Analysis
- max time kernel: 1800s
- max time network: 1225s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2023 12:38
Static task: static1
Behavioral task: behavioral1
- Sample: 952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
- Resource: win10-20230621-en
Behavioral task: behavioral2
- Sample: 952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
- Resource: win10v2004-20230621-en
General
- Target: 952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
- Size: 673KB
- MD5: 2e8897ef38d4abe4861360a4b6e895d5
- SHA1: f668b1110d8a6b1a3f638fd8a6276a7a1efe18db
- SHA256: 952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f
- SHA512: 02d7fe9141b25c74fb4721fa5cba6030cae671ec159987e1e0c95eee65fd5185586b0101af63e36f788cf8b7fc7044018e059301b17e5e63e68564d31f3610b8
- SSDEEP: 12288:fjVr5+jJNj0H5zPYXADL1vpQ/ywpll/nh:fjB5WJOH5DYXAlvMyUJn
Malware Config
Signatures
-
PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
-
Renames multiple (8309) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
  File renamed: C:\Users\Admin\Pictures\ExpandInstall.crw => C:\Users\Admin\Pictures\ExpandInstall.crw.PLAY
  File renamed: C:\Users\Admin\Pictures\NewOpen.tif => C:\Users\Admin\Pictures\NewOpen.tif.PLAY
  File opened for modification: C:\Users\Admin\Pictures\ExpandInstall.crw.PLAY
  File opened for modification: C:\Users\Admin\Pictures\NewOpen.tif.PLAY
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 29 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Modifies registry class 21 IoCs
-
Opens file in notepad (likely ransom note) 3 IoCs
Processes:
  NOTEPAD.EXE (PID 66636)
  NOTEPAD.EXE (PID 70028)
  NOTEPAD.EXE (PID 71580)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 7zFM.exe (PID 2888)
  Token: SeRestorePrivilege
  Token: 35
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
  7zFM.exe (PID 2888)
  NOTEPAD.EXE (PID 66636)
  NOTEPAD.EXE (PID 70028)
  NOTEPAD.EXE (PID 71580)
-
Suspicious use of SetWindowsHookEx 25 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
  PID 71628 wrote to memory of 66636 (process: 71628 OpenWith.exe, target process: NOTEPAD.EXE)
  PID 71628 wrote to memory of 66636 (process: 71628 OpenWith.exe, target process: NOTEPAD.EXE)
  PID 18580 wrote to memory of 70028 (process: 18580 OpenWith.exe, target process: NOTEPAD.EXE)
  PID 18580 wrote to memory of 70028 (process: 18580 OpenWith.exe, target process: NOTEPAD.EXE)
Processes
-
C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe"
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID: 3204
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 51076
-
C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 71424
-
C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 2840
-
C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 1572
-
C:\Program Files\7-Zip\7zFM.exe
Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\TraceWrite.docx.PLAY"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 2888
-
C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 71628
    -
    C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TraceWrite.docx.PLAY
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow
    PID: 66636
-
C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 18580
    -
    C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ExpandOpen.html.PLAY
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow
    PID: 70028
-
C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\ReadMe.txt
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID: 71580
Downloads
-
Filesize
1KB
MD55d1f5e27c5d77d9c6158d3ba90eb7a08
SHA15b3e88ce9c569ae94659a72af50bcd19e340e409
SHA256401a6907fe93d6016a9dc4d66bb601ae526c6df929f588006f70ca8b16378e23
SHA512a28dbfbed444b122e0d1069513ebb8d8d098947022b3586f8518fb6fba3fd769f8b76a9808f0f77951ed2fdb8c228f12e580f56be8e03dc9f058dd9585a57ddf
-
Filesize
218.2MB
MD5b3e4c478f6354241ff55b60bb44f50dc
SHA1866f88c907e16e4f41703c65c4111175845febc4
SHA256974aa720e3e8cbf4b03c3e7fccbeb12360d174dc1a19e2caea71260b09537540
SHA512e378f124bc51c4843201ef6778b2237dc9164284f5f42e1c2f18cf618836f4d885a58d14b3c7475cee8972f80b629545e8e3bd2fe33f87db12889fc69f32d20d
-
Filesize
167.0MB
MD53815db7df7ee0f6f81a8a7557aa93ab0
SHA17d8bf6383dac3c1941bf9261b37dd3a0d91658a6
SHA2560fd640a563662b6a4b9d3756196231abed24777118f0c8fda84f8d37971ce8df
SHA512fff290748de219786edec59658863a0ea95995c6f7317e4d8b221b7255695bf41dcf373a58274168339df4549735d97f760095bc4afb17fca66e5de149455a5c
-
Filesize
1KB
MD528071b6cf2a6c73a073733f02b95b6eb
SHA1d0f1bfc0399d5f059fab32f1e6631e04ef056808
SHA25634b01ec923b81326794ec41a0125d86ddc7e8db3e27850220612d330a579754a
SHA5126a62ac71df35a9ae6001cbf52c72fed90bf3c0753d2c27ce63eea9d94ffee05e03fcaa623832ff71ea1f415a361dcffb50c7e36065f65020420ba8f9c27e85e3
-
Filesize
1KB
MD548d837177753f54cb5cb41baa66bd9de
SHA192646b5a3d51cb769221dfbe3655f12741deb9de
SHA2561ad500986fd70fbd7889bb3b80db910fdb93f21725cdff440ae18d9dd9b5655b
SHA512ade92662ba6e4d1af28694e3cab86e8bce216a8ad6cc7e50691c3e724515210c3ec7aa7b3ed376b55c9357e164f6dd8176f834f42b771f65aeacf2ff2b61db17
-
Filesize
1KB
MD52bb541c2f4f1b4300b534ead32279dd6
SHA163a139d2be0ec79a51814be586aafb5d4a6220ae
SHA2565f6fbe7a9bbca5fc85fea17c69af99b9c14ca2d014fb98537dbaf83ecf6f807c
SHA512882366a156f79aa5e6bcc6742fdbf459f7b0367f7eb312b112c9e80e47359bea0ff765802f723539e93361ffc7dffe05418a1cf7b04c166dfb65070630403fe4
-
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY
Filesize1KB
-
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
Filesize
5.5MB
-
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
Filesize
5.3MB
-
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
Filesize
870KB
-
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
Filesize
5.4MB
-
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
Filesize
4.7MB
-
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
Filesize
4.9MB
-
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY
Filesize
803KB
-
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
Filesize
4.9MB
-
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
Filesize
1011KB
-
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
Filesize
791KB
-
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY
Filesize
974KB
-
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY
Filesize
742KB
-
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.PLAY
Filesize
2KB
-
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.PLAY
Filesize
2KB
-
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.PLAY
Filesize
2KB