play | 952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2023, 14:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

952fec5f9e7137951700d7e42.exe
Size

673KB
MD5

2e8897ef38d4abe4861360a4b6e895d5
SHA1

f668b1110d8a6b1a3f638fd8a6276a7a1efe18db
SHA256

952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f
SHA512

02d7fe9141b25c74fb4721fa5cba6030cae671ec159987e1e0c95eee65fd5185586b0101af63e36f788cf8b7fc7044018e059301b17e5e63e68564d31f3610b8
SSDEEP

12288:fjVr5+jJNj0H5zPYXADL1vpQ/ywpll/nh:fjB5WJOH5DYXAlvMyUJn

Score

10^/10

play ransomware spyware stealer

Malware Config

Signatures

PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
ransomware play
Renames multiple (8341) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ExpandEnable.tiff => C:\Users\Admin\Pictures\ExpandEnable.tiff.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandEnable.tiff.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Pictures\OpenExpand.png.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Pictures\SelectStep.tiff.PLAY	952fec5f9e7137951700d7e42.exe
File renamed	C:\Users\Admin\Pictures\UnlockCopy.tiff => C:\Users\Admin\Pictures\UnlockCopy.tiff.PLAY	952fec5f9e7137951700d7e42.exe
File renamed	C:\Users\Admin\Pictures\RemoveDismount.tif => C:\Users\Admin\Pictures\RemoveDismount.tif.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveDismount.tif.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandEnable.tiff	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Pictures\SelectStep.tiff	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockCopy.tiff	952fec5f9e7137951700d7e42.exe
File renamed	C:\Users\Admin\Pictures\OpenExpand.png => C:\Users\Admin\Pictures\OpenExpand.png.PLAY	952fec5f9e7137951700d7e42.exe
File renamed	C:\Users\Admin\Pictures\SelectStep.tiff => C:\Users\Admin\Pictures\SelectStep.tiff.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockCopy.tiff.PLAY	952fec5f9e7137951700d7e42.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 29 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4025927695-1301755775-2607443251-1000\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Public\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	952fec5f9e7137951700d7e42.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\O:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\S:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\X:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\B:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\H:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\I:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\J:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\K:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\W:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\G:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\N:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\Q:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\R:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\U:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\V:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\Y:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\Z:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\A:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\M:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\P:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\T:	952fec5f9e7137951700d7e42.exe
File opened (read-only)	\??\E:	952fec5f9e7137951700d7e42.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_tr.json	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200.png	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-36_altform-unplated.png	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\ui-strings.js.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-100_contrast-black.png	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\ui-strings.js	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\altDekstopCopyPasteHelper.js.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xsl	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-150_contrast-white.png	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt-br_get.svg.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\ThirdPartyNotices.html	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36_altform-unplated.png	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileWide.scale-200.png	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Msg_Received.m4a	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-400.png	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\ui-strings.js.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Windows Media Player\mpvis.DLL	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\TimeAppService.winmd	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSPTLS.DLL.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\setup_wm.exe.mui	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-windows.jar.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RDCNotificationClient.appx	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\ui-strings.js	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\hmmapi.dll.mui	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\ui-strings.js.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\LargeTile.scale-125.png	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-100.png	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-80_contrast-white.png	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Mozilla Firefox\platform.ini.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.PLAY	952fec5f9e7137951700d7e42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif.PLAY	952fec5f9e7137951700d7e42.exe

C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe
"C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e42.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:5036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4025927695-1301755775-2607443251-1000\desktop.ini

Filesize
1KB

MD5
ce13c95caa03187f72e0d3b91dc91d9e

SHA1
aca6aa7a4d692774971c7e85a65f90cd19b81889

SHA256
6f8ef342c46d6b37e9ef01bd4d488f8fff14d5548a09117dcdc80447dd7ae494

SHA512
aa1d3eacbae65c49238d6e46cde056bb18663b3e44e1ccb8340d6d892efbe54f127c3bdb683a25d2b15fe780eb4bcb283a8a11574c67123e69a4200518cf3859

Download Submit
C:\$Recycle.Bin\S-1-5-21-4025927695-1301755775-2607443251-1000\desktop.ini

Filesize
1KB

MD5
215db2a90dae256bb6971e886affba09

SHA1
4a3a16c63e3a40dc7f89ed0d6f5f7cc3ec020db0

SHA256
5abf842a32a837d146d17b7d42338143ac0d291184e836789048217f82a9f38b

SHA512
7d73dd05dc6935fc4965ec54a354564a63079b7dba1f79717d36a4abace173dc9a990a36fd4605dbc4333bf75cab74a9a76c1a2e2794d05b8daed746e8ba91b6

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp.PLAY

Filesize
218.2MB

MD5
82a80d21cca0f194acfe03ac69434e5a

SHA1
facf12230bef008bf7c0c2e0cf54e492c2ee9821

SHA256
2253ba1ffac0f84bb0e2a4ca00666e983c2705deff67c538d47d532242c72ed5

SHA512
60fcc127bcdbedede1969f126a63511f17377a37e6c4678f47ec22b5d10c9d6be70af927a1c8fef19ba452b1af593b7ac13be2f6b5eb5ff84872c9a8676154cb

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.PLAY

Filesize
167.0MB

MD5
5265d0f8bbb07467b768ff0f1477c170

SHA1
d890a3b4ef9afc59e2848ac918fa13d1d8735e7f

SHA256
c40402460361f7b82e8c5e9cc7f7b9ad2f27ec34a73e1969d1720bc7ec34da6e

SHA512
9e5d378620a3adbe33c503622c79fe8216d6ac3bf95158a5c0f203cd060581a753130b68fc71482137bd348722ef9a1547746abe1136ea1684d112524840483d

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY

Filesize
1KB

MD5
59b00e9bbffdde9da54d3b68448d2654

SHA1
e35ee90ee7571215682973f68e574eeb6e85d357

SHA256
48c304ebdb58b305d5fd7399ec8e7b4575668755a650b749be85f5df00179282

SHA512
1de69275332e8648c588bf172b8f2899b9f449fba403b61871a564f20280af829d12bbdb59699d60c29c4520a4573ae164b41a14fc2feff44a1e41e4e04248d6

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY

Filesize
1KB

MD5
2ed2493fab7d81158114dbbb269161a6

SHA1
3cc85b2e120a04fb3535407bc3e347dc1e04481b

SHA256
4a2eb32527f38f212b75774db7accbe640ecb8461c2bf439ba793db1f0c1b6b2

SHA512
cc734b05d70b4438849a2030b023c6b5793577f3d8371b8107fb23cfc30cda54ee0d39ce9e04d5e8acc7cb0aa1eb38b4cb027ecf04fe161f6edb887aff33b6ac

Download Submit
C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY

Filesize
1KB

MD5
f935abcf27cf843aeb5bc113ba38983e

SHA1
0f61fc1b95c423d9bd965fa1fbe3c8c5a9239fc2

SHA256
eb4a54e168c75930a5f12aae7e6586c22feff5116efabe4a107d18c909ea344f

SHA512
2809712747f5534cfe36ef60363dccac428dea3608d9cc9eaa5de8504210274f69f5558e6e477316c251a5988313acd6519e828e624d23be8ea7487e4e52edcb

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

Filesize
1KB

MD5
d20b4b911cc19dafc0793dc8361ef86c

SHA1
ef5cc93418224774db8e6c9879d06def27c91d8d

SHA256
25159c908a0fc5e3b49bcff5c64537b6a5d36891f03a7ad7e35c444411a5493c

SHA512
80c94fd763b46b82d2d63217a435d6928f0ff588f5d3a6cf3d331b1412315d4406b023b8810fdf41da10ad801aa227074237f4d509ad85810bff9e3dcffd1912

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8.PLAY

Filesize
78.7MB

MD5
d6a0cbcef1dd1aa068e0da3c2ad48189

SHA1
ddf6bde3e69ae7922814d4b770de5085f576686c

SHA256
f117406392391850fc06f0594da2bde5b61239af86688af0bace9656dd4c773b

SHA512
72de9390daee5e0181733bb87e26a08d287590f7e1f8806582c0b7bc31b13eb501839d72d30d72f0c49995cd96089acbbc0dacd43902125385fd17ce22515987

Download Submit
C:\ProgramData\Oracle\Java\java.settings.cfg.PLAY

Filesize
1KB

MD5
26ebdfcf2fab21592bddd96fa9b6dd1f

SHA1
b1f41170725ec28b10b7f58f7d3cfefe6488a3e7

SHA256
56de84e8330d2b9aa8ce727b88d63866836bcab389479a5025c15a8cb2e06d0c

SHA512
bdbf04052ece0158b5fe9664afefe6928c222295feb8f656d29dd5fd29892e943cff0eb6c1bcc8242cf3f89f0e4899c467f025635baef798f3b7800d1e095914

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

Filesize
1KB

MD5
a097c585e6e310caf537b59dc8366bac

SHA1
e1e425988e14db88e2d2fce4c7d64ffef702c8da

SHA256
f432519c73b086a991733f96996046337c88fc94c9cc609d974ba229ee010925

SHA512
a682f2ffd0ac8e0de553ca055763db119f71d921e46f8e9133903f441f57192d1f9862a08060bb1f836fcfcb016b3724eb5f5798609c097b6401bb539f2b5bc6

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
5.5MB

MD5
b888f61892c180bbffd907431e5bb4ea

SHA1
fbb0ac5c07afd4c01b5466587eae4412bd18652d

SHA256
d441c8beecb58b123268197d3d26ed97710c4fac5fc026826407b0767b480bbf

SHA512
80bd06e68a01c1677a537e0c232b15f41a55196b23b3ce5963326817bd65bec489b98a05cf9982debcd59b890d8dcdb6c1c1ac2fcb44d70bc2568228b35e58d6

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

Filesize
1KB

MD5
6c9851f32e93a6fa210a303026b9afdb

SHA1
84000f1191463253067c217d3ff7fb66253ab6c4

SHA256
1830f455d9b0b9faf3347db4da0a716140e9dbcdd3892d149c34a84db87baa16

SHA512
0f924da65946a9996ce9ef790ce8051e7c48186cbfe866ffea89b6daa21c43b429ad10773c9c06f8558b70ae82ea4536cab20d1ebd4a5a29e33ade246efff2c1

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
5.3MB

MD5
11caa3bbdc16911e3034831ac58835b1

SHA1
c877f12d8d1f1ce41bdd4d61830064df7ea3e600

SHA256
623aae6d6242b94100db5932897456bb8acdf33739668dda4d74e93b88d9c563

SHA512
21e9da6650bf741ea4fa35155493879b03456b56e193900f48c75605d0879627c3d48fef2537e0ae913b6dc66ed0a70f780408a34790a07000ea25ea6d5ccc2b

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

Filesize
1KB

MD5
b25d5d6d28277626593185692be03889

SHA1
fed797d2b994dbc896a581dbf854f77bd568b470

SHA256
015dc08f8ba0e5e83563b559ca4f3ec3c7cf0affcedef0d00914d068ef661bec

SHA512
6480a67ed89489646f4713bd814c590b8a8c9b62cc1580f3958416214a52282eae3f3cc36c211caa2461876504261afc6fef0fecc97cef5f4505ac297d5f32db

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

Filesize
1KB

MD5
e741ed6797947adf6577b7163f0515ff

SHA1
8d440f0f5250264fbdbb852664df26dde4d74297

SHA256
104a96cdd9b32d1b55aa61f800c7407c16ea444cec51ed57c2c4cca4669e75af

SHA512
c75187f27bf20f4644bdcc9a847c25718053582437a5ddf8976ca783a25024e8bcd5044d6403b750c70e71989f6c7646f23df242c26f120aac21f2bd0e8351d3

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
870KB

MD5
300058a52ea7bc92d9a7726203c8b058

SHA1
a2b96a698311931e7edacc6bafdfdc145b4458c1

SHA256
331979e70159e29536641ed9692de2aee163bca57da5769203e8b1ca4707ff6a

SHA512
4edce46e2a749992a69530e0b163ad67946b313db2124d269460ebafba7df5f4be5fbeeb200e66aa2b9723478ebdf576d00054479bdacaa97d7010f2f8917aac

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
5.4MB

MD5
e071708a33263c3afc1ecf18f914936c

SHA1
f4388294929fc51983352e4ec10ad1e0b4034b40

SHA256
e261fc717fd7c1d98554120cdca7ed62d8f9c4ad7880766ce75f8ac207e27a4a

SHA512
778d4504f1af049d3f9155570b4b5ccb7ce691c431775f75c9b4a6056690e6eef747db603b931f21bdb11d6a2fd844bfafd1d041d86eb1dd384099afab5d38e1

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
4.7MB

MD5
f2390d89c87535e5bc4631727c8cefbe

SHA1
30f633a2849d4ea33d6a75d99902c6f1d8a6e394

SHA256
f87060c92a58a158cf58227ef7c2cebb95d91723e9087cae0212331a3e54c649

SHA512
4f1d89a142c8fb1b04792a905f52e31c01bc2cef0074190a77d310b0f6a905a996c568847d1fdbd2b89ab864ce31c6bc9e690f15462e16e7dba072ca363255cd

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
4.9MB

MD5
b3f9aa59b775e9adae84b7e74455e128

SHA1
27aee0c66fa47ba4a28d9b02c0c9ea8a987db78c

SHA256
b453380d4b1b407076004bf628170daf75c557f6a4df873e3cda5a66cf12fc31

SHA512
b27109dff05ab4a04733f43c21ec95dcc9e9195f09881d1233ab028abad8619ca6b24a0c6130e947fe6dd8089bba0eeb3fab68d8f560c330e60c9a3a9ec4bf1a

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
803KB

MD5
fe634c95db90da594bc4f07671b03e5c

SHA1
6f55d91bb16a134d2f17209b379f2fde330ed833

SHA256
87476a1668ded5e9e5ee8d7ec9c056af255dbea439334e4ae7a9c49f200c6b6c

SHA512
ec2ab0a237e8f791e1c5bd52aebed3c1546442d87acbcdebcf0dd55f95d7281c81a59770a8687d27185decdf33872841c5ebb858632a33be5771f56e4984f398

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
4.9MB

MD5
22265796b7f68c897d2dd269d70ba67d

SHA1
35d3a90bb8b6c30ff8cbd6b8594dbd2d7dc9b564

SHA256
c2b9bc00fb1857536ee5f4937180c33ea007eebedb1be4d0e5bba8f7623e99d0

SHA512
aa7c7af7c0e0b5d535734248bb58bbaba3bec0e9a5e00c335b813080a526bd309e06615f47ad1b61fc221efcff069bd420ae87f7d9bca35a3f663297834cdc78

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
1011KB

MD5
d9f8379eefd0537908b3c28161850e99

SHA1
e422f977009f928a936d825e6ab7804b4880d3ea

SHA256
9dac9f27daf7fc81b71b5a27dc3cac0208475fbfff5129fa357ab0abf67d1974

SHA512
fd97ec69ca671088350b13ecffaf35951f6f8fb1e93709d70133ecf309508ecc9107083ebf4d9b4bc4b24cab519940faf8fb1fede2f64bde27cba8c6e87424d4

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
791KB

MD5
f12562d5351336fb3d36976da9755b66

SHA1
bdd6fb9e16ebdde02fbcd9f48fe2219cb9e728fb

SHA256
9edf3b28e101b1cf66d7f0a31398f423592c4595cc1329bc3628566dcbd1c3c7

SHA512
f3ac9db5453cd3438e62eb8aa5509163de074871af6b4747e33b145b73e56823df68ec499925863d52469e2367c296ca7dc4508d24a0fc1056501873a78906eb

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
974KB

MD5
6c9f656005589dbfec85e6794d8f9b67

SHA1
d60b6c75ff6100036bd1c9146b0b1fb7c177cc84

SHA256
9df16a39c932628622e388c310b363429f42d2fd963588fca3126114fdbf5ac7

SHA512
de93183482ca395b84e68614f7bed8f4bf4d76550c97fc16a709e4a04d3f20462af35fa6379da0c3565eda1fc090a61a501d7cae3057c865995d71bbf9ae5014

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
742KB

MD5
865a50164965aa47159ef294b5063138

SHA1
67cd9ac484486ab2b2ed71f6f916f0f4d8558c47

SHA256
b9820b5840e0bd2f2a12deebf3cb1941c8b50dcd73c7b875211ea9a16cc85661

SHA512
c443ddbd6ce2cc13a2fcdc9625c10566c06317f6d3a2cd4a511ed8499704ad38dddc965eb963e8675f8484370ad54a147abebacb9d00938b6c3981455a48a938

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

Filesize
1KB

MD5
fb74be71bb34bd57aaaf5be20fb7e19a

SHA1
2732929b65048bcb92c81fcbca51bae62442827a

SHA256
7a404c9cf9bf67f776240189595171a37f63eda82b25ffe3014da2c592361c5a

SHA512
08361f83ab35bfb3b020e272cb9d9e743f02b3feff9f9c6e99cd5bc176bdce3ac5174a5bd98b1f260aefcfa92465f972c574484aef079279e99ead79f420a1f1

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

Filesize
1KB

MD5
9634713f25b06b15762f8013aced05a1

SHA1
f80d46e24e44399ac6bed1bd19269da35c922fd5

SHA256
18a4e6f288973a09febb00e3d03944f2cefe8dbd97d9b3e9395cb6e2a3dffa2c

SHA512
48d082263a621de06aa8c8f0246f241472b328aa78e35516eec1121b828cb9614227f3d310793394a233f1c41e937a34f803f2afb86b316b7ccdc02c9ba44d4c

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.PLAY

Filesize
2KB

MD5
c772a885d843745d7bd54be24215b7a8

SHA1
82d94a0c98d51f949c99eb41a0be3d46abde13c6

SHA256
631cf8d04a6f4716dc64c6d72d91c4a29b072ee9fc7a507255d995b514772210

SHA512
2e1de296f4d2cbaea4347a8053fb2c419949cec06e3bb9ba087ace4bdaa815a6645c1fc7eb407c4d6850c3cec784504b486797f280ff08ee3384d367f64a00f7

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.PLAY

Filesize
2KB

MD5
da652dde5bb95a916a6823afaed79041

SHA1
953075e2f609c6e4c42f26caff900883975655dc

SHA256
ed91e860e42d6b91a30a70bd4e17de4e4adcc97fc6d2a9910eea5b2a25461887

SHA512
380a6ed64e4aac728c9b728e8e8c5ea10a2e8d23bcef4c684ae60c7ab771fbe1963b6318617e23d55071d140872eecd204d8f9110baf27f6dd17566130df781f

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.PLAY

Filesize
2KB

MD5
2d92ea152fc45a8f98d2bad829bc0f53

SHA1
bca0473de4c92dd80da29391f663962887655fce

SHA256
bcc67d3b142695ebd4a5e47208b0a53baab01dd8e6c992d497115fef301a59a4

SHA512
14499d91670e43f9d540fec98c571b8594f514c32a1aecaada4a1c61c894d23fe19896a02164dda85633579c4a438b3683aa22eb03eeb07bf23348cc92ee69e2

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.PLAY

Filesize
2KB

MD5
ddf2f3963219d0327bb640b3b0a7f66f

SHA1
0bb7e1bdeb5a508c9fba7cb42cfbd52e0e1c93bd

SHA256
c21e6bd47c7112398ce904c809e2babf98eb49114d3e52094408f9281bab2b57

SHA512
0e37337186b30806851765e81bb726fb1fdf98f59cae2d3b3c6c6b7df0ed4ec8d90f79546a78edc756d28c90771089127dba1c9f3a7f48e4b1ac369175debfa7

Download Submit
memory/5036-133-0x00000000026E0000-0x000000000270C000-memory.dmp

Filesize
176KB

Download