play | 14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
30-07-2023 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
Size

458KB
MD5

1bf9cd6a26890b29260ee6843d3d0bd2
SHA1

4cdeafb53b3c2ebf4cbf1764590468eba979518a
SHA256

14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72
SHA512

fade8f43f6a69258ad009ae7cfce718d17f83a1acf9e3dfaa82ae908d6ebbeebf43179af3b379ec769093eb83d0ce4e68f4ee431ecb6cda22b696eb469527bde
SSDEEP

6144:EvMaXoK921y0Y0V/XhY6AfwKMXGhcWLzFPR6U6mLzmZpKVPWLlKsp+:EH21y0JV/XCSO/LTn6PZprTp+

Score

10^/10

play ransomware spyware stealer

Malware Config

Signatures

PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
ransomware play
Renames multiple (8426) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 39 IoCs

Processes:

14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4159544280-4273523227-683900707-1000\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Public\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe

description	ioc	process
File opened (read-only)	\??\W:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\L:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\P:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\V:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\J:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\M:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\O:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\Q:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\R:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\U:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\X:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\H:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\K:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\N:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\G:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\I:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\S:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\T:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\Y:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\A:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\B:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\E:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened (read-only)	\??\Z:	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe

Drops file in Program Files directory 64 IoCs

Processes:

14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.config.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKREQS.ICO.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DOCL.ICO.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\THMBNAIL.PNG.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\THMBNAIL.PNG.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Traditional.dotx	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MENU98.POC	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\BG_ADOBE.GIF	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\IRIS.ELM	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ACCOLKI.DLL	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Pohnpei	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\gadget.xml	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0240719.WMF.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14754_.GIF.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipBand.dll.mui	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01060_.WMF.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0291794.WMF.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Informix.xsl.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107492.WMF.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Paramaribo	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00177_.WMF.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\validation.js.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL065.XML.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690Nmerical.XSL	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\currency.css	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15169_.GIF	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\RemoveRevoke.xlt.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ.POC.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239943.WMF	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09662_.WMF	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00734_.WMF.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\BHOINTL.DLL.PLAY	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\http.luac	14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe

C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe
"C:\Users\Admin\AppData\Local\Temp\14315662ccecf8a6f1e85f7cbb89b437aeb947684c1830a5d72d478b13aeee72.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:2564

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4159544280-4273523227-683900707-1000\desktop.ini
Filesize
1KB

MD5
daeaa739dd4fefd57574bba66db14573

SHA1
a048b291d51c7350588e389e66d689682a096f5b

SHA256
aa58bba1341edff46d985304c6b95f37254b7816546998cc8224454d9cae797a

SHA512
38b43b48a13b6bca0e230ca272d6b8e3c2109cb59d676d919d4983c9d6e93ba5ee9e9d291bd6963e5d6b4908861273e3473845e6aed927073d05f3fc33f3c615

Download Submit
C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata.PLAY
Filesize
1KB

MD5
4bef5b8ca7f3c656346b7a8f81803bbe

SHA1
a80b93cd04ddddc8e8fa97f5c4df37f63be097ea

SHA256
008fced0375ac3b15a015c1aac6016c94e9808549edfcc3f3ae958713361c856

SHA512
768d5d7b568a13b5fa6a7fdcef2e8df48ce1fae0ccf70b557ab5cc97160a55cec7f20d7d0ea5c68152a23105da77e7456139d244c810564116a1e49b2de63a2f

Download Submit
C:\ProgramData\Adobe\Updater6\AdobeESDGlobalApps.xml.PLAY
Filesize
1KB

MD5
59ffd87a54c8d668b34a0379e7719291

SHA1
0f7e78b46ddb447748eca683b9554053ab014835

SHA256
73302224428eca777af1a2f8ccaeafa51eed310712dd4cf3bf892ce987e37a0c

SHA512
49f208cb019621b1030f71ea5eac7d9dd4d160fda9042cdd6428bfcf40f8805bba16194a169b2465ebab3782a99b835b90ae80e6e396c8c49a8dbab580207eee

Download Submit
C:\ProgramData\Microsoft Help\Hx.hxn.PLAY
Filesize
1KB

MD5
4f82c111e3754cb27394586a53edeae0

SHA1
d303ed1abb744c21a4673c07f325ffcaa950bce1

SHA256
312c01425cac8cf041bbf046799714a49fd7c1c5057d7ab4dce4ae5ef2c88594

SHA512
b2bdb1a7fd3e6415754e5c3736e7ce90b9f9dba1f35933e4af6dc1dda613e21b36091efa875d0671ac00d04cb7605d88936d2c70b0e8cd898a8ced02d25c0246

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_K.HxW.PLAY
Filesize
14KB

MD5
48fc7a0793fead8470d877a998ca2ee9

SHA1
e51bbb933fb942a980eb20c6525525333bef9ed1

SHA256
9f018f7d3c43c5f2a1b215b6a93c24179abe0845b9fde7045f923da1e966d0ca

SHA512
25a77c9a6c14ec30ed0b26e352a5140cc6c9114453d44f46b5a7a10052198b4704e47e8d87ff50a9862f34f41fda6096a5fb7ecb3a4de2158ad93d97ea7776b7

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW.PLAY
Filesize
14KB

MD5
004351bceb85793f9df8e1cb271cde9a

SHA1
867929a819a61e4f021cd98789e46f6e59b6badf

SHA256
2201028eb25a082134e74fbb1b1918579c2e6c2b0d09448b7d6491c991ccbea1

SHA512
b8575caa2fdeeaaabd1a0e99368845cf1dab649fa039c9746bece0d8456b6d959d16a6e5dd9865bc43fc690bc41f210d62247b030daa0c260f471eec45dc163b

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH.PLAY
Filesize
10KB

MD5
8422cd76a78024bb6cd8335cea616cf6

SHA1
44f263c9234e66616c6d436d288b86aafece123e

SHA256
e1545d1389352623bc7e3f3904750feac2a5188c3d8dce76ccd4aed799ba0f99

SHA512
9ade5026a76d213aba75099eabc2bc426e31eebf73fb860056e5df8a4923cfcc3980b99be28928bd18d2647d9e2ada682b6862c9c0e8e9cb27c87b9c609b5cfe

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MValidator.HxD.PLAY
Filesize
10KB

MD5
38f5658d567a3caff15fd7ffd8328b13

SHA1
f5cd84f78bcc9dc9417c146ef575be02b2752a0f

SHA256
8596a9d8011d6db04ee87ce93355b529378b635f78da97110b2cf15b747b2083

SHA512
15be1b131fd3915fcd746c7eabca4454c6f0fd0b4e9f4b47cc10a16e97c1cc80dbbcb2c7413712c561824022133d4f4531c7a8a1fbe0e517d6e78c10f483c5b6

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn.PLAY
Filesize
1KB

MD5
c1315e78a27b123b7562e2c75a41f963

SHA1
5033e267fb1373b8ab927bef1f1990c039353de3

SHA256
0f12b76a125a5d9a336633b910423a66afb8f935ddfea5aed0366994181f831c

SHA512
3de7dc44bc0af35cb244fb6a6000373a04d31b735479ea6b8652f258544fd7465f0496208ba87485220016ac63509999eafc9068076e8287bf68b8b792fe2dbd

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn.PLAY
Filesize
1KB

MD5
a2179c9c7e59e11b27786505993c46c9

SHA1
2cce0fff38cdec7b8da94801efbf0814015b090a

SHA256
e2ff650d418ba19a671de953269323c72462c533ecc9e6ec734e14ba7c532c8d

SHA512
a92bfffc840c5a4687fd5969067dc276a213f879375dd2199407e25b0c3382b944f7fdda794c7cf91684baeb3f16eec79719eb501bb3f4bf8f776a94db6e7188

Download Submit
C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn.PLAY
Filesize
1KB

MD5
5b65b8954c7bab05099cc3594162fb60

SHA1
f9171c20480c99ee9b0de77eab570cb85d2dbc6a

SHA256
b612875aa8a469c4fadda582398e41866185a5cf7e60f37da91fba402e4c1625

SHA512
85dbbe540a361e0869981dee20361fad0e1c65567bef4bcc9eb315549ac36d565ac897fca6dd789560d86f9775570c7f9f3670adc62e87bd2dcad9c7db9d2ac6

Download Submit
C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn.PLAY
Filesize
1KB

MD5
65bdf30ecc342d06eb76ac54a199f496

SHA1
960e1cad1c9154e7dc50e5a6aa1db6d569df2e10

SHA256
f6f1c36f1eb0e3161961772ddbb89406d6c75db7bb0837b111c0ea48a4a4a6fc

SHA512
27b416111e6d2041d167130bb5ea2c58c30c9ed2958a2f27f0fb66d98bbbfbb73d12441d3b12883f76bf7c70e11b30c0525563b2f3ac188cb5fa01f18c44f965

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn.PLAY
Filesize
1KB

MD5
684e120d96c4af1c9854f0c19a8667e3

SHA1
d3533c6d85587e976cf843b043ad6795e35ff023

SHA256
7ddf69130c2399f34bfffbbc18c90660933b939181a6b20851870e80dcb8f10c

SHA512
8a7e47e7cdc6bb7494372b715f22559d5820a987bb7846e6af1fdd734d08a46770615a63f114401ee906f7fd343eaaacf071ed88ad622e0da9961b931da4f724

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn.PLAY
Filesize
1KB

MD5
ee46412dccf4d508665861bae86af6d8

SHA1
b0a698d2caeb82db6a67fd2068d01f9415072649

SHA256
2b8b69b01b777dd55382fa5d9a54f31a2d3b7bcd91286a24ca9c58dc4e2d0a73

SHA512
9419f9dee5a6e64e4f23cdfd085723abd150d017ba5d6e09610ff98e495f721cb643d37a5ec5b173278895bdcadf4b61318f4e2d2fc9e91c887888ac79fde972

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn.PLAY
Filesize
1KB

MD5
a2cc544b24b1a961388ff245e570adbb

SHA1
1d37bd9d6e28544101341f3a1362b09c94577b2d

SHA256
5123276e12766bafde33103c9267d73d38e2137527b538709c2e1f701f46a376

SHA512
a7ed5ce6c972ac1194b8b7cef4af4e6ce1acb5fae301534091c04c8909fdb57881a28bcc8c06e881c6b01c58380dbd189346867a2be955cd802efec689f46787

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn.PLAY
Filesize
1KB

MD5
796cbae96cc8dc843fd2916131c05517

SHA1
5beec832b92824f1675c914051f43fa54c567a4b

SHA256
ca00c21721b5e2d201c58b979d9a7d43c9177f883cdb40adb8fdd5df6995fa45

SHA512
e499e98b49e61c380011a3b9a54439baf86f03ca6dc1781f727ae57cd81a09cb6ff40ffebdc48b575d2ee19f31c07303bdf008621097e1aaf4d075d20e96b763

Download Submit
C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn.PLAY
Filesize
1KB

MD5
74690dc696eaa5833fbedc693e16f71d

SHA1
844ce50249cf88c8bdedcb5036c246875aac04e0

SHA256
28ca1c92e547a40dd2fa4e7e9904c261c62d3aeb571e1e3ada8a8763e1179b56

SHA512
10a1c0e5e80dd41ffc313758491c32ee0414f44cdf7e3ec7b717cb68d5700c957c986dd2da8e2d35ef92a914cc130c69516342dddd49cd9af8191169a7122aeb

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn.PLAY
Filesize
1KB

MD5
39c6933f97f00f64ce9c28704e55af04

SHA1
98fbe8fb618abfffad6340160603bab65717652c

SHA256
4ac1cd4e71814437beccde6314373292488d3d2a1dc5e110192f75ab0a7092e2

SHA512
1629153da4a98248a7f7ed272bb1e2f47099d9ecfe82f83c71f4b74b2ef64d1f2342f77c0b737ea0ec29d4a6e178e2833903f1b2fed51dea36e16caf996d580e

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn.PLAY
Filesize
1KB

MD5
a010a6cb26d42c79abff811bb72efbb8

SHA1
e3326d2efd28c75fd787dbf392dc78257f684821

SHA256
6f13588e4bf0d62392c9fd6cef7e91a88fd7c5d86ad2e29d56f3d8c864dee4a0

SHA512
9ff6092fc1bb152f21043091788a8ae9ebd30c2f554506bdc0a437e8a362a08da951053dd6606ac472cba945db53ba1794e9ef07b67bc167d5b7e0f178de4c14

Download Submit
C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn.PLAY
Filesize
1KB

MD5
6c6959bb9d6823ee1d45e0c69d23b6f0

SHA1
b30469e99695825d6bf3a255a0bd8cfd07439cb4

SHA256
c1c96c6d02eabc8cce11faf4ac1b788506756ba6aa3bac2f0a3b8776c8ae6595

SHA512
81646f0974f51111231fa7fb55feaa50bb4bad437ca95bbfde77d784ba508c5a64b4dd113bbc8cf1af6e2c002dc5781e555996db1a09e55c33b7eb73748b2710

Download Submit
C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn.PLAY
Filesize
1KB

MD5
5e0e310ba5b7aaeddf695b428f0076a0

SHA1
f885d091362482104bcebdd81c86a54081e1ac8b

SHA256
7760a9ce599bf747ef8cf26a42d302444c630571a42096857fa78bcc975abe85

SHA512
048a8b780c04f2da645a79d1b7cde536b1d2221a8dec3ae8489e2e641a03dc7819c5e57bc3715a50127ddb9f0c4ad1f91fd88ee770cb2c8b04500f6a6cd132e0

Download Submit
C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn.PLAY
Filesize
1KB

MD5
edd446eb5fa054bcd826ab0492ffc3ff

SHA1
b175cf87cb4b65b2f2a34574e7614abaa76b4bfb

SHA256
8f5d781567e6615ebc9021023a3d214baa3e24e1b0257a59cd48f4df95cc63ba

SHA512
5fc34e75d738393ecf9c0403001a274afe22545f98df11b2d5a83727f67afcb67d0bc74d5e3dce23b263e50b89510ef05b4ee9128d5e1e057a8907ac2e2a534c

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn.PLAY
Filesize
1KB

MD5
aaeec876754b92f99e3865f6de09429a

SHA1
679db0b061c1e3ad1e894950f123cd34ebde1e0d

SHA256
30d0dd0f1a7725334d6752ba2270db9d1a5ad1cb27e55702cc2468c4bfcb05a5

SHA512
35d0bc8ca912f0b55b60b16438a99686c88b69bfa37bb65bbb3dc3c704e93499c6861799068c696d6796ea5c7d3380157274bfa49ec8c8e46daf5489153c4848

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn.PLAY
Filesize
1KB

MD5
a8a681f72a2464b1e586f35c6b36dbbb

SHA1
6c8eb8623f6f8f745d6620c1d17ccd84f0b45ba3

SHA256
b1744025e53e7a464615392a69f58e031ddf05adac4b24846aabc49518edfdae

SHA512
b6386177d95e012fa6f26ba91d492b2a27d00173c4bffca7a3a2c2f52abcf35826b1c6233acefd4a9a8e76e750500b6606f76adb0e05ad4743dc97f81479a118

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn.PLAY
Filesize
1KB

MD5
79fce6d50af8bea54ebe2db04cc122ce

SHA1
581cacfe4d016fd4f857a08ba9a8864a98134c0d

SHA256
7a2c1091a6ec9da17a6167d73756c12a37f1300993199a523fa4a12be3670ea5

SHA512
e49e2ccdffb4e35e1ddc20c44ce9bd05e4af5a849a772dcbe6766ec0cd3bbbfc86ebded581e03c8d4614dddf355a9c3b614128e6493cfd2030fcc1225d2046c4

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn.PLAY
Filesize
1KB

MD5
ec282cad791a3c1635bd631c46225eed

SHA1
62f4e179ecf1b0e629b6a5b2be16c8b5696f689c

SHA256
76d5657b2476a9bbdd65f0bb43482b6d0c964bb1a12c65939d7e8543410a30ec

SHA512
7657e5a9ba291a5a6edfccf03873bfdc1fffbc116d586394e1d22654f17e0871f478243cabd75166ff8832432a3dd9cf9c81b19b188ec8665b22ee404549507a

Download Submit
C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn.PLAY
Filesize
1KB

MD5
35db8a88f9221e374ddc9a14d0075e1f

SHA1
b2a9121512c6a389706e28786c3892961a2f02b8

SHA256
6c68429de0045c8db62703cf119d6b4b4b87185b6740db1b9c72085111190da1

SHA512
08283eecbbd9b475f72a388fd84ce3d9c9f9c7c3afc076bdbb96d3a7899f70fc725c384056af043c992cb72a6e2f7decd0db154486169838e4610695893e6fd8

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn.PLAY
Filesize
1KB

MD5
e8e1935f500f17566daa1f3f7770a15a

SHA1
5f9bfe1c076d03460e8d06f6429dd7ec71873772

SHA256
ac40803fcb571f742e93ae768c707a90768489974588d8f1001087e774323c3d

SHA512
29f1a22c448adaa93335b92483d2c5ccad2510cee0c2b3d0c8595ec978a3456ab25ed81af30c25a3c7bac5ced4b776ed307ce8f74f6b7627f1c8c36b50a473e2

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn.PLAY
Filesize
1KB

MD5
39e5ebf4b30550b646bb267bc17bb47d

SHA1
bdc69978f7dc211afa88b07fd0c6c7a662bc7d4d

SHA256
e06002739d9ee769103a72baddb8910e8cea9165216c59c2ab0a83808de8ae6e

SHA512
c311968ac61c13b6367af57d5965cbf9f121fcd8ca06e7739f301e288ffaf92735cd24c123e1745cfca865804bf8fcc8f99c364871e7b630e7cd694bb4ad346d

Download Submit
C:\ProgramData\Microsoft Help\nslist.hxl.PLAY
Filesize
7KB

MD5
16efe1c9d7790ca41b44327e24a70dcb

SHA1
84ef9495a4bb9b250511a9b9b33b8271e16f19d0

SHA256
39e7388820e4321344100d564cbe89842c66e2fcbeda5142953ec1c46ce9669a

SHA512
3b14e8f9e85ee8d1ea838db4db14c5d398f9acb27ea030f18901448f3b85125765e073ac4aff4d2ed1da0cff6636d8c42ba1c3c20ca3a413d76eabcf9552d1b4

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY
Filesize
1KB

MD5
bd9c871828acaf316d936dff0c42264a

SHA1
f737d93d6ae5ff9b9b26df86b4e3ac07e2c3f6a8

SHA256
07c500a96a193de983a94340a0e760945f142dc20f9b0086ee6357e7bda4514d

SHA512
e1c69f1e3ec63ba8a4cdd826b0055a572a6c6681ab01888e5f89d08dfa55559fe963010c9f67360196392ec787bbe49e484d897b97ae9caf116670eeb6e4ae92

Download Submit
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu.PLAY
Filesize
1011KB

MD5
293af9cf5aa83238a6cd7d2eac32a2a3

SHA1
858030f4523322f03c35561154a505379ff894c2

SHA256
9289e6defc720e3f74ca8009ac4d049b35b7150fe5a609c686a54b7dba182772

SHA512
384b26164bc0e0158040bf80a98b9a6d4925bc6379882b9c17a3056e34928215f13942a9ed198ce95d386d8dffcb142aa730a3ac58a7c70fc648be03c2ab5c50

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY
Filesize
1KB

MD5
fc5e53698d1011b15b251fdcbadc0e40

SHA1
1ffae8804f73039a02356f28520718c9e289e744

SHA256
6a58fc2db7aa90c6b02d9a76bfadea4bf950ae9784df8b770f8462f20efba66e

SHA512
815091750823429d14b2e22e91503d62f4a09450938c7c8badb4500df439d38ba54b1af8f6136342a748dd661fa15b7fa679cedc5fbf33faa5110d6171216f8b

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
Filesize
5.5MB

MD5
a429930fcf4ad945be59da8dcf4195b3

SHA1
579591710f4f5d02b748b19b2262f536305bb280

SHA256
cae27003a084e5d9307eaf4b877b054782ea14b98180343e4188d059a0827505

SHA512
ef054217d1c930b1a3a3a26d8f8519c248168a2fd33529e3710f7ac836a6944e88d084c84bb0bba63280e5714799b29c4bf6cf14ae5a50c73cb9d395bae35497

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY
Filesize
1KB

MD5
c38fe2f742f39e5c9b68188bf6ef9877

SHA1
2e8a69c03fea273ffc9e728e61378cc6bb6e8746

SHA256
9a4918c4dd34ed5a61a97299032c15908207a17c6abaee853eece9485d394075

SHA512
6c00f7c649c0ace09c7fb7ceb6c9399c4de96b7fdef27c2e3b8836bd17d76cd6dc6a1c4351b691a59dfcbeba8d323100a04c30de7ec33bc671907da315ff8fca

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
Filesize
5.3MB

MD5
1945618c3245ed220a666b74dab3bbe7

SHA1
f7331c20b9847e0349b35d2fc0beb37a894350ed

SHA256
9a49d08e4b5c2f14222083edfc7edf3a338964b23e02a85c9a735f8b31e6287d

SHA512
13d9086990534759172c04fec712c45640d964f74b3427546945ac625d9ec4c7563bf125354cb5025b41667b9a0d950bf0058cf7e971f13b0726ce64b5e79595

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY
Filesize
1KB

MD5
2f35254a0e39affcd99c12e705b2ffd9

SHA1
fad8aa31a0fa4b9cae94de8ee44180b1bc9ca062

SHA256
b3655922b43abe7e6b1c9685f07657c7dc8fd4acab21a1e6910db3fbd8dd7e77

SHA512
dcb82eda9b8ca7ed9de473cf149fd07faed38e00111b4d49105355f33a9b316e5e87e6f9cb10850937d61cbfd3933e8c6585c375b6f355a413b4711c6eb1a0a6

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY
Filesize
1KB

MD5
249aa3729bdad678ecf323bc7b835137

SHA1
4443a936d46cae2bc2de1ef913e631b35691c4b9

SHA256
5086fd59346739904d8869ce28e6dfc06df7ebf39384dd83451edfab5effda97

SHA512
27c8cfa885eb1ebe6a84197dc188e2008aeba5e54656887555953a3e17b8ddc12b9642326d7f2fa57d673898979ebca2b8779f46b59659273ed45e44b3cb0040

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
Filesize
870KB

MD5
c1ac6426f9c66bfa72336a788ee1b571

SHA1
3f67d5756975b74dce36e5ee976f43daf03931ae

SHA256
f807ee58b83f53a833ace2145857725f887e0c4458c1b3b0bcacb015fb92e4af

SHA512
99601d279fb8f7f5207a85eccb59cf69c6d331829d5262bfc8aa0bc6b759919bced1b19381a9f43065a6648e584d23811474bab163cf047f01ccabc2748d9574

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
Filesize
5.4MB

MD5
7c26c48ac501e9fd3260f26d55bcecfe

SHA1
5d37b52042cbfff2c041c0ad67e37f871439b3fb

SHA256
61e960366eb4755ae013815df312277f5f7e9d748994b2ff5db8852f76b33448

SHA512
c0c3eb74a17fef778b7799a33fa9528b40ee8511985c5a0f6efcfe88bc9d65d522f6d541153dd37c87d96ed12c6a1d2e204f2959f464a567ba4329c36cbaf7fd

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
Filesize
4.7MB

MD5
5b25070191815c9909e8a98cffe879d7

SHA1
07945a77468e901e9d539aefdf00e4584e641955

SHA256
6da937c618aec7255723c85476c389bf7bda20364def6f329a12ab03fbf5bd63

SHA512
623d1cce40bad74333590cc43a6ec4ffa0af7eeeac90c9277ff99ff7b513a4696e174ce95f1716777b1bcd79f5077b63e29ccd3194fe52ff65d480f089a14f03

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
Filesize
4.9MB

MD5
dddd84a99e53342de39d0244ffb16f84

SHA1
cb51ff68772dfb0226f0f65f5ed5a05fa7b29dc2

SHA256
628952f304383e4b63fd33e70800b11c45a9310c3cf4146d56b84c6cb8b711c0

SHA512
06bfc2a954f26d03a2d293c958ad36352623eac9ad6c33c4935c2e420e3a322c75c32c901de1e58b48a315959d28d1abdf85fd8e7f13ae41fe8c695704e70348

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY
Filesize
803KB

MD5
cd253c6246264322f8628192f2d588c6

SHA1
be666aff8b1b852a439528b3caa081794a0cd39f

SHA256
2fa20ba61c2c76ce6aca67e35d21bf86563c991fa0238c95d1ee7490dafc341a

SHA512
56881b5704acf38f7fc231331341adf8210b6c135f2cd1853078da17daa8abb4cc1c35e5ef63e150e3c62c24aa693fdbdfecf1097e594413919c25431bc50567

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
Filesize
4.9MB

MD5
4f3c40b61684ab69862e9b868818a1a0

SHA1
2c825876bfe3e340614a18a368549a960f83cc7b

SHA256
646437f7477dd534f0c8bac25ac3127c5750b8d8f2c978b00dbbf0caf0025ab3

SHA512
d871b8a10a11b764bd4e5eea312ee9f571a8e074d134db5d311be4945f98459e66645f619d4e1c8d1f16c5f6b421988a8384975a0e0f949c4c7ca28a31e96e20

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
Filesize
1011KB

MD5
5a234be53f48932b8fc88c4fc94a4b24

SHA1
527177a0c919fbe8fa2cadf5194fe88ca24cf5a4

SHA256
1a84d1f5d3160732953dbec16b5f8fe2dec67eb22c25442187343e3bc87878c0

SHA512
80f0d73aaafb00d0feff76408d10ead67477c05a1680fa0a8416f92899c30297767cafa8f4f579660fdf1d659a1736c9afac8d36a5e2f26347dff7e06e59d7f1

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
Filesize
791KB

MD5
acc43db99839306c30265f32392edb92

SHA1
fa2ec4edd6343d8222be3048731f305a3ae4cb85

SHA256
bc7d68c001fc127fb737f3996ccc2539fde8cf2c2ea9e79ee4a5d87ad5d31b31

SHA512
eb1abb1fe375c00f230869b04f82f9dffa5cc7e1eeba234a08fecb4cabcb5bc17ee8f11e0eca7f372794dbba51e657d63e49c4d397d8d58a0a36f63c825c0ddf

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY
Filesize
974KB

MD5
0dfd6710464af88078f685f4ed308c3c

SHA1
324ebe9925dc2ee265ee94042e73174529b7aa3c

SHA256
fe56d7eacb3c4b9e0c0fcc5154212e187f391159d3f52810b3d61afdff95f5f9

SHA512
0b8a96796527c83d0c12b39c043bae7166d3224196e66a413a22a102b9b9cab2ba007cfd80b3d225306c2f9e178dab0655050e819e5824d0b9d8558c7f99da3f

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY
Filesize
742KB

MD5
82b536ecd306728bbee120e9dc1aa205

SHA1
76e72d0310b4a30af03b0cbf189ea4509340c96d

SHA256
d05a74ea04f5ffc474af6b8415b12623fc481b478188dfb6e8c8e1beff7bc264

SHA512
b6321a885021af38495656d2db94410cd173a2500ca7238eb20951072b6363948ccb155fbb7ec7b20009a188efd630fd4c1fb4da099f6013acee8c26e7064c4c

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY
Filesize
1KB

MD5
2b238a695a170abe83d2445dcf677aea

SHA1
adbebd8c274f753a3796d133b419a926af5b6675

SHA256
45b0f0dcd6921acb89c3aabddeb89195542541eccdc6766d3e509bd6c44c723a

SHA512
42bff8855e7e22658dc83c91d8bf45623c06178c919fac7aab62ab41d19650df4591e9636486d0666d18b4086ab4d8e385f56d7d2ec24d508ae2c822dec4cd62

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY
Filesize
1KB

MD5
1e53401f53952b0193eb60e9510f55d1

SHA1
e032da68008984fe6f8ef765b00315edc2516d6c

SHA256
8133e01ed1faa9decf3c7798562c890f0d14183289a7ba4a711f3ee97c06c2cb

SHA512
b3d710b22d54c17318ba301fd783457f0f0855635d1af80ef90e52a7aeb28b7de88da1f2989a53b6a549bd818561002e3eedff3ffafa593e3675292b92757bde

Download Submit
memory/2564-53-0x00000000001A0000-0x00000000001CC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads