play | 52480d0a016e6df93f58ecc9a6e8d42177bd35e393406d464426a0951e206a36

Analysis

max time kernel
329s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20230915-es
resource tags

arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
25/09/2023, 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZYu4eR.exe
Size

458KB
MD5

a7220cc1827fca75b6e74efe59a8ea77
SHA1

836c066fff10ad423134f863528f4ec3d3e95962
SHA256

731457e4704d299b353e802b72a6908dfa2124cbb5130b8cb9a943c6be6bcdc6
SHA512

90cda9290fbc28187da837c4829fa1cd0084a58c87e58b6ddb0e70340b334507233bc0ab2c858462824e21babaaf2118dee68513e5c87fa7126d46bce5d38b21
SSDEEP

6144:4/MZO4aLcwC0IEVvO2UcxnwMSKY3m5MzrTV/yqUKmLzmZhbVPcK7lKWp+:4XiwC0pVvOwxSCirEXKPZh+Kdp+

Score

10^/10

play ransomware spyware stealer

Malware Config

Signatures

PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
ransomware play
Renames multiple (8292) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 29 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Program Files\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	ZYu4eR.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1045988481-1457812719-2617974652-1000\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	ZYu4eR.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	ZYu4eR.exe
File opened (read-only)	\??\R:	ZYu4eR.exe
File opened (read-only)	\??\S:	ZYu4eR.exe
File opened (read-only)	\??\W:	ZYu4eR.exe
File opened (read-only)	\??\A:	ZYu4eR.exe
File opened (read-only)	\??\I:	ZYu4eR.exe
File opened (read-only)	\??\M:	ZYu4eR.exe
File opened (read-only)	\??\N:	ZYu4eR.exe
File opened (read-only)	\??\V:	ZYu4eR.exe
File opened (read-only)	\??\Y:	ZYu4eR.exe
File opened (read-only)	\??\K:	ZYu4eR.exe
File opened (read-only)	\??\L:	ZYu4eR.exe
File opened (read-only)	\??\P:	ZYu4eR.exe
File opened (read-only)	\??\T:	ZYu4eR.exe
File opened (read-only)	\??\B:	ZYu4eR.exe
File opened (read-only)	\??\G:	ZYu4eR.exe
File opened (read-only)	\??\O:	ZYu4eR.exe
File opened (read-only)	\??\X:	ZYu4eR.exe
File opened (read-only)	\??\Z:	ZYu4eR.exe
File opened (read-only)	\??\E:	ZYu4eR.exe
File opened (read-only)	\??\H:	ZYu4eR.exe
File opened (read-only)	\??\J:	ZYu4eR.exe
File opened (read-only)	\??\U:	ZYu4eR.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-125_contrast-black.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxBlockMap.xml	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20_altform-unplated.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-selector.js	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\da-dk\ui-strings.js	ZYu4eR.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200_contrast-high.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-125.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\Aerial.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.People.Relevance.QueryClient.winmd	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\vi_get.svg	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.DLL.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\http.luac.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\THMBNAIL.PNG	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-125.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-lightunplated.png	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-tw\ui-strings.js	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\vlc.mo.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\THMBNAIL.PNG	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-100.png	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-MEDIUM.TTF.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-100_contrast-white.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	ZYu4eR.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-150.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.ps1	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-200_contrast-white.png	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-100.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.winmd	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\kb-locked.png	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-40_altform-unplated.png	ZYu4eR.exe
File opened for modification	C:\Program Files\Internet Explorer\images\bing.ico	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-200.png	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\ui-strings.js	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_02.jpg	ZYu4eR.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
11688	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	11688	taskmgr.exe
Token: SeSystemProfilePrivilege	11688	taskmgr.exe
Token: SeCreateGlobalPrivilege	11688	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe
11688	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
71668	OpenWith.exe

C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe
"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:4284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4064

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:11688

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:71668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1045988481-1457812719-2617974652-1000\desktop.ini

Filesize
1KB

MD5
c900c72e3b1fb46c17e681fb43e14e2f

SHA1
8f1bf9c087e4d986652e540015af4146d6ece1b0

SHA256
4d7ce258fd0af4060920600e2804302b10b24603d14a45f5582ebcbaa079750d

SHA512
553418a31e8d0d0868544fbcf548ea3631696b424f0c391128e1078269c642758476b4ed995620dc75f7e818e6fe637a7cab8014dce1dd9ad49f0ad8779281a6

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp.PLAY

Filesize
218.2MB

MD5
059e963965de377fb86dfc9d9a663d08

SHA1
695334f385a42ec01a48a87725e5e3fcda8b8925

SHA256
2be1e794a82ff55a8110fabcbb511c21ce0ba7bf8167057a7e36a29d360a13c2

SHA512
81f8c65362d8278e3f5fe526a286bb81e0a6e26170f2b9c09032c53cc33d057efe76432f1fb3b2072d510d6353d7e69ea92547d29dca423674b155fc70f674c8

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.PLAY

Filesize
167.0MB

MD5
0b70b77d9484c5946af9a49f7f325984

SHA1
2d874bfe06c4c3cec55fa28e401ee912ce6e7468

SHA256
7c096208feaeb587ca4edb6d5c438cd43027067b30854e0f45d76ab9831377e8

SHA512
7e5b2b778372af1463988e4f2c3e0e00f6515901cbaa024e4e1e39f44b1fb8d5ed53a6f15b358f1498371010eef1b7feef96017c355a53ac78e3a9e2e61acce1

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY

Filesize
1KB

MD5
e536c410a052a3ee5460e50373ad20ff

SHA1
ea82e9724e56380964f7472a033e952e183e93ee

SHA256
ff5bede8d5da1bea4f3f8eb6e631c243d6f7219eeac2b47fc0077d6e56f8a654

SHA512
e8a91b3d126d28f1af13091aac7666bb3f1a433b0a7706ceadfb65f307f9a6e32fb647883621e3b9dbb179825cba0bbd34a415badd02f51228931a645a58d171

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY

Filesize
1KB

MD5
c7898c2c1fa29fab230aa19e175867b3

SHA1
b15120187f22afe2f95a3803f7b95a4573056542

SHA256
5bc6e15681de29602d89ad74e7b4612a1cc5181ca09b75b89bc8419c230e8aa0

SHA512
ea85d9ed39a7ca2601f3c1698c8e30431719f2af56ea1a6b60675c4acd331110a1352554cc5a7fc84a0dd9bfad31914256ff85ca25d30d8d8dd093948422399d

Download Submit
C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY

Filesize
1KB

MD5
f5d005b6f5160f6a62fd3fc9a38fc9c4

SHA1
5dda42cc2a0f02ca4dec5cb8c2dbcda35001501d

SHA256
9e97bae2e0612834339c4b1a06c9bb5b825934eb74471b51b6fdf4fb616f01a6

SHA512
ba434e82645514e95dc90b6df3ddb24a8cfdc6d158c483dfafa358f13e2aaad5050175fdce91cb82ba169b1107b0795b5f9cffba7293613be0a5d3afd24b342a

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

Filesize
1KB

MD5
9e9680aa2eccf4c66cc7d080e7357edd

SHA1
8b9eed477a16c5e48b8ad4814d811f25cf40e54f

SHA256
689795a4aa12946c42c5a72f70f6cbc421c08ce05fc182b173be0838da56e598

SHA512
129f35019a3ffa548048c85cf6dc572ff33367365c26e9968c4a90a5dfea816362abf650dd0e1e2a9285704e51dc48efd19f34787ae05e086dbaae8d76fe62a8

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8.PLAY

Filesize
78.7MB

MD5
4e2d6a9e39e0b914479ada055dcd0a84

SHA1
fe648923478ddb968399ce0a99bd11a3ba62d08c

SHA256
857d9606c87cb2c450fb9fc7741e727975500e179622dbdae3bbf839fb1b1aab

SHA512
7f92fbba094fbcb05464253e45b9e2ea534fc25f7e4a15cb27481e701e22d95d16fa1a4498ef3826f307465cce7b5153c7f1cccb35752c638a6dcb679fb52c57

Download Submit
C:\ProgramData\Oracle\Java\java.settings.cfg.PLAY

Filesize
1KB

MD5
ecb3b7a6285ebee741d77ea406cb9e26

SHA1
41fa774c2f50a2dbbffa6223c14dcf1b262ccf34

SHA256
a1f7803437f5021307153d10d923696a3521e26da8f85aed70f35cb8ee24d867

SHA512
67823aaa79c9ca2574440e06a6925c8865c5d05caf2bbae90a51922cd51e9900ed2eaacfa8d7fa14b375ba2d1525bff70e5636d720102743937b765f07425f22

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

Filesize
1KB

MD5
105778c17e7af4f83a1a6987cf053615

SHA1
f96b4856cf6c03af24d91f23b6e642013234d43b

SHA256
c949145aeb05e1b2f12da3d1f61b2b4d063fc82a0e886810aded76c4e03899c4

SHA512
433791ccff8aa179183b1d54c267f2a0e47cbc5fe6878aa21a4091aa76d54ebb20e9a503c7744ca4e364581efc18070060d7c03a389c3fc33ad4a3cf39d42b92

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
5.5MB

MD5
39c0efe94c7c54182b005b2bc475ab77

SHA1
aaf1b383ef63a1879f1572a63e271f8245af1ee6

SHA256
0d141ddbafe004da950b25096f2e0be460ff2cb5b2acec3af0db45a9b0166001

SHA512
3542bda395d8f8ee4243ef1ac6494bcd24f8f7c4607f19a3b88a359b8dfacd8bf3e83bf526e14d8c0766804e7333ce58043820188212b3808f416d3370305153

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

Filesize
1KB

MD5
c2568414b367211a5f7bb0bbfa562111

SHA1
3ad0e833fb082c9479f5e716285d26a8e6e1925c

SHA256
cd82ba6798ac5a766aa0ef1eb50970a21af18dd01feaf5476e46dc4c4f9fd4d4

SHA512
c3dd45a4f80fa5f0231da0ea05cf0fbe7477004119c8e05d1867b6509ff934b2839adca5c13aad53b78fecd676ad34f033acc703b340b73d113516dd34662ec9

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
5.3MB

MD5
3bcd000ca89cab2ede956311e19d9b82

SHA1
7c1257abde599cce03e29247a24ad197354b1257

SHA256
75cc516a1dcb21a4f3ed97361f6c605a24083add9d5ebe30dfdd17199191d1b9

SHA512
66c2cd8a4428ec6fe2b7c39458855d317b26c74ad03c4c204b96ea1391848487b28fece11c99fb73df42770825df39a3b3a5454a21e93d3def3171924164fea9

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

Filesize
1KB

MD5
7c6ea97435ed80fc1d2c68718b34cf66

SHA1
a1bc6da0a05e434d1973a789fdf326cb500161a6

SHA256
3bab55c2f1d4e9f23f6da6157f3f08e5e41d07d60bc69f37b8c026595ed318ec

SHA512
0b88444a8f38da36aa8a10e9a47ac9efc3e45532b00c68d466d6f49d3f7f1d25eb18b53788144c945820e96dcb3b2ff7fce9108502cbfbe9070640d9a851e0c5

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

Filesize
1KB

MD5
25f81c73bc0d6d5d82af224a9445fbc8

SHA1
7333b1579d22b429439c0e85e8904fa7a69e643d

SHA256
6f3bb746e30d71542d56b7cb305da6dcb9035961680fdeae6cdd7cf45e255f5e

SHA512
bd8733840e9a0fd12811f5ed6a1d0c9063cec6c46d984d507006038b8d47ebdf525ea42e21a7c1e6cb5c06affb0e34e0af3bbc45ac7f4a67fb02095457e2cb49

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
870KB

MD5
ea13d470270c6019870e4f79185d1f3a

SHA1
9987b19271ecedbba516428b9c80fa8db38f5bb4

SHA256
eed4e2971c04092f6ce40cfaa221b8f5ef04a4ace3f19d57ac0c0845279ebab5

SHA512
49598b4886cb5d58eb4465cd04288f3658d8280918a8afa4904aec453e3d8db4d198482df2d4d9a219a7bc9c8c11c33715d753f4027629ff77616c29b0873051

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
5.4MB

MD5
e6257aada4d4d18a513f2c325b43ea19

SHA1
f05a3fc4709f65ab8acd1dbe99bb091c8f16a74b

SHA256
03e6ef48016301304705bbfa869eb8c183cdf325d16a35eb9084cf6472efdff3

SHA512
80071b8bcebc75c799686436f85bc708a1c22fd1e3f95e2d5df03c2092f80fb11e82d19f49e74dcb2ebb8e94c849e193a6cafb5a34ca8adf093ee3e218821776

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
4.7MB

MD5
02323ef1ce03d5ca9b3336d5d75673bb

SHA1
a51f33073b05dc36feb83939485623442a822724

SHA256
467e9d8593dd3c66174b3f3b4638cfb32bc6f771c97d138e209d81faa97e627b

SHA512
916e9248953d13d87013024e82633ad4e695a7bc696d7cdfd92dec75273a2a0327297387c90584d0d3781faa0adbc7512bfb0175923dcbef0dd151f60ed1ce66

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
4.9MB

MD5
95b7c9d4a45a7e675d6ab610708ce3b5

SHA1
fabf86788715c75aa473046fcb5edb38aaf7b2b0

SHA256
1a15bc52c52ba35ad2a8264eaec8c9b4173223da75cf7283ab767e934bdbcb80

SHA512
78433579374415ce7cdeaf0a4a33ab5b77e71ed503795c7f7978cd96e9abcb0c09ec2631b705c8fc2b37f22eb8d60286a37f0ad77b42b46e94b603c408b21e0f

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
803KB

MD5
71e41216f445124ba23dee067f14f4af

SHA1
00752cac7f332b7e8351ceca5879bd19ff234e69

SHA256
80af441f47d8873982de43cc3811b93f4669f3f0ffd3a6b8f0dbdabdfa015acb

SHA512
4a936e43d01a0f21a64b242b6bf75b0b28389bb2fdec76fb926e1f1a953fb2c5042a7664fa7fd9954271f3f93a71dd8b0ef9b42467a0064500ef2f97633fcf48

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
4.9MB

MD5
2c37c21f0782bd01ae343a2ee72c7b41

SHA1
55070d21582af76b3b5b134c513e11739595b5bd

SHA256
28536be60f52fab6509603f1d3aae90e85d3ae5c87b53d624133dea6d6e29531

SHA512
cda5b33a8fd41aaea98f7ea14f25add569a280fe6fc6362474c08f06618448560fe3f57ee60acf5764f84dba6b2c7e4f2919781f343c125f8b15d26af0657cfa

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
1011KB

MD5
08f019c965d78338589a5dd7e72e8e7b

SHA1
2c664f7b3a46e85548992f58b794b1882fc6ce11

SHA256
e31f2ffeff6b5b952de58bbb9f717463bb893ddf629c95a1b9d7233b2c4d34b8

SHA512
cd1711982a08f8d2eec37723707360ac13f656609dcd397c0e621e9047147de42573b2a8226822d830f3e9f040ec59cc5475d286bd0d74e731fb134d03658390

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
791KB

MD5
9889adf1555007d4bcf79adfe8d6cb92

SHA1
884236003ab86d2d2d842a4bb4b41a3d553f4282

SHA256
a66ae5683fdc2cb8159347204beafd4acd683546ee61d3b3b9299410ef3f558a

SHA512
c314dde5b192f448fbd2a500b0efc0f165e566331e59a13245602bdcb70beedb018556ef3e1d577e3ee3f8791f27e4b3bfc089c56766c3ee775833f6e7b9f544

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
974KB

MD5
3da7aec7ce70f34267ec87de9c06e0ea

SHA1
d556603f74cd167099461e3ca1c515987def0cc5

SHA256
80e2b8504517f1467de301c8cc5dd696e8d947debc344e126161792b3417e67e

SHA512
1d13d8ca0e12780718b74b84c91259e5b7d025b11ecf94ae373363c5f708b26cbd4e775c8b2be449dc3e1f27b1d1b843727a64abb433fb3e9c3f80de7aa6a402

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
742KB

MD5
b67ca9066c78d43f1b384788b8cbafba

SHA1
f20155e7594c4224cc5c2b746362b54bbf7a4a3f

SHA256
b456ba62a8bf1b1369dad696b0780bff26dd8e391f0edee176d8600617e96d0c

SHA512
480d7f1b5b9f5e76f65a5162d141746c63f636354fc4d9c445cf84392512ae1ac7128e7d4b8d1586ae592a3d451fddc26bb48f596e1eace7470e7e61d766eb7b

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

Filesize
1KB

MD5
8dde1e0e6cb7233ff7aa61c0eb87d164

SHA1
2d13a73cb991141f1bff32ae6747443e7fd3bea0

SHA256
63a4f96fdae5451660abc2f5cc1e49eb942a296d306a448a4db93bc9ca7b9ee5

SHA512
9f8545b7bb71b077ff0a89d3f5aab0db42b8d31186d154b5468709d0994a6bc974abad1d34dfee325ffe9680843f006923792596abdb6406c65a0266cdb4048b

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

Filesize
1KB

MD5
797301adc0d1de00336a174897d9ee48

SHA1
83d7da1321ed41fafc8fd003ddd51e3ce1383101

SHA256
112f489973a7688275fbc60795cd08f984f88fdf198ef0bb4d41d9c495e70ce6

SHA512
45264eeff0aae6999564d26f69b45b138cae7c3a885252485112cd036756d8f29e7702f94e9651b721103d4aebee16698f22b34e640a5dc7eb2fe56108fff00f

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.PLAY

Filesize
2KB

MD5
d7dad1d06da7969bf856e0da99a943d2

SHA1
2912f7f62fadca4fe84eecdbcfe9936a49ba0ebe

SHA256
db9f4cd8843a3b96c1bf001b7ce8f02ae6ca616a8cfcba46e8ece2448439bcca

SHA512
72e8c0f5fe7f2cca11940753e911956731ff2a827a294b61b5caca951462ed3cefde0e1f14a62840ba7f7ccef08dac740aab8c2b6b2f6f1a8958168a8d145f9b

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.PLAY

Filesize
2KB

MD5
7356035f51cc491091de982a590c269c

SHA1
f88678348c4eca56f7448b7b2ce1932dd5e34fbf

SHA256
df64146a2c6670937d7886801e24179b10e6cd634c28e2e137bd7c72f3e97f0a

SHA512
81e006d3d3b3375920f80bb89dc6ffa02f4dd7d42bfc53a79a752c8563d95835fce172bbbc67ccbf4c15cfd642de5a2ace46e7f6fb23561b5caa0577572b2d12

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.PLAY

Filesize
2KB

MD5
cdc637e4233f94529f07b061e1a7b505

SHA1
8375954ba02816a13197bbbc5f774847d2eff10b

SHA256
2742bbb9a4cf483357dff6ba8d18ac5783a431bbe4441fa547c902c6551a01d9

SHA512
95347bb3acc42f786f889a30d8178b5a7d16af2c6d11d98c770581dace5260a411475dfc0b1a41225a20b84e2d27b64e653395b2a3035af3071e0e78535bc232

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.PLAY

Filesize
2KB

MD5
60c0972a6914a4baf9f8dfd71f03e5aa

SHA1
f4482a3b030c12a8f6728c5f0a1dac5005924fe4

SHA256
20bcaaa91b17979c03a843e143fd7ccdf1ba809865e6b316a4acfc4a759084b1

SHA512
00dfd935d78f7925c8830a443d722534d0641c95714404fc666fb90cc75a67907df5fa326f73ec7f7eb7ce4df7769c57b7bd7086042c2bfe90c1fe6c58f57ae2

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
65KB

MD5
12e49ee497e7940586e00b29b953eb4c

SHA1
16138c9a4a7a0b201051df57247cdb76ed3dcc61

SHA256
184308ad683f0525b846403bbce8af87d320790c785d7aabd60375c8fbfb06f2

SHA512
64d6cda56095052ba25463b170638850795aa7c03395ca0d72d34b5b38cff5b0426f527471d6eed1a5e975ba2a8b6a04f610eba66cb7a954767796fa7b5fb78a

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
memory/4284-0-0x0000000003150000-0x000000000317C000-memory.dmp

Filesize
176KB

Download
memory/11688-6846-0x00000139BED70000-0x00000139BED71000-memory.dmp

Filesize
4KB

Download
memory/11688-6847-0x00000139BED70000-0x00000139BED71000-memory.dmp

Filesize
4KB

Download
memory/11688-6848-0x00000139BED70000-0x00000139BED71000-memory.dmp

Filesize
4KB

Download
memory/11688-6849-0x00000139BED70000-0x00000139BED71000-memory.dmp

Filesize
4KB

Download
memory/11688-6850-0x00000139BED70000-0x00000139BED71000-memory.dmp

Filesize
4KB

Download
memory/11688-6845-0x00000139BED70000-0x00000139BED71000-memory.dmp

Filesize
4KB

Download
memory/11688-6830-0x00000139BED70000-0x00000139BED71000-memory.dmp

Filesize
4KB

Download
memory/11688-6494-0x00000139BED70000-0x00000139BED71000-memory.dmp

Filesize
4KB

Download
memory/11688-6389-0x00000139BED70000-0x00000139BED71000-memory.dmp

Filesize
4KB

Download
memory/11688-6343-0x00000139BED70000-0x00000139BED71000-memory.dmp

Filesize
4KB

Download