play | bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
Size

178KB
MD5

4519a5876b3e77568105da0f1c2ebb4d
SHA1

78823aed1ec75b00214dccd654f5ea5dd38cfd58
SHA256

bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7
SHA512

f4a106b983a3c330983a6bce311cff54241c9a9b7aac31116a1ee0ebca9f20126d9e584f4b6b8fbbd3498fbb4632d1fe6373e08fd7dc3f0819fe9ebd8d9c69f9
SSDEEP

3072:Yrl2uRkddO+iR7OZOQ+dzeIP9mwUGU3l2bxW1/9JnOC/fhKJ2hXh3lmG:22uyqOh2g8U12K9dtEWx17

Score

10^/10

play ransomware spyware stealer

Malware Config

Signatures

PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
ransomware play
Renames multiple (7339) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 29 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Public\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2080292272-204036150-2159171770-1000\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\E:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\K:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\N:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\Q:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\W:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\Y:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\B:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\I:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\P:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\X:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\H:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\L:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\M:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\O:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\S:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\U:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\V:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\G:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\J:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\R:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\T:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened (read-only)	\??\Z:	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\THMBNAIL.PNG	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\RotateVertically.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.ELM.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected.svg.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\ui-strings.js	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-100.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-48.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxc.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\ui-strings.js	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\dcfmui.msi.16.en-us.vreg.dat.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\View3d\3DViewerProductDescription-universal.xml	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_contrast-white.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-200.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-125.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-24_contrast-black.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_psd.svg.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_selected_18.svg.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\ui-strings.js.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\progress.gif.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-200.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-400.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\ui-strings.js	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.ELM.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\ui-strings.js.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXC	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\android-call-monitor-perm-illustration.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_contrast-white.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_cs_135x40.svg.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\it-IT.PhoneNumber.ot	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\SmallTile.scale-100.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\PackageManagementDscUtilities.strings.psd1.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\plugin.js.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\MSFT_PackageManagementSource.strings.psd1.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-black_scale-125.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-400_contrast-black.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-unplated_contrast-black.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons_retina.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\ui-strings.js.PLAY	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125_contrast-high.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PayLockScreenLogo.scale-200.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-150.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\Windows Media Player\uk-UA\wmpnssui.dll.mui	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-125_contrast-white.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-fullcolor.png	bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe

C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe
"C:\Users\Admin\AppData\Local\Temp\bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2080292272-204036150-2159171770-1000\desktop.ini

Filesize
1KB

MD5
49b93cbd8274090aea495c0481d16bb5

SHA1
559e793e2ce11203e33d6f0d7610c132c53be8e3

SHA256
6253ea25d501b57c4129087e632af3796b02ece22034a1feddd4df62559226cd

SHA512
fddea59708b504b2aa446d2e4002333270ca12a3d72f8e440a2f3371f1aea31299be76c4cf0ed7add349d9edc429f7326b613cb9ffdd971afcf25582d5e35976

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY

Filesize
1KB

MD5
0fb53651a13708f87a9a64d785eeeabe

SHA1
5be227d73c6db438cf45c37380d1a00c7336e041

SHA256
26f913cc6dffe6809a57ffe5e77b7895821a7d4eb73b2d15323adeda1dace1c6

SHA512
538913210497031563afb8fb98c9802c81701355cad498fb35234397f3036b1fc0807f73f672af177740e0d1ab7b41dfd0078a569fd063e3815135ef76b1cbf7

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY

Filesize
1KB

MD5
72b54ad011042053689c7ecc52a2738b

SHA1
eb2715214590d735b3af577d0d63af4a4a430f95

SHA256
1ceac5a9fe936e047f9e09fb14ef7794e6104181eb086a1c9d41391c16178454

SHA512
ab967258be1090c61226c6dd3e415ba1dbd0bdaa3719f9bad0c4c91cf068ebe446fdb864993b451b0daff37bb0ef706255136aa237297503092a0c13f550b504

Download Submit
C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY

Filesize
1KB

MD5
8536f74534323848e6aa9575d86462ba

SHA1
6f7926a18da6c3ffdb017d276787ae648ade96a5

SHA256
a656c1780ee137fb69820c72f9a2ba49b1d5231e84c299ffedc18ad855057b7a

SHA512
9e3367e83f7662e1b7cd8f044cdf9a8f5792dd7e054f3154a8c20048b8eee0ba11dce0570db0cf3373e2fac68597a8e97e1c817bfb1d912d5e818138f75f9be0

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

Filesize
1KB

MD5
2b9b481c518a145bcc4eaa17621ae6d7

SHA1
6de3e6b8303995e58a260eeaacb01de4759658a2

SHA256
ed05a80b053980ba163115f0fd7e710d27a43c08db506345b29642bbdda474df

SHA512
712294af810769ebea87c8be7a6dbadd6ce0271aef80a8906f3219460667551720e00123cbb8c16243ee736a8be9e4c344d5c938b866cf0c940657bbd8bdd534

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

Filesize
1KB

MD5
adabdc424a0c75ebe1dc76a15f8f2db4

SHA1
1274fa4400567a3fe83106a74ad67651d00e2a34

SHA256
01067f3d39a9796b8d61ad1bfb0b42cbec5c0eea887bcc18fe89abc02546fce3

SHA512
3b12d3c554cf64ce593118c349230d4f53336d01648a863dcbf8d4c10cd5daacb1b2e20effb284c5c547cf02a6d44ba54f526eb7426d3069bed8c6a53258f95e

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
5.5MB

MD5
df0e49eaf896a0969b5606352f53dc8e

SHA1
3ba80f2c6112d98cace2f716cd22139624401cf2

SHA256
d0492bbd4f4af7a39786f906af351a31f4ddac307d14d5b7a4fbf6f5f96c43ed

SHA512
c698886eb0a6bd992022c9151bcfd4e533bc3928975f6c0a3db45af06963a7f50cf069814516bb6f0a7d4d8493972dea8005c5a980b168a352e4dd4ed8cffdcd

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

Filesize
1KB

MD5
c117efe2cef81d76a7fd5a8fa0498b17

SHA1
4fef1658600549f056ab9571f906505998488fa5

SHA256
e36b89244d97971ce7e2aa5cb6c4aa374b137afd737e26d280be547b179840c6

SHA512
274e5280930cf8bc9ee665449b24eed88715c177a6d813a5aafebadfc126b6551ee27059422919dc6797cc0ff56195479917f2fdda10ece962580fe17e4648e1

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
5.3MB

MD5
c4bcc72aa49f15c0c829742669ef51d5

SHA1
22de6f62a5f3d813cd2406b867d3013da25ab41c

SHA256
3335c8f0236d5eb1b52b3df592b41838abf799729365116913caa142c77de529

SHA512
9a257a54b3a534c92c350b8bccadce8858706ece8598f7575085992764902bffef84d5aeb8cda4f30f75725eae5c2e1c95d0a2f9bf7ff376bca02256de643990

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

Filesize
1KB

MD5
7278b9e8f08e3bec1b8a284c1dcd4f16

SHA1
7ff52ac1199387cfa78e03d4aa5d1a14342f7ca1

SHA256
36677a9a88cf7ba4f426b4d3faf1d6a754a8f659f048a8556753fa46c69ca033

SHA512
2949fd7ca79a5ddd4529de3660740f31646c7834d6f299eae5a769d803511577b6a15097de3b70758fc814e01092254f66c777ea44b01964ef322028ef36cccc

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

Filesize
1KB

MD5
c4ee19395b0dd8c884c8afed15d930e5

SHA1
0f4566ac0bc5a9a2130784cf9dde3001021a214a

SHA256
5f14ceab5cf95af3d74b7514884bba9bbd2409b1aace1d8887882f3e13cf96a9

SHA512
06911850e2034b78fe26b80c1678bb11658b64736590fef0694efa0a7c7d672a0361dc334e3e5facf20c7eaf2c7fc7b04e31b3c8d2b5181f94ff1f514a4fd520

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\state.rsm.PLAY

Filesize
1KB

MD5
2640890536213ca3e89ce82d124a9d77

SHA1
2b21925b559f336c3bd96369c24bb4ce41b4908e

SHA256
957243df4473df3cdda37541fbc769e287bab0c630c7e1db48525f49d4a91672

SHA512
8d6d244bb8276a244c6bef18375d7573c30f182de7fdba492bf004f7b603564923a93123bb260a2b41794aa674a6638b19f411193a255157b1c816963d1c09b9

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
870KB

MD5
82f3f39d2f4d367c11b31098f2594a28

SHA1
952e719d515a024f35e08c5ab44dd61a606e28a6

SHA256
cdb2635ffcf8f6aabfe20f4e1a4d2f6c69e216e37993a30b2244f76d1c4d0dcb

SHA512
b30e63a85f0f24ffc62e0282d79d00923ed9fc531d9bf168fafcf396b1283f69e15db8fcd92955418effdcc9963ec6f6a338b4c734def2df0009556326dc66fe

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
5.4MB

MD5
0f58030ffb4643f6465a049939eaefb4

SHA1
ff5cd422c6a85a3951df3ba6eac97bac97e2fc55

SHA256
c91b116101ad213ad41d998b26a49c0b76affc1effa21e6c3ac8016f910bccc6

SHA512
ad8fc8e758fdab640a433173368691895657f70add068b778cd2160e2f7a5034751d981d898d3f05a06ce8badc8b0a5060b2554b153dd6c7a99ec79bba9f8e2a

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
4.7MB

MD5
f2cbc3dd35de889cf0a5b926f61d8294

SHA1
442e33c89239357100a6f19f98dc066705d4273b

SHA256
132f48507ccfea83dd7bb91475876e2cfdd1bad4a172969f222c3d5338d892b2

SHA512
43cf4b75ad3d615126224eda0f40dd24cde26f9a236c4a2fc55e4b3d5a72e30bb42a393a25a0dbc438a8010d2937f401f0175dad5e7a59f3f6799a73c69778db

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
4.9MB

MD5
da13ed573a25dc6d9adaead8585612c0

SHA1
b04fdec6c9e8fa6b671d71a50e7c9531a3c70ac7

SHA256
097a0171e72b2feace0f3d2cf06247de072f2104f4a6617c6b21b6c8bb63fe67

SHA512
1a39f42b15a895ccbcc80198eddc4e10fe7ab3bf930fa8e74ebaaaa5097ddfde86c0f3bd7619cbe6f2863a61dfeef220a872c254765c2f755e14a4f7b8062d89

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
803KB

MD5
8253aad0346fb67b1c58d94cb82350a8

SHA1
235b282155cb5b50b013057aa01bf3a42747098e

SHA256
954468cfd5c4e9940e3553554afc977c0c95ef4ee9a8f471bca5d54e8b59da31

SHA512
480d37558c6857c240817f680de9c4f4685a9a76595a09cc3bcb7157b11dbe6ed7239572622bf66cd1b32effb3095e50e66e81581b5cb37a04258f2c79a042ba

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
4.9MB

MD5
f17e892c675b7a278dd7017e352072db

SHA1
1cdce4988233810440d6dc10add927cab7b25c83

SHA256
45b8d86342b86f8ad2b6d92715df2c1b7733523986d62d3b6d43a7cf582178b5

SHA512
e0edf4fdc492605946540ed58c31ddadf16cce92f6e18c4e244bd61412321b4d8a16154590d16cc427761a5de53a69c407a7108903ac6bc9a88f401eee6a20c5

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
1011KB

MD5
a4ea3d876f3bdfd689dedb11b8413415

SHA1
c8a76b2ed3f358eb93869a78ed62918629c1d31a

SHA256
efb30013bb47de10184ea6c9d09e64b6bf48d48b4c9af4c784fe341822895039

SHA512
4f12145193d8e324b86fd657a66c23372409baf37618adf995d639796201341285cdddd7994ba6219b979d2c8e785ca943fa2343e56f427892517ade2860b040

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
791KB

MD5
68b58723693d6a15fe32dd9d66f41f7d

SHA1
a3e880150469e478f3071262da5abd8d767d9104

SHA256
33f16540c9fb60eaf6c9d2e2d0f11e42a306c922da1a1d8b18b681fff48238b0

SHA512
99e674d6703765dac2e593c684a72ba9fbea3bdb7d9c7d52fa039ff3611d21f204163a9546f9c1a708ac917fe391ef1c27d6eb668fe92c88f1e6b534bc05673e

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
974KB

MD5
b166d1558344c6ea0123432019b181c8

SHA1
6954d432689c7ebb4db3c6852a40f91fcf2c6487

SHA256
a805dc79905014e68f390d372604a185a5bfb44f3700581154fe1a8b96b66f9a

SHA512
d9aace2ffa29598287d5a2c7b90d1b583f6a46e69ad11fd0c9a3b979c2a5965d780e93d932658bace9910d7a895d0e12b68d9720c9f07aea51e7196432bd3d39

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
742KB

MD5
523579e75541b9e45644285b944d414d

SHA1
7ea798f997bf4694c7d01a5191a839deea511373

SHA256
4fe879bfd5a379bc10afcf852a76819b370ca050281debd98607055ab2d37c83

SHA512
a6ef296fcbc8f5b378387b645541a4e1eab2ef51dd08e2bb7d109a98ae74c65f0399b3d019d715321b210e311c5ed637aa4409cb08ceb5cc4e194b65a0416c9e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

Filesize
1KB

MD5
7994468e41c654fba840c6983a7d4333

SHA1
619e94ac2e76b39ce5316a827adef3292812cfe0

SHA256
9aaca708a5f156b9f77970b09002a17456a4b8e7af09b87274ef432ec1047814

SHA512
b2564480901ab3305f8666227dd1d419b4636cb1d01514f902bb214225496087d54aeef48fa1d69baca3a642291798f8e14dd67913ca0f25a1f29c2ad47ebd23

Download Submit
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\state.rsm.PLAY

Filesize
1KB

MD5
5b3bf7aac6fb9edbeb4342627b1ace6e

SHA1
02a29f5c74af71bccece14e446cde75d3c671aa8

SHA256
7c750b5b67373aad08cfc110b69730615ed98aaa5b04a529e2a0fb674158a8ec

SHA512
ef76cfbc6c0a8ce0904dc88733615882a243354911bc6f7f5bdb58dadd94fbc3fb8be65b14dc343dd3d6333cd7caea273218ff9f6689ef2c56e26869c6e93a68

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\state.rsm.PLAY

Filesize
1KB

MD5
71d08abc7a8249e1c8c7c53ae64bfbc4

SHA1
d7ed2fb843a093b58192e6f3f2af273a86b588e3

SHA256
773d712aac475c7c8806deff04ae793552c2b87f7cafa8d733ac47b3dd9b0d8c

SHA512
7e29577de4e15b86cceacf84e9b4d79ced35e29eec5a287dda8f145ddac8b635d429125fa7dd4fb70032c30d038ffdf1298d89337f3fae952b34fd66ce9e4511

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

Filesize
1KB

MD5
2f8dc80da4bcc81c81e2bc393d8a2ba5

SHA1
c084ba917e1c021c21c8799c630f07950dcd3c3d

SHA256
b9f2440581d20327cda8d8aa66f6eb302c4d05768cb8766db78bd968cf4d6a41

SHA512
61b06ace1ffdd730acba1f8e8fbfb9653f5e53ab7e384fc6327d13bd84431eb3c0b6b8d399c7aebed34aa6e7acf0e7fe08a72353f27d0e36854831ee484d04a0

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.PLAY

Filesize
2KB

MD5
7b66394771f11ad6dcb8de84398fe374

SHA1
b3779060bd4d5ec126aa6552818c9de4f2bb53a4

SHA256
c68e91245b098b511f3cce414e8d0b7ec06f44cbf3d04560dddc1bfe6a6b0864

SHA512
e8119befe10671a09ca1affbd0465f3c803521b4dcbb4ca3f627635278b40e987266c7ac368a720eeb275d832a7c14d550bc9673f5bf7c6a74b031bc18def54e

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.PLAY

Filesize
2KB

MD5
1fd81c1b40b729ba222349d67d4c16b8

SHA1
9b4031b9ce94bb2ec344438550da3ed0f70cd707

SHA256
2d64586c8e6e352881fce5ab3e2be5359d7b800841fd642719cc6b5266ca309b

SHA512
e90aeecc3ed3f769416a1318caa82a238ee024ba0e514444d1e3469670805ef9007a2053f33160719ed1b111aa8d48d4666cc05bd297f2f7e04465f5924b9bcf

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.PLAY

Filesize
2KB

MD5
5f53eaad1289397040d43f82bc746bf6

SHA1
a649eb6e88dcf4959d96b30b09e58bfdde726eda

SHA256
bdf5773a82fc846e65f70ac99112796549fc2f9f0b157474d8f8237e3f47d124

SHA512
c9cf8ca7d4405d91b4dd39f874523efe5a67c1040e2e1bf8c6e20abe9c2aabac22e7916b7c11d8f76df0417414e52dbbf7ebc225bc4db0ed88e4107eb1ba3af4

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.PLAY

Filesize
2KB

MD5
448db654cc871e230e02539f565466cd

SHA1
6912f6bb1a9bcdd9b24f11362470660cfedfb367

SHA256
7a5966021ac36096095b5ceda279e3173157b760f753b086a3eea38a2ae66941

SHA512
a92885acec481b77ece63818dc4446b916fd1601fd5896601861ad94e8b0502d7243494aa29e81a40af2c83a8718249f4ed46a662e3639fc19a78840be0057c2

Download Submit
memory/536-0-0x0000000002A60000-0x0000000002A8C000-memory.dmp

Filesize
176KB

Download