Analysis Overview
SHA256
19f287ad3d83ee5798284481bb30fbb4eb9dc0c1ceb5f66682a8a83ffda5e1c0
Threat Level: Known bad
The file 762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.7z was found to be: Known bad.
Malicious Activity Summary
PLAY Ransomware, PlayCrypt
Renames multiple (8454) files with added filename extension
Renames multiple (7307) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-21 15:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-21 15:14
Reported
2023-12-21 15:16
Platform
win10v2004-20231215-en
Max time kernel
111s
Max time network
113s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Renames multiple (7307) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireLargeTile.scale-125.jpg | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-oob.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\webviewCore.min.js | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-80_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\WordCapabilities.json | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_start_a_coversation_v2.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square71x71Logo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-400_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT532.CNV | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-100.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_radio_selected_18.svg | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\WelcomeCardRdr.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.INF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_streams.luac | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-200.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionMedTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorSplashScreen.contrast-black_scale-100.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\de-DE\wmpnssci.dll.mui | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-256_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\tzmappings.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-32.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-24.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-200.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-300.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-150.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe
"C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4032-0-0x0000000000A30000-0x0000000000A5C000-memory.dmp
memory/4852-1-0x000001F5E8250000-0x000001F5E8251000-memory.dmp
memory/4852-2-0x000001F5E8250000-0x000001F5E8251000-memory.dmp
memory/4852-3-0x000001F5E8250000-0x000001F5E8251000-memory.dmp
memory/4852-7-0x000001F5E8250000-0x000001F5E8251000-memory.dmp
memory/4852-8-0x000001F5E8250000-0x000001F5E8251000-memory.dmp
memory/4852-9-0x000001F5E8250000-0x000001F5E8251000-memory.dmp
memory/4852-10-0x000001F5E8250000-0x000001F5E8251000-memory.dmp
memory/4852-11-0x000001F5E8250000-0x000001F5E8251000-memory.dmp
memory/4852-12-0x000001F5E8250000-0x000001F5E8251000-memory.dmp
memory/4852-13-0x000001F5E8250000-0x000001F5E8251000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3791175113-1062217823-1177695025-1000\desktop.ini
| MD5 | 0d56e154e8216978772862bcfbeddd1c |
| SHA1 | a3ad9c2d02a3aa20528359275f8f82271a4bcf5d |
| SHA256 | 702a9c6eaac570f7851ef168294f5decdd61343c26e6aff6fccd3c5319e24665 |
| SHA512 | dc84a6152c51b03ef8976d2ff9b24bf16b84406014c1f53cd0646cefdc8c831c51d139405cfb1c6ecbdad60fedb1be104061d2fe6835d7f92f1721bf17350f64 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | 296c7489c920de2ec0d70969b021cf13 |
| SHA1 | 175823c16a923fda98504f4cece6121536101e80 |
| SHA256 | 27b6d80987d736e6c3d36803ae0910a64cce7bc4a6204316d28960512c1b64b0 |
| SHA512 | 1d6c8419ea906ea15aee5f540cbedd2ef4d589a753b154834afc3322435c6930b2a5f8d701bf100d5a5cc8a8979e3c368ebe587900df2e977dc8aca9f5dd1faf |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | dec76e5686a38ec0960f72d977f3f338 |
| SHA1 | f4de38c59f905ff8697f117e8f2dff204cb52b36 |
| SHA256 | bc6564436316292c0e4326834daa059b8932d72d965230a95804284ef28e282c |
| SHA512 | 7e498de31582bb434dc35a45881a1b42d91ca5e0d8b1278c896132ecf00488837f72d79fbcbd40c816dfdc5af7d819650caa378eb275b1d3c8154fcfa550d91f |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-21 15:14
Reported
2023-12-21 15:17
Platform
win7-20231215-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Renames multiple (8454) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01634_.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\server\Xusage.txt.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXT | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08758_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Anadyr | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01629_.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212299.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0229385.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.TLB.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.XML | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fr.pak | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC2.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183174.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212685.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR48B.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\de-DE\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21423_.GIF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\settings.css | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SPLASH.WAV.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME45.CSS.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01074_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02134_.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fa.pak | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ACCESS12.ACC | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02439_.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44B.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe
"C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe"
Network
Files