Analysis Overview
SHA256
bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7
Threat Level: Known bad
The file tmp8xkfq_8s was found to be: Known bad.
Malicious Activity Summary
Play ransomware payload
Play family
PLAY Ransomware, PlayCrypt
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (8947) files with added filename extension
Renames multiple (7380) files with added filename extension
Reads user/profile data of web browsers
Enumerates connected drives
Drops desktop.ini file(s)
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-24 07:31
Signatures
Play family
Play ransomware payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-24 07:31
Reported
2024-07-24 07:33
Platform
win7-20240704-en
Max time kernel
150s
Max time network
19s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (8947) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01297_.GIF | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Blog.dotx.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\es-ES\TableTextService.dll.mui | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00391_.WMF | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00172_.WMF | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14830_.GIF | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00200_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DOTS.POC.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\msaccess.exe.manifest.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-progress.jar | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241019.WMF | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-text.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\tzmappings | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.DPV.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Bahia | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107724.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Lisbon | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02270_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\JOURNAL.INF | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01468_.WMF | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MUSIC_01.MID.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SlateBlue.css.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.HTM | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00320_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FALL_01.MID.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232393.WMF | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\calendar.css | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00172_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00671_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ie9props.propdesc | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00052_.WMF | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195812.WMF | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\BUTTON.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_docked.png | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEWBY.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
Browser Information Discovery
Processes
C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe"
Network
Files
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
| MD5 | 20dfff0367e9ebd9d30f99b16c598fa6 |
| SHA1 | 0a93ac21836cb20163edcc5e030796e389a71cb0 |
| SHA256 | bb4711c60608ff8367defc09f320e46950d548097d64e84ec1ca674d1f03a7cb |
| SHA512 | 1c48186c61750e106cd15acce4b1a7547cea1416f53979172ac1ca1cfeb979f8e3d56942f71cee438468c8fe019360891d63ae0019bb86c95ae59530293ac60a |
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY
| MD5 | 691c68770449fd67d80326431891f670 |
| SHA1 | 61f66f797007457146f52c66fad856f7f793a6fa |
| SHA256 | 2cb37b3c479cce6cc9ba9a7b10a54ec72852819dd0fcafd1de5abea6f36a1ad6 |
| SHA512 | d75c5fadb1bf8a13c07ec845939ce6554b63f78ccd2f35c1f6506b560f7e0c088ebeab47d8b36b54667abebeaf3782ea88c878e40112aa8491cecbe221509b90 |
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY
| MD5 | 8da0ec632c8949fd572c1f5657b9944a |
| SHA1 | 9c6578c9afbfacd71e2557fd425c096ceb05b601 |
| SHA256 | 3a79c4a6d66600e3dd0fcfe4900a9106f66adf2237421a8d26a7e719386c3f53 |
| SHA512 | 707a26cad85aaf3ff8da731c21ebd581d55408aed8f9da1b09866e7e4e8ee12c4120241174a399e9c4ab0a14d231f08bf22d4cbcf0d75ee672b074e472600d81 |
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
| MD5 | 7ac5dd9a1affe1ac6f59a55b7e148c12 |
| SHA1 | 8fa82c2e5645c2c4ebcb2366edd3087f1e9876bf |
| SHA256 | 784ec2e76685fc8aa5e4707423419da0f88444f6d052a696164632e6dbc75ec6 |
| SHA512 | 31e9eb92126e5f80e303904a4310a7f72ba240c20c0634a6d8e3e2ea59cfc5ed2eb300f77ee93cf6730243b4bbce796d55a6c55fa03f8303945b9f6ff58d8456 |
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
| MD5 | 485088ffaa75aaa3b3ae396ed94280d0 |
| SHA1 | d94fa4a94cea3d78bd823f523b4e839378baec18 |
| SHA256 | 2d94f07dfcd27262c393bfcb8931628c26259e8895feafe7e316abd660ab8580 |
| SHA512 | 4593bac4d2253be625947ee041e4792c88904056ad4a56f51985ea1a2f270492267f49587e3581da9bd36c79a6d0b413d26e1da65415c3131dccd91e4e2e36d2 |
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
| MD5 | fc9a562f9140f2f0132591c5947b8200 |
| SHA1 | d0078fa32a508ea32f962616a95cdfd5d8a79a73 |
| SHA256 | 76b4b1e05304c16e33ed0f53c7f562d22f3ee06fb5cd43774e2a4f6f54280409 |
| SHA512 | af381a221e440906b826eea0a5fc1ebf86eeebe91254ab977ac02ac7d70e6f878d8702cc18f08dbe4b63f770854caf6ea911acd88b94991f788c3645593f8b6e |
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
| MD5 | 22880e0410e1ddc462cfd47c6e704033 |
| SHA1 | bc85bb1fa14fededcc6f6d254a778f17ed121fbf |
| SHA256 | 36c0e11d11c7cde9aedf92fb1d9f1e8fc9f8c030dd32eeafe45d2b961aac24b4 |
| SHA512 | c482862177c16dd92e1223fe1e33f413a4d133fc6f8835a18902f4c61cedd0247c29b8705ae439142563e9190a9a087613b1550e3a37e419661657861bd31036 |
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY
| MD5 | f6e623fc945d7e73aaa05ff7e2f09c41 |
| SHA1 | 61998bf542bdc5c4f74c1cdbdb068ba31b750c4c |
| SHA256 | c60392a45d3a968ca9901a648e780f986c83ad17eeeb1d0ada80b9d42862165b |
| SHA512 | ce560b38b93cf16eae7a3b27daf684a39b96b5213a1b1dcd028ee6f05d2824cebc619e0ac806da7c325cc41d8eec3231047e7b9b888a6cb0e0d7f301bb427bb7 |
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
| MD5 | 4c5f5075b6029c393ef117e82b437a2c |
| SHA1 | 802b7059ea60f1e2888f44c5972c8374307ecaae |
| SHA256 | 04228a48e26ac74ae44e91dc9cbb04d4bb49e63858aa0e8db6929464fde79814 |
| SHA512 | 91518710694a33aa61e82c8237e0043f1d44a74d7fe3101ffbe3e5c82cfe512513aa34f63a7c1a90225ad25a939e2fe54b1df8969494b556f023b34a31e7c14f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-24 07:31
Reported
2024-07-24 07:33
Platform
win10v2004-20240709-en
Max time kernel
127s
Max time network
150s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (7380) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8xkfq_8s.exe"
Network
Files