Analysis

  • max time kernel
    1800s
  • max time network
    1225s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-06-2023 12:38

General

  • Target

    952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe

  • Size

    673KB

  • MD5

    2e8897ef38d4abe4861360a4b6e895d5

  • SHA1

    f668b1110d8a6b1a3f638fd8a6276a7a1efe18db

  • SHA256

    952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f

  • SHA512

    02d7fe9141b25c74fb4721fa5cba6030cae671ec159987e1e0c95eee65fd5185586b0101af63e36f788cf8b7fc7044018e059301b17e5e63e68564d31f3610b8

  • SSDEEP

    12288:fjVr5+jJNj0H5zPYXADL1vpQ/ywpll/nh:fjB5WJOH5DYXAlvMyUJn

Malware Config

Signatures

  • PLAY Ransomware, PlayCrypt

    Ransomware family first seen in mid 2022.

  • Renames multiple (8309) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 29 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Modifies registry class 21 IoCs
  • Opens file in notepad (likely ransom note) 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
    "C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    PID:3204
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:51076
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:71424
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2840
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1572
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\TraceWrite.docx.PLAY"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2888
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:71628
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TraceWrite.docx.PLAY
        2⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:66636
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:18580
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ExpandOpen.html.PLAY
        2⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:70028
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\ReadMe.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      • Suspicious use of FindShellTrayWindow
      PID:71580

    Network

    MITRE ATT&CK Enterprise v6


    Downloads
