Windows Analysis Report
PLAY.mal_.exe

Overview

General Information

Sample Name: PLAY.mal_.exe
Analysis ID: 695797
MD5: 223eff1610b432a1f1aa06c60bd7b9a6
SHA1: 14177730443c65aefeeda3162b324fdedf9cf9e0
SHA256: 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
Tags: exe, PLAY, ransomware
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Tries to harvest and steal browser information (history, passwords, etc)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Keylogger Generic
Checks for available system drives (often done to infect USB drives)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality to query network adapter information
Abnormal high CPU Usage

Classification

  • System is w10x64
  • PLAY.mal_.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\PLAY.mal_.exe" MD5: 223EFF1610B432A1F1AA06C60BD7B9A6)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: PLAY.mal_.exe PID: 6884 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Source | Rule | Description | Author | Strings
0.3.PLAY.mal_.exe.3100000.2.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

No Sigma rule has matched
No Snort rule has matched

        AV Detection

        Source: PLAY.mal_.exe, Avira: detected
        Source: PLAY.mal_.exe, ReversingLabs: Detection: 80%
        Source: PLAY.mal_.exe, Virustotal: Detection: 71%
        Source: PLAY.mal_.exe, Metadefender: Detection: 45%
        Source: PLAY.mal_.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File created: A:\ReadMe.txt
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File created: B:\ReadMe.txt
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File created: C:\ReadMe.txt
        Source: PLAY.mal_.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: netutils.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380967509.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdb source: PLAY.mal_.exe, 00000000.00000003.380378382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdb source: PLAY.mal_.exe, 00000000.00000003.380946454.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdb source: PLAY.mal_.exe, 00000000.00000003.381007395.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcrt.pdb source: PLAY.mal_.exe, 00000000.00000003.392615104.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdb source: PLAY.mal_.exe, 00000000.00000003.381337074.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: PLAY.mal_.exe, 00000000.00000003.380084663.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shcore.pdb source: PLAY.mal_.exe, 00000000.00000003.393091382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.402134952.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcryptprimitives.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381571826.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdb source: PLAY.mal_.exe, 00000000.00000003.398338084.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdb source: PLAY.mal_.exe, 00000000.00000003.397854199.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: fltLib.pdb source: PLAY.mal_.exe, 00000000.00000003.402653498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wsspicli.pdb source: PLAY.mal_.exe, 00000000.00000003.381518459.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.392986515.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shell32.pdb source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381337074.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdb source: PLAY.mal_.exe, 00000000.00000003.399573219.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.398338084.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdb source: PLAY.mal_.exe, 00000000.00000003.402719687.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdb source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdb source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: mpr.pdb source: PLAY.mal_.exe, 00000000.00000003.402907884.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdb source: PLAY.mal_.exe, 00000000.00000003.402134952.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wsspicli.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.381518459.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: combase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.393364039.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381007395.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: srvcli.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381294989.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381549375.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shell32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: srvcli.pdb source: PLAY.mal_.exe, 00000000.00000003.381294989.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402719687.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: fltLib.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.402653498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: profapi.pdb source: PLAY.mal_.exe, 00000000.00000003.402283247.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.398793778.000000000317B000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdb source: PLAY.mal_.exe, 00000000.00000003.382187348.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: iphlpapi.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381918022.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdb source: PLAY.mal_.exe, 00000000.00000003.398793778.000000000317B000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shcore.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.393091382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: mpr.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402907884.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: sechost.pdb source: PLAY.mal_.exe, 00000000.00000003.381665426.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: iphlpapi.pdb source: PLAY.mal_.exe, 00000000.00000003.381918022.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380084663.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: powrprof.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402395094.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: powrprof.pdb source: PLAY.mal_.exe, 00000000.00000003.402395094.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.394554162.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380856909.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402226498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.380378382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: sechost.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381665426.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: PLAY.mal_.exe, 00000000.00000003.402226498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.380946454.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.399573219.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.397854199.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdb source: PLAY.mal_.exe, 00000000.00000003.381549375.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcryptprimitives.pdb source: PLAY.mal_.exe, 00000000.00000003.381571826.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdb source: PLAY.mal_.exe, 00000000.00000003.392986515.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdb source: PLAY.mal_.exe, 00000000.00000003.394554162.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: combase.pdb source: PLAY.mal_.exe, 00000000.00000003.393364039.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: profapi.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402283247.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdb source: PLAY.mal_.exe, 00000000.00000003.380856909.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdb source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.382187348.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: netutils.pdb source: PLAY.mal_.exe, 00000000.00000003.380967509.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: z:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: x:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: v:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: t:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: r:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: p:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: n:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: l:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: j:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: h:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: f:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: b:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: y:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: w:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: u:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: s:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: q:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: o:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: m:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: k:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: i:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: g:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: e:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: a:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, File opened: [:
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, Code function: 0_2_00AEB625 FindFirstFileW,
        Source: C:\Users\user\Desktop\PLAY.mal_.exe, Code function: 0_2_00AFC6C9 FindFirstFileExW,
        Source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: DirectInput8Create
        Source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: GetRawInputData
        Source: Yara match, File source: 0.3.PLAY.mal_.exe.3100000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: PLAY.mal_.exe PID: 6884, type: MEMORYSTR

        Spam, unwanted Advertisements and Ransom Demands

        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.99370881577
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\Default\NTUSER.DAT entropy: 7.99938002977
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies entropy: 7.99055398413
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf entropy: 7.99747182705
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\Default\NTUSER.DAT.LOG1 entropy: 7.9969397682
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms entropy: 7.99960447813
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms entropy: 7.99967785702
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Recovery\WindowsRE\boot.sdi entropy: 7.99994281938
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Recovery\WindowsRE\Winre.wim entropy: 7.99978673587
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst entropy: 7.9987204886
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat entropy: 7.99927592854
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\eventpage_bin_prod.js entropy: 7.99755154683
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin entropy: 7.99692318117
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00001.jrs entropy: 7.99994189562
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Comms\UnistoreDB\USStmp.jtx entropy: 7.999942459
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx entropy: 7.99730845969
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Comms\UnistoreDB\USSres00002.jrs entropy: 7.99993639407
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma entropy: 7.99983376886
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database entropy: 7.99410406039
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-62FC0DB0-1450.pma entropy: 7.99996109326
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab entropy: 7.99819227613
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab entropy: 7.99978805821
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\cab1.cab entropy: 7.99988789096
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\cab1.cab entropy: 7.99996778285
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab entropy: 7.99840138716
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\cab1.cab entropy: 7.99854582847
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab entropy: 7.99982593479
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\17f7cd50011af964_0 entropy: 7.99724336878
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab entropy: 7.99981866052
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab entropy: 7.99978332161
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab entropy: 7.99996026328
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab entropy: 7.99988212784
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\1ba843d01a7fd21b_0 entropy: 7.99766796554
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\2fc35d15f2eabeff_0 entropy: 7.99740770967
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab entropy: 7.99996505694
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.001.etl entropy: 7.99332668999
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.004.etl entropy: 7.99231889317
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.002.etl entropy: 7.99436517777
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\4d1a34821fab0830_0 entropy: 7.99882313552
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.009.etl entropy: 7.99064060505
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateUx_Temp.1.etl entropy: 7.99535932735
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5e3d1997942e96db_0 entropy: 7.99887352838
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5d86ce9f97b83b7a_0 entropy: 7.99783382452
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\6634d30d3dcbf0b9_0 entropy: 7.99918174312
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\92ed7279d3e98be7_0 entropy: 7.99803431143
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\9aac68df8d0c7a90_0 entropy: 7.9966570813
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js entropy: 7.99966238658
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_metadata\verified_contents.json entropy: 7.99088819373
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js entropy: 7.99934838305
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif entropy: 7.99723232037
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.005.etl entropy: 7.99115870016
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fc9785cdcbaea0b7_0 entropy: 7.99854856742
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: A:\Recovery\WindowsRE\boot.sdi.PLAY (copy) entropy: 7.99994281938
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx_Temp.1.etl.PLAY (copy) entropy: 7.99535932735Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.001.etl.PLAY (copy) entropy: 7.99332668999Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl.PLAY (copy) entropy: 7.99231889317Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl.PLAY (copy) entropy: 7.99064060505Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl.PLAY (copy) entropy: 7.99436517777Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl.PLAY (copy) entropy: 7.99115870016Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY (copy) entropy: 7.99988789096Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY (copy) entropy: 7.99978805821Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY (copy) entropy: 7.99988212784Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY (copy) entropy: 7.99981866052Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY (copy) entropy: 7.99982593479Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY (copy) entropy: 7.99996026328Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY (copy) entropy: 7.99996505694Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY (copy) entropy: 7.99996778285Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY (copy) entropy: 7.99854582847Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY (copy) entropy: 7.99840138716Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY (copy) entropy: 7.99819227613Jump to dropped file
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies.PLAY (copy) entropy: 7.99055398413
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\eventpage_bin_prod.js.PLAY (copy) entropy: 7.99755154683
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\_metadata\verified_contents.json.PLAY (copy) entropy: 7.99088819373
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.PLAY (copy) entropy: 7.99966238658
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.PLAY (copy) entropy: 7.99934838305
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.PLAY (copy) entropy: 7.99723232037
        Source: PLAY.mal_.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: PLAY.mal_.exe, 00000000.00000003.392933278.00000000031B2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcrt.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.399573219.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcp_win.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameuser32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.380967509.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNETUTILS.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.380261953.0000000003216000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHLWAPI.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402719687.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameimm32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.393364039.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCOMBASE.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: LInternalNameOriginalFileNameProductNameProductVersionCompanyNameLegalCopyrightLegalTrademarksPlatform vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHELL32.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381337074.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamerpcrt4.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.380378382.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.398338084.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegdi32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.393091382.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHCORE.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.394554162.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWindows.Storage.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381918022.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameiphlpapi.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381571826.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebcryptprimitives.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.382187348.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamews2_32.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402395094.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePOWRPROF.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.397854199.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameadvapi32.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402907884.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamempr.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.380946454.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebcrypt.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402283247.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePROFAPI.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402134952.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWin32u.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402653498.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefilterLib.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381665426.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesechost.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381294989.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSRVCLI.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.392986515.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCFGMGR32.DLLj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381007395.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameucrtbase.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.398793778.000000000317B000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegdi32j% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameKernelbase.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.402226498.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel.appcore.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381518459.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesecurity.dllj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.380856909.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameApphelpj% vs PLAY.mal_.exe
        Source: PLAY.mal_.exe, 00000000.00000003.381549375.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamecryptbase.dllj% vs PLAY.mal_.exe
        Source: C:\Users\user\Desktop\PLAY.mal_.exeSection loaded: ext-ms-win-gdi-desktop-l1-1-0.dll
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF51D0
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE4A81
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE1CAC
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE5409
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE5D3E
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEC7B0
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE2F76
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE705A
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00B0223D
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEF580
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEC7D9
        Source: C:\Users\user\Desktop\PLAY.mal_.exeProcess Stats: CPU usage > 98%
        Source: PLAY.mal_.exeReversingLabs: Detection: 80%
        Source: PLAY.mal_.exeVirustotal: Detection: 71%
        Source: PLAY.mal_.exeMetadefender: Detection: 45%
        Source: PLAY.mal_.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\PLAY.mal_.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile written: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.ini
        Source: classification engineClassification label: mal64.rans.spyw.winEXE@1/514@0/100
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.ini
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEA224 GetDiskFreeSpaceExW,
        Source: PLAY.mal_.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: PLAY.mal_.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: netutils.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380967509.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdb source: PLAY.mal_.exe, 00000000.00000003.380378382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdb source: PLAY.mal_.exe, 00000000.00000003.380946454.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdb source: PLAY.mal_.exe, 00000000.00000003.381007395.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcrt.pdb source: PLAY.mal_.exe, 00000000.00000003.392615104.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdb source: PLAY.mal_.exe, 00000000.00000003.381337074.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: PLAY.mal_.exe, 00000000.00000003.380084663.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shcore.pdb source: PLAY.mal_.exe, 00000000.00000003.393091382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.402134952.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcryptprimitives.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381571826.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdb source: PLAY.mal_.exe, 00000000.00000003.398338084.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdb source: PLAY.mal_.exe, 00000000.00000003.397854199.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: fltLib.pdb source: PLAY.mal_.exe, 00000000.00000003.402653498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wsspicli.pdb source: PLAY.mal_.exe, 00000000.00000003.381518459.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.392986515.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shell32.pdb source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381337074.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdb source: PLAY.mal_.exe, 00000000.00000003.399573219.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.398338084.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdb source: PLAY.mal_.exe, 00000000.00000003.402719687.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdb source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdb source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: mpr.pdb source: PLAY.mal_.exe, 00000000.00000003.402907884.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdb source: PLAY.mal_.exe, 00000000.00000003.402134952.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wsspicli.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.381518459.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: combase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.393364039.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381007395.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: srvcli.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381294989.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381549375.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shell32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: srvcli.pdb source: PLAY.mal_.exe, 00000000.00000003.381294989.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402719687.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: fltLib.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.402653498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: profapi.pdb source: PLAY.mal_.exe, 00000000.00000003.402283247.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.398793778.000000000317B000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdb source: PLAY.mal_.exe, 00000000.00000003.382187348.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: iphlpapi.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381918022.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdb source: PLAY.mal_.exe, 00000000.00000003.398793778.000000000317B000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: shcore.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.393091382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: mpr.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402907884.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: sechost.pdb source: PLAY.mal_.exe, 00000000.00000003.381665426.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: iphlpapi.pdb source: PLAY.mal_.exe, 00000000.00000003.381918022.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380084663.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: powrprof.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402395094.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: powrprof.pdb source: PLAY.mal_.exe, 00000000.00000003.402395094.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.394554162.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.380856909.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402226498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.380378382.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: sechost.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.381665426.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: PLAY.mal_.exe, 00000000.00000003.402226498.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdbGCTL source: PLAY.mal_.exe, 00000000.00000003.380946454.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.399573219.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.397854199.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdb source: PLAY.mal_.exe, 00000000.00000003.381549375.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: bcryptprimitives.pdb source: PLAY.mal_.exe, 00000000.00000003.381571826.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdb source: PLAY.mal_.exe, 00000000.00000003.392986515.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdb source: PLAY.mal_.exe, 00000000.00000003.394554162.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: combase.pdb source: PLAY.mal_.exe, 00000000.00000003.393364039.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: profapi.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.402283247.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdb source: PLAY.mal_.exe, 00000000.00000003.380856909.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdb source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdbUGP source: PLAY.mal_.exe, 00000000.00000003.382187348.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: Binary string: netutils.pdb source: PLAY.mal_.exe, 00000000.00000003.380967509.0000000003100000.00000004.00001000.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE98A4 push edi; retf F1E9h
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEE160 push cs; iretd
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEA472 push edi; retf F1E9h
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF18CF pushfd ; ret
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE98CB push edi; retf F1E9h
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEF839 push edi; ret
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE1033 push eax; ret
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE218F push ebp; ret
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEA9C6 push edi; ret
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE1121 pushad ; ret
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEF2AD push ss; ret
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AE933B push ds; ret
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF037E pushad ; retf
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF84E6 push ecx; ret
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEB441 push ecx; ret
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF1600 push ebx; ret
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEF7E0 push edi; ret
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEDF16 push edi; ret
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: A:\ReadMe.txt
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: B:\ReadMe.txt
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile created: C:\ReadMe.txt
        Source: C:\Users\user\Desktop\PLAY.mal_.exe TID: 5764Thread sleep time: -90000s >= -30000s
        Source: C:\Users\user\Desktop\PLAY.mal_.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: GetAdaptersInfo,
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AEB625 FindFirstFileW,
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AFC6C9 FindFirstFileExW,
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile Volume queried: C:\ FullSizeInformation
        Source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
        Source: PLAY.mal_.exe, 00000000.00000003.630100550.0000000001431000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: PLAY.mal_.exe, 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity
        Source: PLAY.mal_.exe, 00000000.00000003.464667289.0000000001430000.00000004.00000020.00020000.00000000.sdmp, PLAY.mal_.exe, 00000000.00000003.461841007.0000000001430000.00000004.00000020.00020000.00000000.sdmp, PLAY.mal_.exe, 00000000.00000003.467581499.0000000001436000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AFA283 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AFB0AC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AFD3FB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AFE483 GetProcessHeap,
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF83F1 SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF825E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF7B41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
        Source: PLAY.mal_.exe, 00000000.00000003.394554162.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: TargetundeleteSoftware\Microsoft\Tracking\TimeOut::{9db1186e-40df-11d1-aa8c-00c04fb67863}:Shell_TrayWnd
        Source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Program Manager
        Source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: GetProgmanWindow
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
        Source: PLAY.mal_.exe, 00000000.00000003.398164138.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: *Program ManagerpszDesktopTitleWSoftware\Classes\
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
        Source: PLAY.mal_.exe, 00000000.00000003.382779971.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: |}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange
        Source: PLAY.mal_.exe, 00000000.00000003.393091382.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Shell_TrayWndSHCore.Subclass.DataSystem\CurrentControlSet\Control\HvsiWindowOverrideScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Explorer\FCM\Impolite[
        Source: PLAY.mal_.exe, 00000000.00000003.400002647.0000000003100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SetProgmanWindow
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF84FB cpuid
        Source: C:\Users\user\Desktop\PLAY.mal_.exeCode function: 0_2_00AF8147 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

        Stealing of Sensitive Information

        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\CURRENT
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\LOG.old
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Scripts\LOG
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Scripts\000003.log
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Rules\000003.log
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network Action Predictor
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Scripts\CURRENT
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\DownloadMetadata
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Platform Notifications\MANIFEST-000001
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Sessions\Tabs_13305159337222731
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Session Storage\CURRENT
        Source: C:\Users\user\Desktop\PLAY.mal_.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        1
        Replication Through Removable Media
        Windows Management Instrumentation1
        DLL Side-Loading
        1
        Process Injection
        1
        Virtualization/Sandbox Evasion
        1
        OS Credential Dumping
        1
        System Time Discovery
        1
        Replication Through Removable Media
        21
        Input Capture
        Exfiltration Over Other Network Medium1
        Encrypted Channel
        Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
        DLL Side-Loading
        1
        Process Injection
        21
        Input Capture
        21
        Security Software Discovery
        Remote Desktop Protocol1
        Archive Collected Data
        Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
        Obfuscated Files or Information
        Security Account Manager1
        Virtualization/Sandbox Evasion
        SMB/Windows Admin Shares1
        Data from Local System
        Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
        DLL Side-Loading
        NTDS1
        Process Discovery
        Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets11
        Peripheral Device Discovery
        SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain Credentials1
        System Network Configuration Discovery
        VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync3
        File and Directory Discovery
        Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem14
        System Information Discovery
        Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Source | Detection | Scanner | Label | Link
        PLAY.mal_.exe | 81% | ReversingLabs | Win32.Ransomware.PlayCrypt |
        PLAY.mal_.exe | 72% | Virustotal | | Browse
        PLAY.mal_.exe | 45% | Metadefender | | Browse
        PLAY.mal_.exe | 100% | Avira | TR/FileCoder.zcerj |
        No Antivirus matches
        No contacted domains info
        IP
        Joe Sandbox Version:35.0.0 Citrine
        Analysis ID:695797
        Start date and time:2022-09-01 23:17:24 +02:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 11m 5s
        Hypervisor based Inspection enabled:false
        Report type:light
        Sample file name:PLAY.mal_.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Run name:Run with higher sleep bypass
        Number of analysed new started processes analysed:9
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal64.rans.spyw.winEXE@1/514@0/100
        EGA Information:
        • Successful, ratio: 100%
        HDC Information:
        • Successful, ratio: 99.1% (good quality ratio 79.4%)
        • Quality average: 65.4%
        • Quality standard deviation: 39.1%
        HCA Information:
        • Successful, ratio: 99%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Adjust boot time
        • Enable AMSI
        • Sleeps bigger than 300000ms are automatically reduced to 1000ms
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
        • Created / dropped Files have been reduced to 100
        • Excluded IPs from analysis (whitelisted): 23.211.6.115
        • Excluded domains from analysis (whitelisted): www.bing.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com
        • Not all processes were analyzed, report is missing behavior information
        • Report size getting too big, too many NtCreateFile calls found.
        • Report size getting too big, too many NtDeviceIoControlFile calls found.
        • Report size getting too big, too many NtOpenFile calls found.
        • Report size getting too big, too many NtQueryAttributesFile calls found.
        • Report size getting too big, too many NtReadFile calls found.
        • Report size getting too big, too many NtSetInformationFile calls found.
        • Report size getting too big, too many NtWriteFile calls found.
        No simulations
        No context
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2184
        Entropy (8bit):7.901481767430074
        Encrypted:false
        SSDEEP:48:XlU/ucqRTZu0Dd74roScaWn7BR3Olcir034HYxwpKxBSQTxWqYVFbT3i:Xu/ur7u0DN4rohB7BR+Wio3KpKxBS61V
        MD5:9F4D6DDBCC64127D42A165E53513E34C
        SHA1:626A3F2349A8A42BFCC739E24E93EEDE3D7E83A3
        SHA-256:DC9724F746D805F7D836B92939634D2AE81F26D0176E0B3AD8319D8F9067D98D
        SHA-512:8FD5508BD3AF7992F298DEB563ADFDBA1F790A2324CF60F23257B3205C103C616512E10851AE3849B78980BE3E34A1F14FAF82CD9B230F0F9AC8A7A8AABBA391
        Malicious:false
        Reputation:low
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3171384
        Entropy (8bit):7.999942819379644
        Encrypted:true
        SSDEEP:98304:BEPpO6hDzvTzAFn29gcVNJswiwOgvjyu2jCgX:BEhO0DzvTcFCgarjOgvjyl+0
        MD5:4520F44B0C1BAE13EC8018DA94C25C60
        SHA1:9FDE0E46B442DD8BCB32AD7061A61364B71A8613
        SHA-256:5FD32D4EE26BF0F9CC89771E464CD422DF36671DF350C415DA74855E815AFFFA
        SHA-512:9EDB8C36ADE8CFB2B2CBC852337594480F46A57E1FF7AF365CACF4701312D1200EE477F3F1F73E4EF8E42B46AC935AC1DDE0E14278549DE4E17FB7CE0F2E928E
        Malicious:true
        Reputation:low
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.837980272830663
        Encrypted:false
        SSDEEP:24:ytvFL8vlRCQsoHKOy+9UjTYF6Z2gunlojV/q8R2V5J+biE:yFF+lRlD5WYPgul6/q8ib+biE
        MD5:84631327BF326193F59D5FBE4805151C
        SHA1:5533A6A3C291C38F6ABECB97DB8D0666673C6863
        SHA-256:2A6E444C7B9ED7F1AFF2732A71B7DAE64C1232C80EFC793AB5B1B5C6682F8B2B
        SHA-512:5BBA6D741C9B11904B79F43BDED9CE9EED77210586AAF9FF16B4F073439BD3DDCB4409CE0405C72324246AB870EC1969B55BF842C893B92A2F2E64AE8C256EAE
        Malicious:false
        Reputation:low
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.809666047769951
        Encrypted:false
        SSDEEP:24:hZ59RlecgX3O4TTyO2OpdWxMrNQVHrBcZf4Gy8EKHB0rUZdhM6QC2:X59RlecW3Oqz4L9UK8t0rUZdhRQC2
        MD5:8EB657F0A4AB5F1983B7784363495549
        SHA1:8B4E9B3409BC6CB70AE9A17EC15068C375189088
        SHA-256:91885A6DE4E56089630D8B39124AD08FD918B43CC7653156620B2A3BD28DF3A9
        SHA-512:4D48D9FE83CB94741C4D08454BA3498E1B14AC5147CFB1527137BDDB390409BA5BDC4410DF2B212AEC64C6016E0F4A30F7A35791731C146E0356CC3DACB2CE93
        Malicious:false
        Reputation:low
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1160
        Entropy (8bit):7.841449223394751
        Encrypted:false
        SSDEEP:24:Z+AaJV+2eXHtfsYqYELCB20brDA437oHCSOxfYx61jdgz:52emVYELo2QzsHCb5jdgz
        MD5:A6214B797D3A974B785BBA52911016CE
        SHA1:8B23D12AD599F12DB74145BE714A228960048808
        SHA-256:CA28EAE4A190E70D92246798E66DE34330915AB18E69E7301170D39A791A34F4
        SHA-512:C0493840189AB13B42144641F39675968E98A7EDBC113EF731B2E1C0ADD91B42CC7145FAE9B63B34446E7ABC58A54844CF1C947329F80CBA935542D926AACE76
        Malicious:false
        Reputation:low
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.823085810910608
        Encrypted:false
        SSDEEP:24:qvxV2R/M5qfPr9f8LRE395jO2N3/85JeH2B6URoCn4f2szAXiQnAUJC6pn6xiYGK:qv/2RrfPr9f8LSj0rC2FRoM7szAXisAL
        MD5:B7EAB634DC60AFCDCCDBE79322E03A4A
        SHA1:722A6868E3237D7F90A68EAA005992A1D64281D1
        SHA-256:B1B8D5A4604442EB93C3072EF237C811EBB70DDA896807214F45D818C1BCF63E
        SHA-512:F0E0914F6FBC8D8FD60A1AC11B0070FDCA102F52EDF72C2B7E97A2D609664A71348524E4C4B0273EF111BA343FB19476BE891711C80BFF238BE3A03B92070F1E
        Malicious:false
        Reputation:low
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1208
        Entropy (8bit):7.8273588178012785
        Encrypted:false
        SSDEEP:24:2itGME2sduGq2zKFTB6rMf6+eTPZegp0LOtd9N3+bkd5PR:mMgFwTB6rMf6+eTgQltdv3ckzPR
        MD5:72BA844E1B3C9CF8D157742715BD8FEB
        SHA1:9BA5BA3CA83AA583B7CAE1882C04014C0CC37190
        SHA-256:5C9934247BB3386B6C87AD2B062E4230E69794AE9505AF15ADC581ED0E3A4C76
        SHA-512:FEBB5B1A8EA89E14D90D9FFCFDB3C57F05C941BBF9ECAB5A4CC7AC61F99B0E189294ECEC3F2BE362986F82AFB23DFC780CA7358141881C6E73DF645BC64AA381
        Malicious:false
        Reputation:low
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):244417608
        Entropy (8bit):6.925652381378844
        Encrypted:false
        SSDEEP:6291456:FWCpELQzJo3S/buKi8FpgpeNcOf77ntTVU5EAb2XO9R:FWCpELQzWKi8FpgpeNcOf77ntTVU5EAL
        MD5:076F673285A4A8285093979F3C81C3AA
        SHA1:860B78F1ACAC5D8B3749AA059346D6ED21456B74
        SHA-256:2C49C4F446D0641459666711FA45C72E6DF9F4CF609D37455665EDFE3ECF696C
        SHA-512:8C4EB3276F9632AC269B7EFCCD60FEC1A4667284377DF07CDB0CDA1A43B97C3337490A8A1965D1FD6E52C38B3105EB412BE8667C556E3AE5AE8915AF68DE4BC7
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):175115128
        Entropy (8bit):6.857424497239928
        Encrypted:false
        SSDEEP:3145728:iIFJHdDdl9HCH6eRwZ+zU5IZ+zix/5bg5hS:hdXXHCHJeZ+zU5IZ+zix/G5hS
        MD5:A9EF01DE624FE631C70FF3207019C0D9
        SHA1:4C9882315D7A51190BE925658212E5FB86979FE9
        SHA-256:595B49F4E3853052987A117CD99C94F985EEBAACB8510346BE5FEFA2CCCD3F7A
        SHA-512:84DDB92FBFEEC786D5EF31E4A68B41E9F179D663EC92AD9AE13791212B2044733216151988A5F5BD184427D61B0C2A6AD71E5E21BA1F99DF7ABF55FE8E0E3F6F
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1688
        Entropy (8bit):7.874048756998993
        Encrypted:false
        SSDEEP:
        MD5:915654CD8D47EEE09B7D231EF16291D7
        SHA1:742A72E54596829216E770F101F53596270A4614
        SHA-256:BEE6EF660A83C088F845B881753F5FB56EE1311422E9D3F1B69B993FC6B7D9A4
        SHA-512:894ABAB7EDB098F30C66FC5062A8B6D147646051AFB04FE53B900417F788270A17C4D1F7FB5278AD639FE2D73097FD364FD00A6A7D4E99DA0690ECE77D5F5630
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1288
        Entropy (8bit):7.838401423848566
        Encrypted:false
        SSDEEP:
        MD5:253E08C25096908364CB69770D526524
        SHA1:E58E0096A69ED717A35AA436F27BD6D4FE8FD0B8
        SHA-256:904F63C08479B2F3C52379666B8B5C5507B48CEA2FC4B9646F3C2F8D40BFBDDF
        SHA-512:8B8C0B9C68A9B871C685097F843C5EA8FE7B02C3ED8EEC12542C88F9A459468FE6992B805C128FDDD1F60EB2B20DDA046D2794D184A68C9C4FE320AE41C1E8CB
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1496
        Entropy (8bit):7.86804391972879
        Encrypted:false
        SSDEEP:
        MD5:70E6DD27549154712E6E85B324484324
        SHA1:F436FB0617F7213C0D563EAF9A32D45E09C8B67E
        SHA-256:1DE9E05156C7F45DCB2D00C4DBCCEFF19A5C26441BFFDED332C77116184E35D3
        SHA-512:36AEBCD0FBA9F6B79A29EB2242871698CE6F6BEF1A4131725356919BAFACF039C5C835A610C8D42419FD25FA5083DD600BEB5BD3399224595C4AA7470E094259
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.8565102046837
        Encrypted:false
        SSDEEP:
        MD5:E21585C8037F3880A3F717C837CC8C95
        SHA1:F1243A6FCBA7D10FE7A4DD0534BC8276BF06E8CC
        SHA-256:2CC0DBD13DDB30C2DC6B3615C6B3339D3D24E253DADF95DC852D042E8D71C404
        SHA-512:7F26BAC26484F758BF0B3F82DE54D94917F16CE2CECB4C6D2C116A9D28BC6E417459EB20BF87CD02A66C88ABEB7A708DD9040375808B1CD8BC5A3F4FE7FABD9F
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.841130070235249
        Encrypted:false
        SSDEEP:
        MD5:E219A576C0A9C0C1D669F8718EFBB7B7
        SHA1:A0D6C5CEEB5CFEC95C48A2B7A025540A7FB96E48
        SHA-256:B9110A1BBE1D7B50AD4D1486F95B74153AF70EAF69988E60E8DFB31F1CFCF030
        SHA-512:A46B3DD6AA3606FB48440EA54F2620380E644BB9FE6F61831E6EBD59E77FF433B6E5E01806E5BE6886E5A89FBCED898A273E6C7B89706DC85470879CC3DBF567
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.866838944759726
        Encrypted:false
        SSDEEP:
        MD5:BAB86621F32E0DB18BE8020F03D6E246
        SHA1:D8AAE3995AD2120DA9B61F63025B6E8D2F1C4A5C
        SHA-256:67865B78B95916A00A0BAB57938A07E9B47C297434C9A54624F3685EE73F5A7B
        SHA-512:729D03D2E6139CD16A95BF0C89E2F5860B9788F6D632674D40C9230B1D9F815BEAD17AB45AE51098C93D64575BC277F67ABFFE3063E3D325229904AED5B5C900
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.84915129563854
        Encrypted:false
        SSDEEP:
        MD5:673C90DD58D23B33652BBB84B599B388
        SHA1:4C92C2DA91679FE74A384694C687E261D76B514B
        SHA-256:88432D16F8EF2A7BBDEBD949D85527745575CE124AE9F9790DECF8265EFEF167
        SHA-512:409C35B29AD37FAA5A12BF39EA168A8015D6B788D835CBE873530D2E3CE95AD9A978E23B0B8DFBC9D8023A668F42C5FA6C9A54EECB5345C3FA1E45A4A25BA0DD
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.84535243496695
        Encrypted:false
        SSDEEP:
        MD5:B5DC987F47270CBF940AFDD4E7677330
        SHA1:35AEBEB316E9DF3D888965B004C79DB6004195EB
        SHA-256:4BD3E8E6763E2549ED561617E9C7A87468270FC60759AC969BA28F47DE0AF280
        SHA-512:4777AB0003CD565F095F5ECCAC7C9ACFA5C2FBB8DFDA0375560DB30BF38A663C3CBAD39D6C5C0B06DF92C09AF6156EDE06E5426A2828B0FF53EA90E0922FE6CC
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1464
        Entropy (8bit):7.865413327899979
        Encrypted:false
        SSDEEP:
        MD5:37FA42AB4AA141958271002A9AC7BA51
        SHA1:7001DF19C4E85AC44A5F30B322511D1845AE02D8
        SHA-256:EE7E124AA1DAEF18D3F60E55EFACE027B907409B6603F4EC1F00F8C250D12548
        SHA-512:931F08872AF8F6D38529B4A8A1DC39A365C4081157CEA77C63341E4E8158EA7E28EABA393F73B1203C2513BE47AE22E99E31F818CCFDB9349E9CD4B38336CD07
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.8519896024483025
        Encrypted:false
        SSDEEP:
        MD5:13D892EDD653D472EF976F9240AB5257
        SHA1:FC099D08CA2D61738A0714B4AF7F16456A0307D8
        SHA-256:3019D8BE6857263AC8F3439D87A24C6CC8490A4474BA86633B3EE4757A0D4763
        SHA-512:6084D7D0F7AF9B12AFF6F22D1A693B6CEE0D653D9A1844E621B8773EDA507B6CE847AA303B092C3D76631F2DEB28BBBA02C3B0C5AC89CA3774226AE9C5AEB808
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.844357465702022
        Encrypted:false
        SSDEEP:
        MD5:898137E80B75A3663063101ABFCCEC9D
        SHA1:E3C5FEE8C48B33FDDA9BC0DE7DE7433196D68284
        SHA-256:F326992CDDB8FEB97E6B12C69D8A096B8884DC214A235C501CD6D2CF1B788B15
        SHA-512:52305B1FB12D1004846373A227E83C65A24FD69B29AB343DD2FAA525BA174AE0473E26872FBDF529658D9649FFE65361C5850789E84A37CEAD4EE9A0B46A278B
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1416
        Entropy (8bit):7.8592683158986505
        Encrypted:false
        SSDEEP:
        MD5:2EB290C53EFB17A0BAAF369BD996E107
        SHA1:59C8DB839B743BA25397F03BFB8A21379D028688
        SHA-256:A9DEC77AB887AF3F0046FA0D0AE63682F07A3FA510BAE48C9A3B35E00596FDE9
        SHA-512:75EC1302756E9FD846C53C8FEC1005971FBC3AFF174C63AB7C6563700802B60F2CAAA8D687AF301D1412D2BD2D6501760F1FDA5A85CD9566D683E0F231B2951E
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.814722829396364
        Encrypted:false
        SSDEEP:
        MD5:947AD8EE0630C35CEA67A3646807E22A
        SHA1:4C2ABC1257E52AB7984783C4F666E375F63E1BAB
        SHA-256:EEE0C02EEB4BB6CDD3A227E40D6D5AA46D7F9BFAB42B919C915E8B4F75BA8637
        SHA-512:8BB41539078D9BF81538E129ADEEDC5A31974E0487530F0F06C8458472E4A457AA4E51BB22576871B4B1EB72B8D96AAEB939DB85A854F613851AFCA286D00BD3
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.84646828989208
        Encrypted:false
        SSDEEP:
        MD5:750842DC44EB331CB41A2BD2C6D11047
        SHA1:EA6394203DF446FA85C6D80B0F4AB8F7E301CE5C
        SHA-256:54E18A0E1D5085709D6E1D02A606E3F3936696414365799DDD5084D874160BAF
        SHA-512:D687C5346B56852E78A818C85FD7A0E36EBBAD0C9CE43FE6D24C3D4CABC1F06A8F2F1C3D0C476A70620E4446A647509410A17710B409D31C057E27DEEEDD4F39
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.85870039886199
        Encrypted:false
        SSDEEP:
        MD5:B4504428EBBEFBA508C3F94F0DEED264
        SHA1:16C994460BE88B2BBC3C1A89A6A1CCCF52B39572
        SHA-256:E2D17C8BD49FA993832904B01DD3221909774D60B8353CD3747B18F2E55C88C0
        SHA-512:14AF57C074A58C07AADF1012A4018727DE74CF07FEAF0EC46A1561DC7F0E30A9221395FF310816C868D2287979B16B2CDB298261CDF009BE93F4A493FD871110
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.87652127413153
        Encrypted:false
        SSDEEP:
        MD5:E8B4FF3E8EE6335D4D3FD044772DCF4F
        SHA1:31BA60430A500DBD6CFB4594A23D090728C23BC2
        SHA-256:5818BDF05F17A902734F351E7CB9CF95E7ACA6AD397CE3B6FB3CF9985CFFF9A0
        SHA-512:8A36530EE31BCEB91AF3B071E3D4D5C8F75C625588ECCB28722916F0A15D47F82CD314B0A24CC47405C7030A4A641D7BCA1972DCE6BA7DBE26A870DAD627EAD8
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.859536442968976
        Encrypted:false
        SSDEEP:
        MD5:6E9FDAC0A8A1FDED48604D7493ECD4A5
        SHA1:9CA6D88B2027BA3DB40908B7DEAD652E9F5A5683
        SHA-256:F6B7DB2A8A15425FBC9D8DA3C9F73399463AF66BBCD869C640F1B33746C8CF93
        SHA-512:9A4FC99A99EAC9B7B0CB00CF21DC04324243E1BFD52EC70F17CE23E0F17422C9535557D5A36ECF466385D94CA36673A0A3D7991D7C1307B6D89499E42299171A
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1464
        Entropy (8bit):7.821088873818155
        Encrypted:false
        SSDEEP:
        MD5:102D4806F41008AC77A2D0EB367FA949
        SHA1:7E4A1ABAC7AE854BA509ADEEFC25E6B71DA0756F
        SHA-256:D3D9341175C513D1E122DA7F9551C6EAB5C90E760D18AECDFE3690DFEE80405D
        SHA-512:5F5FC6D9597C35E6EF56849B8B8AC5B1BE8A25202CFB8F09735C1A11D54CA1861D169BD74960EA047F1343A2FA37E00EF0D05F54BE5CC47D99F32769F0F4CD80
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:PGP\011Secret Key -
        Category:dropped
        Size (bytes):1480
        Entropy (8bit):7.856510921499888
        Encrypted:false
        SSDEEP:
        MD5:C36CB1585CC8D853975BC41162F7B693
        SHA1:6C33FB86E19488C389257B5CC32E50EAC4C830A2
        SHA-256:07782C4F92680440FCE0248DF59F0CC9CA0C4178474623C5E0720F511DE0FDE6
        SHA-512:4280D0F3B10634EFE31FCC28803B95878CB455CFD36AFEB036A5AFF2ECCE61F4099AEEFA9A42F57EAF75D7BA68ABDCAF312EB76C4B56F48433061A0A9F73CA6B
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1480
        Entropy (8bit):7.870765720216567
        Encrypted:false
        SSDEEP:
        MD5:8F0B6BC86A929134372F07E2C86B547B
        SHA1:E1D1277457F488AEC6054D0194B9C9AB0C12C571
        SHA-256:35A2C988EEF7E8E0281AD24A6BCBD048EB8BFD6ADDD323F249DC1D481B82E57F
        SHA-512:72E18F491F9944D059880E7D67DAAEE36580901C27FDB0B797439012E4F4641F3B25C76B42EB82C5D8AE52BE5273CC873BA5C861821B0FEB1405B2F9CE4DE922
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1512
        Entropy (8bit):7.875448275379418
        Encrypted:false
        SSDEEP:
        MD5:4A743485F17CFC3D0CAE4ED528F4AFA7
        SHA1:D4D053912966B6E0A37B6B0DFBE2948C061ABF8A
        SHA-256:3405F040554E016AE7113C9B324595A58BBA4F4223143FC45574B8B08B457035
        SHA-512:40CC46207BC08F83AF8AC6E55956360BD08B3C394768BD8A51D8F791F573B0071B5160C155EE46041035B9F9604FB814155AF85DD2249CFDD77C9D51D04E81A2
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1432
        Entropy (8bit):7.858083053598704
        Encrypted:false
        SSDEEP:
        MD5:25C88F1AA76540D7965BC53DB915B051
        SHA1:2E2CF19305DA3A346EF4002F0A487189CCA5DA21
        SHA-256:1DF23F20FB094900938E9A0E3F9F80A03BA06D14E7165B6EAE6BBF5F76FC8D53
        SHA-512:B7489EE5777FF43B259B031500959F59F069B1A70D91883EB40A6F118D477A65F473D9626ACC482CB66A12A45B921C27A63D03017BC026B909875E78A90164E6
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):7336
        Entropy (8bit):7.975258605104679
        Encrypted:false
        SSDEEP:
        MD5:C0F2EE9176DFA80ED34A003A1181A35B
        SHA1:335FD56936DD0FBAE86B4043566370C4F9ACB38C
        SHA-256:C907184065F1710D5A1A1DB118ADAF6333689736754D3CFFF67D6A7111CF9C5F
        SHA-512:FF79082A1CAFF75C2D8E7FF4B6220E5B6007CD4B12384CDD950593E8AC35AD5DC1556130C00E2DCD6C3229D89E73DDE781E12DC927F4787160DA5784BCEA3BB4
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1096
        Entropy (8bit):7.801465299830693
        Encrypted:false
        SSDEEP:
        MD5:03575F11A9393686A100B9C37B156C49
        SHA1:DB61812D9F3A5D337B2BC5291816721278B57210
        SHA-256:A1A5ED78546092288965D44BC58C2F948E4C45E88AAD05F68FFA3C4A32F09779
        SHA-512:62E1E8CC88B8597FB741B3AF7925A802A5272E07C42ACB8F210F203CFF67B58816E8F4C581811814DCE81EC7F6A069FA25E21A6F7A7324CFF25DFB7AC5ED1D98
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):70998744
        Entropy (8bit):7.192133965564286
        Encrypted:false
        SSDEEP:
        MD5:99BF2E490B1356D8D5AB51C2048F51CF
        SHA1:D83FEAB02729D744F492DF1E76CB709AE796D22D
        SHA-256:199D3FBFF63C580D2D9F164BB343664E8A8FD7E4915E45F8294476B52D390AA7
        SHA-512:3B60A7DDD66F749EDFFEA6645540C1192003AF6863667091FC6BF3D23E0CF1B952A89BC6DCAA4F76522392BC1DF91B28F61CB77DB2AC10A4116CA2AE1482E9F4
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1912
        Entropy (8bit):7.904634776120815
        Encrypted:false
        SSDEEP:
        MD5:033D0113D58676C879743931E39E553E
        SHA1:017B11A55B935C6A83E323B2BEF903DB443BF65F
        SHA-256:4FF7E748A8B8C09C02D6789F1996E5CD0BC56A9817A733468380501586F0C31B
        SHA-512:F80EA34210EBB46F4DF6B33FB18B95F86FDDF005CB1FA6B1E897F8070AD6565715B3FAE4A3D8E0D0CAB86F7A51991C96E317F8FDB0A0E490D64429D92A277616
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5730392
        Entropy (8bit):7.998192276134512
        Encrypted:true
        SSDEEP:
        MD5:F93141E4711DEF0536A9525CAF2AE8A9
        SHA1:32E35043906EEC39E569EF17EF09E12A3D118E8E
        SHA-256:46BDD48359AA47CD01FEA86360B7DD65C2F23F187CA6F7DF3698092F1E828C6A
        SHA-512:58887D350B03FC4E8D51A65F629CF342A889CA1656418EEAD7E11783D0F3BF076804906C7EC117705C327DA3E188EAA10092F6F25AE37C708C136BD024F31FA3
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):998120
        Entropy (8bit):7.99978805820675
        Encrypted:true
        SSDEEP:
        MD5:6A6E9ED2B6280CFF9B790CA7C89FAC9F
        SHA1:D110CA5A10F4C6829CA1F345CB7D11766093929D
        SHA-256:BCC54FAA1C69F0AB10E5A32E49C02BBFC31D1B71EB80B93A9AC8E25918440C70
        SHA-512:453DC440786FE6292F200F57A8BB1485DA5597894D0C70F70881E0CB2614129F354E3B9B0C2B9AC1D59B1DAA8BAFEDDA1E7581AA5BF07E0A22BB1B8E61AE0BFE
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:Dyalog APL version 167.40
        Category:dropped
        Size (bytes):1375656
        Entropy (8bit):7.99988789095555
        Encrypted:true
        SSDEEP:
        MD5:BD2A015513042A906CF555EE88FF1D3C
        SHA1:E48C2BDC7B03C50E14795ACB34098204B67D5B98
        SHA-256:8B51665B139F696D9C11E1EFE234F663DF450470DE3584E6DBEEF140F27E9D36
        SHA-512:472A14F2E9459F1EBD97AA23508BA63DCC3AFE75A0B908BBDEE1F9420F25944DB24A3B16D8C0D643A82B73EFDE0015810720F0D87BA624462D4F973E96F045AF
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5207768
        Entropy (8bit):7.9999677828535285
        Encrypted:true
        SSDEEP:
        MD5:2D154531D08C6534F1FCCC64F74AFCBD
        SHA1:2829B6ACB6F212C1E491EE841CDB457F97E48047
        SHA-256:FC0EC919BDA88BFAB71E28912522BA96C8EB94494B0EBD3BA42294E11A88C3A7
        SHA-512:BD0E9B647B1268F7D587482EFFE68A7BC0A25EBCAF6C6ECDC3A6DC9A5D2B91FA0EADC787B1B2ED933BC7D21D11F7C5377992AEA7F7AEADC79F555D706C6ECB08
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1896
        Entropy (8bit):7.888880841660045
        Encrypted:false
        SSDEEP:
        MD5:B096DBD7865CC7A779DA795826181521
        SHA1:AB0545E501519B13A6E45F1BDAEDB2B48F0527B2
        SHA-256:38C0FA3958DE71ACF24ACF39753EC4DEEED765C9872639045D12DF2BEDB284A8
        SHA-512:3B73A2C5320B8E9A07A98CA02FCE367ABCBD82D22378EF4E5F402E58171257552549026FAC3DB1341BA3FE9D3BD2D309189DC12F1DDEA6DDCAF86B1282B13C50
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5801320
        Entropy (8bit):7.9984013871632325
        Encrypted:true
        SSDEEP:
        MD5:C2DAD1017BA52C0A6922BAD338B2ED97
        SHA1:718F72501713CD7E8B0157E1FC697258566AEF37
        SHA-256:D3623C96D298FC87FA617009467E365D71B66A9DF62046F2E5D5DAD0D6EC7AF8
        SHA-512:32F088BFDF2C8755A557675EEF5D79847620D3386C44150C91449C5159B929684C3E870B20CD3BC3C3F521592970A84C99BEE42A4BA669272CEA1376F91CA3A1
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2248
        Entropy (8bit):7.92239326399871
        Encrypted:false
        SSDEEP:
        MD5:2EFE7957C04780D2A4D2D4D91B76EF5A
        SHA1:BE032296047C32F5816C698CBD893062C85934FC
        SHA-256:5A7B6864E9F045B9CE4C2D270483B3F49D2F33BE2F4C3D167D528E7F0852E592
        SHA-512:398BEC5B61C630E7E49E6C95CDB01CFA6C65A6F64F7EB29EDC10304ABD6AB76EB2F4DA8ACC37DFD24B436577FB1767EA10BD873A36909805B6ACF01185549669
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5589352
        Entropy (8bit):7.998545828465086
        Encrypted:true
        SSDEEP:
        MD5:282500AB4DB2CF6CDA452D3312413E29
        SHA1:A15795EBC345D72425F094B54A2499CE0739F621
        SHA-256:532578D5F77CADC99AF60E8D7B55158E32FFD900888C8AA6CC690D5F77DFEFFC
        SHA-512:FD7F1E9A7BD6622043F894C8BB9801705925447DD9DA847F66DC153B59920E37A3DEAD9C9EF589EA1B51B3EC9734AD82BAC40F4A6285A231AA18AED41C2D6CF1
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1035576
        Entropy (8bit):7.999825934794254
        Encrypted:true
        SSDEEP:
        MD5:F04DF6CF62D556BD6794FAF39305A895
        SHA1:FE7984E43633B09E435BC90393D503213EE5DEA8
        SHA-256:6B020E5DA5E519C2ED10FD1DDD087857E457BB8AE69E53EFA8FC234D38D98D27
        SHA-512:35DFA9BA04B761CB2E23D3AEED4A815AB303B86D409D9B791547BC5BE9F0AA0D4246B356FE03370DFA7F8D87A9B52531F55090F7B56B254A840E1113DA4ECFF9
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5154888
        Entropy (8bit):7.999960263280578
        Encrypted:true
        SSDEEP:
        MD5:5DE9BB4B9A1842360A5967727E6EB056
        SHA1:CD913C346D384F9B42487DEFF28338616351AFA9
        SHA-256:ADC6BBE62F96AD18D2F06BC85E61D76DC9C81A955C77FC165E34C78688868D68
        SHA-512:45CC961C42BB06EF6AA7506A658C275AA346E4746DE3B0D5A27FD294D9AE758AE26C81AB6D544B07D85F5FF4BEA51094860562E79CEC941D205254EC3AABC18D
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):822760
        Entropy (8bit):7.9998186605183745
        Encrypted:true
        SSDEEP:
        MD5:31079187545A7A3EEAFD0B0F4610F4FB
        SHA1:16F4EE2A5164FDE356F3B4981E3BB6BC4BA726D7
        SHA-256:D9E556A775D5777E938AAFEF9CDFC4C8E7AF22D19E75F45BBD71C89B3AA3C0E7
        SHA-512:86DD17BDB6B1D1A5759346A924DA2F7FF6BB8E033A89B93AD1381BAE57B3AA40DE9786B13757282D94FB6787BEA6A5E0BD6AB36D4BF6B80BBB11C3F954B05607
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2472
        Entropy (8bit):7.918397205752872
        Encrypted:false
        SSDEEP:
        MD5:52450C7D58698BC47EA5AD032D9487C0
        SHA1:BFD16D9F0C1AB91FA920072CE10EBB344740B63D
        SHA-256:98FCB9DBD48059CC38989EE3E9F4D3D45474B77BDBAB0DE77C4E50FD68DCA902
        SHA-512:70ECEBAC5020609F04B222B78FBC41C084C976BFC52C1E84AE37E70C361434F30EC45CF0236DF6AFC49BD257CE299509C23C4ACD7283312BC351F8A205EE22F0
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1547736
        Entropy (8bit):7.999882127843735
        Encrypted:true
        SSDEEP:
        MD5:AC7BA4508E688E76B331547B98C385AF
        SHA1:B40CF4EBBBAD9D1E3FC950A387AEA612F666989A
        SHA-256:35983FBD0BC965E374D6BD1F147B5521DADD7B962E2A7FC16703EE871B5791F1
        SHA-512:235D6B1E0A7CAB5D7C34DE15952ABB285D592A1D3CA7910D81E7CD38DEED3B4524AAF89CBE357B61CFAE9BC69B7D7140D04E687B9BA37C460D90CBCA31433B29
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):4933976
        Entropy (8bit):7.999965056944057
        Encrypted:true
        SSDEEP:
        MD5:4F349E86E466361963F7CEC319570262
        SHA1:EA5EE8C64DC7D35D6EA92E03C4C7A9E8CFD6C234
        SHA-256:9BDCECFCB0613BDB324093C70C4E6234AD02B7E5A4735C4B3332F44F332BE65F
        SHA-512:ECD7E66C9A15419F6B3B3F6B03EA0F5276EDE7B8C368216BD6F4303E20D8C621421C68A4DD2CB6EF1BB168934A0CAA7C41FAE0C970406A6A28335901CAEF1683
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1896
        Entropy (8bit):7.887847781943311
        Encrypted:false
        SSDEEP:
        MD5:146428A951777E2AD38D58B126B52129
        SHA1:04BF78E77E40CF4709F1B7B9AF7031B2406829B2
        SHA-256:CC42FB00680E70EF3A04F9EAF1071E512F165BC24B023C012CBC692DEF470857
        SHA-512:309646B8A8B251EFD2FD159C24D24CAA09715CA938D0E4DC29394592874FD89350FD6897B14393D3E424A61AC9DE0D19F24598CF6CE53F1644679D76C12775C7
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2248
        Entropy (8bit):7.900285384342696
        Encrypted:false
        SSDEEP:
        MD5:76B5B76651EB293CEFCC82B457D7EB46
        SHA1:DFC3EE286A4104F601DAFDD722F96445D649E5BF
        SHA-256:8E24B6FC4C0804B2FD300047C43E1BCFFE1008C8A045B1FE4536083B73C297CF
        SHA-512:90027E6BD35BD260D293E67242AF9756EEA6BA84209C2D91140CEA4053C45B03B3FB46289664EE3A433AD47821729459F342D2BCA921782EA89C1BCAC2E9418F
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1912
        Entropy (8bit):7.900022421214923
        Encrypted:false
        SSDEEP:
        MD5:BB8A84CEA92AC2ED098874464BEFA2E1
        SHA1:0359F179708669E7012EC4E63197B829E72D87CB
        SHA-256:A226D5B7738FAD15758F267D6E5679660D67C81D4A5E75429B4AB39801CC87B3
        SHA-512:A76730D899D93F285A4174E5C03C8EE3775060FA0EEFB354DCF79F07B88E38B669AC1EA7BA837198C49A9D13A2B8694B4D6DD9158D2D4D160E1693B98DA57608
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3688
        Entropy (8bit):7.946328396412271
        Encrypted:false
        SSDEEP:
        MD5:A3053EA397B077DA899CBCA6879C7626
        SHA1:7E33884202BA04508A750C8CA86BD8469CA73481
        SHA-256:2971834C72792189441456CB7B658BBF0C62D938F27D16F112E8DDC2FDB716A5
        SHA-512:FAB91DA6183454058415044DE574A78F2095631F5BB414E2924DBD79031204AA49A30633D55257034B36D43E5A77CF30C9ED080D6C81468FE8115C30A821AF1E
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3624
        Entropy (8bit):7.938624242181407
        Encrypted:false
        SSDEEP:
        MD5:ED046267EC06A42F90C9DAABFF33FB1D
        SHA1:53674604C880E6F1255C2E7440506B0104E839BF
        SHA-256:1ADC353C944AAFC4ABF79A7849D5C39E48E62C63B7B516DFC36692E788093829
        SHA-512:E9833876ACFF92EC1A3296641832BA1E292413C5C21C4A1ABD1B7939C217E323C0D4A941169431D19007E2D5B71A668BA15CF7CAD3D0CAA3B81D9AF0429D006F
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.980725541493399
        Encrypted:false
        SSDEEP:
        MD5:AA328C45E04A9F0B811AEDA4AB334E5C
        SHA1:E57651BF461870FA2239935A7458D6A5AED30D14
        SHA-256:8FF61DED44B07C0D3020A3D33AF6BA627E37851FD5B83685E37F8F7C985B2BB7
        SHA-512:902B119FC47333C9E827E71C8FAADBCB6E8EEAD7B8057CB9D1C75A9DC9BBD46B5B8716ABFD5B7F3B4B18558203DF5C3EDBAE86843AE18849FF2355970A658DCC
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.9816423468474635
        Encrypted:false
        SSDEEP:
        MD5:539C9EC8D82572D767DBBA37DDFA8059
        SHA1:A93C565C9C5BD0796E1538295825A2D62CA43BE1
        SHA-256:674E33381D0E0CCBD947A7BF4160BAC0A541737786AB4E6DB565FF609B26BD55
        SHA-512:4A8F678C372BEDB751A586D414FA069EC5CB5A73713FCD8B8F38FE23FB84CB3C867B01150FA05EDA88E654A87A79F803D3B212965EA80EE560F1F12923354E83
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.9809322588283385
        Encrypted:false
        SSDEEP:
        MD5:874C20768D07C1259FFCF88ACAD00185
        SHA1:7EF2C0C5D60408E1E86634804363EC9A2F7EB3E2
        SHA-256:7D297C088FDB48CB6F43335FD991A9F4E4D89D2DD97146411E605CFD6F091C37
        SHA-512:0F1A6125045521FC7C148E42C149F7A785B6ABE3FCC5DD81CF7AE0717CB743EBED0548A37EA0EF60EF63099E2689BBEB7E2DB4A1561983CBDCE424E644C5B0D1
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):29752
        Entropy (8bit):7.993326689991698
        Encrypted:true
        SSDEEP:
        MD5:4C0EAF881DF7DC6FBAECA2847ECC70C6
        SHA1:67A4618C96EE61FB3B781B4E6E0CB03F222B2F3B
        SHA-256:E6B104687943C133F7B69DA46C2936A760164CD0CD4352BD523144A98E12313E
        SHA-512:BAB62ACFB746A75403C159370B07EA377F0E59E336D0ABBFD17AD4F3EAAC02A4D1B0CAB770EE8FA51ED95A413F9F7F79F5E56722332395FBA8F1E73376B6FB63
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):29752
        Entropy (8bit):7.994365177765801
        Encrypted:true
        SSDEEP:
        MD5:EED8F29575A0047243E4F3F4C73C3CC0
        SHA1:55CB66C472CBB0B095773906923CBEF9F65D9575
        SHA-256:2AFC7C3419E457D2819D32BFA1006C43117076631F46CE07EA48B664BE694CA6
        SHA-512:C6B0AA8F76C68C7BBBE92BF7D77E56558683C91EDCD7F2BB62CA7BD70C5BA46A7D8CC67FEBA22A05D788410F30BBCA95E9D441199D3D2FDE537E2205E34232F4
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.9610312245553585
        Encrypted:false
        SSDEEP:
        MD5:4389EC813692362AE41741C867D4DFCF
        SHA1:0178BB251F806C03BD4106BE393CC60B57A5E2F3
        SHA-256:70C6604C4DC2A774ACBE7BC0A9F31F85810088796A4C10186B06E78F9C1F9459
        SHA-512:520DAFED32171BD8B9A6973E3537BE115E3430F9E428E4FEBCF15C9960018C52E86251FD9F9433007F73C3E4A8BEB6C4EA73C1B8E99F4ADB238ED1BE5727B32A
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):21560
        Entropy (8bit):7.992318893173812
        Encrypted:true
        SSDEEP:
        MD5:3A1C75D2ACE5BDDE11B70FE319DE6C3C
        SHA1:17D7BD87F13F8DE51AAE9A90F4390AEFBBC788CA
        SHA-256:CD923BA463DB592A8AA8BF8DAED499330BC6EC98C9AE0F3A59FCA78C296CE058
        SHA-512:11981AE0A80F9CF286B67413AD8446DDB944BFBA2D8EC395CD181BC773C3FB9415B79C2F0E773CAB2A1AA2D173681A1D0660BC5DB6BA88BC136AA324485193DF
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):21560
        Entropy (8bit):7.991158700155983
        Encrypted:true
        SSDEEP:
        MD5:CC8CE47F39D0B085A17380BC120534DD
        SHA1:4D2FE10B930E2CD4BE119A29C9890D22D35AFD34
        SHA-256:B23FE4723CC3902B4218C323AE590643767099F30E677D4B3BB304FED2437BE8
        SHA-512:C4178097A57E46D436A8EBB32EB259A363BBF985A97DB2F94715917F2C78FEED5014EFA1A5861F4FD008B40AD7BEF9DFE0C951B6B88C206B4109AA373DA702B4
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.9804445165456315
        Encrypted:false
        SSDEEP:
        MD5:7FF4FBC1AA65635868D53D1753A7E891
        SHA1:78A953185602A7A2A5E3F8F25104A9826E88F3B1
        SHA-256:3B607D13A48D3603D6B09E64903F5347920811EA6C525490123A428E0AAF20CE
        SHA-512:1D4B50B325DB37FBFD40374448BBE16CE93038BE741F9A748A3104ECCA1FC9D39A4EE7AB6138CC2ACA2B07A59E88C6EEAD92ABFF409996AB72EAE70396E757BD
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.960910436974693
        Encrypted:false
        SSDEEP:
        MD5:9E3CA34E7ADCEDF5EC9FD3E90D920848
        SHA1:F7950BC296CBAFBB784D7996FFA790B1B5E80667
        SHA-256:85109D158A6A714E4830ED71BE13EC449338D1928D56997AA799D3F3874E0156
        SHA-512:1FEBF9328DD6A361DB8B8039315C56B56469D59A67ACC8877B93B3A74B52A127E003A9981FEEA9736B0CCD38FE4ABB20B939E9E494B720AF56EAE1CA1E8CC8E5
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.964058567586822
        Encrypted:false
        SSDEEP:
        MD5:B0AC9C7E1E85C483B7307A784598E85E
        SHA1:A40B6BAD4BB21F28E2AA65066BD8E0F0517F8796
        SHA-256:59D0BBFF0020F17D46D908D50EFD0D59E2C2433A06C5877BDA9E93ED1F50E319
        SHA-512:3C571A7CAA84396E527E5DF1180E93A9A69EBEEA0D1087081084E0451302AD0EBD51FDEED284D385B9CFF06EEBD702BB4233445FA80B98402476B7BC28C431C1
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):21560
        Entropy (8bit):7.990640605048819
        Encrypted:true
        SSDEEP:
        MD5:A2DF46175790D9BA012088C900B43B28
        SHA1:B449E880CBFA2E185770E20BE06B7519D5EBBF97
        SHA-256:0ADD976C766A5A13D38ABD8DA9B4387D03D6A2BECCC9F081FA14B9AD90BDC323
        SHA-512:CCBB794F84AB06D8F243ED7D9D0D132A6C3ECB152653FFCF7BA792544AEB6759BCD690ABA386E2788F21994B7488BC5692B28E8AD334AE014E4406FC04E5CC39
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.955063360238922
        Encrypted:false
        SSDEEP:
        MD5:F9ABED1A9753622EE996BB87816F8210
        SHA1:898E30F694F3A0473A936D17F2C9DD07D18D04DB
        SHA-256:292C0BB8DB038EEF24AD7F8C4B4596A4C4BE977A689CFB7E08EBBB33A1BF43AF
        SHA-512:37FE930EDB70E82B6DA75EDD03C9AC9E95DAC833FB046C7DB49D60A1E010B35427232C93B752CE6AA8F7110D6D8AF7A9DBE262543A8743E1B3EDA9E4FED8C832
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.965210024064226
        Encrypted:false
        SSDEEP:
        MD5:80BA803E9FA0ECFADFB842DA68994EE0
        SHA1:550344BD98C64C3AB9E65BE39A93580EAB5BDE76
        SHA-256:1E733F58417E0B75011A7DE0444EF4C39A55204E465A8DF529767F4C1D93FF83
        SHA-512:D9572C7810922B73FD410377226E6D898579F5002752A44662E8023B2611BFA66CF31FA3A54F01FC40031632A8DCD09066D6C1537F83A1F392C78BD3FF4AFFA8
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.9640414184347685
        Encrypted:false
        SSDEEP:
        MD5:2425DC8BE2FFC73B2F05D05FC88145D5
        SHA1:0E95FC81B48F4DB63A410B4EAB7ED1525371C5BD
        SHA-256:17CADCA1CB52E061B024042C00662512428377FDDECF81FDA8926AA03B5D0B7A
        SHA-512:9D149C92E677C3470FFB48D6FD7F9F0E967C20E8705CFF63C470B1FFA316822D7D8936E2642549DCB10C410E214897936FB1B9F30F9695A1A80AC43B91697BFF
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.9620398928975735
        Encrypted:false
        SSDEEP:
        MD5:1BFC06087045747749AD135A4819CA79
        SHA1:9826AE64CF195182FD6E9662A8A86FE6352615A5
        SHA-256:C80AE09983BED91E104EACBA274FCEA89F7E8A92A0BC3CC7476F9C5371F84301
        SHA-512:8808B8EE25DADDE49EF3F013B56DB240F3282B3985BEF433A0B1249AD880639E584ACCF6A62361A40AC5B3C9F8439989A0EE5E8649D103652AAC74EC0F72D3A1
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.960006635129226
        Encrypted:false
        SSDEEP:
        MD5:29BFA8201275A92D297E9770F1677145
        SHA1:9302545488AE03D1C67E2DB0F5764738CA8BE9BF
        SHA-256:E634C4F88B83DDDFBE6F6BF705F567D8A809B8D2343D012672D18F3CEB285175
        SHA-512:F2CE5859E620A18CC0246B2BD1B5A675B2D156699F2C48CE44C316FBFFBADF7820DF8D462EA8CAFB895F672F73BF7776D07288A3209D419D5E3DC3241EF98E44
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.964436974522857
        Encrypted:false
        SSDEEP:
        MD5:6389E8E76516D3D02AE9AFF7B43D1891
        SHA1:01A9ACC0727FA6155E1327B8552854AE98E32C0F
        SHA-256:1497AF30A87AF4787C343DAB261351CDE86B87EA7ECCEDF507803223FCC2D417
        SHA-512:B8A2709A73FE68B1E5DF1B4D9E7FF53C004A25D84B475C8B60D96D4718651BE5E2DF0D16C773E6EFF4727F221984D603C441B3C4A65590BB4EA5700ADBFC9D59
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):5176
        Entropy (8bit):7.963827418953566
        Encrypted:false
        SSDEEP:
        MD5:DACE244E5FB7240D0D05AD567B31E086
        SHA1:73948DB2211C2D1976E6CB958403675C68DEDA6B
        SHA-256:3F9D56AC208C37596DB4B31EC37FFF12CB7125FF3672E30B55EE06537B64303A
        SHA-512:625CB26E55BC179AC59E8045F583C05500EC845044AB0EAE1F3A52087B8C6DA80781932166A5B405E9D2E3852E962D088EE197390AABCC20DB4896D42A1570EA
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):9272
        Entropy (8bit):7.977752249432826
        Encrypted:false
        SSDEEP:
        MD5:CA8861F2BE2222BDAE1DBF79D0A0F344
        SHA1:283D94015CB25FDE80797BF6C8CF68B567755EDD
        SHA-256:C7FE06CD2F64D0D514D103EFAF766C50EACD0892D7020E7F4298BD9321E0CA7D
        SHA-512:1E61EB15B79B4A814F9EFBC753E76DA9812E216903B1554793FE654887A17CAB38212A059B0CC4615AD4A64045479C4130B0551F35697450E5B32234A4891C3D
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):37944
        Entropy (8bit):7.995359327354051
        Encrypted:true
        SSDEEP:
        MD5:F953CE3AB62CF9D9CE6C493F736AB10D
        SHA1:A6BDADE3343961968214C4337DAB884DEDA250FF
        SHA-256:64B907D37CDB5C9EEAC5ABA8DF0C532824471370DF960AD0AD6A01AD05DBB1D4
        SHA-512:DE8186F74D5751941C32E16B1EE7726BDA1DC5C4AD31B7B4D9D0CFC60EC2121223DC5979D7817544D84302FC3543AF7A00119A83D86C910C0CEF3783AB69E37C
        Malicious:true
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2136
        Entropy (8bit):7.9060835757446455
        Encrypted:false
        SSDEEP:
        MD5:FA7F436743EBA19FE1FF34E6BDCAFE3E
        SHA1:8BC10D44C8863759F1BABD010D0E9D94FAD1A96B
        SHA-256:A1B8C0BB38FDDD20841E707060A4B30FB7A7433349D2F3BE503FB1F3310BAABC
        SHA-512:4272878257A4E3ABC250C2FCD98B74C85977817D5DC6C4CA28746E6B409644341559F86358C1846BE6DA0CBCA7BD191183501DAD8CDDEEB2E46E74861587663E
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2072
        Entropy (8bit):7.910974524461601
        Encrypted:false
        SSDEEP:
        MD5:ED52B3BE4574FF8B05CC68F897BD3E8F
        SHA1:15CE1BD3F39893B3A5D2D30DA8A599A91E9FE303
        SHA-256:7F862D3F1ECF9625FE7C10BC4CB3485368B5243370CE3537C42B3EF20FF00F3C
        SHA-512:BB95F266C5766C81F1113BF20001AFFEB9F829B08C305A26B379DA34DAC585B04796748E2B7DEC3DC746F12981ABD1FA98961391AAB195023DFE7BBC4C3B7417
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.836229707938324
        Encrypted:false
        SSDEEP:
        MD5:5B0E4DE08C6577C0A4D8F573B3E355E1
        SHA1:445D7AD38FE3369AA2C48F31DEC79AF0C0A6B5AB
        SHA-256:D6AD79C951E05F015FC28CD463053F2C9CB31AF92D653D01868D2E3F075A3FF8
        SHA-512:6BF7381055343649C1092266FCB1C5CE50AE307D6CAEA7DD70BF045AD6A87DCAB03B709690BD544E9926DC800577C6C77152FD1347EB835FB822E8CDF33B0C7E
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1352
        Entropy (8bit):7.849673396173478
        Encrypted:false
        SSDEEP:
        MD5:AF94DBEC8F8B87D13FA9C49A07BBD59F
        SHA1:82A44581C9F80DFECA1577E0B14810CA9387A3C0
        SHA-256:C2922C4061B15B9B3F719938F6A8D5577EEF6461D20297B69286A5B6AC277FB1
        SHA-512:A39B9287AFE68448F1922BEF353DB0CAA9C7410F0AE814EC3301CA6234E65FC7F3F92FFA0BE46ACDDED396D33EB8242E268A5CCE3E8D7E0DFF7D01A2B95B5681
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1528
        Entropy (8bit):7.87214955142188
        Encrypted:false
        SSDEEP:
        MD5:9AA40105840EC0D3266A6C0B474AD6EC
        SHA1:E48A4FEEF8B2DA686A05B05B9843E2EDCC481238
        SHA-256:8D2FF47CCD88C296EF4F364CF712FE2DE44F6F895731543EC0512A9F924CB796
        SHA-512:B2E8829E5E93B4727FD0B5B0213FCDE72352E6E327F9C809182EDB36BE3424289A8B1475AAF7028F0003CBCF26CA87542483E200D2904DA14590DF226CF1BE99
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1160
        Entropy (8bit):7.845543767503856
        Encrypted:false
        SSDEEP:
        MD5:DA6A758BC2F753E0D263C00A8AEAA497
        SHA1:431C6164F20C23FAB6E9495EDB04A42D89DF5088
        SHA-256:67622EF2D1738923B368D861B2EA5C33987BC883541B7DCAC8329D4D677B5025
        SHA-512:CB3513E43C52A70EBC82AB1843F7FE352F95715260686A8874943F9DA93BE79D0EAB7C80C82D5DFCD47DD240CEC7088533FC5B7D73FF085B8CC60FBBC89A8EEA
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2440
        Entropy (8bit):7.924204299775155
        Encrypted:false
        SSDEEP:
        MD5:9BBE0248E41922FC2277B5150A468D0C
        SHA1:C64C279566CC36961AFF341BC03C560AA42CB57E
        SHA-256:73C79C43739188C3CF8FFCE15DD196BC54460E002B6D1D24F444E66C12DCC5CF
        SHA-512:1D625EE98FD53A5C0BDBAA4A6BD7C95F1A94FE13A789F20C7BD1C2B4E2023863DF0D42DB09D27697E832DB24D22ABCF831F2864D3FF12410DD87CED1D479C5F5
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):3816
        Entropy (8bit):7.955760018314402
        Encrypted:false
        SSDEEP:
        MD5:C8E9B150CC990AA2EF3F9E42679A84FA
        SHA1:6C1E21302B4A1DE11567DB41B72E9EFBA9A5E9C2
        SHA-256:E6AA5A0C8CAE4F9BDCF59B033099064B49CF9C1576DB47872FBC1C6E7765F190
        SHA-512:E006CBCA8BB8B95E1B5E6FF6DDBA32297A974DCAC732963AA8418A88F3697E29236BEB6E7658EF0F57672B8F515001CD4923BAC53B05B18E9ACC1E74A89000E1
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1256
        Entropy (8bit):7.83695588511468
        Encrypted:false
        SSDEEP:
        MD5:57A89A394A7F0399161AB24A627E0CA0
        SHA1:16E5B621C3F67DB4C5A131C720F57964D1556505
        SHA-256:81A7E73C685D4DBC3E0AFD31247F74C3D0ECEC2DACC370DD2C304E290CBD2F09
        SHA-512:C75780F924560062AEF155BA660B84A3145A5D79059B50FD3FF2CCD3684DC8FE03239AE3221D4219187BDEDAE65166E13777167A35EE1206A2F702BC836B3AD8
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):2280
        Entropy (8bit):7.910648446094838
        Encrypted:false
        SSDEEP:
        MD5:7D6736E1CCE485E6849B062E8855CB9E
        SHA1:70223E7215B6804707728392DBB3C9093DA631E1
        SHA-256:60DD3EBF88CDE31BDFCF1A2D52B518602D80A9A8C93AECE0F9009DEBE9E6F587
        SHA-512:316533D4F66E61D088EEC0ABE690C0D2A52E250CFB565FB17E062F451B4557593F6679201DA87B8FB40DED3F3E68615A1463EC68ABF37CC664E9D65B2907E6C5
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.842681093540845
        Encrypted:false
        SSDEEP:
        MD5:D7E0E64A051DDE1DC9F23C23351DE907
        SHA1:15E7F96CDC08F7FC0AECBC3453E1D73100D17C4C
        SHA-256:8A8BAAA4A3C99FCE2A1A46F0BDC0157AD9A83DCD3BE994C122996A68D0FDC852
        SHA-512:C5B3C1A5A7A396FD14E11A76DA42000D33CF52839C8B1F66F55B8D5583DE80F82964D93E5D66F98854507DD62FC8AD3E5688EB8BE333A01A683ED8AE062E83FC
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1560
        Entropy (8bit):7.866758026937131
        Encrypted:false
        SSDEEP:
        MD5:CCAEA2DF92EA357F568177BBACA30B57
        SHA1:0ADA776ED7FDB8EF750B82F74CDB07019C5DF49F
        SHA-256:72CC98B82ABDA23256E12B122FC6D8BC45506AA2D8A69BBD167EAC9F02430E23
        SHA-512:68C6681A6A95A11B2893591CC0C73C9A13C61531026E1D11356E94ABDFEF79BC7B2129C91B7679D444405F06D3535EA409A915BCFE037CD05E94A7EED78CCCD8
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.837482266234121
        Encrypted:false
        SSDEEP:
        MD5:A0A9044BE316653614895E02769DD72A
        SHA1:8D049112249A4D71115A778F9279BC41C93DEDE0
        SHA-256:033E38B30C050046A539C0E9C3919757B8CD34E1BA7D8AD7FE639D4E22F4B195
        SHA-512:69EF8ED8E2035A1B5EF5056EE034F3D77BDDACAAFFF4F014F11423DB0AFD2BA299556695D95626E6253DC542EFBA666164C58A27DFC1CD75DA2D71E76F42F48A
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.870042651813873
        Encrypted:false
        SSDEEP:
        MD5:F6ABB7A487606A3B5F02291D8AD50E09
        SHA1:EC25AD06D852A98F2BA93D57CA93B4ED8275AB55
        SHA-256:C497CAACA14422B946F10A18A8D9D33AA0F551A56D3035EA55A766DF42E400AF
        SHA-512:042A7F6A9810F46B44FD7A80661C24B0F73F3C21AABDE4FCF77C1B44350F82F86E188F0FD5E761050F3DC2D65C15DB6695930E5BE570B5214AD48A80F6D061F6
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1816
        Entropy (8bit):7.879227356949742
        Encrypted:false
        SSDEEP:
        MD5:16B865E4723C467BB3C33081CCB7ADC1
        SHA1:94368C96BC09703969E4BD8DE041D11534D27CEF
        SHA-256:299DB2B943B9E5D132CF25B4DCFEAC214D40D9C29D2FBC964FCA63FD14D6D6A5
        SHA-512:B89CAC30765E2821A782ADC68D991A8426511847477935D2DFAF2D13BA64DC0D5FB90AD5C3BB7190C3817969DDEFB639BE2CE13DADF650E88E65C2049297D408
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1240
        Entropy (8bit):7.819328164318204
        Encrypted:false
        SSDEEP:
        MD5:6A9D096D5617859A458FCBD5ADF1D988
        SHA1:ED3F0F5ACDE61D81FCEDCA2ECADE22EDDF9BBF6C
        SHA-256:DEBAEF40E146FE3E61AFCD52FA8B216D236AD004EED52282EB1DBB1E409B5DE8
        SHA-512:41A5F7C226D670E53965FFB611234A753B1F17FD4223238C18130E06B7930641F8D4E4057BCB9ECE165C47F90883D9CA2CAA3EF254F632CE3A44D857BABB355E
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:COM executable for DOS
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.852568270849338
        Encrypted:false
        SSDEEP:
        MD5:E9A90AB684F88F7787605EDDFF1FA2DA
        SHA1:AB76293517DFE0878CA229D854BD6BF8432B8386
        SHA-256:E30FE938F29CEAAB61F7524AE2C0AEDDE707DF47BE89578AC0A9EBF9658026D3
        SHA-512:0462896BED29CE27D46BF30E43EE86AE1ED1EF62AEAC9C438778DBC28ABB41432579AF1FF187313538B97AF124F8178669C7E54FEB681948F0D623AC074BBCAC
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.858946323909682
        Encrypted:false
        SSDEEP:
        MD5:AA6F7D329E6DE8E74992E517F0000CD5
        SHA1:F2141BE2617C4415973832030DBA3697C24E026E
        SHA-256:199F56CB72541267B3CFC95472D931FA8980B167F8827DFEFAB8137F11C15B5E
        SHA-512:2DD1ECD7E67B4D8C6482951BCD53B56DCC126D2937905EF36ED16C969A4F1CD91DA0C775780CF9D0D6C4D47F5536B1BA98CF0B745FE125926056C4DCF4B0C3FC
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):1448
        Entropy (8bit):7.828961300467192
        Encrypted:false
        SSDEEP:
        MD5:CD143AD3D59B89050F07AC69CD0486BD
        SHA1:10FABDB4ADCC641372BEC0354058C8052B63E9A4
        SHA-256:8D2B84B7028E9F1C290D64EE23B985DDD583530E16BEA4C9095ECA1EC4720998
        SHA-512:0FDD62473CE4F9FDF52EBBA857466DA5FD92ADFFBFFA0ACB86465C4FC0DA8E09701AC19A4346EE2127D33CE81AAB80B75B55DBEBECC24FF037CCCC686A10FADD
        Malicious:false
        Process:C:\Users\user\Desktop\PLAY.mal_.exe
        File Type:data
        Category:dropped
        Size (bytes):8248
        Entropy (8bit):7.975594319449011
        Encrypted:false
        SSDEEP:
        MD5:8611076229442312FD1B17E703A323A8
        SHA1:8842EAAD76DB36EA9FC69589DAAE2EFB7BE64B70
        SHA-256:C0494EE583A959D719BC8F1AA8788BB044A0B772F13CE267C3B8A417A8C2DEC9
        SHA-512:0AA0C7693ECEE2CB9CCC28A24EC022320640C110828D87D98E7886431124D1B589840E2818C76D5947CC8D12109F3EF77A28267AEB3D18B8EBA4D286AF27FA8C
        Malicious:false
        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):6.681707525912978
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:PLAY.mal_.exe
        File size:182784
        MD5:223eff1610b432a1f1aa06c60bd7b9a6
        SHA1:14177730443c65aefeeda3162b324fdedf9cf9e0
        SHA256:006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
        SHA512:cf8b097e4d8dae444c4759a6588bcc5769694d34675f17fed5ee6d0b7aa52ed44263b0cc73f4ff422182a01ad8d69b18a71110c4fc4e9dd2233e9cfe833cbd36
        SSDEEP:3072:Yrl2uRkddO+iR7OZOQ+dzeIP9mwUGU3l2bxW1/9JnOC/fhKJ2hXh3lmG:22uyqOh2g8U12K9dtEWx17
        TLSH:F2047D16A7B1D075E4B6847026E98EF1CE693B320F01C8EF6781176959325E2E135F3B
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E.X.$...$...$...L...$...L..3$...L...$...L...$...L...$...L...$...L...$...$...$...M...$...M...$..Rich.$.........................
        Icon Hash:00828e8e8686b000
        Entrypoint:0x417ea3
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp:0x62F05D12 [Mon Aug 8 00:47:14 2022 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:6
        OS Version Minor:0
        File Version Major:6
        File Version Minor:0
        Subsystem Version Major:6
        Subsystem Version Minor:0
        Import Hash:bfaffd974eb97f13ae5b4b98aa20c81e
        Instruction
        call 00007F2DB8718A31h
        jmp 00007F2DB87185BFh
        push ebp
        mov ebp, esp
        mov eax, dword ptr [0042B004h]
        and eax, 1Fh
        push 00000020h
        pop ecx
        sub ecx, eax
        mov eax, dword ptr [ebp+08h]
        ror eax, cl
        xor eax, dword ptr [0042B004h]
        pop ebp
        ret
        push ebp
        mov ebp, esp
        mov eax, dword ptr [ebp+08h]
        push esi
        mov ecx, dword ptr [eax+3Ch]
        add ecx, eax
        movzx eax, word ptr [ecx+14h]
        lea edx, dword ptr [ecx+18h]
        add edx, eax
        movzx eax, word ptr [ecx+06h]
        imul esi, eax, 28h
        add esi, edx
        cmp edx, esi
        je 00007F2DB871875Bh
        mov ecx, dword ptr [ebp+0Ch]
        cmp ecx, dword ptr [edx+0Ch]
        jc 00007F2DB871874Ch
        mov eax, dword ptr [edx+08h]
        add eax, dword ptr [edx+0Ch]
        cmp ecx, eax
        jc 00007F2DB871874Eh
        add edx, 28h
        cmp edx, esi
        jne 00007F2DB871872Ch
        xor eax, eax
        pop esi
        pop ebp
        ret
        mov eax, edx
        jmp 00007F2DB871873Bh
        push esi
        call 00007F2DB8718EC3h
        test eax, eax
        je 00007F2DB8718762h
        mov eax, dword ptr fs:[00000018h]
        mov esi, 0042CDB0h
        mov edx, dword ptr [eax+04h]
        jmp 00007F2DB8718746h
        cmp edx, eax
        je 00007F2DB8718752h
        xor eax, eax
        mov ecx, edx
        lock cmpxchg dword ptr [esi], ecx
        test eax, eax
        jne 00007F2DB8718732h
        xor al, al
        pop esi
        ret
        mov al, 01h
        pop esi
        ret
        push ebp
        mov ebp, esp
        cmp dword ptr [ebp+08h], 00000000h
        jne 00007F2DB8718749h
        mov byte ptr [0042CDB4h], 00000001h
        call 00007F2DB8718CEBh
        call 00007F2DB8719352h
        test al, al
        jne 00007F2DB8718746h
        xor al, al
        pop ebp
        ret
        call 00007F2DB871BF6Ch
        test al, al
        jne 00007F2DB871874Ch
        Name                                  Virtual Address  Virtual Size  Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
        IMAGE_DIRECTORY_ENTRY_IMPORT          0x2a8c4          0x28          .rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2e000          0x1638        .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG           0x2a1d0          0x38          .rdata
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x2a208          0x40          .rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
        IMAGE_DIRECTORY_ENTRY_IAT             0x24000          0x104         .rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
        .text   0x1000           0x22145       0x22200   False     0.613846440018315    data       6.744506431104587  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata  0x24000          0x6e8e        0x7000    False     0.47984095982142855  data       4.945197895884443  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data   0x2b000          0x2750        0x1c00    False     0.25948660714285715  data       4.439440123336567  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .reloc  0x2e000          0x1638        0x1800    False     0.7708333333333334   data       6.423094865560977  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        DLL           Import
        KERNEL32.dll  GetLastError, GetProcAddress, Sleep, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapFree, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer
        TimestampSource PortDest PortSource IPDest IP
        Sep 1, 2022 23:19:42.312827110 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:19:42.337165117 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:20:07.759740114 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:20:07.777781963 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:20:30.524529934 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:20:30.527321100 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:20:50.520207882 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:20:50.526673079 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:21:12.758860111 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:21:12.764676094 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:21:34.058525085 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:21:34.109307051 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:21:53.837146044 CEST60626274192.168.2.3192.168.2.1
        Sep 1, 2022 23:21:53.857904911 CEST60626274192.168.2.3192.168.2.1
        Timestamp                            Source IP    Dest IP      Checksum  Code                Type
        Sep 1, 2022 23:19:32.799357891 CEST  192.168.2.3  192.168.2.1  cec9                          Echo
        Sep 1, 2022 23:19:32.799431086 CEST  192.168.2.1  192.168.2.3  d6c9                          Echo Reply
        Sep 1, 2022 23:19:42.312905073 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:19:42.337223053 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:19:57.405159950 CEST  192.168.2.3  192.168.2.1  cdfe                          Echo
        Sep 1, 2022 23:19:57.405203104 CEST  192.168.2.1  192.168.2.3  d5fe                          Echo Reply
        Sep 1, 2022 23:20:07.759836912 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:20:07.777854919 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:20:22.446391106 CEST  192.168.2.3  192.168.2.1  cd03                          Echo
        Sep 1, 2022 23:20:22.446455956 CEST  192.168.2.1  192.168.2.3  d503                          Echo Reply
        Sep 1, 2022 23:20:30.524578094 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:20:30.527390003 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:20:45.756715059 CEST  192.168.2.3  192.168.2.1  cc06                          Echo
        Sep 1, 2022 23:20:45.756772041 CEST  192.168.2.1  192.168.2.3  d406                          Echo Reply
        Sep 1, 2022 23:20:50.520282030 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:20:50.526707888 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:21:06.824150085 CEST  192.168.2.3  192.168.2.1  cb09                          Echo
        Sep 1, 2022 23:21:06.824199915 CEST  192.168.2.1  192.168.2.3  d309                          Echo Reply
        Sep 1, 2022 23:21:12.758925915 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:21:12.764714956 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:21:28.139507055 CEST  192.168.2.3  192.168.2.1  ca0c                          Echo
        Sep 1, 2022 23:21:28.139592886 CEST  192.168.2.1  192.168.2.3  d20c                          Echo Reply
        Sep 1, 2022 23:21:34.058574915 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:21:34.109369993 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:21:49.144785881 CEST  192.168.2.3  192.168.2.1  c90f                          Echo
        Sep 1, 2022 23:21:49.144834042 CEST  192.168.2.1  192.168.2.3  d10f                          Echo Reply
        Sep 1, 2022 23:21:53.837203026 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:21:53.857955933 CEST  192.168.2.1  192.168.2.3  8307      (Port unreachable)  Destination Unreachable
        Sep 1, 2022 23:22:08.785002947 CEST  192.168.2.3  192.168.2.1  c812                          Echo
        Sep 1, 2022 23:22:08.785059929 CEST  192.168.2.1  192.168.2.3  d012                          Echo Reply
        Sep 1, 2022 23:22:25.656336069 CEST  192.168.2.3  192.168.2.1  c6d6                          Echo
        Sep 1, 2022 23:22:25.656409025 CEST  192.168.2.1  192.168.2.3  ced6                          Echo Reply
        No statistics
        Target ID:0
        Start time:23:18:57
        Start date:01/09/2022
        Path:C:\Users\user\Desktop\PLAY.mal_.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\PLAY.mal_.exe"
        Imagebase:0xae0000
        File size:182784 bytes
        MD5 hash:223EFF1610B432A1F1AA06C60BD7B9A6
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.380476408.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
        Reputation:low

        No disassembly