3.Q....Y.......;...(.G....Y.H....w....&W.a.RB...C&..Q.-.9....u...D.....}.z.@..

                    C:\ProgramData\Microsoft Help\MS.SKYPEFB.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1432
                    Entropy (8bit):7.849810799626368
                    Encrypted:false
                    SSDEEP:
                    MD5:3C3B1AE0100E9CB774534EBAF792A0ED
                    SHA1:DE381E0E62DC658E6FE9467F0EE913D4A9ABB3EB
                    SHA-256:0460FE124F1466ACA454F083A2C9AC7299EB4115597FE9DA0CDA28B8316CB425
                    SHA-512:14D9FEAA436D72082FF0C9B68B5E90AC9CEB81C0648DCD0D3DC4A13DA58F83541ADD948C3A7D724E6C85689052C534BCD54C2E3C60A3F0E30EB756E9D57A6202
                    Malicious:false
                    Preview:..O1._........J`O.X.....D9.@....L...$/...q..........SX..y@...]...H.(XV.f.w.T.PV..w}.)..].@.....7.T..\T..{Ah.e.@......L...q.5-.........?a..6..k.f.u.G^.)b..0d..7j:..&wZ...../..H.xg.?.2..8.X....^F$....`#X.............Mk......q..>g.hN..$.X*=.......E...d.D}..r?(0}.....Tuv(_...P.)..9...=..P5.3zr..O.....%H.k...F.]..p<K.I.LY...{......I...q .N..h..H....T..U.|.!.I>..............................%;..LO.Td...i.<[q...[^.n...HoJ1. ..PW.x...!...|h.......p3....i.*.Tz....7..J...7.-.9.;F.t1."..y..;$..L.Yr...Hdk..H_j."R..R....%c.B.H.|.'..`....K...'5.@........d...H..~..$..7D}[H.!...j..l...N........z.j..}.|.1....2I[]*`.....~...3.#%...Y.-s.j..8.}..,.z^...y.t.7.O..?....NP..@.;R%..K?..l.au.zfu...F.j.bK.H.....w.[....<....2..YPtW......`AK..3.R.....I.L.0.;...<....+.w8)=.J....6a+.Cqi{.!.~.V..#..=..0.....GB2t..bS.O.jL|\..........U.O;.PH..cU..R..2M..3.J........}.^..Y.}v-.k..9...Z.^..X...mL.Q,.=X...P...HR{.{.NF.w.~G;.7.K.z.G.E._..@......P.|}L.&...1.....q28.

                    C:\ProgramData\Microsoft Help\MS.SKYPEFB_BASIC.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1464
                    Entropy (8bit):7.847611422338244
                    Encrypted:false
                    SSDEEP:
                    MD5:EA4121C2B9151615E27FB3FDB752CAF9
                    SHA1:8C319FB77C19B3EED568E0BB4933DB9459A82A0E
                    SHA-256:9165841827CDE4EDC3511DCCF6FDB793352BA615F2C66986CBE203362D81890C
                    SHA-512:65C1F3FA1A5ECFADF0994CA0C7790ACD8618932D834674CFBB14894DE56456E9E4834F7464D01D90213B85D1B537FC8722CEDC06FE6ADD8B217108B708276E54
                    Malicious:false
                    Preview:..w.~U..iL......,.....p.Q..]..#..{e:.{....A5U.......N.......|...p43:...k.......&.....^U......@..@~5....G.s..:*s#LL.....J>LA...N..}...O{.i.7.?....ln........M..k......HXTk...-m.Y..?H}x7.<C.|b..H#w. .C.@..h{=.c...9H.Q.E..99..{+O?1...L.&`#.}...<.).X+c..j..Z.*.|..P:... .6m.Z.h.%.~..C}..~=vXC2:g...b...s.^..Ow.T.5..!t.=......?...z.q..\6.j.{.r.Q/..........i....h....._.....qx......2>.Gk.......T..U.|.!.I>..........................#......{Qgb^.#..G.C.m#.......ia.4r/....t._..d.`.y...)..e..u:;..lzW..q~......{*w..>.K...........B.!..[.cpH.(......<Ph.;?....U.-Tu.8..h".....S...~..F..BD.`..Aw..:..cL~4.3..G....a.5..Fm..X...k.=...+(.l>..2N.h.j..;.....<d..=/.<m..#t`j...w..{..:"k..V.]o.}....`.....U{..a.........\.l.!M\cA+.T.......ZOj.|JF,]q..7.@.m{..d.Q....\..qR.....L......Z..qu.$.UD..yS.z.}v..x.T....k.|.......N[.."cmh-.(...C...l....D...5.(.L......|.<..P+....p..7.u.(..`..@....D6.F,S.a..^'.O.[F(...]n...;:F.5T:..f.../.q...(H.w......v..%....2....Q...I.4..A.I........:..N.".]y..

                    C:\ProgramData\Microsoft Help\MS.SKYPEFB_ONLINE.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1480
                    Entropy (8bit):7.853851611892772
                    Encrypted:false
                    SSDEEP:
                    MD5:C70C7549CE86E39A269C67FA09DC0987
                    SHA1:F91C99CD309A131F7670F6EFEB79D5D612875087
                    SHA-256:E19668715AB794455D522E17D2D86D433D332183B2503B4118D8402DA8F80FE5
                    SHA-512:36F89BAE0F0DE5339AD4E87FCC9DD8C766FE8006B3AD3A6E67A9EDF9F0591A98504EF9D9CA391676F611D3F6A0339726A10862370B04DDFB869A175722D411AA
                    Malicious:false
                    Preview:t27...K..4....a.fRT...Y....RX..Yq.6....'.(.....ok+3'..<....}.`..~.U..^..P0........^z.n|....&..H."E">..?._...._.gX..;...H.Ag.x.....;c)....SY.`wS.......p....$.yT3..R0.dV.T'i.|...(...<..Kj..Y..wLF.^.m@.\.).q*/.}. O...=}.G.:......J?w.^l<.B.,<h...u.d..W.^X.c{..y.T#..?_g=...S.1(..../.$|..,^....B....s[...2;P..h.V.8'....U.....i.q.....D.c..3Sw.7]:.......;.+ZP.D......$.ocr.8...Y..~&..G......&.=Q~.%...P.....T..U.|.!.I>...........................Za.0K.4.{]R.z.=T.3.=...C...y*...>.t....^.qd...N.8.V.jn&.....,s.@t..}Y.....\...........`."v.........O..J....?...]br..B?.t.."......uk..?N@.....v....!F...f.A-...0...gf4&j:."....H..:.=I..FTV........$.Y..Q/)....z.2.4....7&..w;k.....1C.]...~.%..........pf..f...".:.....].tW..~...}..o..E.F..X[..|.B....--...a.bf..Y.j7.tH?.....mJ..9....Z.|.;.X$.q..c.r.....".[."...&,.Z.(.h..?.)\.Zd.*.I..w.Ky..l...p<...=..?.j`.l.yT.M6.....M.....(.8....E..L..:.&.md..t..<....(....4..J.....S.m..=..dy..g....m...x...y..L......n.*d.G5C

                    C:\ProgramData\Microsoft Help\MS.SKYPEFB_ONLINEG.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1480
                    Entropy (8bit):7.857940351082443
                    Encrypted:false
                    SSDEEP:
                    MD5:0373E50451FA9EE9868010D62FA5F7B9
                    SHA1:55EB7409136EFDF7786B46D47AE088A97F259CB1
                    SHA-256:1CE920D4B0AA221A0F21BB7E3FE0A7E31AD7FAAF3AFAE142F6D06AE6988C4D18
                    SHA-512:C0698D61E5BE33DE08E30EA30FC07AD00624A746D246E2EA07F73BDCF16C5952A39685D664C75CF4EC7F2386E949F1C94984B8451C9250DA2387CF8E8DB9C048
                    Malicious:false
                    Preview:.....O.%y.l.".e....<y.......iB|+^Z...!.M.u.......{M<}...2|.1D.."..x.1.I..S...T..e?r,Kt.H.~.hy.r......Jy.Z....C.8.....V.mR$V..3]/U).r..2.s...I......tr0...~..l..g.7..I...A..."Tf~.+=.[....6.5..R.r.R.'3.Z.CY..d*.9..T.o8.Mq^O.w..w~k........H.....y.p.....mrnb...>....%rv...(.se.........L.....5L.B.r"z\.f...}...$.[#....z.p.&.L.Tu....F.P..V..9..!.m?..si ..3..pifw......t..e(.%.%9.A.>..._.._0....A....k...T..U.|.!.I>................................w.....H.....:9..j..w...O.m.).'*..k.l......oC.B-N...~.1.:,l..U.K*...!FM....p...##...........;.[ p..~.....V.(.....k...[.....+...l....G..'.....q.^P5X..%..S./....z>...KKr...A.]z...n-&..I-k.C$.c....$~.k.....p{..4.."e.\#+.>y.h.(P.Ts4..;.|>..A5_...D.9.......~..%...+F.6.4...)YQ..~...a.I..!/.... ..E#....O9..o.`t...k..E,...K!.@.A...X..{m..7....R..N.y6..@.=.pMWf...Q.....#...8:6U..FF9j....-.nB..B...X 4..D.9.9.UN ..N9.6..`5}qk.....nb...X....us.sB).].0... .V.y....../xd.z.....#........"....oD,H..X.}k..C.T....G..}].hd.

                    C:\ProgramData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1512
                    Entropy (8bit):7.85810574782477
                    Encrypted:false
                    SSDEEP:
                    MD5:BE05D70AF80C873E1D343F3DEBFAA5EA
                    SHA1:72CC9E464E6A39CBC4C17393D60AEAF9F89676A7
                    SHA-256:230FF4E2CC67EA4CD83F988E89D89611748504F52B2AC8A802CAF01CBFC8E496
                    SHA-512:0A1C4D04C96A2FB484E918F94907038588550661968CFB1DE3D1591341BF3E19090EBC8FB5D58F222875BE8EE94B610158E66072A6A3C162A2015FB66C1BBB12
                    Malicious:false
                    Preview:j...K,...8s......W.. ...$..j5.....+t[.VI+...Rw......u...j..#E...;.N..7.Y]..Q..~..#&..JOq#h...GEw...]...zR.....tDv/.HsI..:S..3.isF=.p.%<X.9G.....tU.W....r...$.DV.....M7.sD'!..y..e.^*.L.d.c`a..`?....E>..h.eZ..D.....9.2z....+........,B.f....7.&.%.i.Yc......jy)...v-.6.'Z.?.:6.^..%..v}..L=.T...P..9...0...P.}.p....G.B1...r1z..:..A].{;.Xe.M...y....y.rN..j..r...*O-...5.k..HP..y.i|..h....~.1...0E.. ..d...nI.Z.../#....y........-...T..U.|.!.I>...............................A...Vr... .A...Yk.f...E......o..h........Nq......*mX.....d...Z.<....|.c...|..|d..X..|....(....me...L%..].~u1..7g...'(....(...P:..j&.[s.Q..^.{.RY.,..jC]('...Z...b.*.e.pvE0...?.n.......N..^C....b.....Z.T.`.J-..=M....).?...\.:.5q7F............. i....{1;..h0.`...V...JP_l.h..}...W}.>G~TgA){.j..._....b..M...t......pZ.d.K......[?.|eXA.... ....a....6e.(@..7.Kc|...X.w.i..Ez...q...Y},.P.H.9...nn...G.^.......D.h.....Q.i.q&..........Z..yw....-^..!....\....=.G.A...'.......6.

                    C:\ProgramData\Microsoft Help\MS.WINWORD.16.1033.hxn

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1432
                    Entropy (8bit):7.8585343568616635
                    Encrypted:false
                    SSDEEP:
                    MD5:5F0545863D1CA92C73D0B8F4E69445C5
                    SHA1:A29FC35492C271313B77B6B005F571CB97A6E51B
                    SHA-256:36F2FE91F14B79FBC8F300276FCFFE4E17047D1FB606CF79C0C1611925AC869B
                    SHA-512:D14D323EECCE525819E9B9C493D1C9BF565F214BFEB5DEFF6D2CD5AD1397E990BABB73C3FADECE52352280AD122430689B037400588AAD1DF01C30DBA930FB3A
                    Malicious:false
                    Preview:/.S.TB..z....m........0.......VX/..%.-..@...:...be.R../.g.....3l.M......3l..l........P?....>h..A...9.q.k..o.S.:.....+.9.6%i.>*.|.A...;..*zrw.hE......J...j.g@.?./.{~{DpT...U....">.u..4.1g.g.....(_/p-...k.\2^..X....j..PY..(........r...E..O.x..G3.....6d]B.:..w%..3....5.Y.&....;....s{.a-Rr.)^..|[u....+.YW.gp.KC...\...Mo....Z..8s....~V.GR&...b.2.;...Q...T..U.|.!.I>...........................u..0.....d...N....?......@........@.].o.e}b..#q*...w.1..8f=.E@"..Dc.`..+1a..Q..R$6/..[.W.A..=Z.mb..Q.D..q_.V..+..GK....a.[..$.e....-....|g..fuh.k.R`r;...s.p{..px.%} .h.*..1.._...].VJ..Z..Qv..~...^E.8....+_..$.?...6..&...;.......KhY.n.-b"..f.....#.......}.i...j....n5S.24.?..y...|/....YX.1p<'`...u.......!..@...&v<.G|}.v5I.+b)X..[..Lix....<p..q.2Drzi..B+*p...b..Ll..k.....tH.n.W}/...,...p...p...G..6..},.z..{+.:.^Z6%.._..!....SQ.......*..7.vsu.h..K.h9.F..L..j..n...ZZ.5..B..)...8...w..V..z............'../.U..*......Lm...g7...`TE.r...=.`......A...HE...4.

                    C:\ProgramData\Microsoft Help\nslist.hxl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):7336
                    Entropy (8bit):7.972115287923678
                    Encrypted:false
                    SSDEEP:
                    MD5:51EF479FCD12FAA9D8E754ACB9780B54
                    SHA1:D21BDDFC79D818FC95362794E368EC58645B67B9
                    SHA-256:6570480F29B09194CF57CC2FB11C21F76D2C565C73A91361B618990621A88D89
                    SHA-512:3097F39149FFBD47A4C3C19CA6C4E10960C6E45F3070367D66B7CA2B7A7C202E86FDAB8B8F26797E665633E86BBA8E50EFF5F58B552C668796444053BB69A1CE
                    Malicious:false
                    Preview:...s....Jq..eN...p,k.vj~.t.'.........h.....\&~.I.2......W=...A..@6..1.].+h..@........K.MC....M_Xsm...+L....F.1.e.......uf~..Am.].E..>..........l........S.+...~...}..;e.Z....x....#.O.....t.W.L.taH......o.+.\3.+V.,.be.%H.|...hHzC..;l.......(..T..@. X..vH....$...5d}...a.m....I..7%)......r....r.......1.n....l.x=..s;O&....m..\.%~...r$,....7m"@.1.s]F.......&.Mg....<P3..'.6.......*1... .EV.:.p.z.C./;.w.". T..........-...H.Y.4......b..yW...a.....K........}....c. ].LX..../. .....Ft...F.u.4.t.P.(..d.......y.M6.....H`.._}.7...g...v.<.Ix.....}..*.*.M..t..Q\.....bei..F_\.|..).....D.0...g.I)A.R.0]^1.c...y...1B.M;..#....... G....]vC'...h...+..".......3....h .z.PagJ.s\....A%.alR. WY.....h.\.....]..........Z1..`h...w...b.rm,..E\....I...a...b1.p1_.....}^+....l.i!.5"...a...O.sM...\X....FL2..m...?.~.|.Z}n........5..0N..).nH:*K......j..h.d.P.#....$...=..LR!d.6.*..[..O..._...z.I...l.M>.<O..C@.9,...O...6E.-....V.v.....>NM...u...!...G;.@..I.v...T6...w...M._.F.....s.

                    C:\ProgramData\Microsoft OneDrive\setup\refcount.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1096
                    Entropy (8bit):7.806190937685905
                    Encrypted:false
                    SSDEEP:
                    MD5:90F5C9EC9645033FC304C27862AAEA62
                    SHA1:06D6BD5758EA5BA9B15A0B116BBDEAC89D6C57A0
                    SHA-256:E825BF40D97FC676543BC018D97F7BFC0964B800A985BF0344A54B47C924C5AF
                    SHA-512:78AF565BB5D851C1210DAB260711B1BE68AA3956EECD1A9CA60EABE047AA8E707EBBE92183A0680924FF34E8F43B507DBCE5D9C64FCC8366566EA7F6250A9753
                    Malicious:false
                    Preview:"....=.....O...&..3@...1 >.(....T..U.|.!.I>..........................4...vr..R...._@'.......c.!......x..c...R.P}_k.s.N...^E.....6...~T..Qs...F.d.l...f..S.J...)..l......q..n..F.m.@.....&..\..y......H+.......c{M5i-j....h....V.:g...D.a.c...o...q^[._..#._.OZ.T.....=;.J.'..}..Yg.z......W(k.,.#p.s..;.n.Vg..=..{....J.....e..c..e....?.2...+6.X..l*9J.Q.x...rm..........a..[...>W8..Z.).X....[..t..z^.Mb..t..M.P.bzj[.....A..M..l..H.Q..&63X......w...N.7....o.3.sO.yaQG3V'&_./..Y8.[.|1..e6.MM..Pn...@.........-......g[..I%.......4...n.`I....".....I..:R.<Fk8.....X..x+._....j...`*..@ 0y8oM..:W..rX83..$.H..\[.U.d....)|a....L.?............j%A.g.*...]S...{<]....D.2..#Q.......}....]..R...a........j...L....[&.o.C_.un.S....:x-(.Hq..[>..[...P;OP.*.N.;t.;.........%.x......`.....4.......BlQ.V[....#.=.U.b.t.,"N.(...!.[:...y2..L^+..J.9...7W..DI.....`....2..........H.u......._{..7>...........w...=.,..'6cr....h~..{Sy.Bk..G...w9l..F.?....~...f'..3;B.SA...Y..t...E..Q."........

                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1448
                    Entropy (8bit):7.835950784351117
                    Encrypted:false
                    SSDEEP:
                    MD5:A9432C001999170FADAC357AB051413A
                    SHA1:A7854619D139A05ED744B420A59E6F58DB4C1FC4
                    SHA-256:F130626FEF9966D8DE1982A985EAC8ACD9847F17918B2C7C518B3BF9D48296B9
                    SHA-512:864AAB7C9738C8472AAA3FED38C6FE046E6E93A3D628A154E1F3265B4C0EF47F3FDE6E5E9F3F494F573D83E4A9D365C5B2B46E146C43D42961B14267F2C5BD88
                    Malicious:false
                    Preview:.k.uE__{...:u.|............T.c..d.......i.xU.Z...........(..C'.=m?.Mx.[...-...b.nL]fP.K..N.S./...V.....O.Y.?._8.:......a.T.a..i..QB0.1J....Q.......|.........R.3..czK.....Z.....)..XR.g_2.uUh..4..8...)......./.*n..&.}*0...s..bQ#.s......+?....9M...o..C..X.|5.R.,p.>...:.dR(.%.....{_......O.=.^6M'm..("....p4..l....l......L.._....R..jQV... [..R....w.Vr..x{a*......c.....T..U.|.!.I>..........................iK..H....|.?....~,.....e...+.".[Ds..`......$.%F.6....?._C.-1.%cH.*..R\...z.g%m..0..<Q..w7.RR...Y.4$ak.N.......R.Fzv...^..2.8DUjng9"G..S.v...O....t&....m....b.N...=.B..CCq....R'X....''.....RV=.......#...!.Ht...[......?.,...O............V.y..[.. ...g`..d...v.*.~...T..M..%$......8.....{..g.x..Sh..Rfx9. ..|o;.9..................t-...X....V.1#../...<...).6..?...s,.P..)#.....cd.U....B..q.z.w..5.V....#.f}s.1.|.`.............k..^.[<.rK.V.9d&.~~..8.7. KN.....k..;..... .E.......p(..rk.P........o.......+._r.T}U....../...........~2).4J.2.n.f...n

                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1160
                    Entropy (8bit):7.803190608854793
                    Encrypted:false
                    SSDEEP:
                    MD5:5EE9E02A61947CA28ECCCEB18C90886D
                    SHA1:14E6E3E48DCACCABC1C9635D10955927CA43E4BE
                    SHA-256:0C9F5EAC3608151517F91EF7C6AE54719B7BF2B39A337F6A6B50D54EC323CC83
                    SHA-512:B0181758C57D541EDAF09F7CBE5AB7FDF7C383B01902B5860FDACE272B09799594241655829B4A9FC65C3C12E7534B2E263AB302E130353AB59AF5C146A01764
                    Malicious:false
                    Preview:W.W...Fzx..d.|.x...9..kp...b0p..)..Q.k..+.r."...G.6.8...c..s{..H..~S..=.ka...V.p._(.@.B.....T..U.|.!.I>..........................Q...):......H.n..3......H..j......5.....Y.z%...z]o5..z.4.F..|..j1R6b..<%.+A...9G.Yn.`S....D.V.Yq.F#.n5..\B..._h..^.%..d..g.Z....l....!?......C.....an<.][....J8+.j.S+m5.S.........._........)...+....K"..\.dLC.sK3n.....lT.$....BQ.Fx...36........<Z.h..F...L...2....XM......p..O.7...D<..{...*B..b&".d...(._.Q.........d.ms.T.?8..k...&...4=fi^...............8./..Nv.~c....=}...p.^...#.-.G....c6../..M.P..u.M.=..>.l..G....{.....4....1aG....j3.....}ZA..}v....?.t.?.. ..n.O..:..n.^.....V.w,........>n........4.5..=VM..b....~.t_2......2u......Nq.1...S......FKQ$.Q..C.<nu.~ .rCzeT.V....D\..t..A-....a...J|...}-.5..=w......c......(.y....e.%.o...#N}..m..|..3..Xh.>..E.p..N.H.....M!.....f.......G..D.....&u...c...c.....h.G.._D..+.....U.[...!...Y8/;n|g9.<"S.!...",s`d4~..3.d.)j...O.J...t..h......3R.g.F.^../..;bF..47...N.sW.

                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2440
                    Entropy (8bit):7.927649882149807
                    Encrypted:false
                    SSDEEP:
                    MD5:0ADA1BBEEA69D2FF2BFB3D63967F3784
                    SHA1:A08603EF679696842E76FEFBE9FF7699BD764ECB
                    SHA-256:2ACF9B01F4D1ADF1D86262764A517E277B7378714A8AEB7D9674C638004AC521
                    SHA-512:79C3E5C8C27C3246F4A82F87E454D70A5479B2BE20F048A885A5D80D2D93F5FB225DFAC44077ACC071E2F76FC63FFE658D4EEE2CC8F0E031871F1FA74631C811
                    Malicious:false
                    Preview:k..."Q.J......k.....$:v..)...A.....w.Ut..k"......s..U....g:..#a.../.'....6./.NM.,.._.c.(..z.v+.z...h..!.I'7..t..b?..?.#....&^.....g.f...d.-%......FoKz..... ..;.6.....a.@..OE..ZT.5.U...o..VZ..f....y~.D.A..<S`...(K(.........ri.#;F}.w.=.....].>....W<.{mc.z`...;VdI./..0.=...Za..>.W..a.._ .`AI..E.R.H=.....M.@[...E Ba6...f.L..H.l..fC.m~....N.o..[..W'+..OK.b..b^M...^.>7..)Sm.....~.?....X..q..3X.......%.S._C..f.;.x...cH.!..B!`*....`.....e=F5..Q.n.v..........t..)!:./....a(....t..W.[..Q.U8U.c.s........0-.(+....Mj...6f..XN...l........H..,..b...H..T.G.b .n......r... cRW.)....|(...*M.B....[W.P.H"^o.....0.g.....T.,...iG..VS...>/hi....KE...OS....+.w4Fl.H|..6.mo..;.f..M@...U..,.L....7.`..!!Y.L.....^.....tl[....?...D~.!NRy..\.&..u...y.N....G.G...*Og.`....D2.......$.>..V.1..aV.....7...$C....U.Uq.Mb.?.&M-.;s......DD.{z...A.jVh1.......4..r......<..On..V.gk:..~....QL../.....?...7x.g...q. ...:w.......|%,Pu...DH.o.l...tq.~...K~Y<..{...p{..8.....)...@....

                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):3816
                    Entropy (8bit):7.944896420958302
                    Encrypted:false
                    SSDEEP:
                    MD5:6763C6AFA36333457209085AFE4EDD69
                    SHA1:DECA2275F4F0BC1F345B1632FA90B149B2C1DF92
                    SHA-256:A16B9C0AFA186CEE0B9E4E4A24D6B44BBA27574A1E37878697F2F40DA68B3687
                    SHA-512:4DD48047A5D32D808DD38F2BC57C95F849033122B1F3E9FD735426C806F976AA645305AD83C8E6D49D0093D051FB294AB838CB5852AD89366365B0A4BC04D834
                    Malicious:false
                    Preview:...y.iZ...c.%p.B.^...C.L.#,...0...V....[.0Av..........`O..F.. .F.=.;.....a..8J..@....`.Ih..+..e..R...w...jM...aA....: .cIb........q[....`K...=/..}k.X...'..x....GL.c...M.:.N [*..N.....{.....$....q?5...Y0..T=/.s..s....Y(TDa..=..i(;K..#.o[..e..bq}.....A...Qx.....F&q3L..v.....C.R.@@I`;.K.q.5..}.[8I..Ld.....}.uS..RM%.....Z.go.Pk.A..f..m.).R..=2m.&U....:#..d.$.\...#WS..k.u..3a.?J.Z]....../Ij...W.ZT.H...V....j....C=..[.`..we0j.b....yA..).}.3..!.tI..]}.a..5,.S..7.u..H..e.5.....T.......xUr....BR........p...1..i....f,...m....[..sFN6..Y..j.k....F...#...2..au..~..VcE..%%.z.h..v`.l.V.?a.$'.O.....{..'.?..G$.n..\6].=Q.C...F.X.eK.]m...I5....&).}9....n.'.`.d:....r\~. ....y...,.n'.....qh,..3....u...-...........C/...>.A.s...!..b.......@..j. @Z+...c+.MOi{...a}.R.....|.v0^.z.aJ.3<..W..5.6.6.}..M[hm.....##.2...-..b.Z...w..l.+;.k[...X8|..r..%.$u.F.L...!.. ..T...x.y.I..m<Lh1j<;.x..tt.....:O.......Wk..`D..2y.C."(.9.<..H|........N._..g.3..>+...T...i.....8...

                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1256
                    Entropy (8bit):7.816949684250291
                    Encrypted:false
                    SSDEEP:
                    MD5:60AB45B96E1E486803A83DC2BA4DA96A
                    SHA1:E3784E660D04820FB6DD76B2C5A9F8160E96C151
                    SHA-256:E4D069BC065065868EEDE3A4635438368A052D2151D29FC7CFA266E300D7234E
                    SHA-512:A4EB755F95B3C84CD48E8C3DB2187CAE1C275BBF5D4ACD22AA8E0BD44DC4FC1E5885E60EEA5743A9868EA61D4D737AF1FAB0634FEA01FFC337CDCFC8C15EEBA3
                    Malicious:false
                    Preview:=.u.....5.6x..C?'[...o...........z.>g.-.$.Cl...oi/...#....& #.t......xr...."d..M...g.,..v .......PAv.g..~....e..3. t$.......G_~...,.Y...R.E..Bw...I.|(.(..%3.......^........h\<...$.M.`...T..U.|.!.I>.......................... ~..$c)].....6.B......s......!._..|..a......p)....Cy.......j.%$'..T...T..6..2..W..@.....2..)>.hx..8..."k..G......E=.... ..=1...[n=.%....O.+..@......I.C..d...d...T.Ck.;i..H..:...4...;j.H......G$F... .Z#...z9....2....9A.s..U...+......g.%..f%c.#.Of..W.h..g.ZI9./s.....3....+5.%oZ..k.=..I.p9..}[..,.z...@T....D...^Ur..|....j.m....xc.o..F5.-)S...T.T.x..G..,....fkm..a.X=........T5...c.....(u4.a .gzI...6....H...9.,.......Z..k..F.(.....!.jF..%9z,.....V..>....:>..B....+..<.z...Z@W..Y...Qp...0....(0....&%'..h...F0Z.....=t.&x..|.f1L....g'..6~...Iz..R.[.z...?_.....j...[....9E|0...Gc...@Qa&.6..I..*...V.YY....G"......<......"...L..R......P...>).4}.1s4.qG........=.84}.....)....h...in...Y....BDp.O>y.ej(1...`..j.c......|i....a..R..aZh&.T..

                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1256
                    Entropy (8bit):7.841117103327788
                    Encrypted:false
                    SSDEEP:
                    MD5:D4167D47B2F0F791B4B2E6941A773FDA
                    SHA1:ABB8B4FB31378560FE76776C4CD77148B681BAC5
                    SHA-256:8A2A276391E48A233488F40B5BAC2B7DCB515A25EBB2A68FAEA44813992154E8
                    SHA-512:3917ACAB3D3BD6DB26BCA851AB902CED977798E010EF66F883A9D6EB41A95CA8E45B98BF6675FDC628772B0FAFB20577B0DB73A2F888A2307B45F840CD54BD32
                    Malicious:false
                    Preview:.[.).J\.5P.kS..K.v..y.!....K#$v....Xh:.._r.%....5..x..J....f.V.S.&....?.z.Q...~3R...;.P...>.j...............a{...o|.[.........F....0K...u..2g.)..p%dS<..7.....?..3. 8.......'...c9 .lZ....T..U.|.!.I>............................YK.?<f.-..'.D~p.'.2....3$._.Z..,.!d..#\.d..u...E$>... ..N-...XQ......k.....y.I.~.<k.T@.......R;.. :7\$..".xyi.3....*...J..b..y.Z....Z..n FW.E._K.p..W.k.G..v.....8...0.H.g.......m...6...tww..... t.;...*.........G..`f......P.*9?.!.T.1...Q0.ct....c....f..7..(|...1.~..Wju.c.{........;.........}s?..M...t...~..Us....<G.V"..v._.[S..:.,aR..W9.>rs%a~....`x....m.I.C...'`B....w....`v5..{....g9......D.u.].j?p..hT...:(...X.U.+.<6.2.fW..\n...n.k.[........j..../uh....y-.[+g..ac...RqI......]A..N..[.......m..Y.<~..\.B....J..)F...t.......B...*..&....=.#....>j..1.....+...Z5..h.O.%..S.g<.4$...o..P'.r....F..X..4...%...!...u.]-CSN...a.....................FPd.Ej.........{'+.=._8...m/.$;......+}..B..............,J.Y

                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1240
                    Entropy (8bit):7.8434152876318715
                    Encrypted:false
                    SSDEEP:
                    MD5:7768E2D385A8450E909346AE6219D3B4
                    SHA1:A6BC287B8A47E2DD2C30847FCD2E8D711A30BD73
                    SHA-256:881FEB89CC7AB21F14CC6344B1A18CF6C5913948F5098E230C5600035B67E4FF
                    SHA-512:746942E1568D279CF376A1FE5E6A283F305E6DCCB3477FD442DDDEA471E73AD3528245A45B10AE24722D813747E680CE2D5EE9D8A1D789E609D8D7DA5DAFA164
                    Malicious:false
                    Preview:.j.;..GjB.....FJ.~NU.:~.....j.....Fv+..Y..A.3.'.,e.~.....=.M.R..S>..4.`.Z.U^.....??.....ds$.f.B...Rl *.=.............S#7.)...............6...+.a......%......j.Nv...T..U.|.!.I>............................'.&}P.H-....qG.y...D;.)..W....J........b.(.!.._....U.`c..&....|O.'.c.?.'.$..x..\.L...D'.j.v.6.. <...t9=.-.".\..i[.B?...A.#.).D.Ey|.%..g...*l.....W.r.A..y]Us......4.....t.... 5../.....m{"[.1E...l..S...y.o.R......F| .~Rwk.....p..T_..u.t............E?Z..w..>c9...z>....R[..l..M.....Ki..;..^.........;.p..T..G.?.U.4.....xSAq...[r..*.7..4...Y..;.Odw.$..8.' 0L..w....'.Hp.H.|...^.&...^#.[.-...0.p%..@4.P...(8...5..1...(....y9.:g..RD...i..e)j,......j...B.a.f.....j.P...~.]!,|.........^.sx ....c.25#d.+s..F.9x'.......K....nDc...12......Le...G{[.I4.-.S..`....6.DY....i.Kh.@.>\5.X.F..:C...g~#.}A....c....R[..........M.:h. ....W.Ic......Mz...460.j .yF...y.{../........t.e.1ny.=~.T9........u^wq.p.{../C....{..!...;.(.W0...] ...q..W.M...K...[....y.h.as!

                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1560
                    Entropy (8bit):7.8674037767333305
                    Encrypted:false
                    SSDEEP:
                    MD5:4AB2D7DE587855E698C6615FB8664DEC
                    SHA1:AD5ABAD7568C678BB2E7CD5BB19073869B4A97EB
                    SHA-256:98F69F78D093791C9F5AF46104CD076AAB70F147A61CDF30465ECE831B17BAE8
                    SHA-512:075E9419E87A2813A80396C1075AA6728325D76C95C908236C6C90B6ADA7D30AFB90C83511C9985D97107795721DAFCB36AED3D83884ED618D0A36FECDA007A3
                    Malicious:false
                    Preview:J.a....m...#OY....Vd.TW.n.Z.\u"V2...7.x..#A....^.27..P.><!.....R.Z.?...I..........)..U.*..!..Id.P. k.krF.....z.d.(.U..I...,.|.2.*....:S.W..D.-..c...9>.....(/zO....vU.e....a...Y.q..nAn.....?.>l~`...p.z,..<Y...rBv .)..2O....:"o...s......L....-..,Q:..0......a.....g4...-....&.../'H.CP..}.K.J.?...../.!.....`9.2.|g...rt.F..;.......2......S....A,...._MN...k..4;B...c..NY.)e......*..F..#..$.8.x..'..-..S.....W...k3..slS....18n.K]x..v.NB...U...C6...Y..".>..*..\..z...I..xR...T..U.|.!.I>...............................<......y.sx.......'......^=....:...y....,............Ll~..j.`..D[...K.EN.i3X ....;.G\G..iK........3."A..+....E.XV.a...~$..@z.(C..(..s=.UR.N13....>U2....o..I..2._w5....,....}.TnO.....q.[$.2...i..... +..l(....?..%cbM...4aSs"m..d...>K..b.Qz..v..;.J'G}].x.&".H..Vfk|...k.....d.:.............6...g....O..(......h..?..)....w.Q.....1h...xY....*....,&....y.^.on\m@t.....F+.~....H%...8..4'....u.;.>\)..C.~....0LW|..A.YicI....e;..Y..m..m.E.

                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1240
                    Entropy (8bit):7.802314136846171
                    Encrypted:false
                    SSDEEP:
                    MD5:748F40E4EFAD079AFD40335A41717F8B
                    SHA1:0F9EAEA79AB646E4FC6BA724BE6121196C5418DA
                    SHA-256:09690361986169DE8D2883254E6D978C7C0EDAB4BB06F1EF99B50C1A151E5580
                    SHA-512:09A14D4E00144ABF5DCF1A7643C4C038F72321A300458B86692C90E0FEFBDCC6727FEBB26EF065A4FFFB2291175BF2227D8040B67D8631197E47C004C48DD0D8
                    Malicious:false
                    Preview:....gm=.U...G2.p.".,,.._...K;Q.Nb..lx"`9.H].R..$...1.A.. $.2..|.q..f...LjZ....6..p..ji.........Vrb....._Me`-t..+.U.R..x..........h.........]....W.U...../....F....?h......T..U.|.!.I>.............................>./t.+D.^.T..k.p.<.(.Y....p.@.v.t.\.. ...PP...X2.r..2.Z.W.u.....#f..x.k.A..x. .$...7.P......K...Z#...M...\k..c.g.4.w.mT..@I....r$..|DT.......1}..=A+8..."`.....*.]5jK.1S2q..4..wo.H......V.N4K.t..k ..s......../k....G.".ZU.....f....wzwN.l.T/.....E.br.......8<.~..;.....O..].]E.v..%...!.@6......[......4.z..Y5.....=......~W2........II..JE..R..uw......-.5.P..d.6..J..bk.....-.....d.q..+.K..!G6.~..NyC{.U.u.~>.(h...U.O;...q}6=..0.J.T..U....@{4...Zs.R.X...y.EE..0.([.k7.F$.......ea.l.....$k.D.L.k...b.....Lq.../.w.h.r........-J......P...c..d..Tg..R.i..3."?..K..r.}]..........C.H.3.g..B..XB%^.+......L..k>O...!b/.y.....Q.t.....~.J...<zbr...7.q/...Z{...a............U..,....C....o./..!..2.......a....e[..u..O......F.. ....8./.n....S...Q.Ys....e.[

                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1416
                    Entropy (8bit):7.83438853506267
                    Encrypted:false
                    SSDEEP:
                    MD5:C73E30562388095B0424E5068EEBD0B7
                    SHA1:092E7B1704E85757D45AB4853DD84DAA98F56548
                    SHA-256:7006BC7C8F1829190A72739C5379E4658BE80D356929294D8D0A8C036B8F33AE
                    SHA-512:EF276AA085780171A20B8736B9686A933117A6D98BD3A3FF925BCDC0F6A8F936B99EFA7C57E3EEEA8242A8B6E894AD54FE4BF03D55110452ACFB539E0265556A
                    Malicious:false
                    Preview:.A.KX.h.8@..;.s...t&F.Z..n.s......V..R8H...`7.W.2.ZCi'.."Da......-F...+.4?.... F...{^.....h...R.[h.\.G%.:..>"+.._...7o.:.B0Rc..>.Y.C6@V.!..d...NX...?3.K.....>y7.R-...?..].aS.=..v.qm..3Xy.o(..o..WE....TC.$...,W..TH<c.fF.">82i......Q2.G...a.\i4..cq~s.~>.#...4O...1.....r..C..A.....x.I@%.6......Vxd!"..".~.......?WR..hD...C.+...P@...Y.......T..U.|.!.I>..........................Z....*C.!..]r...c..@OO..&.e..?.....(Y......]..d...U._#..d7....w6..EX..p......(........G.U.{..h...w....+.>..aW.^.~..].v..xW...V..)._....P.:..~.yO~[k...l.G...s...QF............2.X..dh.bw.I..G\.dP..\.!....o.W....U:.t.mzUuE.Vn..NU.3J.Q.}...J.].a,...tIQ..G./...P.".....*T.Y....c"...{(.!..i.0..{...8....#.....{j..d..5.<.2......Zi....u.^..3.R.'...F....3qe.b...gb..1p..0.... 8V.!..I>..p9-._6.?w+........;D...e...,..!.P. R..F[.u.._[...~Mv.v..7X.U%...'.%._<.._......`.Sw..m.k7..!._..L[..$.Uq..x+..<kkZ..>.on.=.......Y_.R........$.m/k..P.E&.#......u...iQ.^...Y..{>.4.{C.9.P..Mt.4_.

                    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1816
                    Entropy (8bit):7.879573900859275
                    Encrypted:false
                    SSDEEP:
                    MD5:F538C615BDED93021491A592814F0BA7
                    SHA1:D5235FACDA96ACC8EB0D92A7F972B18C49B10593
                    SHA-256:E85721DDBF994AC0F7595582C99D6DEB3638FBABD662D2693B85D2A19F17A821
                    SHA-512:43144173383782F0D022283209A18CE35D1326B0FFAE2889A20773F9DA72B613CD44A0416822B1D63244513E63A4745751ACED545546EFB0A8F310B80B325B53
                    Malicious:false
                    Preview:.....8GY...1.D.'._.!.+K....!.......II..P#/c...u..b%.b}..$....i.pw!8..v.. .F7.b^/.4[Kn.C......M..kGA;..RG~.m..]7.@.M.!.#.hxc...J..g1.L~..f.6A.]D..F.h....B.x...L.P.\u......xI.. \....{...)..ycO.6.?../...."<..*....Q*...rP......^5p...4u........l.p.}U.+.B...h...t.2.$m.a...>.7O].TFg&;...rE..d..l"^.....Gv.(...l+8h..Gn..].b.XX.......J.....G....51........en@qh..+B..>.,....Z...o....n.J....'N..4.E<P.._.uB........c.R...n......+Q/b.icA...b.r.!.xOc~..`....0.h......a{.f:.Bc..pw..vF......6.E.E.)..k/.N.z.4....H.N..x....y.R?..J@m..]...3.U.....8$Q......>...v<s..J..W=..b..O$...B..=.G.8..........P.T.F3pY...;.U...O......e...'B.xH... ..ne..v~..f.....9.7Jq....K.........n<(......o.b?rf..A...N...P[*....-gm.'.......C....z.p..$.0*.],.vn...T..U.|.!.I>.............................h^.e....5...u\."H................l...1.o.+D.q.....5..s^....vI..../...L..........]m._q`..........^...}.b..7.....C<Rg.W]...@..N...|..NR.i0^.r.e..........M.s.fj..yh.ZO=..l....fC..Ql.......g#,..

                    C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1240
                    Entropy (8bit):7.8174876707495455
                    Encrypted:false
                    SSDEEP:
                    MD5:09CE1198E002D0272CE99F0649D3B8AA
                    SHA1:D9FF3809B76CD7D600D6AAA981F502391DF4F51A
                    SHA-256:455850598FFEB59599AD35748948AAE68BFD3C79DCF74FECBC20FA5096005599
                    SHA-512:A7CC5F2A1A7683738BABA80D80683CF307ED84CCFAFF53724EC9B4C636F191463D7A7EF07E6541CAC1037C58DDE790401B1EE8B0D181971497A22C9A023B3AA4
                    Malicious:false
                    Preview:.D...UX..$....PoJb.zC.Sy..`w../I..,4.....MV..}&...V...:......gpjhVb.#.3.v....@...Soq..n.[...Hp..e..O..5.SLQ......+}..)..K....L.|.....T.!..SJ.....W..G..#$.:.}G......I.7....E...T..U.|.!.I>..........................;f.5T.!..K{zF..].:.....+W.&.H.z...rj.].....S&.e...S..1........t..Q._z..V..z.g.;o...".dn6..I...u.J.^......w...i.9Z.....0.2)C...q&.>.L...^...',.=t..............&...\...q$....q{.&..<..[.S.bp....b...H...$..T}..x.o%.T.dH8m..;..+%>O.....c.u........l.VF1.I..$...]...d.:W.^.....k...x.........|..X.S\..'.$H2v..O3.~.#....^....6.^..aR.IFHO/f..d.RKw6I.%..|.-......Q.....f..1..u..B^#.u.I..=....t...1...I:i..D....K....J...AtED...o0..75\...l _T..*....i..xY.'.B.Y...m....2.......;lA...v..G]...{....u......p../.14.....|..../....o/EP..zBG.G..Sa....@.t./(..F...*.m....7m.R.....(.._7...d..V.7.E.X......&.....(.y.S..L..s..3....;W.Nc...[...iB.c..t..k\..Z...>..;)w.O..+icE.#..Vajdb7[.{.>....Sj..J:....g7......E~.......~...m....0....o.2E&+..)$s%."{/.vN.rA^.j..7.S;........

                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_PLAY.mal_.exe_1445cdc43efb964b32befeee25a179accaf97_d3ad2702_0d741ad7\Report.wer

                    Download File
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.8776322938149091
                    Encrypted:false
                    SSDEEP:
                    MD5:7E85EE03CE975B72B4322881335953B9
                    SHA1:C3E24BD0BF6550D0B9BE3E3D222A81FFE6047E5C
                    SHA-256:54A57F71E6BC2525978BCF7AFA060C9B259655C18787C5E1C9FBE0D92226A73E
                    SHA-512:F3DD4C8C0DD9AA8A43731D60AC2EEFD94494E1D8D9DB06A0E551D4A09DA1A1BF1F404A2DD189711879943CBF693040F366BAB2819FDBEBD99064EC062223178B
                    Malicious:true
                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.6.5.7.2.5.8.1.1.3.8.4.3.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.6.5.7.2.5.8.6.4.3.5.3.1.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.8.1.3.3.c.0.-.e.c.d.2.-.4.8.8.1.-.b.e.2.9.-.4.f.1.9.8.3.0.1.c.3.8.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.0.a.4.4.d.c.-.7.0.1.e.-.4.f.1.f.-.8.a.9.e.-.7.b.f.3.5.d.5.8.3.2.2.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.L.A.Y...m.a.l._...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.4.-.0.0.0.1.-.0.0.1.a.-.2.8.4.f.-.c.1.5.3.9.2.b.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.7.7.c.a.1.9.a.8.b.6.7.9.f.0.3.a.1.a.b.d.8.d.0.9.f.1.2.3.c.b.0.0.0.0.f.f.f.f.!.0.0.0.0.1.4.1.7.7.7.3.0.4.4.3.c.6.5.a.e.f.e.e.d.a.3.1.6.2.b.3.2.4.f.d.e.d.f.9.c.f.9.e.0.!.P.L.A.Y...m.a.l._...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_PLAY.mal_.exe_1445cdc43efb964b32befeee25a179accaf97_d3ad2702_1fe7fa4f\Report.wer

                    Download File
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.8802786775267577
                    Encrypted:false
                    SSDEEP:
                    MD5:9807D8ABB51E67D7E7214B2A42239621
                    SHA1:EDFD8010242E7DA7A36B65D7B87E60B8625D939D
                    SHA-256:B074F296BE7FA6FD660586B9A4E4312978032ADE286F8497E8B19AB91AFD5D4C
                    SHA-512:236527CAE2D2D37B6D9964FEEF5DF3358B51463AECB367E9930ACA9732672135CFE89F97CC581DF4F1D908339C1B37E406DA6412743BF280E58240BF120DAEA1
                    Malicious:true
                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.6.5.7.2.5.5.0.6.2.8.3.7.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.6.5.7.2.5.7.7.6.7.5.2.5.9.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.2.9.7.6.e.9.f.-.c.9.9.e.-.4.3.7.4.-.b.7.3.7.-.1.4.2.2.5.f.c.4.1.8.6.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.e.e.3.9.2.0.-.d.c.7.8.-.4.2.1.a.-.a.2.d.e.-.1.a.a.2.2.e.7.a.b.1.f.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.L.A.Y...m.a.l._...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.4.-.0.0.0.1.-.0.0.1.a.-.2.8.4.f.-.c.1.5.3.9.2.b.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.7.7.c.a.1.9.a.8.b.6.7.9.f.0.3.a.1.a.b.d.8.d.0.9.f.1.2.3.c.b.0.0.0.0.f.f.f.f.!.0.0.0.0.1.4.1.7.7.7.3.0.4.4.3.c.6.5.a.e.f.e.e.d.a.3.1.6.2.b.3.2.4.f.d.e.d.f.9.c.f.9.e.0.!.P.L.A.Y...m.a.l._...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER1115.tmp.xml

                    Download File
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4556
                    Entropy (8bit):4.450296899699322
                    Encrypted:false
                    SSDEEP:
                    MD5:9474151664E27EEB46ADC52D4460A2D8
                    SHA1:B76B2CDF48DE5194A98C53A65F41F53F43C930B8
                    SHA-256:801ED6B4B8238A5C1B362BB9133D8C7CA4C90263512F5106045FCAA97B6CF772
                    SHA-512:ECE123A638793AA11B6FEB17C80885024473720129D96E7115B1F9C195F83A2C922E203D103108BB43BC627C263C7FB6E7F67F918BC667F4671F464C5BBC5CC9
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1674200" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FF.tmp.dmp

                    Download File
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Fri Sep 2 06:09:42 2022, 0x1205a4 type
                    Category:dropped
                    Size (bytes):957392
                    Entropy (8bit):1.3723198026432557
                    Encrypted:false
                    SSDEEP:
                    MD5:2CCB07D2E4CDCF4149C56D4094CA6E87
                    SHA1:335EF440324835ED43AA7EC8AF87C82B559A03A4
                    SHA-256:4FB750627C8E949789A3EE55AE592849B5BEDA39D9807188FCE1F59DAF8E2C98
                    SHA-512:18472282C857229F8645C8FE0A95723BA4B933889EE8D30BD7D795E8EFF2DF48134494C03B1AADDE1F40F12B179AFCBCDC57815C07A24160AF619352B052FB29
                    Malicious:false
                    Preview:MDMP....... .......&..c........................P...........T...(1......................`.......8...........T............i.. 2..........|1..........h3...................................................................U...........B.......4......GenuineIntelW...........T.......T......c....*........................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8ACC.tmp.dmp

                    Download File
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Fri Sep 2 06:09:21 2022, 0x1205a4 type
                    Category:dropped
                    Size (bytes):959142
                    Entropy (8bit):1.375379342930634
                    Encrypted:false
                    SSDEEP:
                    MD5:414A90AB5F05B863F391E01826E810FB
                    SHA1:01BBD8050102C1C17DEAF00CD68B343829D57A38
                    SHA-256:84D39EAE4B83714BC06AF06B2F0D1D5ACC7773992B21FF6FC7F7C4F135790CF5
                    SHA-512:017DD56A3C8A825C52333AA541FE9C510CD8D10246024E4D12FE9B696F7F1C8BD1D2B28288CA5FA610CC07F31FAB0E1631C16F66E98B71D916A3D567C7F612A3
                    Malicious:false
                    Preview:MDMP....... ..........c........................P...........T...(1......................`.......8...........T............l...6..........|1..........h3...................................................................U...........B.......4......GenuineIntelW...........T.......T......c...."........................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5B.tmp.WERInternalMetadata.xml

                    Download File
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8328
                    Entropy (8bit):3.695088789305334
                    Encrypted:false
                    SSDEEP:
                    MD5:AB7F45EBF31CB24DED7287D4E501F36F
                    SHA1:4CFF31B2A534CCD41794B08587B5F6C3DCA2736F
                    SHA-256:B3C702239A64E4996F92C86D73DE64C168C8DD9564DF9440442AFC7D81110580
                    SHA-512:59FBAFF9B664031227A476EEEFBFBFFDA40484B8C08A90E6D45C1C0E1051CC9843B439ACDBF87364695FA7A31AC231BBB7A462CDD659A10DFFDF98938D290CA2
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.0.<./.P.i.d.>.......

                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERE60C.tmp.WERInternalMetadata.xml

                    Download File
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8340
                    Entropy (8bit):3.698318739156516
                    Encrypted:false
                    SSDEEP:
                    MD5:180CC709B365E0C91CADB3EED13B6E95
                    SHA1:794CD1FA935A5C5D3D68C2C753982DD9083AA8EE
                    SHA-256:E09F7EC8D26B4D3E451A0F67D4F812805FCA80CC67FD81590CC1E0E581BA4AFA
                    SHA-512:8C0C53CF92C27DEDD117EBF4F7B224AC3ABED4D430765C95428243564DD225C1B41A4FF2C779E58BAC61899758BAB393B4B067809109B9BF022B84BB37F7D322
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.0.<./.P.i.d.>.......

                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERED70.tmp.xml

                    Download File
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4556
                    Entropy (8bit):4.44745166367665
                    Encrypted:false
                    SSDEEP:
                    MD5:BA5044156CF70E83EE9A98539A470BA0
                    SHA1:49A3411AF63A713BF8E78094192B115C30AF9D6D
                    SHA-256:2D504D8AF76B3B1B7D1BC7D931A0DDBB5B6176DA537602C42F632E11CCEF80BC
                    SHA-512:D91E35BE8ABEA234C6035D775182127A4DCBA11A49E478F1EF5BEFD67C4AE95AE69DBE0019BADBB4C04C67592D75E72A1E09B68544D9F3E1DDAA82D7F7D8AB34
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1674200" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                    C:\ProgramData\Oracle\Java\installcache\baseimagefam8

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):70998744
                    Entropy (8bit):7.1920930730820665
                    Encrypted:false
                    SSDEEP:
                    MD5:17374D0E39C32C17ACB8AE323ED5F4CA
                    SHA1:FB40D69D68F2A3DF56B85760355D317122F93DD4
                    SHA-256:23F8E3C4FC82B23827147A2E607EE067850DAA4E1BD98DDF1DA13D85B282E508
                    SHA-512:202B77D17C60A15D3C881DB679A7F9403796AD0B9D8599BB9402EC3DFF3A862401A3107DDD9C3378BDDF07728B3F6BE6E4129C87C57D62076E9A538668F86321
                    Malicious:false
                    Preview:?.49QT..[..B.<.x.e...P]f....`.Tn..Th..I.R..>.[..>Q.`..a...:.j.{7#\.m.......a*.1..k........../..I...Z....nP..i#f..^P$..+..).._........]']o.T....~9."{.........n.\E4:.....y4......XN.@..\..P.L...sX...&.....zBfhi.JY.c9kJ.......p...oy...F...fTi.GLP._r..H4..~9..K.s.}.1./....... ..\.f..H.4;4;.j..O.......h...W.&....6.J....$........J...e^....R...-)...O....E..?....G...L...I.....I.s....A..0....r.%.W4f..._.+\PN...,D...8P...*.T..................+.{.O:.....l.>8.s=X....wSf.v...l.@.]..C.....%tOU.;]...G...e{..#..h.....a..z!b_.........g..."Y9:f....+Ib..;)EN.e.H......;.o....*>.....:..v..D..o.U.X?..3%w.#l.k%/j...pT..R.@iw.N.f.L..)..xHb..'.k....w._...)_w..*..m.".s_...@Tj.PC..N.....(...\S...~..N.....|...E.xmL.........d0]......w^N.W./.Y`Y.......*...j...^.).3;x............Pl6!.7D?.......W2L......O}X..C..gj.SR._.N..R...$...n...B..+.D]..x.e...H.}...."..L......v.d...5.'_.=AE?mfg....sr.IS).......:....|..c*.t.....`g.....uY}.+..",......Pp.. ...V}F)....e#...>

                    C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\state.rsm

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1912
                    Entropy (8bit):7.891145908319616
                    Encrypted:false
                    SSDEEP:
                    MD5:3152D820841DE233983BF8043EB4A4EA
                    SHA1:CCAB6091DCA52221287A3BC13CAEB7EE31142229
                    SHA-256:037A7AC44C24BC80E5414BD3EDB4C4037E448FFCDF4C147E87E2461294BFEE66
                    SHA-512:8A2EA2D5961E0B6D33CC702E3CE711867DC19E2844A46ECF7CEE64D7E2926625EC7D3B9888E6FE52E0C6D24532CC08D028041DEDA3C18775418CEFDCFCA05BDC
                    Malicious:false
                    Preview:E..}W!a.8.P..q......\8)*..... .S[.8+..........f.|.....3...u..!.G{.P.~....\.,!.RQx......{..y". ..v5...H$hW..u9..J.......6...#.C..])..<..OH...e\........-.!^.w.;l.U.-..B.....H..E..2....R..6.......rz.......~..tT...j..sd.....v.'...!.L.w.T9Q.....o........<...G.@....'...h...LA.I.....z.QQ....>.....`.#,.7.1.%....?..@.....(5..pB.z.{..-1..u...k<...T..o]...%Z.hk....Y8F...........f....&..;a.P......h...,v.%.s.t?...>.TBj3G.tU#....F3E&^R?.L...:W...e.8.[..>X.i|.b"..=,c.J+:....1..O...EIx...m.+.6U:@....f./..i......o?.$..:..pYw*..P.D...!.....w......v..)NE8/...>.{.....~...=..:n...,K.F...X8......K...D.z..g.gP...f"..T".....z3...-.V...p.......}.X.\iC....S.....t..Bf..!{......O......r.jVk.s.Z.H..a..j.P.^...B..d[..`j.g..h|...,..e\NcI...&..t...k.....]..w.I6..aN..V.Q......u..m....8G.y....>N.&S!.."C-b.%i,J/.y./.YKS.jcIV.*..........T..U.|.!.I>..........................)...o{..O.]......+.)/g.Y....xW.....c7.s.0?..{....q.|..|...."Z..g......b..TH......f..r..?.$.S.U...]D..7~.jdo

                    C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5730392
                    Entropy (8bit):7.998218407656717
                    Encrypted:true
                    SSDEEP:
                    MD5:6222B05A8F17B4CDF67F0102A1DD3963
                    SHA1:03033BDAA22D456D3CEE148B97821349C30C5189
                    SHA-256:2EBDAFC2B6E85AF9D95ECC78E8DFC17F5A46851E632274E50678A2E75C50D605
                    SHA-512:6FFFE6D6F6BBE5A1BEE0CA9673D4C8F2566E1526A4D84BE5C206FA8E094E6BE3DB6FB64B85788CC5DBCB261FD4F1EBC6AE83E35BBE1630907DD0C88038E7485D
                    Malicious:true
                    Preview:.fp.....=(_v.....|.4..+..n(?'.....0.SYM...+~......=i..e..BU.....1*......w.L|Y..t....'8l.......5N7V.c.R....p.m......k]w2x...\...h.N....#.`=..1.TR.Q.....H&R. ....R.d...=.S0.BE.n......(..(../...g2S.5k.Aw....A..VP>...8...E.&.j ......(.B....m......db/.9..n..<.E...-?X;x..,....ea-x..>=4;E...PD...M.!.l...:..<.n..O......r.M....-4....pU!.8.....nDV.0.8N*.~.........V.]..i).8.....L]..]Y!rr.....I~EG^.:#......j...._._96i.H....22......{_\.u.N..@.;...j..F....*R.Sj/W....I......<5F..05..np...S.3E#4......}N.pH6.&.6 .......,..}@&.ON[T%..j...dM'=.J.....:.].i.|..t...1....<..#.<.p..B..D.`.z..g......z......QNj..$.(;-......m.....gbM..|..`Qp}C02.......8R2L.Q2.d.#.}..F`g....S!#..CO........B6{h.....mh..MR.N).~.\.X.\h...%\t.==..C..Y.w...s...A......D..H..(..J.gc-....3...v........TY ..~|..........d3..}.. .m&...<.......f.x..Y..o...+.^\.(.......H.k...S.A.....]b....gM.l.W[..~.7....@.{q..v...|De......2.( .....LTE..+Q.;.1..............p).l<.]~.L.M./.....X......^(a..hZ....E`.JM.

                    C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):998120
                    Entropy (8bit):7.99978509937797
                    Encrypted:true
                    SSDEEP:
                    MD5:E334B39F149E8CB938E60A89E447D480
                    SHA1:386ABCBA59ABCEF25BB27684650647C865E0B54F
                    SHA-256:8CC70B0B754B465FA95689310CCA370B0B14EDF669867E12ED2FFEE2E9BEDC8E
                    SHA-512:B06E50D1909A66FF40E2C41014490BDC285F4AA126C62A89583682E1DD8C714863488DAFC1F4549C263B8BC591D094B81BDBA9E83EB2AC0B4A645970723B090E
                    Malicious:true
                    Preview:.r....3.m....M...-.9.|..).<n..B...0.9....sV.Y..X..:.@.d.!......._..D.0M......ep8y...K'.\...~l.-.Wo.+.@*.6..x$(..C*..v..8+8.U...@+C=q3.JN...5..=.@^-.....b.j~...qd?.a.5...u.....'D.^A...Da...}O..e...5/..L.I..Wa.9........3!.:..|9.^.W..:.u..>..{...5Ds.qJ..*._.j..i... .....s?.=.e...QX.....*:....R...M"......E*.=.-..;{.M{...hx.v.^U.Z..p1.z>..2R..-M.i.YW.u...d.#..M.......S...R.5..h..Q".Sh...Q..7&B.a3.....2.....&. .Lu..Fg..L....$..J..e..#...L..........f......2X@..s..w...}e...W-.G..FP.-..(...F.. k)!.i.v...@;.ro...t."-.ud..F..A...h.....G...-.hM....L.,.....A.O.L..~.pB.....3b.&......Mw*Bp...5.....:.....A.1Da....8B..@..MQ...O.....s....p.q-.|H.qn|?E.HJ....i.^s.P..G...a.....1.Z.....;...:..y...DPQC....M]W.Sl.(.C...,.....b..P....D..g...J;..D.....W..(V[.....)/..&..5....."Nc.(.i....1.FTE...............sl..j.\....wjy.E`.....s..4..blG3....7..+.?IY5..a.b...)...^.|.G8.I.F.>.......!..O......q...BR.\....h...|..8..ns...64b9.......i....nm1.+..\Y.u*...f.v

                    C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\cab1.cab

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1375656
                    Entropy (8bit):7.999879159751151
                    Encrypted:true
                    SSDEEP:
                    MD5:D9002130F4242DC8E809AFF562CC6BF8
                    SHA1:C0EEFD359BE2F45C44587D6656F17ECEE3136C18
                    SHA-256:848F640530A3AC8B07A751B90803FCF2DBA7A0B1527E80D6DC046EA1767E1DB8
                    SHA-512:4F8EBF20832D14649F699B9438DA3E52E2450CB08295F3FCDF18754C22B65E13C31889432DEA22FD773BADEF9339623DADED36B3F99564EF9C07ED388DB10299
                    Malicious:true
                    Preview:4.N.......c...['..q.."(...)ge1.\?...2.*?.)U.~e.n$^+..mE....FV.."[.{.|~.[...{U..=No........(...h....d... .....UP;...I.6.8)(.6;.5I..^..qiDP..0..G"j...09...=P.Y.j.........0<\%.wia...H.<..../.'..*6..Z.?-6M...j>/.....<...d...AT..a....J........gK>?..c.L.0v.C..|..?l@k7.....s..S.,....Y3*g..8...e`......+..[....N._...{......*...fC!..@Me....<~.....O...g......'i..G.....J......./.Kq.........]H.e..P5a..._.c.k.Y.c.ON..B|/.....H.\....S..9..T...v.x...%}#.YA....o.._....]T....qy.9(......!B-MT$....v{P.....(.~...M...N...........G..................\...Y.zwz......g....._L.N.NA.oz.h@..3.JQ.,..aL.Z.+...........y.1.w.o.a)..M[..`#..E.C..^...k.k..mL.....C..t./.).Q..#.h:"... .#.\....O'\.Py.T....n...by*......K..._)^.m.2>/...Y.....m...+..1H<ub.........1...z/BG._.....VY..s.n....:.]....=.xn,.b.....@....Ko.I......+."j........_(0.;....L.2..aoZ..,X......{'..|\....._QzVK..C.V....G.?.....wz.S.B....d,.......z$.h.3...^....5.<..M....P.t..3c......M.Rj....8%.ZD\uh...-.8..

                    C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\cab1.cab

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5207768
                    Entropy (8bit):7.999966412295427
                    Encrypted:true
                    SSDEEP:
                    MD5:3636098AD5A3F487ADE97AA79ABF84AF
                    SHA1:2BD6D8DF3C275FA14A3E7DFE189D9551235EA666
                    SHA-256:0AF4546B94C23428C6FEDF50691B2DA73905D188917E1DA8AFD198F3D8B9384D
                    SHA-512:8AC844B42E15FA44372661C9751D4899BDE4B2AA0D20AD765C8D3E59C5C412A2C31A3D02208E0A2B4A2118CC4426C0FA6DDFEF444CAD651C43ABAF45AA04004B
                    Malicious:true
                    Preview:..H#&..2>?....8..J......iO.Lf..~.+....[S...'.O+.....Y..........[k.h.R.gn..i...x.....>`..\.IH....f...f.A...D.....5...eU.8...C.d....{iq...@s.}..;......$S.2-.~\'......d..'"7..Q.m.E.a..........!./..(.}....sC.g........RA.hp.....\}c..Ao.b.....1W......H8.......e..h"....'..E.p..K.?0.{..}S".. .& .s.Q......Em..z.`..7.nM.kI..'.~1.0.....p9..%..a..|#.A.k.v`/...kU.=.[.|...=O!VkH..........z..>...Ij).T.HQ.@..J....e..K........i|C...o(.W.B.E....'..E.r..g7.n"o._.....=..........I...p.[..WF.e....<..D...]..Q ?..x...3..^p}.x*1........r.".n.....O...........Q......K.e.d....B.<..:......~.....1$. A=.~...6........u... ..am...~...7.......'gL......-.E..43.B..jj..0..NW..y.......%..s.yr..#g.i._.(c.W..D..V.A1N.....2-.#..R..^ .2..M.4...".z..*.W(.m.X63/K/...v.P....32V{..>A..|4A.B.m...yg...U..cj?E.c...Rv..D.s.Yw..D.....CL...C....b.=.....%.....[U.-Y.5.......Y..^2....R.h.).Z..1......c.. n.GU...qV*).6X.u .<m]#...|.?....Z.k..gl..?........9....j.....&............Qo..

                    C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1896
                    Entropy (8bit):7.898735813165513
                    Encrypted:false
                    SSDEEP:
                    MD5:7728BBDE4BC0115505BF24BA900C0843
                    SHA1:945B4DB73762602FFB99F1B25D0892A5968B1DF1
                    SHA-256:A3ADA7E88D9A6D16AA2600B4911FEA68B3FA51E030133BF9A0A11AD058961554
                    SHA-512:395C3CE61B1564420B8B2C3525349E0975C720239F7BC989F004E8E817B2B64F6EDF044F4672BA5E0A7320CFF760620CA9DAED2BD660DED0C99835B92962C032
                    Malicious:false
                    Preview::..3......U.Ull&.n.P.V...&$.h.mg..n..h.$d..HF...7>.s.....~'.X.......d.{.D..'.....G.Bg{.w....a..]r...b...k4.....(`C.......9..O...4...Z..1y[@...K..vW#.h......0..c.~8U..uT.4.e.=....h...9.3.=+.8d...'.....Q.T26.?.q...D:....8..t.\6B..+b.9.......X._.......D>.]..C.+3..).n..o....N.....5I....f.[.D.<.Q.....Ex5..."sK.g...../xK...(..x.C...}W....Vc.....qq.(.5)W;......7..jO...X~xa.j.u......ai........hF...uX.d..Et.t..vSC....D....p..0.}..^....'.9Nw....4@..,ruV..X.e.z....D...8.HP"T&.g.....A.m:.i..Q.g.W...p8..n.......2^r.....I.\...1UL....S...e>x...(.e...*q...:.f/R.W..\.r.X..X...z~U...v..A.@..e._.!....w...(g...6+.:..oc......]t....(.Q..S8G..../..:^v..]...$......t...:<.~..0)......s..{}H.T.V.&.z...F+}.G.'.Y."4?...#vdU.....Ig(...@..C.i.."..(.=.1.$..[.GH.H$I{P.10?x.f.3D.X....}K.N.y..)....Z..(..{G.>.2.....~....T..U.|.!.I>..........................`_qUa.I..C....\...D..s".I3.c..O.'....c....s..YR.|.}..[.U....Z0%.E}]..(.U(.........V.....v.FR9......B.ZV.M..xBV7hxm...\.:.<..

                    C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5801320
                    Entropy (8bit):7.998380365036347
                    Encrypted:true
                    SSDEEP:
                    MD5:1FDE7C3152B3439E53005CFC15EB31A0
                    SHA1:ED899CDC613944C81429536C168B0358FA1C2A48
                    SHA-256:C6C38479471E9E6513FBB9A81BAD9CA9A81EF29BE47A9592B078389A457705E7
                    SHA-512:43477CF4D955022D54749E8E1B9594E09293E3885B719D9E9516CFBBC9D008E1C0B8165AD620710548AF154779BEDC06291C6519A4A1C0B5434053D041CEB956
                    Malicious:true
                    Preview:..'.Hg#...A..z.}....6<.\..H....}.....wC9@....QN...Q.uj7..k,....8d.....N....U.A...{.A!...Z...;.NP.. ?M...g\_.....H....G.ci.-]B.X....O..$s.T..B...-...D.....R..r.h".V...,<V..W`c~4<Zd....6/E3..h*.......5..`a^.).N,.deR.R.(.K.Q.0..J...Q........qb.*......`.o..6+.....r@H<.F.....V.....+.(.o. z..l...._.W.W(..9.3........*.c4...pZ.Z.>...gi...~1....&..p...OJi&'=...v<..g.".h.j4...V.Yi1....i>.."..Hd..K.......o.9.........b.......C...1.g......n..Wh......$Fi.......a..l/.C..a....../...M. ../.....N0..s%..POag?..z..W..|......9q5..(e..s.I.%|Nh.ST>=k@P.....o...8.4m7t\...u..d..N8....F.g*(EW.....Z.:.TH2Cb..$.\$}(B.........g.T4.,C7...6Tz....&.^.S-.=.....7.....V....L.bh...U;..D...W.W\2."UQ.......g.~..4...0..e..#.~...._^......Q>.w.Dd.C...r.hl0.q1...mPajX........9..V.R~..4 ;q.....D..X....B......w...`...S....'zh.....f....O..G1.0.s...n.=...`s...4.De.0..e..dB....T..P...)Ea)y...B..ms<&..gE.&.?....V..nC..q...:...N..(2..).7.....]S}.I.Px1....9XM|..290.......8<..

                    C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\state.rsm

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2248
                    Entropy (8bit):7.929211516053304
                    Encrypted:false
                    SSDEEP:
                    MD5:DB95A7388E2522FA788181FBDDBB6DF2
                    SHA1:BD9151CDCE9FEA600A0D293E7134574C6F1AACEB
                    SHA-256:8FE743FCB50BB257E431D26A3729968C18BEF588E017BF9B1EDBE040BCAF9F5C
                    SHA-512:B253E84ECA32A0EBEDFCDB77A606DFA17B7DA9349DF00582B6A9DAD2B331C08BF59E702B73A04EB8BBF27512E07B8DB082F5067F0E175F7C02E516AE4F26B8BD
                    Malicious:false
                    Preview:..xax...b....fZ+6...$.{..cs..O....O...Awt.. .{..N..zH#...v..ee...w.R..4...g&8@.rF..R.|?[U='y......P&...T*a@.BC....K.:. .j...V....c#h...V........(..{q.M..R."h.Kdd#..{...0.:.....`..WKz.t.......<n.W..L.,.........%...{.|.i..M.~. ..[Y...&........]..s.../..jcJ<a...;3j>.+.fn.+....&o.)..I.*...)+.....sIIb..l./a...k(X.....T~.i.(.P|.d..h...A6.K.:.88..J...../.\..c...(.....c.".Kq.db..b.5q..c.BO.P1..../..d...w.@..z.W.;...p(.$..G..G..j.Z.B..A}..a.~O..[.`..|.Pa.x~ <...g..+......d.,R.D......B..#h.. J..0..r_.a..?...*O.C...]....PAhs..l..\5txM.9.".Z1...~.mu..m...D..i}`...Vr..D....t........r...w... #.1t.G....U...........Q*r.y.`.QQW..] 5z.s!.{...f'.4.Xi*..K`..e.Q..(v.$....N.Q.>.`..2....M\...FIT.4.J.Ux..d...Dx.q..?...../._.H4_q..N.U..`...)...5........@<.o.er.p$...6..L...G...w..8...~....=.......=.........S.6d>..............F...Z.}....!).M2..eY.......s..$.T..1a~C..Y......s..|>B?..._t~p.[...N'.($...IQ.K...E.al....E..&.E.G..!d....hf....G.u.C.c....kt..(<.:..Xz.

                    C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\cab1.cab

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5589352
                    Entropy (8bit):7.998581939120852
                    Encrypted:true
                    SSDEEP:
                    MD5:060D83FB53436E5F30B38BAE44247FEB
                    SHA1:ADF78B2992B21B4F1FCCF3521498E621487B6F0A
                    SHA-256:180BA746C5BD4D38C010C9D88624B5D3F1A75CE7370E8510095526E72E89F3EA
                    SHA-512:B9E86AD523714D9AE1B98D3B29D67BEBD161BC3D10F44F0AF4D622F8ACEDFDE0B1FBD9B84EEE49071BFB7CFE0C136CA799998740EBF85509D1DC701DFC0A1268
                    Malicious:true
                    Preview:H\.z..... #.d.[G...X..d....8P.... .....nG.**..5..X..=.r.J...E.z.Glc.......s....- ..dsh.j...*.A.$.....#.k.b..!."+G{..;.~..Sj)+A..q...0....\_.<....Jx...d..=[j..B..e..*2s......,..aB..5...*!..>.e.`...P....S....V^.).$b..G3..B=......P'..8..!6^(.=v'/....H......0.=.'...*`.L.......N....q.....d.h...#......^....?..U....D.Y........A.9.e..~.......x.#.HnvU...uY...0..N.......{.......xr...'...8.u.t..|...;5H8..O....{.........6g.*...0.8C.>.J..O...hgZ.....1........c.i>{...c..>.G.LM..FIv9.Q..j-9y.U.Y[...l..^.i..We.^....'......JpJ [.....u.t.2..U.g...YS.v4...D.$..K..[.;L..+.r.;.'..,fN7.T(...?.?[y.f...1%O.]...v.._...G.........9.:....}RT.5...H.`iSK..`>l....Q.*...7...H._d...hFD%....E....2c..Y....H.,#.l.........Z.....iW..Q...6...q.....v..$...C.AQ./(...p.}.:....?..........;...g...K..e;..=..6........k....{EDO.V.qh.^.v..c......._.@\Q.?..+H.c>..a.v....B..P..*4;......Q.k...s.].....;G"..q5.9...,9..tW......qQ.....m...Y.].....Q0.j'..1."..Ak.G..4..(.Uo..#.S.,._..

                    C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1035576
                    Entropy (8bit):7.999827973019257
                    Encrypted:true
                    SSDEEP:
                    MD5:DADFA82322EF0B7500C776BAE769C71A
                    SHA1:27EC59B5EEE740D303BE8749B4CA25BCDFC555B9
                    SHA-256:6D5D0A9191ABBAD12C2A50CFD9F40993B4D1D8F2411B4F4CF12D5064E6D28E6F
                    SHA-512:C02C76C8CB459DD3D3CDBCD96469AFF4EBE8AEA89B4571EE197E419F92A698531C5733DA4AE6864A1EC1D058B50553E4E5C7BD33BEA8E8E778D5396E85EA3BCD
                    Malicious:true
                    Preview:..K.......vTj."......q...w...0.K.R.6..k..l.....D*..?...!...T..y]..g.....D.D.p..;OG.C}.........FaV.9]......(HW[.6...S.Q.......O.va..)...O..J....w..B..!........iU...S....t...E...&../ub.}.iKe...../.r........A..3.&......%.r........pKxZ|.>.H F.!:..$..~..n&.,^.TS3.......Q..w'...%...h..pg.].1KI.5?....c.;TK....8d..'...........X.o.&inmB:.....l."Q`.....)..v...&.&{..).#B* . g.C..n.....K..p2...U..V.......}..KpeY..Kn......-..Zw.iy.x?Zs.U>.EO......w..K.m.w...Z...U.B...N.[O5..y8.%.5k.. C..>k...f...S......q..|.{.y.y#.N...?y...Nd..=..3..L!..)....-ZX.#s.....O..t.VL.}...o...v...Y..+.....7%.I[..$q.|^!.h.U..._....1.....F.......P...H.r.$..S.dxN\b...%......}...._w-...Z)&.b..9...A.s.R(2...?Rd.}..X@ ......N..`.;...;...n..'TN..v.V......%`.._`...@..F...[...S.R...5d..|....Z=E......*..\.".U..h(Z........LJ,....[..RCe...1.v..7...1y.c-.(.w~..j.G.mh...r.Na....M.N<..........F..5E......".ym|..u..qG.n..(m4u.u.".b.?.Z]...3...b}.`4;...4J.....Lh..g..)..|..:.=...5.w..?..i..R..h.&9...Ab.

                    C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5154888
                    Entropy (8bit):7.999966398621951
                    Encrypted:true
                    SSDEEP:
                    MD5:BE8FF6A06CB04747E54EB83183F1DA35
                    SHA1:8EE54E139B3871F0ADAB3046D8136D0DD52D3C87
                    SHA-256:AEDFB5A46E52E997809DF4AD04D15FB4CF440AD4975429F84BCAFE48F427240F
                    SHA-512:579D8CBA453E6F2B602233ECD3587F36FEBD7EE97322E3E9B62BF997B9EB461BE6768A27D3631B1B2AF0F9ACE1E2A84954121FCA85D7A633B03B0191DAF60631
                    Malicious:true
                    Preview:......w.......%.6...H.I..j..m..P.il11"pm?Z6.....ea.VD.7.-. ....q.5?.'|...{Zs....y&...n|...a.T..|3?.Ex.<.G:...u.....o..t...8.k.A1G..4.t...E..!......g..s.q...*q-..O%.tb.P..Cq`.WG...E..il.FT.U5..|l.S...X....."...9P...k..Rr...vB...}.A..........B....*^.=..i.......W5gP.h....a"/..I.y........2.6...!).g..Jzpd.0.....X......e..~Bi..*T..>....2.R....H..r.}..)\..&..5I)...U.$..i....F....?j.GO.)K.s.Z.}.x.._u.M.......<S.9.!.{j..>...o..>....E..k.w...v...|...F*..YM6r.4....P....j...NbM.......#e.../-..dr.>..5.*...\Y.d>.Q"-..G.O,./...j..Ut...+T........+...#.ux.. ....*.....M.u.1.a..{>.`.t.......x.z.9...F...Z8.aQF.Ew;...7..'...+.Z..{j.{ir=[.3.W......*..W....(...k......uA....rb.O.......0.F..85.M....Y.........c..~n.}k.2ILd~4.}..........".*f.<...CM._7..yi..80G..K..u/3%.ONb)S..._.o...Y...R)....{[...M......`ct....Nh...........!E.{..a>W.....0b...X..v2|.i.y(p.l,.!.^..[..B,..n_.e.i.!uJ!.sn.oj.$...&..........j.AY....n....Y%._..u..........*k.S..^....y..'.@..+Ix.|..Y.

                    C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):822760
                    Entropy (8bit):7.999755613155927
                    Encrypted:true
                    SSDEEP:
                    MD5:9D034D4AC287DEB8B3DCF524C0623657
                    SHA1:FF42E404BADC60E53FADFB1643190DADD1F57BE2
                    SHA-256:C0FBE09EF47D560498A2EFF6222EF0B3649F90CCA5606A4E4AC62DDCF9CC0087
                    SHA-512:792C9ECE39EC1110656D834E056E94C90640737A77BEE0BD1E7AE6082DF6A43B244BC9FD5AF3B85F5D96C0AA275DB6E665DE30F356B40EA496FFF6711D961B7D
                    Malicious:true
                    Preview:...d.R....$.....ft..f".t.nc.X..7(......[/.&.@.u.Q..B..7&.4..E..f..8u ....{...l...K]......#..Qou3...4...0D..5Yz.f...O..K/_n%.|..../...z.*.Up.....A..J...k.j.*.l.....?.}......e}.."...6".{?f...".o=[r..W.."$Zd....3 ....7.n....q._.#...|..M.\^j..7..@..>.....tf .Q.......l= ..p0..F............xE..lO.{..uS..^.u.zZ.V.C}.o8eo.=.H.V.}.&...{./+U.;...>.l..'.4..\#...I..%y.)...Q6........2..-.%Ma1g........Z...&?.o;.._9F...4mq.)^.$q.....m].........Al...S..n.I*.....<..B..}.0.R...<.h...0.U...qm".t....!.....E.[..$..m9"Y.R).;..h.....[V.I.w..fY.2.&...../...nC$&.@=.w.....8.P.k.....ik..@`A....u.........v...:....j..............ktA...a.Vf...TA{`C.a.....`\.%,...-2...,..iko.?.a..0y..'.}....3.g..Q....L,.)!,...N...x.z.....2..[..ha...../X4h....O..SD...g...E.....3.u..:fXh.....c.wp.4...].(....:+.F..'.%...........K.3y{N....J.re..A..b`|.aQeA..v...R.*Wi.KR....s/.....xb..Q...L...E...&g....GK^..S..X.M...=....:..(.s.b.<.`.....k.....E.....Wjl.3......7.e.[F%wNgW......u..S;2...6

                    C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):810840
                    Entropy (8bit):7.999746955035157
                    Encrypted:true
                    SSDEEP:
                    MD5:FA537D5F94D922405C7DB91491442BAF
                    SHA1:EB230F3F9965991E5C880E109726DFD3EAAD99FD
                    SHA-256:2BE0D3354D69A29B856C7D21B3611F8CB11572B143817783122C99479E671E82
                    SHA-512:BC7B401762C6643B4265AC8CADA6507C55CE828D3179CBDB408920A2D55E6E5E5E2A6938F77087B086A9DD58005EDF453F5F38913236D7010C15F03F3D1097BA
                    Malicious:true
                    Preview:_...`...6.B....}.ZR.w.7IF+./;....._J`l~..."s.;......ro...+.;.g.v.~=.}.o....+?..X.-#z&..s..q..e...@'i..S'........s.t..B.]X..e...w..K.f..:.g..wBqhL....!nj;.._...6..VU........(..6+...kS.....b....$t......z...J.w*&I...h7.....I..Sy..v..$|}1K.._v....b..mC...I...NH/zhg=z."...X....x...\.jMR+K...I~..m...:<.J..(I...rQ.....M..m..;.&`..M..,..@`.[..cD.{.z.3C*>.....\{.).Ur.[...%.\...R."Of..1..\x"/..;:Xp...d.P*...E....Vgu&.5..W.".Y.5m.[c...U.;a)..#..N......V.P8......3.x\..M5<.5.k .....k.T;..P.H9.......C.....DK.C=..M..Ky..<.=T?..*..G..H...PL.;...BCo(.D.F.|.?t7.N.!.y.t?V.........uV4...}.....J.h...._..DK2..7.}h+....\.$.dd....I..7..{..8...}H...Y.+...qF....:.-_l... 2gm.`(>.@[..33}......%..........S^..1.&]..B=.......I...C..@(..'u....yq.....Vs...H'8d@...Q.=Q.......l....'.....]..bI...*...<..Gh.....%j.....=.c..lp..vQZ5...Qj...#.(.s.l......(..#.d6&L._=-uB.u[..@..!...n...Y.hN].Dp..V..'n..".&..R&...x9...'.....I&F....h...,;.B?.<ED.(..cm=:....}c.....^A.5,..~m.q.N.H.M.X...o

                    C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1547736
                    Entropy (8bit):7.999879851980539
                    Encrypted:true
                    SSDEEP:
                    MD5:2007F0F30B9E7C82F846FD078FBBC100
                    SHA1:E9957EE1F9384298328C2139D9353A15CCEB3ED9
                    SHA-256:0512467574440185F6FB7533786D95A17D11FCB97FAFE603EF773E9732F0B66C
                    SHA-512:26D8EC3EC9912232F7715977E7B19469B9777929CD064073140D1A6E7153AA5A713C6E6BDB51C5B2AC01E71A102CA8C51311D4ABB949B0A82C713B6761D340EB
                    Malicious:true
                    Preview:.0.".Fh....o........+..m@..g.Jd...8....w....;0...?a..FDb.'u.-.CD`e9|w....{0=.dl......x.k,...{A.zz.h.6.>.N.3..r.[5.R.....Y6..+8..Ip.K.....B@..YcJ....K7...x.wA..w...re+..U.6......4.5"..`.......I|.(.....b.+.wnz..E/.os.g.Y......X..s..Czs.4.+...._.3dl.I.'.?.1("..C-.]...T..]C.....vK...Y...Q....*I..8f;....\...*H...$.....U.stN.|...5.R.8........z..W.2..K=.j....0.....JE.#...x....AlM...........5]FL&...C....T,.....i.k...)-......T..J.I.*.l..o..hv.y....;p0-.Z.......k.B%.W.2.../.3.R=9.............U.E.R....R.+Ah..q.EcX..[5...)[z....#.....T.9k..3.w...P.Y...}O.==@..Z..k......~A9iJBe.~...U... ...'-6.h.t.Xo.~j..{...W...-......N..TC..#.[xAk....e...B..M.rpi...[u..R..=.(y.....)1.+:..Lz.-../.. .....j.b...K......&.Q...6.|z..T$..P...v....O.+.i[c.=/..>.....7..W.....%...D..._.ua.Z.......a....l^?...d.s.D.R..n..K......>.i-DA37a.....L...n.>P-C..5...D......MH.zY...Q...j/....I.B.P..... U\sj.=u.B....*.5..p...K....d...%-..J...X=W.q.y.U,.Z....%...$..b.r...\...2...=yW......a..P

                    C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):4933976
                    Entropy (8bit):7.999953388942102
                    Encrypted:true
                    SSDEEP:
                    MD5:E2A8063899A95C386028F2B6B61F54C8
                    SHA1:0A691F1CBED62AA8A02374E252F6406DCF7B3860
                    SHA-256:0B33DF19FBAF513E78B954EF8A64FFB89D476F3DD9F8317824EE42F7CA14610D
                    SHA-512:F5E501AABA097DCC3DC12B10B5038E637FAA94941D94435ED0B3CFE9D7D70FCFAE1AFE502EA0A97BBE6D43A73A33F3B9EC18682B7A7342E33B64BEFCC8EEFF81
                    Malicious:true
                    Preview:..7.:.u......%...?'.>.[.!Y..~.!.n.....;.......D.....^...`Q/..p..o_[..j.@.T....0.^9.....m.N-. N...K.f.Y..?...iGq...9..z5\=.....P.._.p......)..]..nn;..+:$MX...k.l.9...]\.w..aK5.+S..,..j.,...Z............jk.e.e...+.)..i...l<.........ywk;B..1....\.#..t.:...v..P..dS..b.U......<I.s.r.Q..(.B............E..J!... 4..Vv+...w.{.`.M...R...24.OAOqrF.U....&<1......Zn..S....:|...v.h.n\.+7...{.o.H9.B%..l.5.3] .....,f..t.....b....p_.HL.....<Q........;~..b{i.......S.Vp..;....X.l..}3o.X.sH...U...S......&.....X..B...t.c;/.1.j.!....{.L..;iH2.h.......s..h...W...E....;<O]'...)...R..|I.Z.?(.X.}.".`.<.QZ.Ya...{.J.Kn...$F.:d%.CS..m.b....v....5:.Wm.ml.;..3*Z.;...WZ~$...8.....?.......X).Y....6..i.T.k8O..*l..*^...5..+.U......5...^....t....:Y....N...;^e.".C..1kJ.Oi...5d+q....h9..W...C`6.3..)X...c..n'...-.CH-.M.})...7.wW9..`...2.B..phz...D.....8.Ah...!.c..ZZ&.......6Q..$..'.8N3......A^..3.P.<^...!2..[.....g...-{0..s.EeS...-.i..k...y...k..S..{..E.A....`g'y......H....Nx\..3)...l.m

                    C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1896
                    Entropy (8bit):7.878423518146497
                    Encrypted:false
                    SSDEEP:
                    MD5:8C898D3883B385BD2BFCF064F238199D
                    SHA1:F566E3B090E64B5BB74A66D94533AAA0D375B8E8
                    SHA-256:70AC143B0CF3755E4AA24D24B23A020D86074AA1E5BB2D58EE9A404F99C75407
                    SHA-512:9B236008695D05E544F814BFF1952C29D0E891814B4C9278032C199C65F9039212200708889829416D853CA827C799A1270402590483AC5F86931E4AF3EE4F0B
                    Malicious:false
                    Preview:.td...jZ..........\*.....u...}.s..j..p....."..M..S.L.$W....n.t?....w....q...J...,.=.E.,....;Q.....<AvT.I.S.......|S....ez@.Cr....8..V$b...,1..<..j.....@4.om$...=.....;f.{.....k....q..............`I..r.....LS...>.w....~...ql..U.(..^...^;n.M...Kqg.V.D..+...c..q7eU..nO.]...D.h..u.9...w...Z.T...1`a.T^....AG`]..;..C...:....D.p.k...$...]}..%....X+(.@.G...8.cn..=.+.....2..t....5..d..&.+.za{!....7JYD.g....Z.J%..Z...|.f...G..0.5..s..$.PlX..P.......*..W.C.....#{....ch..;.4.UPh:...(..rP.2FdY....GDN..`.7.>FnK...........vdmA .t....?..W..jj}.JK...<ah# ..e.....5..b.Er..o..~h...'.Pn.b.....D.`...j........3$...6-&Vq..c.g.e,Z.......["O~Fd~5.u.....N.;s.........5..Qc...A...e5.O_}..ID.I....0\0.......).2.v6W..W.....d.W...>...&~..;..$.l.....{.<......NW.U.yM..F.....nF:W...Q.Yh........a.&...fX....~.l@...T..U.|.!.I>...........................<Qls/...@..g:lp....5.*...oPSr..........?."..{.....P..H.>.....G...5.g.+...:.n..2.u.....<L..(x.X1T.J......\...>)..j.kv..

                    C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2248
                    Entropy (8bit):7.9107285950519675
                    Encrypted:false
                    SSDEEP:
                    MD5:41FD2FF7199CFB010EE0B0F64D6C842A
                    SHA1:C3A9977FB7429DEFDFFCAE54A63AB4D616266718
                    SHA-256:FBA9D804EE95F04647FE014C04CFBF1F745554D726AE6847365B88872184A52A
                    SHA-512:8AE2AB2FDBBC6F0BCBCC30790C9CDEB9F22545703B2895E5F0C55D89FF2F77EEBAD164F82E29F1260D41ADB6DAADE52D733B9D5E9215A1D9B7DDF5764FD425A0
                    Malicious:false
                    Preview:.U3..0*.....=r..!......X.W..]s.6....{D....iR.G.f.,~J]4.......P&f.|w.pC...e.....@..t.-.]y.Mx....p. .b.q...!U ...U...3,.........._ot.....[U...c.~[J.....Mh.<.V..zv..?x.Fd..C....MG<...y.......{....y,.1.....4.:._7..I.|..#+.R..1.a..N.............%.i.........1..'..EUSl.c.#..0.^...d.4..J..._h.w".....N,r?3G..~.S58e...vv...I.xaQ...r.rB..!}..5...3.....#..||!wq.A.4....;Ed3..V...T3..N&..;...].X._..:.R.2..G....Q....b..j...fAk=i.!z.....<.Z....O}R...tT...[...|...qY.$}..ZGL...o.e.-..|v.y..U..IRf...)....h^.V2.p.EJf....d.u.N..........U...^t;.ZD.9C.xK)..IM...\*~.._..[Iba.....".P..j..AR.:.....7,.x...V.3Ka.K..F......c...F...._...d./..U..+.A.X..J.M:&{...P%......1.[].D.C.S...........,.Me..L"..a8'..1....7B....L.y....HMaKh...&7.L....+ej.Q.zL..)...s.".}.#..K.$_F..gaW..}.....z..|.....5..r.zJ...1....Iw..Y...#R....Q..nk..K.L...E.a.5.ou..f...Q...2.1......KC.[.{."........C...N..Y.D.[:...ch/.. ....&...h.Cb.#.........~/\..y..NB\.-..lIZ.v.........:TD{.S|.....f.,.|.(...V.08..

                    C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\state.rsm

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1912
                    Entropy (8bit):7.902822344204786
                    Encrypted:false
                    SSDEEP:
                    MD5:5A3C19B495E7F7B8401109F2E061E3FA
                    SHA1:8153BB8B931A6EAAE45A259C3FDF897D77682F96
                    SHA-256:8B325B8F45D1955B38D30EB5454112C01430690EEF94511353F47CF2775BDCBE
                    SHA-512:6DBB038DC5166D58F93531CCE5088E3BA17E4BD15EA165EF31EE1B2D7B22149E8A6D2FB9D842660C5B54CFA6CC8D548554C2BC665D2C8C333159A2EC55286BFC
                    Malicious:false
                    Preview:..9....=..?..H.4......&.'.l.~E...[..7..>7.L......L.~.S.S...=...*Y.^.jzBj......BQE.......#,...o|.......jH.s.a.a...U.;.."..._.|9.Z]@j.<...In.C.....+..?}...1.d..4S*..X......^2}.fXK.PO4..+Ra......z..............W...m.k9..P.E../...... ....ls.I..6?...s.,...;nVw.q../:.u.Z..6w1..qs.6.R...rd|..}......'W.Y;O.....@kH.g..Nb..L..c.>n.".`.JW.1......:...?V..]i.h.<...,..:{~..8G.../,qt;cCq..'..#bDz...4.$..4~..}.dR.".1Ng....!.M-...,.^.....ab.z..g..8...2....#..R...-0 yk>...F..+k...P@..n...5..Ww.....2..{..S..H..4.h.......H .,z...EU......0.....<te..l<.}.5...-..q>.p......,..X..%z.l..o7.....0../3.p...%F .ZE.YP..,<...:..d.y..1.f.k..).E...:...2?b.u.2.v.T..Ri&..wP.J..Pi.O...9..5..,...........$...b.....v\..q~...g.(.f.....'.0......*.....)`.,... |,.....|v.].. .....o....^.S...s...6.L..YQJkO'(.\.(....1.....X;.~..."j...%`..h7.Yn.f...T..U.|.!.I>............................u\..<.^S6..!Th.[..g....B..#.....WD.\.U:....G.]M..._..:.Y..(.J../)b...F-......kg.....:.6..Q#).sB.\g]...5.._..S

                    C:\ProgramData\USOPrivate\UpdateStore\updatestore4df22196-a1f2-426c-aa27-062a9f86aba6.xml

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):3688
                    Entropy (8bit):7.948987056378643
                    Encrypted:false
                    SSDEEP:
                    MD5:A63598504A5397260073F38F24B20D9B
                    SHA1:ED706A493D2E6A60C3B3F211825F69EE0E0BCC17
                    SHA-256:7F75ACCAA6962D6EE9E8A5B9C1A113B911C5BE744FD94995F5E52528FEEE620A
                    SHA-512:A77BE94BAF093CC14568B61AA36D47FCF1DA3BDD79C04E60D8467630E30ECF7ABECA8D72262EA0EDF3AC6394F53BAF692407EAEF6D2BA380562C1CBA1CEF4BE9
                    Malicious:false
                    Preview:..D..F.)r..3w"h.7l..u..V.a...C.<....Z...s%B.V..J..&.i(.wq.d(.U(v.-.......$Z.'....9.&T5..%./..@....>.c......p..+.m.w..O.%z..\.....1.;......../fx..~.....Qq@F..e..$.I<..U...J.<.]....LLfc........).fl..g...x:Y..S../V....6N_.d...Ir=.>...NE.&Q............@J.,d...]...t.i.OD.......=P.C..W....f...)XP..w..}....0]..^#(....$.L}......C..q..&...J>..H.~9GI......qm..o./ ..1..<.f..n..Qw.....)....Q.......~5D...J.I0]P.g..@.4.t.OT..{....[)&..Hb8B.L...,...T.h.r..c...(./..`........N.m..[./.A....+..#.......K^..u8K...}..xqM_L.|..M.A.B..x*.*..S...>..J...L....V..*..g#.....Z"....E.jZ..A7.O|w...]?.A....16E....6....^3.A.......7...H.A.[Uz..g.=^["C...j..%..F.H..Wy.J..J....>.K...pf.,l...<...Ae...m%?P...Ds<..(.:.5O.:T6.....Y^.2...."..O .@O.0....{.v......a.....H;D......u!3...._....20^N{..2wd.<..G1Ro.qK..Mp3ij.J%.J..:.jBe~{)..n.;v......./f.'..nk........(....*HM..3..r..s...(v/..m....b..8[.@.....b.w0Z15.~.h.x.....@mf... 9.n..8....2.R...P.:.z;6|.}.c..O............`..o....

                    C:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):3560
                    Entropy (8bit):7.940951543777706
                    Encrypted:false
                    SSDEEP:
                    MD5:FEC505AB1D87B445090ED5AED0A68D16
                    SHA1:497CD49ED023DED7D2681C6C439451EB514709F5
                    SHA-256:A4C49C80ECD830935FB066B92B5174D57FBA0076DAEE973EDA9D7C03FDFF9F7C
                    SHA-512:40D4E9EC8FC7D59C7584100257D25B09A5EC8A6CC883F92E0FC9CCF6CFF57EF8C817302FDAB53E252E39E69EDFD5BC83D48E5A62F8FC78F247F3C66C2429159D
                    Malicious:false
                    Preview:.F..D.VM..;81........?.6.v3G.4.m.,.mI...(..#Q...p.r.X..5..\y.c.$......j4k. ..#...DX..v..........,!..<...&F/.u.~TL...)P....H.M<...RWlG-....?0"@...C...T.`.......0.8.U.{B4f.._.:...HAT...uWA..x...7?.Qm......9.....e.....C.}..Zz.)J......~..r.Q....}#.w._........"..UW...l.*....d.....@..m..I.s.sv3.......?.:..{:W)...~...X>Hv....V..a.tu..{._.e)X.)..V/.NTj...Z ...\L......D..-.f......U...\...R&h...~.\T..TK3.@...:.......F...;^=..v....yE....V.8..hL.A..$..%9..U).....2.E....:......P...out......7..Yh.......'....6...L..H.yl..U.&*....D.{...^.q......B=.......p..{.hX>.>.].1..~..dq....|......GL.P|eK.E.D...{...>..>.Ey`........@.....L.o...K.t..8Q......Z.|U.(.....E.4......w..8c.CvK.lt#t0V&..D.._.@.N09...)d.*......)..].ww.G...#...H&..P.j"....x.*.[3|.W T...oW.w.j....M..]....PO..:.2...'8.{....6...[..q.h...ND'....p..=.'.H.........E.x6....^_..YKn..2.....73.^.!...6...%...o4..0YI1.........Az..q.f..<\..u..d9!3..J...lc..sm..[A>....i-.<.).$...c..@{./.tp._ez.V..v1M...i..

                    C:\ProgramData\USOShared\Logs\NotifyIcon.001.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):9272
                    Entropy (8bit):7.982005571965997
                    Encrypted:false
                    SSDEEP:
                    MD5:16DE8696534D91EB4CCDB4A771F8AB91
                    SHA1:834E433CC8CAAAAF0AFAF51B399A82A807150A44
                    SHA-256:27EC3A8B57E91F5D8A05EC0A012DB3182AC934AC0C578C3CF36BA38C1F542837
                    SHA-512:AD3C6634C7BC68D68F800D1EB57836DFE4D99643A745085A20A7951C8B9E7BF7BA51F63DE901CCC6495ABD7D9DB5716211F923D47F152B9122583CF314628724
                    Malicious:false
                    Preview:.g>.$...[*.B7.&U....w...!z.b..$<.m.G8.....[..U(6.....>kN..'\d.f....q0..E. X1.u....$I....$.Vl...:aQMG.k...uK.....R.G8../..-x.%..h........h.O.D.[..C.N.:.l#.1G.g.g..r{.L..&.Y..a.Y...;.,..p...SC..wd....E.~......Tvm..s^.%.$...5).w...O..$9.DX.A...b....w...1.....1J.l4V..:@.sk/......z.... ..!...<08:.E...*. h6f57..'.Pi.aP.<y.....m.+t.x.nJ.a..3...*.Mf......d..$O.....v.9.X..S.U+z.g.......P....)I...g' g......./C(.Q......K.(..:.V^+.'XO.d....8.s....:.~..^-%a......B<.t.}.......A.7...J...a...i.).....@..... ..z.Q..;.T...1..!>..6..L.7.#U..p...k.4.H..1x...*..4Q.W^u..iwr4~[.....Lv.00...t..8.idX.....C.[.(....^.D..F{.....W...~..,..'&...P8.....O..U+...........]+..{...Z&%b...)3..R...!..8..r37...is..q.&..._.L....X.g...............'..:O]..P3.O...u..="..~...2U....u..@.x."H.}....'b......_..e.>%.l...|GP.Q...&..r.M...&}..-...8~..._.W...h`.).]..X..I..a4e.xF#...L....C......*...#....eP..5.k~.1e..L>U}.A.....}.t......C~.0../....P...c!..`S.x(X..d.Q.......p?....z.. 4....!U.....3.

                    C:\ProgramData\USOShared\Logs\NotifyIcon.002.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5176
                    Entropy (8bit):7.961177094019131
                    Encrypted:false
                    SSDEEP:
                    MD5:741193903A6745B5FF5F50EBCC33AECB
                    SHA1:B30FF06A929FCD1D25DAA28D313B4CBFBE8BACE8
                    SHA-256:4F749609F13D29F329077BED810DD7FB9026D38A1F58B4CD790CAC4F00911C41
                    SHA-512:C87481DC490457E5D8E3498E3D4CCDA766E5042BE75E99FBBC03E0E5F29A5C4B8E4B4B1A4A1C24BE96A7F6B935E60DEBC5999009327ECF1B85EABEF648A4061B
                    Malicious:false
                    Preview:...6#-...c....bv.LL..@lU5.7x. l..*.........,..+..)}._..q?......r.I..n.^..l...\...-..C.RD...>..C5..5..!.&. .q+v..?`v..t$.0...k1.B.'s.:p....N$.8k...:...9..h..NN.D."OG.}s}.Q)g.}Q.$\...u2rh..J...,2N..b....)...v.y?@.......c.H[..F84...?}>.....@..e..q.Xv..........nv4..C........p.{.-YB..v........5.k..[.j...$dg.h\.&S.3J.<.c2+" ...,V.].2A/..(.../k.H.`..w.K...r.Q}......f....#0.-.(8...?..S.]..|.Q.......9NhIY..N&..( .....ap.W0.UO.W..K.$53,<..hW.d....=.i..p.(..r|<...BlQ...vq7.?....g.W.F..@.o.~[`...9SB.A&..l6d...f...:......J|.{...h..)@..5..O..+.g..C....#M.O+C .r .o..]L........-d.w..VD"p&.cf...p+.........F.z.'GW.xG..s..kx. .RN..U...X.x.....q.\..-.^ ....\kC......<b..:..]....#G../.....I."..N"t..m.S<99..?.S.v..v..^6..}....Y...Z'.Vx...."......y^*..-.]i..F.'/:...T....OC.[`c.9j..............|t?...a......2.5.4....X.<..-+.....sv.8..w..g;&j.tb1.......U....au....n6|,68.[pNia..g.....|.a.*.$..]].."..WZ.^P..'.Wt..F....2...0ho&....Z.uQ../IFW.GU..F.qo..2<.`..P7....I.

                    C:\ProgramData\USOShared\Logs\NotifyIcon.003.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):9272
                    Entropy (8bit):7.9792839491131575
                    Encrypted:false
                    SSDEEP:
                    MD5:50012B939AC4F216B8D948F10AE1DF0C
                    SHA1:DD2FCC6C1E9B9D375874F508C9E58F9AA2534609
                    SHA-256:5535CCBBAD7C6F84BB28D3FC7612BDB79D902C1ED9D7059BF69E49FE679D1EF4
                    SHA-512:E18578533FEFF368E8E913CA020F48B6E02A275552836D98791085CD25CE84FA77DC65EA1A1D9C753152EC8732FCBF065E1B619E56C08E831D2B6660738146A9
                    Malicious:false
                    Preview:)....m./OJ.).1<.p.u.?..e..=P.N..Z=.g@...!.&t.M.#*Y.$D.=O.9...R&o.1:4Z;..GYt.-..,JjO....;.@.+..04h.c .Og@.*...C.F.-$....V`2'...r.I...ES..s...<#l;a..Mf.h..)w....PH.`Q....\.e,H2]..~...2.IX+.V._@I.KHNQS_o.R~nh.!.....P.@. ].>..J...9b....vX..Y.$2)...0.\#.....i..n..GNk....$*...%..g.....(.*nh.v.@.7kh...ae..5.z.nW...w<...j@.(.V.....N.Em..&)...H........N....'.....K.-..\H.)(#.h..xe...SF.....o...n..IQ.j...^.....`...r.4;....i..e2.TZg...1.M..|.r...5.X..[.V..!.9...........[....^.Lm..v..L..D.....H........#......_!hL.Z....X..8.cf:*.c..&OI.....]......t*.#~+X..z.._.x..Oo..c...N.x.j0.n.8......}7.".7..#.J........Q</`..Z.....X..XON$.3.-..HQJ...i^[.M..U.AM..._(......._...?^.pq$R..[._.s%.v..a.ah.._..DGUpN.k....#wP7..N.....a.jUt.,.th.h....t..<.#.'&(q....m..).E.+8v.,...tR...8...y.;..o./im&9.b2..O...N.'.k..|...D.2.-..G%.0....,..=..=.E..U/...6G......`5.$..U.RBo.bPj.@.....$.p.K...twd.fp,.54,t.T.H.....%.KyW.K7.:........X...R^-+/......\.4...|.3c4.}.I.H...u.M".%...._K..R.._.

                    C:\ProgramData\USOShared\Logs\NotifyIcon.004.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):9272
                    Entropy (8bit):7.982154731733636
                    Encrypted:false
                    SSDEEP:
                    MD5:D00087175C0605B94A267285BD1DF5C9
                    SHA1:3605E05AEC05F566650D9C830E59CE925705ABC6
                    SHA-256:A016ABA3FD21C57A305D5EF70EBC27418490076E881B2F5145286F97B70764D0
                    SHA-512:ACE744F88C047CA80B505C775B2708E826EC81D12FD153C848607EFF418F09408D94AF078C65FB675BB1144F8F031F37597EED14E31BC24BB8804EADFF920DFB
                    Malicious:false
                    Preview:.t..n..?.m..j.\..6.....0...d.U.. V.O.E...p;VZK-......4......w..<.....)..`.X.j_...fK9..]S...3w)'P....N..n..!%mP+..D.7.....Z.W.R...Ru{.D.+.m.bp...O<..$.]3..V.qn...).]TO..v..Ms.)....)...n.|....@#..z<lE.^.V..~....r.>.....Y..t>.......fZ.<.O.b.I...k...RV.......s.l..i..q;.Zl@..L=l.K.$:+.X`...#....F.ah....h.9.q.~.W...|.'D.z.\.=.f$.h.`.l.a..../.......Z.B.*...L....E...C...5q......4UJ.""#pDt5..7.r#...M.N>.v......y.3Z.!-U.`.....W.I..l;.DE..f...<......^%..:..1M..kNU2.S...,..R.......]%...8sTF.P.o..6.T.f.......!J4.!0N...k.u...A...;.ek..e.q6l.)P'.L..A[."V..V..6l.k0;.I...`...8..Yd..... l?..n...&...%8eH. .Ij.....S1Y.r}YuNX2.).9p.....x.].@...[..B....s..P..._.V.h.Y...........[....m.gU5..E...jM..~|..'. .,%.cZ...F.....>/fT.P..L..YD.3..).G.,a6.. w..q.....!.`@_D.R(\..&..d....8_...Ly#..3.DR..x..9.Kx.39+...1D..c..@...1.R:...B.D..U4^.b'...l.C.._.e..S..&r!8....V.=.U.._!..?.1.......8..c.N.T}.9B4...v..WW..V8.....L.....%H.!.>...@ 9L%g.........Y.'.3.&.z}5R....i...%...>...'O.@.ti.

                    C:\ProgramData\USOShared\Logs\NotifyIcon.005.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5176
                    Entropy (8bit):7.962884485965568
                    Encrypted:false
                    SSDEEP:
                    MD5:43CF5DEA2AD1E7099BD8ACCAB6F19BA8
                    SHA1:7BE23BB454A9BC96A786FD4897FFBA9DF1D59506
                    SHA-256:1F7B70BAD6EAD3F70DC22CC8CCDDE7E66E1096735A30727F7218FE89CDFB11FA
                    SHA-512:EA647C46FE4EEC2B500D1284DEE24AE4193032D0134CE7A39CB52EC92B4EDA6201DC83642EC5F1E572F28D6EB5567C455B98BB09C0C2BFE45437F32BE54AD82C
                    Malicious:false
                    Preview:...L.HW.a.g#..sr._CL.7.{...1...@$.y.R.)sr..p..g.<d.s.?l...o.L....(......a......l..2 ..[.....M..(............z.e..+.".J@5.:....h..|.K...\}.ggZ..Yea.`T-....70.h.u.>..h.J.'..L9d.W.........[6.4%...\....*g......<.$}.$^....A.&.....Y...........zR...tS.q.Q..l..(..}............Lp.......gvL...Q.bP.............#~../v..=....b......).Q#.&D.Dhm.H:..FE..H.......q...`.W...t...g...^'J@..xT^...NO5}.d`.=.....Kn....Q.zP.........v...9...n..5e$R."y."=F..S.x.....'..%..../G0.@$.....3,....=.F.....i..;yba&.6A..Mut.....o....._F.........."........\*CI.U4.(.*....s........F.S..+......|.V....YR..=.....Kg.pgu.:.%.+g......f.y.....:(b. .Q..d...kg0.L.e.....H_C.{.X.=..yH...9w......S..af.t....\B..w...@....,..|.g|..e.mg4...V......QX.$#...u.....{.T{:G...Ce......1...v...Y.tR...o..t...P..U.R..D.m.w.#.~E..EK3.k.o........k.....A.B..8R.....K.D.j3.[._|.C,vJH..cR0..c..#.8P...q..0wV....y..p..>...oW.........X(..u......M..U.9.3.......N.....)\..q".!...h.'.%{.ana.D..BF.e8.....

                    C:\ProgramData\USOShared\Logs\NotifyIcon_Temp.1.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):9272
                    Entropy (8bit):7.978035154063798
                    Encrypted:false
                    SSDEEP:
                    MD5:0EC2DB9B19629A23572F53D47B72DD99
                    SHA1:A7E4527B287B1BBFD98B8810D6E8B583F89C74E7
                    SHA-256:72692C5956DBCE891DDE449E02911338D49BA4ED6375984D91E7E60E8D832C6C
                    SHA-512:2B4AACD689C6F7133192107C7994A2BDE2BA591023A7785853AFD899B67CDC370229476DC56BA9234837DCAAC0BBEF39D8C68327D0A2562D103E93F6E2D75083
                    Malicious:false
                    Preview:miF.S.(.v...`...:..x...%.hL.....0...J......].......n..>...zI........n.......[*t.ak.F..._uc\o...i.....V....w................6...|.9..=%....GdfX..QS....cM....kO"h`..3uI,.yI<sc..!..c.....;....o..D.....%.f.h.J.....Q.j.W....)..r.Q@..Q.....".....}.eG.W.u.|........T..~iXY....S...wc...wG..^..=E.C..U5e.z.a.....J.3....o.Y..|<...D.. -/."*..|..#.........r9]t...........|..Y...AF.}\W8...=xu.x,....^.5.Z........C.U.!...T."..m..b.{9..C...K.M..S..qh..N=....n....K.....E..._t).@7....>..!0.|w..2.F..s.J...X...!........w.Z.C........-jX..@.b.+a.i*.V..>^.Pl....;<Q.G.w./..%+.7..v..C...}..j.......kv.'.{W.-...J.@..../&...96H...U.,...f.\..r..V..".Y....uZ....u.yp....{..c^m.@.HL^;....(.-.!..%.S..i.O..>..3..ff.g..........Q.....@E...p.M{......X..A."/401....uz!0.....6h..f...SA.TerS.0.$.._F...0.*{.r.x..Ij#.t..8).%7....P.L..d.Nh.;..S.>./5v./81r...r.Pa...S..8..'s.i!k{..d...X4.=......~5Kt..Yq...5.+.qa.C8.*........%..S....I...JO..+....I.!..j..?..fe{.....V7R.......Q.+v*

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.001.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):17464
                    Entropy (8bit):7.989771655437521
                    Encrypted:false
                    SSDEEP:
                    MD5:98FA1E644C8ACC488AB51ABACF9DDCD2
                    SHA1:FF39AAF94A6F41ACB15A5C664A00925F3F0CC87C
                    SHA-256:A06CAC9A51EC71631C37D3F07980060AE9FEBFA7CB28DEE3974771D36D8C73CA
                    SHA-512:E33F1F3223523E4CF59800B390D05BE91E47FD5F4EA69FFDD07C5D3C6913A15D5C244CBFD3A8129421F988BF0C2FF724CE8775A2ECCCAE4294215F2004F6C241
                    Malicious:false
                    Preview:..v"..&.....~.T.......M..N.+....0....L.....X>. ._[...I.A\D.5....2O.,[...d.P.H...s.<.Z..@...f....)n....NM....v...n...a.F.......1.eb.x..W.j..z......NF...._.R...[ Tt.d...@..}..Q~,.<..X.z...........n@..u|r.."..!dF.W....KQ.~v8H.O^.}]z9o..T2......[Flq6.A..F..AX`....9a.?.....i..<..YF.LV.G......)..3...y......8n.<......<r.O.YO%.z..4ve..V......._...l.....2.f...<%-L......v.4...../.w..N.....,X.......d[..F.'.^].z.{s.U..r^.R.....x.]x......{.g.5hsa..c...?...$..Y2E...8..I-l...Q.:...\mg.z...u7s.....YK...A.......[.O.Z......1.j..[..c....j.B(.>......P....'a.....H...O.-....VL.....WOryd...`<...t*.*......G...^"....A..1........~).[..Z.J..W...7Ij.H.&.o.`=.p.99.{.=!vy.^._.N..Z..q:.m~q.V7..6.4o.W@.0.{.XD]..vN....N[.2T.G.9...^.*.o...3....'A...8.m.i.;.1>[...<.%?]......".>/.E@....0..y.......zl."17m. ..C..,@<..#Dh...W..i;..\..k.......^.b...}..Yg..Wn..H5)$.D.5.D."...4...=...yD.?....7[J:z)+{.x&Bo..6..}.f...J+...2..[../I...;...........;H..e./PD...D...O....5.U.\...

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.002.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):13368
                    Entropy (8bit):7.986317890645505
                    Encrypted:false
                    SSDEEP:
                    MD5:1DF51373A7A748F7BBBF9408F90C3036
                    SHA1:D990EF1B19A25A0C880DC744602D350EF6430163
                    SHA-256:4AA3DCD093AF713A75F250092CC212D3ED1C4828DB73707CA210E04995E77869
                    SHA-512:74582B1F449892ABF791F028EF1480F842E520E9BB8AED1C4F6E1147D6116A1D5A0E348835DAB80BA2A496583C31AE88D606F0AE30C08F9EAB8B0A377EE71332
                    Malicious:false
                    Preview:KU.@..n(.....j..U...H......m..FO..b..OlQa..:.|.'0.t.Y~.... ..u....*.......z.uI....k.....q.g..1..t...V.aA.1d.H...!.)%"......OI=~s.uz..j.K...hSD.b....=af.t.x...*.s.e.j.w.~.ea.y.........L.....$...qq...Z..4.uF....-qm.dR......,..7...}Z.QG.Q~..Zr.<.$..]\.....!.i..6s.=...._Q.~xT@.....Y..b..-..g4%....z..z....7_ ~.s-..tC^.?........5..l.#Bo.H......X.......'M.1...X....$0....gq...W.(.x>).r.m?TF.....P..8.7..u.Z..H&.os...F>.....?/..D..#...Z/..W.A.y...|Z......)5...8V..&^..x..y.D"Mv......V....~I.w...gRS.E.....|!Gw$..k.v].EC.&..QWD..:7.7a:E7..n.V.!E.i.......=.E..hq.W.P3S*n.3.W`#!8...PH.1....N.2nz.=#."....w...H...xo{#. .y.-3d&HK....r.;.r{...C....a...=.G.\..)....H..I 6.:m.h.._.x.q.B.........Y..wm.6.I.}.&/z:....>..dWv0.q3\..%m.z..D[^.0...:.{!...{.9.*Q7....7.#Z..3.h..vB.t.Al...\U.S...^...`>u...`.V.J...as.X.^f..5.....<...........44....5....,o..q^...U.....v...1..ia.R.I.^...=U6.....z../A.4R.2..S.?ZCE...CQb|..N....lu=|U..*.......B...x.I\?.'j.r...B.....{..u...ub.F}.C..

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.003.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5176
                    Entropy (8bit):7.964568604108494
                    Encrypted:false
                    SSDEEP:
                    MD5:052F383DC3EDB1091E3BA28245709991
                    SHA1:DF766520606636DAA2DAE95D190CFE966C8746DD
                    SHA-256:9BBF496B66A2E881C133A14019417AD21015F9FF5F6F3B4CE6E530C94C520C7B
                    SHA-512:9217F1041EEEC060E86D6AE7CD040DBC52F4385BF8056AF9332CE6B41C33B6DF4C050BCAA20DC52C71E59B61AA3104C9A9849F0EDDC29714B4D2989F23AC994C
                    Malicious:false
                    Preview:.d].X..e.....$.....L.w....[D,.....3..p....k..Xp......J8.......w..D<...-....O..-...0........R.PfOs.C.&:.$.Uux3....#!.....Z.0..v.c[AR..hR[..jY...`...i}.So.Q,..g........z.........[8jG....".'<.~..O..d.B..+....D.}.NS.......YM..N..R;J..?...B..k.$..~.I..P..j...[. /.Bx....D.Q..&..TJ..7 .._..Fw...|B:..-..l.z7U.-.V..IC......M.2~...B.a.._*P..T.&..*S.f.l.......y.T.RU.G....Q..ZZDTG..bH/..A....;....a.ah.......i..V....x..'.W....L,.Y.............]..*a...h.w..:.d......X...4.'.K_O..c.u.qcW..v......D.$...H.i1`..C..ya'.;...c.{;F../+e.C....$-_).9..........Vw....5..@..iT..|.@.(C..."#...ARU.;.C.0]tt.y..,.m......a..O.%....TW#...L....4"xO.K.'.L...;....\.:{....#X<-.wS.........4.>R.y..).}..C.so..G....>,....9.N.....O;B.].>...o..q..-.-.. c.$h..Y..c.A........1.{.R.@.B..hc.,.....rRH....XpF0.........O.E..;....w_.kNL.{../...h...2@.t.T....wA......F,r=.;4v......s....\...x.%*..2W!.|.-M.z......SLW;.z{D.....'...B...i...+t..0R.....8..I..!./.=......}.bm.U.... .W.w^...r.....d...U

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.004.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):17464
                    Entropy (8bit):7.987220808389513
                    Encrypted:false
                    SSDEEP:
                    MD5:B714427D29B62AB855CB54CBD7EC5B1C
                    SHA1:68ECA0AAC5DF6A56DC469AEB1FB4C55CF3394C69
                    SHA-256:75D7F799868E5F97AA27BC571964BB73075B49492E90A204CEA3AEA235E1BB5C
                    SHA-512:F1A5F7AE4E1A63D11E06959EEECC82DDC0BED6E89A41851B23A00F33AF93B4A5DA3CD29BCB0D58ABE52F97EED28DB79AFC9D99AB5EDC6FA06A6E315F3A8B9B84
                    Malicious:false
                    Preview:8...|.h...........#~..Da...D.L..B..u.#..E.......(.zrI..c].A%R.........._x...&.kN.?...`...T0.d.F8`awFl.$RP..0.PC.^......L...nvf.X.3i..:!.j.c.........i/*..n...e+..Swv[y:8..M.U.....v.2.V:.6fz[.....L..A..(....(.... ...I.a.a2...+4.\.5..QcW"l#....a...P...z.P../.Ud.>........5n=.I~?...4!.....KU.,;.gW..#.1W-_....^#....9....1...8.).a..m...9.I...,..;a....-....#.9....4F..#v..FN....V....... .3zA....I|.....9.......k......q..Sn...Zr..xSp..2h..M..#..Z..#.28j.L..I.@.J..,s....b....}.S`../.O....\...`.F..uy.A...\~.....p}\o....+Q^A.R.?.0..\n.o._.O..{M........6...u.=.F./....$.P....J..+O...T)..T..fxs.......w.....0V[.s3...>/.d%....$F..oV...7i.J.Y..V..@P..n.hl.....Xk.m8"Q...h.K ...-.J.k.V....F.sA...%.9I....J.w^.......CX.4N......Q-{e]..q...+...B...,....sS#>.b.W......S..t.DGd$U..........aEe..6....%.N.../.".Y..):C...-u.|...E..WH...}....._.......P%.....jq+8..#.E.u._}....fe.......2@.~;*....b.u.{=.H=.....#..}.?..;.$'..:..Z...........`.ER./!C....r.C........Tp[.H.

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.005.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):17464
                    Entropy (8bit):7.988748609415695
                    Encrypted:false
                    SSDEEP:
                    MD5:E10EA44EA8FF256D404B9730216EEF62
                    SHA1:864C0B1E410C72DF9CBF0C27310175D5DB6EA66E
                    SHA-256:2D7D9CE6BF160011EA7CB71589E0B4B84962DBD1BAF22945EF7345F630628840
                    SHA-512:45612677A82CA2EB673D77D2BF5DA33E6D9178221891B48FE9CA93EBD8E147A0C58A53DAD2E0E64D0EB3D4DFB6DF1CC5FA4C06340B44F4D3AB10A3C3EF9D2059
                    Malicious:false
                    Preview:.mf'.....-.WtS3..2..w..W...&i.p.x...:..Hc....wh4....2.~...c."eB...7..x.kv_KXeHs.k.....R+..O..=a..b....=*F6.F.<.i.}`.}......]I.Y.j(.x.gpP)..Z.f.&.f......wp}e.O....,Q\/@t...`...g.xL...4F..T.*...~..{.p./....O....GgP...<...A..6.:J..%.g........:R.!4...3vW..w4..6....*N6O.s..#.....K.".]1<......ks2.{...D.b.t=..:...@0D?.....Z......`...Ws. .....Q.S.=.].'...R.t.c...-.p......&.Y.>..<........!...".,.....s..e.....D...J....n......N..}C.O..^pd.&<..w..~.wqLHp...Qc.z`..E..6...a$./.6:.7...'Eq.#...(.zB............&tU\..vO..K..M)....Cz....R.u....L,g`..lG.n.`Q.<.q...P.?....{.+@.K......jxO., 8...zd W......6.-G..zR..h2w.S..]..J}..'.w7..hE.M..N:........mj.FJ.._.t..M../...`.\....g|....*...l..... .fV...:.C.xq.0*......p.P[..V...gQ..[=!.9....G..<..dtkM..zX.2..R...O....l.,.1..V>...=..FZ.p...`...o..>....:............f.....j.A.......YZ....R....1./r:0. ?.`X..P9.[%..~.u..q.j'..uA/.8...w.e.{...,E..;...Z|. .Q:.a.3>.z..]{.'+...8K[.,-..V....{}.q.)..S..........+q..r.K.

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.006.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5176
                    Entropy (8bit):7.966977053368053
                    Encrypted:false
                    SSDEEP:
                    MD5:9DE67AF0656F3752FBED80FEA46EC026
                    SHA1:B84F2B7176F6DF4DBE9A3128204DC885CBD394D5
                    SHA-256:78D90DBDBF339CF4BA80ACB6643C8A14F1F9A0E91EDD9C8EBB10FD2B06FE3563
                    SHA-512:CF8685F7C94FE9F9D4F7BF160D53D416336FC53795D2402DCF0E2C57C6560090A24E6ED8CA6D59570313491606FF24033C7682D4B53F7FBFE9545EC6C957CEF7
                    Malicious:false
                    Preview:|...1T!..o..L.3..\Y....(......!I.0[ZG.UG.:..v..f......\=..7W..8P....%...c.*&..&..f....._.Ec'..}.155..==N~.G....73.....i.N.........b....=...;.D.......r....O.KWY$..[:>+,./.\.LrL.....Y.....I(F[|j.$..e5.Y.V.....%...K..Yy.....".....O.^...Ui...F.`.......G..~...*.m...GJ.....`U;.|...4."...G.TCV.Y[........"...?.........?}.Z.NK...9.|.A.*.....D..eP.C...Z~......z...SE.o?..[.t.1F.S..\q<.WJ..b..c...72..\dv.7..k.9...d.d7.j..=7..\.....>c#S.f.7.g....\....h.#..\.O^k.Fm0m...."...!r....GL.dt.........,S.'&e|..F.e.#_.=..f.o...O...k......S.=...sO....8.D....s.b+BBu.x4...64RB,-..,...'..tmP..X&l.>..XW.B.T.....;.;nn.b-.T2..l..rH.....L.s5...{%.E.......%...xL.-.k/.A.....!.H...G..........T.M....... |~#..^._.,.dl"Xb.....8..-....G}..d...N.<.h(.....^.W.RZ.A.....F*.kM.Kj..N(....DL.eO.....h...nc..,!R...mr.A,W..._..Qdk.j.(_.c....{:...C........2....S2..E..s....H.....z7.L.=.R.i.h.../9W...v...n.A...@.}>.z3..{Z.....Q..R@.....2..w.%_.B.*.../.....x.^~..N;;...ku..)..JbN.

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.007.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):17464
                    Entropy (8bit):7.991700389157916
                    Encrypted:true
                    SSDEEP:
                    MD5:A375349675BA460E04A77F519882A8BF
                    SHA1:66E0A7C0B154689CEA1803EC720CC2CE5BEFA0EE
                    SHA-256:23DB2FB983FACAC228E23AB2CF5976264CD00C5CA354FBE75C4B7B671330A80B
                    SHA-512:DF094917058A220AF78706113960556C12B52ED38CD63A9A53CC0B63E895377763F9DDF870F255600D457B04EF2C44189B67940F18B471C07E097AB0D86D8244
                    Malicious:true
                    Preview:..#6...#.|TM...mVT.a.. .x...G.......\..A.~.#..z.D.....)i.KT.\@......s.*gN........,.}.:.o..|At.R.......s}o.....F.`>%<b...:...A..:...U...w.1.C$(7-9S.O......@F....S.#/.........H..Z.b..\._=.`...,...:..qiH..2k.p......./j.U...-\.#..q.P"...>5.2p...Q....w.. .qt/....h.,.....".V.ed..............6.{7.9g;_.Q]o..3Z8...7=....%..=.-....I.X,YP9....).ByX\kDq./.......8:..6Z`.P......h.O...{...=I...Ft.>7E...."*...4J....5.....VH.R#..b/..q.r...@'.2..../L.s .U.?u..k~.T.J_.../.=-..d..~.G.x.%.....q$...#........mA.h9!2.E`._(.c1gQ...1.*A....oU......si.k4m..l.`...c.....*.dv.h..m.../.yv`....0........O<90.b...w.I...=r....B...T..ty_.4...)M.!.....L(..~[......]1....5u..2w.|/....d3].0.kg.Z_d&..r3.H...ZD..l.x/.L3..r...2.....s.:%,....!F)..._.?.*.-&2..2U.C...0..e.P..l...L..#..%Pz...Oqee.l...p;..*...g8.*T .'..}...L|..s..p:G...#.7.....)...q9+O.q.#.A.i]6P.V_...x.../..Z...G`<..D".g.......DfW...`.7u1\/......9..pQV.8.r........b...F.TL...N..A....@>b....-...4....o../........+>..b&.L

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.008.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):21560
                    Entropy (8bit):7.99023685190583
                    Encrypted:true
                    SSDEEP:
                    MD5:450D55B11280A74823A76A90FDD0C59A
                    SHA1:F741EDE11882AEB860FAE23CA53DD6936858CFBA
                    SHA-256:7EE98E98308662A4BB8B46B8E9309A45FF27AC042740C7E89934EC06F35A5E70
                    SHA-512:8616A5C5A3836508FECFADBF600E4E1EA04001C205EE50597416AA9B91C15AA3E69903CCBDAC4CFE49EDFC57441A8C9C272E84079798484F83662ECA15595587
                    Malicious:true
                    Preview:..c.)]...8}..Y?...>..#:t.......w...#2...*...4.Vo.*..&..^./..V.j...#.u..'k..Aed6.:T]....8...Gw.}X.>.I..0Jl.....1.=&g-.(8w.....)..h];"k.K...^.Y...OL..4`..?.r.+.#(.4..H+....t*.-..I..d.Q+...I(@8.#...Z.._y..f8h}..e..m.g..C.....r@..&.y....$.T..\j.H.....J.rD#.e....}.oSfN,...XME....C..T....!o....."x.L.f....9.V.T.......[;..i...8..2..i...K...8F..m.3..<.w3.sz>...u.e.e..fq.......$v.....7?.......*.*.ix...V1.I..v..l..e..>.j..x..}.f.'Z.K...\.....)a....1*c...7}.N.n.*......B..d...x.H-.|..<.qIt.l? .p..]v.......L.).....|...CY..S.-...3.;M....q.........#........Z.....;.K).f,,..?..I.{..O....z.ix..u...V...[..r..A: .....kYz..&RX*..X.]..&.J....o).%{..~.jTB....u........P.o....Y.....t..?u.Y......~r.s.....Q..H`qM..5. 4.u..Hd..?_p)}=..ly.+^...#....Vb...6...}.|.J.An.]$..d.T..^...[gc..x...o...RI...Mn:...7L..T.I...)........Q..O..~...!F2.P.Z-...2..:.......o..]...P.....<.`..z8...*..x...E9.s..c..Fgq....\.e..g....?b..xg..O6.#...LK........Cp..f-.P1..Ow..UZ`Q....7w..?w

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.009.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5176
                    Entropy (8bit):7.9597941299002315
                    Encrypted:false
                    SSDEEP:
                    MD5:62BC2493FCCD365CF99F9941DEE5BA65
                    SHA1:04801352D8CAFC9C289C8D5D4DF9DC8FBECBD8E5
                    SHA-256:9184D9DA92095D38EDDA9361719249946D1CB91A0E442DE51C847E1673707DFA
                    SHA-512:CB13EE6C3B8ADC0711BD7D74CEC0D6C401BB7020806725EE8A55651148E2BEAC76C9A1F3F91BF58E2160DFEB5A255861D0F75FD397D8178422788692CD958B94
                    Malicious:false
                    Preview:.H}..y....[......C.x..,.Izg.j........l.......u.T......b......EJ.u...N.I..@..xU&..#..#r.r.._..4K..vD....g&k....i{O.....`1,....xR.!.......'....N'...<...|.$...?8.}@...q.K.....T..86..b....M~...%..../......).../ru...L...Q$.=.M)..&5......1..]t....]....R.]z..4...".9. .K.E..o'O.U...e..vP..^......<..b...{..~........{qA..G.s....T..Q..&..Iz......j.qv.sgd.P.8...E9,.....v.^iiF.(.A|.u..PZ.b.B..4*\)O`.{w..c......).u3..Z.............qU...@w..(. ...6K.y8..S.......).....(..u0.4.$.....! ...v.A[..p.F..........,y.N....$.r..Z..}..G.Z..J]._.0......8.......aE....A0.m.3}..!<H................;.]......H=..wz.]...&.........(....#.l..s.R.Z....a.m.Z..8..=...."......kl.W..........R..;jz.[</'./.@.U...?..%l,.+N...I.V..}.P .A.`.c.Kr.M...2..VL]..n..G.3.S...N...Cd.......B..B.;..@...5d4?...a.%.]W...{.)...e..S#.r.L|...2..-....u.).of|i..*..6&.C...<...+X......R!._jS..#b.wgv.Q.!.s/FRQ.&'sY0o.J.f.m.OJ:4.%)....l..H..=..M7..{.P.......C_....."x...T6..h~...Z............%k.G)e.D]W..

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.010.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5176
                    Entropy (8bit):7.958920309780559
                    Encrypted:false
                    SSDEEP:
                    MD5:316B64CD383A5AE262F8549EF0213EE6
                    SHA1:AB27B2D46BA375D4CEFF484F94AE7DB6A68B2350
                    SHA-256:F6F216E4BAD02DF83AA8531A8B68C182B8C9831E2778F1AFD6C93DBDBD4DB010
                    SHA-512:48951553681584145B118035FDA4C572212B374081E89E5C3C786A321CD326CCEC87A0DEB09CC0B5B2C48F052615F0EED68184B8F48027A4F548E9A7348D44E8
                    Malicious:false
                    Preview:ksw..p..59.<g........(G..m..5.+=.l...1....y.).G..p...-......l....s^$8.x.B'~.z&....z....t.p...u..^..m.....;..-.A....q...O..r.<...a...M.:..9..4.*.z<...a.2.6."..~....2..Q{f.(.....t.W]'18....w.bE=..\....`2o.9...w.\..cJU..Z..y..'a.DK....,.."{.....b,.h$.D.H.}Y\.b.'..6G...)...G.Xx..v......v...3\K&N..X..7.8D.?Lo;.y..h.j2.....`R...D4..l.My..z&.O.y.s.J......!"M.E...n.YM...._.B..4.u}s.........i`..1...\C.;P.G.oT.5...(`..r....%.1...k-...13%.L.......A.\[.nQhk.Nx[s..q.......Ne."J/.@.}...!......,q....g..V..K.........%.-nq..Y_..}.Rv..........n..G...J......#...5.Q.^...W.&@.}.9....c;*8..h...$gY.k......S.p.~..T$.a...G.......c.s.ge6.....r...v.....@mlJ.:......7......._Z....F..nC. ...f|.N..n..aC|.R..-yx...R|.....?..;.w.0...pr.n.4.!.9......#.9ZY...6~/5e4.GlE[...M%J....."...i.>.j.H.>...k.....f.3.g...0.|vi,'L.wI$...$..~.g.Q.%f..`.......E^<@...[.J.1.p....;.>k..........p..J....N].....;j.'l......n.1._VB...3....8...i.:.,xW......8.Li.2.uY...a.B8.{..T..K3...4.^U..k.

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.011.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5176
                    Entropy (8bit):7.9603494011548355
                    Encrypted:false
                    SSDEEP:
                    MD5:0E2DCA2EB0C5AB05047842C5EC951C7C
                    SHA1:7711F6E715A841635DB70A3F9BA183EE4AB231DD
                    SHA-256:326C3F10EF9557DD2FFDFD5C5CFDE2A82C491F6C35F913D55462E4BD7FEEA1E0
                    SHA-512:F6E446531953EA8CBAE3568476CF01916776B7BFE1201E1BE102262CAAA0DE250D226C1715BA68D2D12A831C7061F61F3701ADCD877D1E19F99ABDA657848492
                    Malicious:false
                    Preview:9F.....G...@.....f.Y..C..hm...0l.kR..b..k..}7I.v{Q...j}."..'.z...z...R.D}...Hw..V...........gT(.....J<t.\R....6%...+.....S.b8].....;._.~.......C..|z...?.B....6vv..H.7+.j.W....n.lh..zJJ....P.Y.CxE4"..hR..F.....{..B[K..h.N.y../.$.~.o..P.v....Y.._..j..&.;...m..>.....V.)8..%.....s.......S..rU%p.:.i.Y...y..........P.@.h....b.(... '..!..I.:..PS>.9.,8_P...Y....H...h/..@G...ZX.78.......d.Ok...s..?..#(.0.n..j..I...GE..{.\.<D.PGh++n....xf5i1...t....1..t5p....K%.S.F...p.0*r.;....C....N.x...%.&...p...n.1..n..H...X.?=.X0.P.....|...}.e......d:.!.PY"..JWJ....l..n....Ph..g_....]|P......[..@.O)&..>...]7..%..,.hU.+-.....!9...%...;.c.....E..Q.gQd....X....o.~..F....g&qE.B. L.{...!(n....'.....l.H.N...q...a.0Sw.....C.P.....U......z&".....0dB..N..+.....`s21.r<rx.....s".)..p>.z..|.-........!.f\oMV....".X...0.eq0...dg..).l#.cPdP..&Y.s!.{...d.O./MYe..I.?...r.h8*F..eIf.S..EW.......b.o...`.[.x..n.......q.".\!..b.L.X.Q..@.3.4..1.[7.J.5..... .s..^..Y.ZRU....7..!....1.......X.

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.012.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5176
                    Entropy (8bit):7.968709250147401
                    Encrypted:false
                    SSDEEP:
                    MD5:C5859425F97AEBDDDE8B53B4DA53C78C
                    SHA1:577BB389BEE0C6DFAE7519C2E6788A769A8DEACF
                    SHA-256:53C88483F738E8FDBA754BCBE8303C941383BDECC15B68B4CA35837B828DCFE8
                    SHA-512:903611BC842488C4FD0F5B728E606AE47D6B8CBA1329BB523EF989AFFC7E505D4E4F9B85D496FA1DE180B8DB8ED5BA05B411AD4703EAF30A33B11E0723CAE0AC
                    Malicious:false
                    Preview:.2......I....K.....S@T...Ts.D?...p.W...}.q{_..8..^..t..O.h...iqWIU.-.O.N^f.M..[3,A..a|...|.V.S.{..p.<..u.0.3..}...E.z....... ..X.7...R.i&,...F8#CS/.1..y.a3D.#....d..`;.e.f....xR@..8I?.......4..XR..[W..L...Is.....{}.M.">~;.H.....-..fg..P.......D.@.]P.W..~?....."m......"....8..H.y}.....P....;.....I% .._.jl.b.[.>3....?.8..W>z.o..O...&.6.P.{.c...\...0.x.sQ....[.....[.())43...f.V...J..yz.s.ir.m.......j.b...I.'IF......{.=..@C.....|. .n.1... ,.+[p)...Dr.. .Lo.)=.f....N...HL.,....@.r..,oM..+8^.Y....<.4^Pm....S..tRPK.;..(.LQ}n?...5....;M.....zM"A...ZI.U/.../.~......5D.+..2...W..x.J.....8_c..m......B....g.#...&...D.j....}.W8.:..h.Ju<.V}<.k.yr.%s1M....O9.J.I....O+..(=.......IV!N..Q3..y.\.I.a|.!K.B...X......_....[*....a...l.$........ap9...S.{.k...,.u.U..Q!..-...w......%e;.J{..D.*....}Ep.]Z/...a.;....C?.Yr..8.@..!..*..0.z.............o.......s...(~...C.....t"..ZA.,( ..y...[....`x.P..`{...R.z.:..*..RV-.f....0..z.G...{.S..6..&OC.?..c.......K.w..5.$..b.....A

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.013.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5176
                    Entropy (8bit):7.96542684569258
                    Encrypted:false
                    SSDEEP:
                    MD5:2F17D1853A983B7A0E6FE385BBF78958
                    SHA1:EEBAB3C082FA88F88B5D8148CAAD41863DAF5417
                    SHA-256:C1038C7F290BA2B39F9991858A876F6C35A0DB72CFE2AB04C2BFA972188257AD
                    SHA-512:895C5EFF4DD741A4F885354151DB35800CDA56D4BE464CE6983C23556699CD13C1B4FD38CA67BC6AAD573B76402A3A6FF75F024FF96F06B1EA0BB484A8A3A4EA
                    Malicious:false
                    Preview:...q..|X.....H.....0..[...f...|......h........dy....G.F.a"..Y].....%.>...v6>.`..%L..:Fg.>T.lz.}..{q.....0.Xc.WdH;..de'.!T0X....^A.8.t....l.W...@.z...7 .'x..S..3.......:.L*.L~..J@......Y|.. D...f..J.B..Y.u.7~.....<..Y.......{.M...^.9.RB .*....._............E./..xe..w'..{.-.&.5....4.q..!.R.cI..n.?..>+M4J.\.O...KR....41;..1..*.....G..i.{...V.....B...&..Z];...wRd......7o..*.%.ky....m.....*......g......Z.....E>c........h.._.....0+.......f..&f.x.m...!. 1...ie.......u.......\..,k<.A..D. ....S...&..".S..)...Z@.[...W............/...c..p..:...2.8.'.H~n7.....sX.Ws.f.b.;A..;t.K..*...*..c.E.f.....8.N'.........0...de.l..!..g.....Cme.%T...2...+.k...G2......MN.<.-...<q..&O..........M$-.{._sU.......s.&..U.....p.^....+...;.V...|....bm."B.<..[........A.....oq...l;/5.n..Ll.dM.."..]..C..7Uf_=.Q...).J`...x/.Fm.."6H76...%K...2C...IG.a...7..t.9;.?...<.`.:...}.N.)b...]..C.#U..|Y[..*.B.]..;...+... ...#..ez%.$}.S..E.G|/.X.!..J.>.v...........<.......".4....7

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.014.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5176
                    Entropy (8bit):7.9706996827247
                    Encrypted:false
                    SSDEEP:
                    MD5:5C5436DAB6AE310EAD06317B26B9DEE1
                    SHA1:4B6EDBBE0E61DD73D110D4FFEE89D967DEED3827
                    SHA-256:1DD81130A9416EBC03E8A8E92A59682BA228DDC7BBEAAA999C2182CAB76FEFAB
                    SHA-512:CA0837585C874BDBF38471B0B4B9E74B9B46254092D11F169A0B89514AF324CF5E9A148752EEA659811EAF8C01063C979134D3020D2160D6A91C0E553279FF8F
                    Malicious:false
                    Preview:...9h.....[.^..5.-."..$5...l..b|Q.t..g...Dg..O.~s[..g..}RD.......Me......C....U.1.P7p..wz*..g.f.se...g.v..]..sN 0..^.....U.._$....z.?!.....}J..cG`.Wy~...iT....X<.t....z........1.:.....o.....9..-......f..:m.q."K.F.@.u".......c..M.)hH.r...:....C...!...H~pa^.H.......[^.c........kg....,.2..Q...).4:L.4.!.J..y.C..m.(.g..v.o....lk.1..>.n.#....}D\...i.,.E1.#.0.6^..7..J...1j.......'D..s.Uq..M5.z.X.p:.;C`-..--+....8.t......`nQ.&.,.J.Vk..,"t.....D!.........*.^mQ+kQ......l1..yF<.3..d..17...&.{.l.X......l....b...{U8...G.5.^...+VC<..$|3....;.f.,%.=.ik.]$Ti...".Y%U..Up..)..m? .....6Y.E.I"~D..-P..%f.P.w..,5.R@..[.......$d^h_...6d.>.1.O~.N..@]..HQA.r..-.Z..A..1..?.k'l}`..?...N..Z..8M;.J./..%L.CP....T..3.Qf. ....Z.....wA...k(......~H.d../."C.<;...:....".nO.....-oJ.mD30R..f06N...3..r.U.nz.&.Q...'pa.6.......}cPP"$...a@.6G. ....l.6.L....u..~.....?.!k.....0p....{(...jl..C..L$...&.>N.[#v.eD..Ek..~.....g...K..o..n.......M.\@.N...Pp.*..`......k)J.....Fr.e.H0..K.

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.015.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5176
                    Entropy (8bit):7.96251841854765
                    Encrypted:false
                    SSDEEP:
                    MD5:38BE6C288D05F344A514FC202FC81105
                    SHA1:BBB2D91B7004A682EEEB55304BDD2A13C4364E79
                    SHA-256:8EA86D2C831E1DC2CFCA8AB9BC637C61613AAEB2459117E4E2052BA1935DF789
                    SHA-512:5D5BE00D695CB2355B10516871C7AA1D9354EC063218CA0685B5CA1140D70CC8D7619FECDB78BA0E8549C13D3297C7C7BB31D732071F20159890C4444B3A2FB3
                    Malicious:false
                    Preview:.5.B.....p.....u.y:....;.....u.P.C..}.=..3...E..,.._;..i.%[j...>k.e._.5.1..$W..\.......U..[.@p..ugJ.0..v(.\..#.I.....Y.`...Z.... ....y. ...,....^.Q../..E.....Cw..5...r...RB8.C......J<.@.G/..M.>....]f.,D6......-._... ..z......mWa{.....9.\L.CiP=d...I....e..E}BR...J..A:D..%.b..(.4.<.............2...?Q..tA>4e\.......:...5..%@.%.).@|.a.-....~.*...{.&7...Xx.CL..Dp/..5.;......X.ZA ..@..h.....!S;......{,......0Z_...?.....l.y.(.&V..]OF{T...(d....#.......l.:z.....Q...:..F.E f..8.J..*~.......B241.s...Y.e..A...;......KU/.........?W!..r.......*#....uk..x...........y...>8.{.!.q.'..|....@.e..1..w\..O.#.0L.l...~..iC8E.qnj..p."IV....v..Z.EDc.1...=4...i......}..p.c.......2.W;...[t....|.C..u@.W.=.....T.}m&'.W.mI...........#.....C.*...}.~...%...n...20..'4...!!.....Y@......x[.h.k/...G.=k..d..M.nv..v.l.z.B..2..WH..u..b ....zjxQ.7..B...}..J...9..)A....3..R.kh.8/I.x/OL'}..HGoQ..O1..s.....o.2j....-..~..6..9..Rd.w.I..pZ.L.....I..L..N6.....v.y`.j.1f3U.c....S..R.z.J

                    C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.016.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):9272
                    Entropy (8bit):7.984054859314201
                    Encrypted:false
                    SSDEEP:
                    MD5:8589B2CC3CA5B18A18B8418D226A5D88
                    SHA1:A4C5265EBBBE04C4275982B30D08953F81D8740A
                    SHA-256:FE63F07D8AB4309380943177CC4AB467E5C58CE62B2198AA62D51E17BFF73743
                    SHA-512:9458C887FCCC23382FBE6A92E8D520DEEDF7F45562C854AAB4E2DA79771BE02BCDCD7A3B08B386C4D4ACEEB9F531A703BFB334B7602E084DBFDF4FE93028FE1F
                    Malicious:false
                    Preview:..|..+..*..@...Q_.jvl..b.....L.E./7^.._....-./d~..D.....et.vk...q).u...b.+T. .....IV..Sxb....q...M#l.b.%..95.?..2..#`px.T....)...C.....C...-.z.o..@.....`7.t8@1..W........8.Oi..Y.pm.....7.....o.BI...j,.MX.p..uIt...c.....$V!.......=50[.Z..'.Lz..v|G.$.-....|..1.l......@@..O@.../.ze.........;u.@CLj.......DP:|..].P.y.....8....3.3.-.s.I......u.Ox{.0....d@7C3....... >.J+~..^+....d..2....HH..7/ .w$..{4...w.)..<hv...W..n:.J.kk.m..`..X...d.}@..m$/b...is..y....^.[.w....ID..a..........S.o..v.Qp.D..S<^.D\...2.};-.2..e.&...Of.....p4.#....'....qs.U...`&..[NL#.r...e...+.D....VT.....^X..$B.s..u..fb..%.Y:...T.M.......E..9...........q.Kj)~l....B..%~/]Ql..N...]o-........5.N.r YZ..b#....R...d%...|T.&.c./.!.X..VV..vP..Ts..:...[.......Q.=.r4]..d.m..".#f.....wDE`..i...;1C.:j...l..P....1..,....(.........(.......uk4V.\..or....p.y....MQ....=@F*.PX:&.c.}.g.b,I&!.7%...;.M]S9.h....o?..$...[..E.. ..C....*.....2[M1.<k\...d.BA"..l...F.k...."..6P.&,xf-....a..b..jH?

                    C:\ProgramData\USOShared\Logs\UpdateUx_Temp.1.etl

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):37944
                    Entropy (8bit):7.996563221555066
                    Encrypted:true
                    SSDEEP:
                    MD5:EE23553A88EF1C781D96ABBBB93DAFED
                    SHA1:5A097CE233928DF32B7FC120170EB5EB996466D1
                    SHA-256:9B450A9544422A4B10DDE8CF34BC9C95E55F50AA4F311BEC72361ABC78060DBF
                    SHA-512:99964475B38DBE3C664A068C9ECE28148D957558A81DB46C17AD742FB859C3703F1F63BD928F9D42252009467AC3EC5228561585A0B7C386296F9C6DD2E4C554
                    Malicious:true
                    Preview:k....o..d.../..........$...Y.4P=..Tk..y.00.f..CO..qR..U@.-7.C.^.......}..u.....d@.~....7.:...,..w...G....;eS.h..7.c.%.......dX...u...W..(..)"XslKXnd...?.E..C.&#k...mG.f..Q.....]..Q...-d..a~....... .2...q .~z.=.N./H................X"".i....d....\fJ..z..y....5%....5 ..A......\....<....I..i%..M....H.0.`....2.8S..Z~/.b.].........y..E.i7.-.qo....(H.P.c^Qh.:.|K...Y.\.3.b..]..h!...{.._..z......@..l+p...qA....1...v..4..b.@.\.[0Nel>.=..d."..N.....*t........(N..B.h.M7....bE.k...MHe..}..u.a$......cF.d.1........va...MZ....&U..NM."^....7%.6..(...9Wb....}........x..s..j..L.l.z..=.e|.....U_...K.;...........C........VO.&MJ...L.}.5J....i.L-..=...0..&o{..6..yf.A._....3...........z....HZh...x..}.6...I _....%..M.=r..~.^"73..Dp.E..k.X..T..k...%...T&...d..C.`.q3...T.Flg.P..M....s.S.G+R.IJ...[:...D....7?...dK.......};.O....l.......Q..x .B|>...V.TU)mu.X.^.f.9...N.0R..Y.0..q..^.@-.1..y........W{.L.....Qt....]~....b*..p.R..n.?......j..._.J<tm'.Z..ts.Ea_.D..

                    C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Microsoft Office Professional Plus 2016.swidtag

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2136
                    Entropy (8bit):7.9064465917839755
                    Encrypted:false
                    SSDEEP:
                    MD5:4763ACBBF03B74682A2B00B44398DB48
                    SHA1:C1EDA23CAB62F3689654C1A20AB4D072A781026F
                    SHA-256:CCC1E441AFFA24326DCD71543DD83CE446A43773C22F8D52427AA27F17F41D51
                    SHA-512:853CA11191FC4043B1609E2BC1E6EFBFC3F1D87F6C7402031CF45601DCFCFC8BB7DE1590CEA574D226D1FC3BECCAA60568C881EE739939578F74A8D401175BB5
                    Malicious:false
                    Preview:...9.V.T.......\.d.....y..x.W.*JE.k..NV.fyn&......(:7.7.t.......5y.........-...e. UN.F.U$|H.........{............4\.Ol..5.......k...N...5..*...._....,8...&.b.K..6.....*|..u#.G.!PE5....W.3.J....\...m."..M.U....8.....'.f......:....M.X....1..k..<.... ..-........JJ)..._.(.;...]%.i.wv..w 1..M-.-.1.XJ.x...W..........U3'.s?a...9. q...k.A.}.B..t/..5e.}.i........=....(f.......nm......d.....UAR2'..5.S.n....K...5....<H..l...B.*..oD4....d.z/......r+.(C.;c.!.......7.?3..;..yD......%..&=.m..[.../.'.h.r_.W.h.....!...p...8..a.@t,4@.`m..Y.6..5...p1.$G.7..;...v.;.[...9..+6.]0..#|DA.28..Z[..~..nXU...I5......XkeAh.8..U.V...:....zz..icJT.a.Xu...j.G.&`.<FD.,....D..)...1...T=.8........s.,1..u^...F.o....q:.......r..MT%.zH..g.~G.i..f..]Q.}~7[4..~..H&..Jv.5.R.v....M..a....lNJ~:D..F.,.....\....{.|T.zC.?x..)y...yC.D..B.I.8.?4...]a....z..U)|.i.CuJ'....Ms..&.b..8.I....R....) W.k.[F`W.D.J[y..y.p.}SA."....kf...C6aB..Qr.X..9.!......~rN..j&.A.x./.:.0.1X.g.1.z.}4....E.

                    C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2072
                    Entropy (8bit):7.8915922325928936
                    Encrypted:false
                    SSDEEP:
                    MD5:8C336FC37F8FF6BD329CAD8F41F48441
                    SHA1:A5F2DC398A7F63AA122E8FAFB2A87F9D07FA088A
                    SHA-256:624F4102C481DE23CB8C0FFEA807F619CD17BA4A15F4F98CEF294797C3FA831D
                    SHA-512:67F551BE78F8CFEAD2A58033CF13C5E5DF2137133D4E479D2DC332E353098344C9BD7132F984820BB77E18D745B6793E3779084B535693789809B7EC3994A0A3
                    Malicious:false
                    Preview:@.,..f}o..}....)I.P.9....6R..$.A!.....x...F.S:w.!u.\P...f...q.Ar.....;..E...?.21{._E...x.e~.|.v]_.):}...&...7m_........W.bW..$.T....1..)...;x.lm.....T..#.S..0.u...V..T=$c+.p.'....3..A..!...A.f..T._.nMQ..V9@.....<...TxV......r,#"B$.........U~..,i.....J..5U...E....^..l......W.F1....jp..[.\..... ...#|r|..D...T....E......5O'b+..c...WeQ.g.Yc.t^VJ...4.....o..;r..+z.X......,..i.<.....x...MO..7N;w.3.x[.../.V...$f.....1..l.|.P\..kG_...L2=N..X...z.-x.<S$....^.C.......PK.a..w.d4w...R..WWI.....l....&.{.d..L9.P1..J.q.P.b..-.....V..6..2m....L.O..j.........N....ij...o.z.D...&.<..._L#..aI;...4..T.g.....A[.....D......0.[..-1.g.,9-...X9].B..q.V...{...b].|..q............QHK.a..m...Y.8...f.d......TP..c....F....D.$..1.......8.....w{$....|+!_>...K..00.G;.S.S..Q..G.0._LC..u...Ja..#.6.E{...'>.=..O....^..V. .x0./.....6...9m...t!.#..G.~....G....&.....u.W.....).e..$V.o.l...A...PF~........A....8.r4.<.....!Q.b.,...;O....X1.s.h&...+.=.fN_o..[n{..t.=.......%.t.

                    C:\ReadMe.txt

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):31
                    Entropy (8bit):4.309035020064295
                    Encrypted:false
                    SSDEEP:
                    MD5:AF5C0A0FD6FA8BC8E59F6221A1705EE6
                    SHA1:2DB1C8D26AECFDB8A827A67A5CBF16C4F9977F0D
                    SHA-256:6E55ACC025EA4888FDF070A1707B6E04A509B24772E81D64595EA6B2848DD71F
                    SHA-512:83FC1952BF5A1AA3FC4109B667655DFAD4FD7A72C45EF66D5119A281F24AFE939412577D8C3DC0D3BA0CE494BF32EBE11525749BA4181E4314973E6F3A36786D
                    Malicious:false
                    Preview:PLAY..teilightomemaucd@gmx.com.

                    C:\Recovery\WindowsRE\ReAgent.xml

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2184
                    Entropy (8bit):7.906470796265052
                    Encrypted:false
                    SSDEEP:
                    MD5:741D12AE241E67CD5CFCF80CF82194CC
                    SHA1:032B992FF60974AA1605DA669BD1E4CA195A7A61
                    SHA-256:985CE51EDF72ECC79B81F19F90BB57EB9C07D5CAF668FE8FAC3F93877C6681ED
                    SHA-512:6F14C7BA8BED32C7BBC226022279A874478C88B2F8B0FE6D6D253789840DBB5A72491E0EFBDFF77E8B447290CFB3B16701696B8230E310DE369DC8B212AE92E5
                    Malicious:false
                    Preview:.....L5l....A.m....B.VMR..1........s*...l62...V7;.g........w.u.S.o."........z....Q[.~...=....D;i...../~....I..(....V.k.....%..99b.e...}a.....e6........t..zy[..k.=A~.../U=..eA.cc.N6.%$..!.......;s"....=".K..J.n..Y|.n.....G.<..L....5C5(.`+*....5...K:C&....%..H..x<0..d..vZ..........;.L.r..\.ya.^MlV.............n...=X.........p4..5....kY9X\+~....................>...K..|E.i..-e5.*....Z9..Q.....A..~.H.Lf#....d]..c[...h.|d.P...!RJAB!.V....(.\..f..B....5.....*....]0.h|.bX.X.F#H.d.....r.(...U....=..G.......D..+..e.D..w...$%......)'W1w....6...F.....m....r....-..'.Qv`..zXA}......Ex.d.....,b.0............~I..&04..\...I...../J.w...~......c!.......x<aQ'..}..k..r_x....LF...a.t..=*#l..0d#...i@..!....pf..b..Y)...L......%.&..f...C......I.R9.c.......6...9.....N.h....y...0.p.}. *.!.I..S7.....W{..>V..M.....FA....9..|.F.|.+.A$.Nt.P...?............".f....4....k....&....)..S...{t...|.&-"q....a.....D/.I.N....~lZ.s........"...hR.DsP...YA|".9{..d.`r\]`_

                    C:\Recovery\WindowsRE\Winre.wim

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):367240424
                    Entropy (8bit):7.999786786329474
                    Encrypted:true
                    SSDEEP:
                    MD5:29F0EAC263A562DA1BBEB7876047A1A3
                    SHA1:28C82E1BDE9B566612C58637CF7DAEAAC67E687C
                    SHA-256:81F7B29FA2366DA17C057F554073956A5D414DE10009A46A3749BFBBFAB48FFD
                    SHA-512:21A9E9D22CD1EC36031ED681F5C97F7A2A8289008B1B8E523CA7E0E7EC9F856CD96C17DA61309CE695BD0DC8070279B7CF86E1559E97822098398B35FFC482EB
                    Malicious:true
                    Preview:..zh..H.".;.$...r]>..{m.S..vGe8..."..:.vC....Ve.`h.....(s.;Un.=.d.@..._;.)P.Y0.i..p...6.V....A..4...a.|.n.)...fZ..L.......PK.m.......Q. ..kb7AO...0...C.....`.+....*.l....mM....s...TCwyN?3..p.....oG!.#...J_b.O.>jG......{.V..{h....j..mn?'[.i.Y&I. :..)N...e]:.}.Wr'...k.u..hv.7.|.z....S.$U..+?.6r=..Y'z.G!.K....j....4..2....VBvS..Q..5..q.....F.f.}YZ+..uY.}.4% &.g....T'._^.p59...j...wu..q...b.....H.........'....1..b<.5.......o./`......._d.....yr...........{....((.L..d.z.B...Z?..up.]..........F.#.....-U...... ...T.{.-4....]..........S..t../.4..x.....0\\...V.g..>..Qh-.........a<..=..1..@!.K|..w......t.<...:.\5.S........)....sP*.w.4....$#].D8T.~....He$b...t...#98....`.I...?.AZ...SwB..8Y9P...B..E...IP.._S.bs$..P~..w...Rig....C.(.N..v....y..X6..xYC*|uv.....|i]......%.i.....$D8J.s.#.....Q"..|a.}...... .w..=..K.&......."iv...-..I...X..$.F.........&&w.......Q.&.vL...d.Oe`6.:.x(...l.2...m8..v...g.tW.z..(...VI.m.L.....\.eB..6.....{;*......N... -.`.L

                    C:\Recovery\WindowsRE\boot.sdi

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):3171384
                    Entropy (8bit):7.999950519113721
                    Encrypted:true
                    SSDEEP:
                    MD5:20451479213D03C3D1DC78DCDA52D5EF
                    SHA1:6D821786CC2038B86F0E3724CB88B87E1D263E89
                    SHA-256:FBAAE9EAEF1E4CC8613A837B233A17FB4EBA4C403AD508B5FA5B045D00C395CF
                    SHA-512:75062D72C8EE65F6B772AADF29EA2A370190C3918CE3AA898F99E587AB5D548AB028F1964F4A4CB4D50BC0E0354647D00F5DC1515ADC62EC0E98FF20B11C60E2
                    Malicious:true
                    Preview:.p.C.?.M]....g......,.e...i.1m.&..3.#.j..5N..k5'....U~.%d....<G.A.,qlkK.....&RC1.^.U.j[>.I.r!...>...{....n.......-./k...M.u..y.<.x.@...1.s....z.U.&.v[l..]y@.zD.C.........#...}L..IJ.8...0B....n...B~..$.j.P{mjPiJ....GN"KrH.L<..E.W~k....dp..a.....Fk6.l.8....$..x......1.,..".....77.ME%[,....f/.V@&..*......h..;........."9.7o.`..Y.P...!W..<...1.1.:.......Z.D27.o.b...<...NU.....Y.To.5..G.7.4.:..I...k.....^......_..v\...+.......:.6..GS..........t,[.7.`.....Yu.a....J)....q......5.s5...1y..L.gJ.W...A.w.^..Ay.8B#h..x....+.......(...8....*.E...ey......k.Rs.:...0.....Z..T%.!q......w.....c7.."........g.8.&Z......n.._.....n-.._\.Ec.YA..Ie.....f..W.c.s'......I....H.G.t.y|.v.....2Zwi..D....{..5 ..h.b#.?..$..KNI..v..M..?.mT)k......7Y+H......M..f..F..V......9..I..N.K..NV2E.f.q.......&.P...X.w.+..r.r.W..'S..U.......`.Rv.6e.1.....Zi...Kl.[.Z@8o./vJ.a...M...D&?zkh.......I!b..t..h}... ......_..)b....T|..)A......JWR<.T}Q...+...c0.\P../.I.....|.k.%.[.A.2....

                    C:\Users\Public\Desktop\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:PGP\011Secret Key -
                    Category:dropped
                    Size (bytes):1240
                    Entropy (8bit):7.831652314945752
                    Encrypted:false
                    SSDEEP:
                    MD5:0AB09B0CCC8BF8E3674CD26CAE0DF331
                    SHA1:05DE230145D4EDDCDD3A6C246A5F927AFBAB7C06
                    SHA-256:21856B62B2CD2FF8EE96420336F619FE2CBEB543661A18B53977A656C945BE07
                    SHA-512:F23A2D20B862BA05E465B2D7D76B2DBA1C4AF1F1918533818CE58B90AC798C3CC8E79D4D47BE8C24F38764567201227ECAA488CA78B1748895B5F1F335A93291
                    Malicious:false
                    Preview:.....Dz!.}....V.T..n.. F.........W.....Fz.?r#G@..'...ZC....e#7BZ..........0......{..fm....=.vs........i.....@./.......;.......|...Q....bP{8.+e.A.g6.. q.x.'..7.6.L.X.Y....T..U.|.!.I>..........................l2...@..Z...... ..#...T.[.{...FB.....q..(".C..UZ..u.....H*....'3*.).W..q..;~.p.L.N..'<.a.3.q.=.o.[..*....".+..;..<u...As..+..T.[.>.../.F.yr.0.(i."...h.9'N.G.]Pi.o.k-V..Z.N...\...Q........!P.........sZ..z......."V..'0P|.C.P...^...zz...0`..s.a6.1h...Q.#...o..h.. ...OL.x`...+b..7.R.nh[=e.U..4....}....#,..dC.. z..5.CN.s.....$*Y.........pdm:..).s....TIt....mXe..F.8....[...D60.q.e.g.Z.]W...:..Z=iC|...}y..?..d"....q.....E..O.Fa..*...*U.h......$a.<..V+I/.o.d.P..5&.i_w...q.'$.sh_6..../.4[.rQ.^:.....L..v.L.!9Y.q...g....l.?3......g.Nm.....n@......F..r..]wh).Q>.....OWC...{..$8.\..0....C-O.i..Ya..."...*..o..J.g8>D.P..!6O. .Q..i.~....JP&...$,%4....$....<P...D.O-..T?z..D/..6../...<....2.......i.....7..l.......]<..,.r.h...{...o.|....~.0.j...8.D.....;..

                    C:\Users\Public\Documents\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1352
                    Entropy (8bit):7.8356061108275625
                    Encrypted:false
                    SSDEEP:
                    MD5:80357C6D9334BE92CF57FE9B7A26E588
                    SHA1:1166683BC94585AE73A0F5B4A0E8F7FF320580E1
                    SHA-256:77A579FF63880361645B9497AB857736CD510759836ECAFD27137A1154A34E7E
                    SHA-512:123EDB166495EEEDC07DD135A3A281A42B4383AFDB1C0ACDF91F0B5B7B9DFC2D5E58EAEDD72001153D3DBF5A65F8A68137D5C90F8CCB77EDE97AD78B101ECD02
                    Malicious:false
                    Preview:...... ..2 {.]|<.K..M..n..<..A...O.Tt........{HOL.PA..~.{ .g...(e[....r.../.t)..%._:.Zu8..m.O.,.tq......]........>..T....pI'...6.~..KR>....w..LNm0....m&.J.........y.1..V....4..*../.\.j....?............y.+.}.0....AE".!C"&........Fi3..&....xz*..........y.%.4..B;.i..(...T..U.|.!.I>..........................R.........Z..G[..H....[)ta.N.,....|..[..:...lY.}z......x..C4......p....=A.Q.@.._.<s.... 049....3VBF.dILkZH..v..b....,"C..t.l......?....N..l{......'09<.=z_.f...'.g....xU.E.j..{.u....?g.2.m*..Y..-.z..,....P|..8|.*...K..H...\.s........6..D./...'r..q.......[hST....8.D.c+...U..E.....9C.Tv.@?I.oe{.`.-.F.<(.).B.[.S....0M...&.....$..e...gI.F....*......< ).....G.pj.....3.%..A..n9...<...y..ch1b....,.Ba.s_.>..U..PB.-%...x.-.u1.b=.F..~.o..U|!..{.xt......k...,..3...w<.b....t..."g{..TO..2.s.......~F.vD..4.F..8}....t...oB>........A.......y..../...O....<..-....Ku...j...b.@..#..h/.Oj.W^i*M5[U..Y..|...h...O....h!..1..I.s(....F...my...$....u..*2e..c9..g.(

                    C:\Users\Public\Music\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1448
                    Entropy (8bit):7.836668957429715
                    Encrypted:false
                    SSDEEP:
                    MD5:5FCD3EE63C2EAF46BBB8AA4AD8510AC6
                    SHA1:1C80649824C1D3F9369D6F4D3BA4B80C3DE4F5EF
                    SHA-256:C68AB3DF66524854D2F9DE6394BF4F3EB7D245E1ABDE79099B3355200441A60E
                    SHA-512:B07BE58C1EAEEEB5291CECE43CBE98F576DE510BCEC606F87BE926D0AFE394E49499A45E62CC5516BC08B4403B16249F96326A3A99745952F14E28C370BE5A48
                    Malicious:false
                    Preview:_@ .T."...p1X.U......d..l....]..t..u..]%.......(o...=CZ.f..1...V..|)...K?|.;g..O...t..."UF.^.....5...o1+z....]..:=4...Q.ls..?.I........rv...[..-..a.`..@.?...gR.....Q.........?8.i......QY.....4L..y..../....'.SaY.|.p....o.x...7..+....`.F .....X34u....SY....'.K?"...R2..p.\6..|_.0.q-f....."..'W3..=f..<Z.......H..d).C..8R...S.<-..2X...z#w..I..k..T..'..S..kRO.)c.....T..U.|.!.I>..........................v:.......w....H.F1......X.n...v.)E...|\.!..Z.Z...*.a....#.@jP.crwt.|.Aj.E.Y.U........t.]U)..?..-._.xNP.Rn..X.~aJ..{i..}.h.]..=..FS$`...fL..Tj.\...$......!(....24.t.c.........y..=<&.[.w~.V.t0..Q........8.R....|R.. .Gns2.....?...z..t.lz.l#..!Y...o.H....v.v*....\.G..w.0.H...Y..C.,....|U..t..O..#K]...E.s ..~...4m7.t....c..$..Dd.{...fVh&^3y...5].....[ :.Kv.SPq.w....3|.........BN.......!..u..M6.O2....:.2.s....]...<.].F..r..Xb.J....%k.~.B...X...l.....k....P.m...`%B..C.'..F.....!.d.....m|^..hD.g....7...5.>t.......S..Vs....|...Y......-O......BG3..(wd..M..

                    C:\Users\Public\Pictures\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1448
                    Entropy (8bit):7.836593418182793
                    Encrypted:false
                    SSDEEP:
                    MD5:F12AC20B4535E5F845969BFF50C0635B
                    SHA1:FFE1C12DD9ACCB97DCBECD106902C3F4A5FC6793
                    SHA-256:B9A31578D28269A128E076771D70CECFFF5167C237E22FFC46CD7979933B1442
                    SHA-512:463AF8E839DE2310A459348F2BBFFC8274246FE9C1C78A42244132A0EFEE57B7F43167956F41666C6BE713B24698E7C8FEDD591FE56E5714C7ED473B450A3635
                    Malicious:false
                    Preview:...c.R..._.6...uv6`c.l.wHh...F..Q..8.F......7.9....0.#..5...7........!;...Wp.tE.A./.........q..HG.....M"......._W....+]SK.'....9.(..D..I..q).J.r.j.j...e[.%]....K...>.c.F.B.a1?..G.}..Q..........X...D..3$..X.56../=..O.i.n.5.'.(.t..m....F].f.#....U.n......B....T..3.Z.....^[Y..E.....1....IG\.p3;.s...;....:o..g.... ......x..Q...`..Z....^.`.VO..~..p....A..,.....T..U.|.!.I>..............................M-U#......3 .j.:..|Z..,.&.4Q."...{.qk.....#.e.|.X..w..(lP....sC..T..d..Y'...2..:..i;....[b.-..._......8..R..=...iv..6..!.5..;....9.>.i.`..E....bK.U.o..N.F....h...].C....\..(.f....5Zj.....i...e.R.......Xz.p..Uu..........>3Q..t;R.......F8.np......\..P...v....g.4...l8T...#..{.4_./.e..xh......:2..N...,Z.t...4..].2.6..;B...f.{.i......T...V..2...u...pX~5..U..i.2.0...)..9.b.t....n7.S...c.mv.f....Wn...61..5.hQ.$n..WH.z..X...\..fI...P0..e?+..9..!.. ..u....]....Z0..7:j.@.......<sJ....?N7..1...>...9f.-...+.E.*.h...Y.p..... j..?h...`.O..w.GMn.k.|..S^t....

                    C:\Users\Public\Videos\desktop.ini

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:modified
                    Size (bytes):1448
                    Entropy (8bit):7.84268453480531
                    Encrypted:false
                    SSDEEP:
                    MD5:4B7DD9C0BCFBD437D4BB1E402FD7B55C
                    SHA1:E6D72510C9D5303DB57DECF833E29B005D2ED40E
                    SHA-256:C35331180FE321CDD2254F34898BF7007F61536183CC1C81971788D15ECDE82B
                    SHA-512:47C8FBDE11CDE30831214E0A8D9C4E4648636AD2CE8303032657006A3C70684D67B6188F0B3B1191DEB65C56103B62802F89AD1CC853CD05F7A5FCC2D25DC66F
                    Malicious:false
                    Preview:.L....l.W.q...>p..UR(H.s...[F..W.B..o-.h..r.e...q..Y+..54%.A:._v.8}.!.\<u!..0......A...G..O.g...+.LcO!.....1a.....b..E.&U...&.C.Y.P.AC..d...L.*%].d.M....+....uc..7.<v.h)..cS.R..@`:+..H.vy.|=..>.EU..~.yF....$.|...5...x....s^.f.4...$m=...zB...`.P..,./..9..k.....6..t....4.4....g.Y{.P............",(...p...b..........O~.:,"..v.....s(..p.>.T..W<....M& ..[M.f..-`F.....8....T..U.|.!.I>................................6;.I.S........ ...-.....n..rH.f7.7....G@O..v!.;He)S..,.I..=...X.EHl......,..G........L.<..e...t.}.A......u......W..{.....Ru[J4.........G%.x0fR.VGE.O.v).Q.P!T....6c..?..KT'.....p..4..U1.Q..=.kVr......'...V....d.t...j.s.........e..5....L}4..FA.....(.>+./..~..m.p......?=C.."..\.!.|.`.l.8.7{'5}..TB'..[w...~..r.w..<.{......;H.g.i<,.-a.T).|.R@.c.V..G....F1......(f8\.1R...v.-Y.HA+...u.H.B..4./..~*s..i1....l...H*.M.........(./..p.z...8.j...6..Ue.TL..;..7.>dy...;.e.Rfh.S...."..k.wL...b%..O...n..d#....]..Z...T{...(.t.=}Zu...}P.:..#.8

                    C:\bootTel.dat

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1160
                    Entropy (8bit):7.79338870917704
                    Encrypted:false
                    SSDEEP:
                    MD5:3B5D73BD59213F395CF1777A0992E685
                    SHA1:A4BBBB681BFB67A4A398F28E9FAF2ECF92C62F3B
                    SHA-256:3D7E5A85131F815093576186DE0A5961289B15B13850F653DB71BA1A71D2DD09
                    SHA-512:4E771407F46243658A6A27DC21E9202BF19494809174E4DF7AFE7A2F51A86114DB5646995A590350D0A2F0338928D51F5FA9E943E38A0086077E9B1DA4F8A27A
                    Malicious:false
                    Preview:..p.TM.'..>..MJ..\....,8...*.....hq..B^..]^.`....s....1.P.o.x...5*b~.E.Q.aU..wg.-3|..*.%|.8...T..U.|.!.I>..........................A...p.J.<.Q.gZq...Be..AY.f.&...wjc.x4...\....^..S....OVb.D..T.....).2rh..h.9...:Wr.?3d..;.I....-...... .....x..B3.q..3!..L...C.N....e9...4.o.!*.'.D....].W.G.-75.....E...T.r% .._Z.o...7..|.D.2....3.BW0.}a..... i..}..5.TY..H..6.....p.0..K..X.tJ..q.5!..ve..{..4'. ..}?.m.n...B...fS.et.H..W.....h..d.0?.=1,........c]o.-.`hT..B.}.t....p...$..z..Z....W.$.q.\.I...-..T..<nN_..&..?...mk..|.9Rf..i.f?..c.O.~...4..0......q.M......0.....Et4.a..pY..N.............C.,..L....[.>...QD...ab8...K`..,..D.q..A.......S.E.....A...y..g.....d...RU..W.[n......>...e...XKu[Nbt#..W.}D.c.5.z._.L..2.....qo ...$zc.....0......<...Y-k.....cb...|....H..lqp..`\......(h.......xi.-*G].'+[.....p.8s5..a$..EI..5....S....w.|-.]..K.M.&5.-7...t.Z.o[.?.....J....h..&-..p.l....x-S.T-I..3..A.T.<....V.T...3."V.%;.M....I....1C..e.....A..^.(....@B(X.c{.*....r%Q..

                    C:\bootTel.dat.PLAY (copy)

                    Download File
                    Process:C:\Users\user\Desktop\PLAY.mal_.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1160
                    Entropy (8bit):7.79338870917704
                    Encrypted:false
                    SSDEEP:
                    MD5:3B5D73BD59213F395CF1777A0992E685
                    SHA1:A4BBBB681BFB67A4A398F28E9FAF2ECF92C62F3B
                    SHA-256:3D7E5A85131F815093576186DE0A5961289B15B13850F653DB71BA1A71D2DD09
                    SHA-512:4E771407F46243658A6A27DC21E9202BF19494809174E4DF7AFE7A2F51A86114DB5646995A590350D0A2F0338928D51F5FA9E943E38A0086077E9B1DA4F8A27A
                    Malicious:false
                    Preview:..p.TM.'..>..MJ..\....,8...*.....hq..B^..]^.`....s....1.P.o.x...5*b~.E.Q.aU..wg.-3|..*.%|.8...T..U.|.!.I>..........................A...p.J.<.Q.gZq...Be..AY.f.&...wjc.x4...\....^..S....OVb.D..T.....).2rh..h.9...:Wr.?3d..;.I....-...... .....x..B3.q..3!..L...C.N....e9...4.o.!*.'.D....].W.G.-75.....E...T.r% .._Z.o...7..|.D.2....3.BW0.}a..... i..}..5.TY..H..6.....p.0..K..X.tJ..q.5!..ve..{..4'. ..}?.m.n...B...fS.et.H..W.....h..d.0?.=1,........c]o.-.`hT..B.}.t....p...$..z..Z....W.$.q.\.I...-..T..<nN_..&..?...mk..|.9Rf..i.f?..c.O.~...4..0......q.M......0.....Et4.a..pY..N.............C.,..L....[.>...QD...ab8...K`..,..D.q..A.......S.E.....A...y..g.....d...RU..W.[n......>...e...XKu[Nbt#..W.}D.c.5.z._.L..2.....qo ...$zc.....0......<...Y-k.....cb...|....H..lqp..`\......(h.......xi.-*G].'+[.....p.8s5..a$..EI..5....S....w.|-.]..K.M.&5.-7...t.Z.o[.?.....J....h..&-..p.l....x-S.T-I..3..A.T.<....V.T...3."V.%;.M....I....1C..e.....A..^.(....@B(X.c{.*....r%Q..

                    Static File Info

                    General

                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):6.681707525912978
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:PLAY.mal_.exe
                    File size:182784
                    MD5:223eff1610b432a1f1aa06c60bd7b9a6
                    SHA1:14177730443c65aefeeda3162b324fdedf9cf9e0
                    SHA256:006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
                    SHA512:cf8b097e4d8dae444c4759a6588bcc5769694d34675f17fed5ee6d0b7aa52ed44263b0cc73f4ff422182a01ad8d69b18a71110c4fc4e9dd2233e9cfe833cbd36
                    SSDEEP:3072:Yrl2uRkddO+iR7OZOQ+dzeIP9mwUGU3l2bxW1/9JnOC/fhKJ2hXh3lmG:22uyqOh2g8U12K9dtEWx17
                    TLSH:F2047D16A7B1D075E4B6847026E98EF1CE693B320F01C8EF6781176959325E2E135F3B
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E.X.$...$...$...L...$...L..3$...L...$...L...$...L...$...L...$...L...$...$...$...M...$...M...$..Rich.$.........................

                    File Icon

                    Icon Hash:00828e8e8686b000

                    Static PE Info

                    General

                    Entrypoint:0x417ea3
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Time Stamp:0x62F05D12 [Mon Aug 8 00:47:14 2022 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:6
                    OS Version Minor:0
                    File Version Major:6
                    File Version Minor:0
                    Subsystem Version Major:6
                    Subsystem Version Minor:0
                    Import Hash:bfaffd974eb97f13ae5b4b98aa20c81e

                    Entrypoint Preview

                    Instruction
                    call 00007F1498B5D251h
                    jmp 00007F1498B5CDDFh
                    push ebp
                    mov ebp, esp
                    mov eax, dword ptr [0042B004h]
                    and eax, 1Fh
                    push 00000020h
                    pop ecx
                    sub ecx, eax
                    mov eax, dword ptr [ebp+08h]
                    ror eax, cl
                    xor eax, dword ptr [0042B004h]
                    pop ebp
                    ret
                    push ebp
                    mov ebp, esp
                    mov eax, dword ptr [ebp+08h]
                    push esi
                    mov ecx, dword ptr [eax+3Ch]
                    add ecx, eax
                    movzx eax, word ptr [ecx+14h]
                    lea edx, dword ptr [ecx+18h]
                    add edx, eax
                    movzx eax, word ptr [ecx+06h]
                    imul esi, eax, 28h
                    add esi, edx
                    cmp edx, esi
                    je 00007F1498B5CF7Bh
                    mov ecx, dword ptr [ebp+0Ch]
                    cmp ecx, dword ptr [edx+0Ch]
                    jc 00007F1498B5CF6Ch
                    mov eax, dword ptr [edx+08h]
                    add eax, dword ptr [edx+0Ch]
                    cmp ecx, eax
                    jc 00007F1498B5CF6Eh
                    add edx, 28h
                    cmp edx, esi
                    jne 00007F1498B5CF4Ch
                    xor eax, eax
                    pop esi
                    pop ebp
                    ret
                    mov eax, edx
                    jmp 00007F1498B5CF5Bh
                    push esi
                    call 00007F1498B5D6E3h
                    test eax, eax
                    je 00007F1498B5CF82h
                    mov eax, dword ptr fs:[00000018h]
                    mov esi, 0042CDB0h
                    mov edx, dword ptr [eax+04h]
                    jmp 00007F1498B5CF66h
                    cmp edx, eax
                    je 00007F1498B5CF72h
                    xor eax, eax
                    mov ecx, edx
                    lock cmpxchg dword ptr [esi], ecx
                    test eax, eax
                    jne 00007F1498B5CF52h
                    xor al, al
                    pop esi
                    ret
                    mov al, 01h
                    pop esi
                    ret
                    push ebp
                    mov ebp, esp
                    cmp dword ptr [ebp+08h], 00000000h
                    jne 00007F1498B5CF69h
                    mov byte ptr [0042CDB4h], 00000001h
                    call 00007F1498B5D50Bh
                    call 00007F1498B5DB72h
                    test al, al
                    jne 00007F1498B5CF66h
                    xor al, al
                    pop ebp
                    ret
                    call 00007F1498B6078Ch
                    test al, al
                    jne 00007F1498B5CF6Ch

                    Data Directories

                    NameVirtual AddressVirtual Size Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_IMPORT0x2a8c40x28.rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x2e0000x1638.reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG0x2a1d00x38.rdata
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x2a2080x40.rdata
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_IAT0x240000x104.rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                    Sections

                    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                    .text0x10000x221450x22200False0.613846440018315data6.744506431104587IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata0x240000x6e8e0x7000False0.47984095982142855data4.945197895884443IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data0x2b0000x27500x1c00False0.25948660714285715data4.439440123336567IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .reloc0x2e0000x16380x1800False0.7708333333333334data6.423094865560977IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Imports

                    DLLImport
                    KERNEL32.dllGetLastError, GetProcAddress, Sleep, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapFree, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer

                    Network Behavior

                    UDP Packets

                    TimestampSource PortDest PortSource IPDest IP
                    Sep 1, 2022 23:08:53.838438988 CEST50507274192.168.2.6192.168.2.1
                    Sep 1, 2022 23:08:53.855319023 CEST50507274192.168.2.6192.168.2.1
                    Sep 1, 2022 23:09:01.899801970 CEST50507274192.168.2.6192.168.2.1
                    Sep 1, 2022 23:09:02.011899948 CEST50507274192.168.2.6192.168.2.1

                    ICMP Packets

                    TimestampSource IPDest IPChecksumCodeType
                    Sep 1, 2022 23:08:40.416812897 CEST192.168.2.6192.168.2.1cef1Echo
                    Sep 1, 2022 23:08:40.416856050 CEST192.168.2.1192.168.2.6d6f1Echo Reply
                    Sep 1, 2022 23:08:53.838491917 CEST192.168.2.1192.168.2.6830d(Port unreachable)Destination Unreachable
                    Sep 1, 2022 23:08:53.855380058 CEST192.168.2.1192.168.2.6830d(Port unreachable)Destination Unreachable
                    Sep 1, 2022 23:08:54.498430967 CEST192.168.2.6192.168.2.1ce00Echo
                    Sep 1, 2022 23:08:54.498478889 CEST192.168.2.1192.168.2.6d600Echo Reply
                    Sep 1, 2022 23:09:01.899852991 CEST192.168.2.1192.168.2.6830d(Port unreachable)Destination Unreachable
                    Sep 1, 2022 23:09:02.011946917 CEST192.168.2.1192.168.2.6830d(Port unreachable)Destination Unreachable
                    Sep 1, 2022 23:09:02.752224922 CEST192.168.2.6192.168.2.1cd02Echo
                    Sep 1, 2022 23:09:02.752289057 CEST192.168.2.1192.168.2.6d502Echo Reply

                    Statistics

                    CPU Usage

                    Click to jump to process

                    Memory Usage

                    Click to jump to process

                    High Level Behavior Distribution

                    Click to dive into process behavior distribution

                    Behavior

                    Click to jump to process

                    System Behavior

                    General

                    Target ID:1
                    Start time:23:07:48
                    Start date:01/09/2022
                    Path:C:\Users\user\Desktop\PLAY.mal_.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\PLAY.mal_.exe"
                    Imagebase:0x3b0000
                    File size:182784 bytes
                    MD5 hash:223EFF1610B432A1F1AA06C60BD7B9A6
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low

                    General

                    Target ID:14
                    Start time:23:09:05
                    Start date:01/09/2022
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540
                    Imagebase:0x1030000
                    File size:434592 bytes
                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Target ID:19
                    Start time:23:09:40
                    Start date:01/09/2022
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540
                    Imagebase:0x1030000
                    File size:434592 bytes
                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Target ID:20
                    Start time:23:09:40
                    Start date:01/09/2022
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 2796
                    Imagebase:0x1030000
                    File size:434592 bytes
                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Disassembly

                    No disassembly