play | 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55

Analysis

max time kernel
330s
max time network
318s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
Size

178KB
MD5

223eff1610b432a1f1aa06c60bd7b9a6
SHA1

14177730443c65aefeeda3162b324fdedf9cf9e0
SHA256

006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
SHA512

cf8b097e4d8dae444c4759a6588bcc5769694d34675f17fed5ee6d0b7aa52ed44263b0cc73f4ff422182a01ad8d69b18a71110c4fc4e9dd2233e9cfe833cbd36
SSDEEP

3072:Yrl2uRkddO+iR7OZOQ+dzeIP9mwUGU3l2bxW1/9JnOC/fhKJ2hXh3lmG:22uyqOh2g8U12K9dtEWx17

Score

10^/10

play ransomware spyware stealer

Malware Config

Signatures

PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
ransomware play
Renames multiple (8486) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 39 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Public\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-452311807-3713411997-1028535425-1000\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\Y:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\Z:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\J:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\L:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\P:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\Q:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\V:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\G:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\H:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\N:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\S:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\W:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\A:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\E:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\K:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\U:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\R:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\T:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\B:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\I:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\M:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened (read-only)	\??\O:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\resources.jar.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Address.accft.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\EVRGREEN.INF.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\vlc.mo.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00103_.GIF.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18235_.WMF.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_COL.HXT.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\cpu.css	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\clock.js	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dubai.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excel.exe.manifest.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgRes.dll.mui	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\THMBNAIL.PNG	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXSEC32.DLL	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\wmpnscfg.exe.mui	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01157_.WMF	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\gadget.xml	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00234_.WMF.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\TAB_ON.GIF.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00014_.WMF.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02413_.WMF	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00428_.WMF.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19827_.WMF.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyReport.dotx.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Metro.eftx	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jre7\lib\resources.jar.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_ON.GIF.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_fr.properties.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21331_.GIF.PLAY	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Taipei	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLCALL32.DLL	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\Sidebar.exe.mui	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_Classes\Local Settings	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe
"C:\Users\Admin\AppData\Local\Temp\006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:1132

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\CompleteConvertTo.mp3.PLAY
1⤵
- Modifies registry class
PID:71124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-452311807-3713411997-1028535425-1000\desktop.ini

Filesize
1KB

MD5
18b6ad674d9773c32fdc96dd5154663f

SHA1
ad145c5a1017c5786e5260acb6c84478e020ffc4

SHA256
ed8d8ac929024497298667a830a578c53c5367f4e8992460a51cfc5c3f3375d8

SHA512
947a03c11bf7fbda76abab3a756c0a2a0e5187f00bf8a15944a24b3298a11c51bd40681463c2f1fa40eddd5526beeb47fbe2670d7d2d94c7cad1e64f6b3129af

Download Submit
C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata.PLAY

Filesize
1KB

MD5
2ff718c89e02cae624b6b8642697e1c4

SHA1
9180b0a0a169f9a3ecbfe03e1661d256b0bcc04a

SHA256
aa441f0cab16ad666b3435fd2b2958533e212082e8de1ab1c94bfd93946ec7f3

SHA512
f319073ed31f24cd9cf508119f2bedba7f687676075c0bae584203088e3fdd287373d811f3787aa74855ada721d5b910db8deffdcbe6dabb731eb6c946e52cf1

Download Submit
C:\ProgramData\Adobe\Updater6\AdobeESDGlobalApps.xml.PLAY

Filesize
1KB

MD5
104acd2ab10ed21b3da1d5ccc352647a

SHA1
73f5f03fba9d05914de289d9f03e260c5c512c19

SHA256
210b8bb9a92d9ed40da0ff63ddccdcae2704742848f7b70bb02bfce45afefc6a

SHA512
85df8ca2fc0489ae1720b310339ac5f4772da2de3a3b9376a5d43f72c7080cdcc413fce1c4252d4837529a2eb72c19ad69ec31df87a0154bc3fea8bc83e7db09

Download Submit
C:\ProgramData\Microsoft Help\Hx.hxn.PLAY

Filesize
1KB

MD5
46ad0a16b95c7b00e3113f0a78374813

SHA1
1cd8405a0c43a31e12b4e5e37d7fa0f352baeb90

SHA256
cd162a647ac2c0bc2a20bd6b9670b1ebc60e58c354225fded8cff0f5e46c4c95

SHA512
164b11c7a46daa90345d5796f44d4067c2e2499e02d19b6b603257beb31f77012f600942f96133e2453ded6a85cf8c59917676d722613709294d64ad832edf9d

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_K.HxW.PLAY

Filesize
14KB

MD5
b92246e1241090b578cde42f11cb9b05

SHA1
1f6d22ebdafbe0e0dd77ea6cd337a91dbd3c681b

SHA256
70601c7b56a7f67f23288c60b6b81232ce4b746bd6828012df7a7e0321cdc2dd

SHA512
edb067988078a6619c1617e15fe29aebe49123cefbb09446f2a339737b30ea13b3e47f4a02b96a92c3910c85c4cf24082def90eb99dad1859761c5ff87e8993e

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW.PLAY

Filesize
14KB

MD5
fb2a4f7257ca3472cc9a4e0963bf2f21

SHA1
094e13303b968143f9a892d779fa89d76ca700c5

SHA256
f720fc6984337bafde72f09e71408c86e5cb0f0e4acbddad90ede9254fbbb4a6

SHA512
c65562e6949b878e202af917611c4d62331cd88794f09e3f700684a5c2d3e74931bb17857a180fe0ca084f6c830a00dc165f79563ae797d97f6f84c6517f5583

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH.PLAY

Filesize
10KB

MD5
9ba24d40e9c5021d284e6001593b107c

SHA1
5f84f6bef20d5d05eff559d82323e522f9331d87

SHA256
e1ed28444ab0c9c38ea147da219859a9b94a446b8a7814cd22061841703efcf8

SHA512
76f947edfcbb949dd5ac68856c58823e4133846bae8e45ab81dfa8c3a0fc647dcd236c449d3e582d3aeeddf7634f754c673a813f42eb51ef5cece5a12889d438

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MValidator.HxD.PLAY

Filesize
10KB

MD5
ad933e360cb9003603e214e1582464e0

SHA1
f883b6818a364c8b6a51a362cb46266b189a6d76

SHA256
d195fae7129c703f4f6abdeb1bcc1f5a485eb3426d4179cd6c1e6e056bc70db4

SHA512
9324247133f01eab07e3baee46acbab27e64a025c2c458536ce0bd8cac2a9ee2408ac45cd4f9e7d585d65b63176dec31c3d75dd7baf990a8db89bcea958a4400

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn.PLAY

Filesize
1KB

MD5
c4d3ea7f736fc9c6b584cb894ea91610

SHA1
d0ba90b73a05160d74ed00931bf8f551fefc120a

SHA256
f78a8720e0e3d09f140d3cf7c51acac55d5300ad228f1b4289fe4a50294ac356

SHA512
0f44813504fa11a3c78b3b288659cdb249074250df5273061f7fe299abba890997eb417f6e4b9e042a213eb43f62faa6666e8914480a77a8a05797d74caf655c

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn.PLAY

Filesize
1KB

MD5
d983f1dfb2c239599562a00dfc1a32b7

SHA1
7cc3c74314746ce62ba23ac31305b05fb1f0eca4

SHA256
114e357d678691960035827b8b9a4b2bc3dc0e8177fda47b8375f5cadcf2db71

SHA512
4784c35bfd985357da9f824538c792a20db46d59e3ecb603ad8458c953138ec9f9130da15f328bd8819bb26095c054ec96a7c7613bb6dac201a9357b973e723b

Download Submit
C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn.PLAY

Filesize
1KB

MD5
e46e2f57e8d6cdc404dd59d9be4dd50d

SHA1
7b5b7bbd0d4bfc693ea61fe1878cd7ccb9404f0e

SHA256
78b27366cc7fec651206417fc04b1503ffada13bbe4a2ab446af2588f74232d1

SHA512
99183c0e116a3545fba5f3f47612f97b76b0b221f480405330eed1d36fd7e32c76b7f0dfd426717c73e9240ab7b60ae60dfc5b36bc43c353fb05e222796dbe78

Download Submit
C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn.PLAY

Filesize
1KB

MD5
cfd4b155042d34285e8905e9d91bf753

SHA1
af0840fa011626b43371fa2837998b6dacc28177

SHA256
45ef44d77eb011a31ff8d34f0e5c2cc927a8459c605a28a484269ad7d75ab783

SHA512
3d7fd10a201c38136dc567b61e7cc12ebbe835c24316fd3e0a2fb6b47ac8bc3c1a6e302b0657b5e7839d01622264931ff4cf1cf34d3510de94998565e5aa9ac5

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn.PLAY

Filesize
1KB

MD5
df010e990b4c40103c5aaae8e2e38bb2

SHA1
1ff90810c3d03d67eb7b24741d11d8504e2d15df

SHA256
20e33ca9f59171c4033176761c8b43ceea1a1f5601dcef69db3263b53832fc85

SHA512
d7d18d5e9c34fb743c14df20efb9f61c24ed62c1b18386461c7873af4c9038c358365a08c948da5edfb7a72a1b9d412bc607121ceff29a0d04e8404e5b2fe1f9

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn.PLAY

Filesize
1KB

MD5
033ce878e76d00fff4db0a15e66bf17f

SHA1
64872428ba4a001a5599acb243cbd423f0c6a4ef

SHA256
2b330544509f91b300470496d7221ea4469ef65d3cef690b980d3a570556e298

SHA512
92371d34c8205d8c6c9a5451765e14879039c5772e005b211424bc6caa77d99bec1674a6dc2b6c35c52f163eb799ac9c123db8b8ca0f2e87f6f7d0bc1a72832f

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn.PLAY

Filesize
1KB

MD5
33f30963d20674a54c15c04c282443c8

SHA1
ece9422ca4ff88cba174e250a47e29ebb320cd4d

SHA256
94b9845051f085b7ccca45b4829e277db3bd3abe0a920b8cab870991fdd1191b

SHA512
b3598bc3c401f5a2840ad07888d4079ffb16d7aa2cf01c855cf0c56095525b7708d2a7c6e8e34860139d30a0ff356480e09581c5154268441f14adb2b24aedfd

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn.PLAY

Filesize
1KB

MD5
3a0a3524419d2564537e6059b46b0034

SHA1
a2f510b97c10b89d33907386cb1c31bf670d16d1

SHA256
5c828e453429470a13ee75c31593b343d3a6eabc3f266a09fc0f9c07a32287c0

SHA512
3632054f0a28818639834084a0d5de69c072978483c68f8aed8bfe9174e1174f761cae89ef9a6f49640c3325211693a81de348bbc3731d655a31d48ba4d5ad53

Download Submit
C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn.PLAY

Filesize
1KB

MD5
4e50d8ab554b3b650a375e65fb1d6f96

SHA1
58df99a83410128a8fabfe223030b6535afaa09c

SHA256
359ea08d581d0ee5e47f4c5676121edfafc72dfd09c898265932680e50a2c1c6

SHA512
09ad1011e3e7f3e5fa8d07932872991b626a32b8a60f49337e48a1d514f9468a628d3348952bc03d12efeac84ab4053427863e579ec6a21a605004692c2374b0

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn.PLAY

Filesize
1KB

MD5
adadf92109fc9ec6621678ab8bf52a1f

SHA1
b49f3fa6bb48ff4d5c7447fab7a391ce79a0b655

SHA256
60b1f82c9f34e0090fbedbec2c3a7a897282d777285d68de34f37402c656bbf0

SHA512
e00b52687e6a553080cc17c4362e046471768e33f10af8d819fdc36ad5d398a7e625cc61fab5e56794155cc0a847b012cbf06f8204db287b79b6233e39c97e40

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn.PLAY

Filesize
1KB

MD5
e14f8e0de1c0f29d2fb21d79018f831f

SHA1
a9a75590c0a8d7a30f737cf35f0ac680c683181d

SHA256
bba78555b10ab473df71f629408916f266f43b6e882bbd842b5a770edd607c04

SHA512
5d6c27deb5ab482870a4e069e029e25c98b05051d61dfa4cbf7b2710a697dcbdd976f2a44486445071e17e70bde0a7570fbf784f1fb4da6e448c469872a13750

Download Submit
C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn.PLAY

Filesize
1KB

MD5
e553d36e2c19dbc07d7200919bf3b233

SHA1
c2b7c7192efcec7eed6ecee2e7b9f080435dc6b4

SHA256
7d33d505f052621b10c6923bbbc0bdd822de10b558f3dcb821c926d90a80d642

SHA512
7aa2dc3fe1d615bc6dc3200810be7de7af89e776456b53ac1e515e3ad0038bec8f4027f1817ae19edf7f3b71875fb778643ec5e71e80f284e4171b8c17322c42

Download Submit
C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn.PLAY

Filesize
1KB

MD5
70a377df3ccd729ca69b38f7de435ad7

SHA1
8015dcbf47bf2a67923cb6db04b6e16eaf92e4d2

SHA256
fe4e9c722ada1de6dbf53657591effa866dc4ade06a192fca048aa38d231fcc8

SHA512
c77a50ebe53dec9c28c9abf7b69a1e0a031aaa041d9be2be911603e8eafdbeb841742bc25e89124aee660eb38912cc72413c50c1609bd772ebfb95be0219aa81

Download Submit
C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn.PLAY

Filesize
1KB

MD5
7ddfe5ffadd90892bd001b66bdd2b1a9

SHA1
662bb95e02b427d02ce4d1ec1a383bdb79f7e245

SHA256
e1d6d20653d6af0bb6e5c8c1dc0952e0c0e7bac1f13df19841774bfd80199c3c

SHA512
78e4e6e3924ec060aa0890f953e8c3ae3c8b2ea4fc74f5e3e6f67bd21301d30428488e5364556b478a90c8793a24cc3ddf0ea42526cc0b0548533979e719d89a

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn.PLAY

Filesize
1KB

MD5
52b1930765010e59b9d27f9fedef5c20

SHA1
9e270d45335e108f760a25341e157550bbbeecd3

SHA256
9152ac45784ceacf08df09f32501d2ef759edee5ee5635f2b546019e6aefe65b

SHA512
cfc2e44679072d8b90d54c29d37664deba21327091f5b1f20575ef9c1e0ad28478e51ece103fc1ce0b1f1ad1778c894fec0b5edd56e69aee52b68048abf39554

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn.PLAY

Filesize
1KB

MD5
9c244e7289c010eaf5ea44d77a973f5b

SHA1
5cc878c79d43d5b7725a960639c840d57944e3e8

SHA256
dd4ecf492f12c492cf4f2e06d463934142eaff56e2676807394e87240c4f93f0

SHA512
a7b0b258d019a321608f7d339486c527ccc0e6aecadc6574cf522fc5b26125ff3134e8358e64b08a7b7986344a1137eef55cf6c0e26c506272fa52073c445e9d

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn.PLAY

Filesize
1KB

MD5
811224053e3b71cda1fa98518e0663c9

SHA1
bf180194cd4a7c927d67ac3350749df5a403a214

SHA256
a82c046bbe9bafbfd818e7415537457b3489bfd5ed757de948b457133721086a

SHA512
deaf6a818758f43a5ebff67f404713c2cc4cd466aedbbcce4a4cae52a03056d503d4185445797f8c1a47c43321f671861eb8379666c1d7da0c126adbe47676a5

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn.PLAY

Filesize
1KB

MD5
d861f09bd5104239f1f23bde1e147976

SHA1
ca34388cdaafa6656d07afdf746075f413d902d7

SHA256
4a5d65d1655bf6614deaba221ce5f2d8b813cdfbdd410f1f02542a9c251f13f5

SHA512
34cce0db46e3eeca85c66ef31e46431dc9050579c4282a0c1c13c9bd9fd17b3ae937337ae07b58c4e37867b04fcd1191a48c0312d2bab359c2844a3d1cb48ddc

Download Submit
C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn.PLAY

Filesize
1KB

MD5
36a59ea0e7d0d4cbdfd282deef4144f8

SHA1
42b881d8ad3d5ce8da81a28b9413c6d331012ebb

SHA256
cabafa929632701965cf11f076820b6e0fa62aa5a485c8707c75f7c03e41ee80

SHA512
f8d1b0864a7fdef72164f8e5c7e636e4df1da0d0226d206ca0e342158d64cd110801eeaef85a27911e86a6debc01a0ae44c5fcb62b1fe16e2dbe5435c5dc0f39

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn.PLAY

Filesize
1KB

MD5
dcbebf6020494c8896e90a35cb7c14b3

SHA1
e688bcf9c13ce4accb8dec65ef5d255a33c8b805

SHA256
3ab5dc5a6a1ddc8978a7c44be61af45b7225b3daea289f0f64350dc0ff071cf2

SHA512
bfec2af56e54c0fe7ad34f71796d0a6c34b27c289da56cf79b2835b406afbd3797f2afc381077512c780a3e3fd01080772bcb9b0e8c984c079d1e81c99e58d74

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn.PLAY

Filesize
1KB

MD5
76eae2964cdadb558ae9945e3006478d

SHA1
fef01fd4888108c8a3482572c23bb404c502de97

SHA256
2e2b6ccdaa39103eaf7f081a7716a5502dd46c71ea5b5a5ea56879f57a8906af

SHA512
5fdb5727d04d87f687711663ca6706842d147aa8867f4f72859e351e3b5404c7960230068054d285f2034c4f03938636c86625cb277b08ec6c97610fa9cf117d

Download Submit
C:\ProgramData\Microsoft Help\nslist.hxl.PLAY

Filesize
7KB

MD5
b83751940472d7ce49c3639125ec29d5

SHA1
fa542042ed853c5391fa2420a89d64851ea48f7b

SHA256
c549701d780f43af2036af392bf31a97d15ca67c2cc3aa3617cc7fc95f10a3c5

SHA512
5578875fac275c64284047d55bedf3d940225b5b9a44ffe61ab539fc1c2d37d43196c6c68a5d3bb76c60f15faa3d1dceb24ec7735dc9725bbf31156938a0e5ce

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

Filesize
1KB

MD5
440a6b38dc9b7fa474d4489a9bb0f3e9

SHA1
020c4fc71e9f5b2d23185d596eb3857e399dd01e

SHA256
6c84d042725d939b5575e9598ef1d2d4e2c604da0b61c093e815b47025f1be14

SHA512
3e2a51d3268a38b78d9999b876a3225143edc52a62386d8c4d393041ceb0f5bd03630c6e1304f4d72da00e6decd1ffedfa95afeb23d9783355fce09d10ffb803

Download Submit
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu.PLAY

Filesize
1011KB

MD5
ac5ed2c8420d9cdd39c1971422c1a941

SHA1
0a80a5009eaaf180ec865cac0f3f01fbccfb3730

SHA256
1fc572888c0c8536d43b3e03a315d1df0e745763adf3669084be71383773d05f

SHA512
0c306abaf50964626a3a914df47953c66d610a9932a4ea292baa97fec2acc399ed0dfd7d9d6b723725dfed4b8636d8ab850b037be2d6facdfbaa6b66e59a09e7

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

Filesize
1KB

MD5
779cb4da0a98dd44939d3a70158d4f0d

SHA1
d3fbc97deaa5bbe5919250d598fb3b9948ea84fe

SHA256
cecd66741c04f486336616fd7108b8f5fb095ac4be118d3b7a495702213286a2

SHA512
b1417cee4f9b9f4fc47725204437d4176216401cf9d25e0e9f9485614530c0c1b8d7d5ba492b042dc1d479b3a7108e382ea9f8086465cfc814c6cdcb1b154d88

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
64KB

MD5
33c824c49a0b0aa7c818ea427a89dceb

SHA1
cd5ce8b6e0201efdc28cd11707d14a5e629c00d4

SHA256
28cb4cca77c145862d673de93a93f27f2bdf4bd78c15464f38cd0bcaf2bd51bd

SHA512
e9b4e807d427e8e66f1fe7495a1df88d27736a29df2b6394fcebb06946d7895b834129ccda66fbbd47a36984de03150b3d65fb8e7627f3cd171300f578447cd1

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

Filesize
1KB

MD5
8aa7c28d95878486f4c13dcc9c3a57df

SHA1
4e6c10ee442516681907b065c4e0fd0260b144ec

SHA256
33ea96e4ff4146dad0f9f218a68f47c4c17e30c1506a8b7e646df353b14cec6c

SHA512
9e839c89832e6f72db14bf75a96280d6c6b9510f30137f4597f0a84b8be9f3c5455bf5a0fa21bd83cb5045677275080ba74fe8aef11257a87467021482054402

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
64KB

MD5
a62639b74fa8189294ca0adbf9b68bb7

SHA1
cb588eb67c233125302b34d8ed88a87e05af962a

SHA256
678af79c83a93befa60612f18be87a319565a8db6f3f54ad965577cccda2cc8f

SHA512
648808a3c4a688b9b2381ffcc98c167a0695aa8d16496c03d4102abca2b6150ea4251bacb84fa43686afd80ed13b3ee78b5a6c764f48da7990695b323db2ea73

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

Filesize
1KB

MD5
808b58b9522ae02d73ddd9d6eeb3b43f

SHA1
62a9d0f39d6bcb1a511a2d94b507681cf76afbc6

SHA256
ed18a8c7632f4e53626a68ad07681f21ed876d99b29fe559cd86c6c2d1ea9b90

SHA512
7d61cc8d81e1912d6c6190cf19de102b8ca3ca8c9d40687e4f332dfd5a03ac20507396c54eace7d328c2947c4ac78ba1b757aa5b06d6c9e71e62d94db94d82e0

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

Filesize
1KB

MD5
35052d63371684b363f3203e9465154c

SHA1
0d3e0ab1579c1f3baf38becfe00f8b883b2380d2

SHA256
499c278f28ca14e28fd8e5ae14cac7bf00a4e501ac3e40474ce93ceb2c286648

SHA512
73011d6f4b48b98df64296c9123376d6197dd73fd07ee571c141d19f38029333132b97e38eecaa838b068bcb58d7f5c9c4aa2155f5940c0e72cbc6f265db5351

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
870KB

MD5
af69b51d60fa16e146d24e8fdbcc2fff

SHA1
960ff3cf92d1d37f35cea9b77c57b604ab161b6c

SHA256
2c5e1f3f324d2d199db21369e4c056ff174ee50794dc4853168fed810385c019

SHA512
efdcc3f684da36891fe70abb32236529870ef13bd89b1c0ffc5f6230e1c65d62e93b78f3672238368f2a3cd21e51961834d6cf1d04e5921f1f6b4fdf203f357b

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
64KB

MD5
e86da03deb7bb184d849f8c40235a117

SHA1
1f78722867a809fcfd080c6feda24dca6a463c96

SHA256
c9779b6a2d4b9372952a020eec1efe50efea948b2b0d2564794d70778b55fdd9

SHA512
18728b219d195f5a07132a42fad83fe2193d718bbdfa7a63363cbf24891e1e65530703bc8660eacb5a80d3d17c5e76215462de3218fcb1095cc6ffca2dd9f8fd

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
64KB

MD5
d1d5b0ae490f084286505d5e6333e9ed

SHA1
4de3c44713173665860810527bed821667549621

SHA256
b1dde6713ace3608af199a7556c228e43eea70dfef3bf5cc4e02dd033c75f3e5

SHA512
c814e3a2752474f08b9795d08a6cc11a706b70ee396ea8817284664211469bea92fe400552fba7830a5e4bae53a8b5429c40b061932289e0877f59e4180216f5

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
803KB

MD5
c5273485416b70072b69c2d8274f7568

SHA1
b1465e07214642c4532cfbcb01ee721bcca42d48

SHA256
699096fc3bd21c5b0fa5d85abd5738685d8bb0ff79987e62cb1ec7969c3f578d

SHA512
e966bd32479e9e5b042ea7d00fa210d1e0f9d79750438b63598df0097131f0c53b981b5592a7bd475202a4318ae3849fc27502867b77a23cbdcd8a237d75b931

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
64KB

MD5
d04143ef766693b38207bbd1f682db52

SHA1
906b65f7d5a2f372b1fcda8e8fda57d06e4053a0

SHA256
a89aa9456b32d7c974277ba208fd588939ead91bfe135d391d5bc0defda3c38b

SHA512
2ff6d59828f452c6075a6609f649602083b01f983c4fcc507530eefffacf22cddd471f3510025f250d736460d0947557e651091c100caaa963735ce27e7ae524

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
1011KB

MD5
34e4b8b2fb0e5e735a22c5c668564b5f

SHA1
8a3213498620314d175ec62ba4ffe8767a37f6bc

SHA256
1a8e9da5cbec60b6a72368221ab474ddb5ad8ce5215ad2a5561ba9f9b2902ff1

SHA512
eb5aa8227b899134a1e366d27fc90139342f065c5930f81a1a9da64aef0d2e491810d450c3768647cb4126d1d19a8423b8e141602e3278f86eec1f5d94436745

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
791KB

MD5
5ed4cf90130c73a1053fc2d5be91e5cc

SHA1
63847d11186f0bde716c07c0e44620d33fce1b26

SHA256
46f5829691842178eac25215db7fd95d3625e1f9b5fdd78bff95d51e53783d1e

SHA512
12d04495b5cc929269b6de8e4f31009fc9085f3bece76010e7e24c23e455ff44d7d9027a23aa61f7073c0379822389b7fa3dcd7f072e0eacb2b27f48ca97b4b1

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
974KB

MD5
9b495b7eff1a25af6053c684323f1c46

SHA1
9664049390fce48de728c36ba297c3bdba235a37

SHA256
c5b46f290c3df202f9b82d762fc898dccd2e1e6dacba1f13d00c1d8a7d8e1e85

SHA512
d1688cdace490c727b2f2de025b5ce730ef5febaa9fbd769ba054323b0d8ba30f7a2f6b9f564fd2474b1a4266fb85ba31361b16a49e39812317af0ddb6fb2879

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
742KB

MD5
40b4771f3d91be52ef5f6923a9767630

SHA1
bb82213acc6204d41ae3f9c6c4eeb1b14742cf15

SHA256
ec5a4841f3571c16f35bc46b8ad64119c96b41e74ddf74d84ed13147851b870b

SHA512
5319dd835c9ed4feb8621f621ad3874789ab0a9dc14c69384a9a4eba09bfebe4494d89f44475307dac4926b79bd1774d7db1fc6d7e5054c3cb0318a648b6e507

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

Filesize
1KB

MD5
4b3beac6049440f57093b5e66101eeec

SHA1
bec7a663b6bfe2ff335ec1c970d4dd4beb57cf51

SHA256
ba1f0ff4a345219b67c8694e0da6163dbf0210854d711206a27b0739d22f54cf

SHA512
f375aed553e7b49c242446c930c309bc8e02a44ecc067a01156a894200000fd28499f81834e1ccf45c7f9509185ba7975bc4b928dcc64fc3486b72b9ca581acd

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

Filesize
1KB

MD5
a4063a652044d2ca86b866a90ffa66d4

SHA1
e3e1c024c679a916a957c26e78ea675565a88e7a

SHA256
6d4725eecc16308bf1991953013e4e7654c80d084e27fc991b04f61f3af75c15

SHA512
d6db3ae2445171cb3f6bbd3cfbc5ccbaed949f3b95fef5327f80f24fc88a7b1b29bf83e14a255bce147d0ee926d2ea7a8c583345bc06c3a72b5122205dc028a4

Download Submit
memory/1132-0-0x0000000000180000-0x00000000001AC000-memory.dmp

Filesize
176KB

Download