Malware Analysis Report

2024-10-18 21:36

Sample ID: 230925-l9hlgsff62
Target: ZYu4eR.exe.zip
SHA256: 52480d0a016e6df93f58ecc9a6e8d42177bd35e393406d464426a0951e206a36
Tags: play, ransomware, spyware, stealer
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 52480d0a016e6df93f58ecc9a6e8d42177bd35e393406d464426a0951e206a36

Threat Level: Known bad

The file ZYu4eR.exe.zip was found to be: Known bad.

Malicious Activity Summary

Tags: play, ransomware, spyware, stealer

PLAY Ransomware, PlayCrypt

Renames multiple (8292) files with added filename extension

Reads user/profile data of web browsers

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-09-25 10:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-09-25 10:13
Reported: 2023-09-25 10:21
Platform: win10v2004-20230915-es
Max time kernel: 329s
Max time network: 298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"

Signatures

PLAY Ransomware, PlayCrypt (tags: ransomware, play)

Renames multiple (8292) files with added filename extension (tag: ransomware)

Reads user/profile data of web browsers (tags: spyware, stealer)

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1045988481-1457812719-2617974652-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-selector.js C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ka.txt.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200_contrast-high.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-125.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\Aerial.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.People.Relevance.QueryClient.winmd C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\vi_get.svg C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.DLL.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\http.luac.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-tw\ui-strings.js C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\vlc.mo.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-100.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-MEDIUM.TTF.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.ps1 C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-100.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.winmd C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\kb-locked.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Internet Explorer\images\bing.ico C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.PLAY C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\ui-strings.js C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_02.jpg C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe

"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files
