Analysis Overview
SHA256
52480d0a016e6df93f58ecc9a6e8d42177bd35e393406d464426a0951e206a36
Threat Level: Known bad
The file ZYu4eR.exe.zip was found to be: Known bad.
Malicious Activity Summary
PLAY Ransomware, PlayCrypt
Renames multiple (8292) files with added filename extension
Reads user/profile data of web browsers
Enumerates connected drives
Drops desktop.ini file(s)
Drops file in Program Files directory
Unsigned PE
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-25 10:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-25 10:13
Reported
2023-09-25 10:21
Platform
win10v2004-20230915-es
Max time kernel
329s
Max time network
298s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Renames multiple (8292) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1045988481-1457812719-2617974652-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-selector.js | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\da-dk\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200_contrast-high.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-125.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\Aerial.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.People.Relevance.QueryClient.winmd | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\vi_get.svg | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.DLL.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\http.luac.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-tw\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\vlc.mo.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-100.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-MEDIUM.TTF.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.ps1 | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-100.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.winmd | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\kb-locked.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-40_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\images\bing.ico | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.PLAY | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_02.jpg | C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe
"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/4284-0-0x0000000003150000-0x000000000317C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1045988481-1457812719-2617974652-1000\desktop.ini
| MD5 | c900c72e3b1fb46c17e681fb43e14e2f |
| SHA1 | 8f1bf9c087e4d986652e540015af4146d6ece1b0 |
| SHA256 | 4d7ce258fd0af4060920600e2804302b10b24603d14a45f5582ebcbaa079750d |
| SHA512 | 553418a31e8d0d0868544fbcf548ea3631696b424f0c391128e1078269c642758476b4ed995620dc75f7e818e6fe637a7cab8014dce1dd9ad49f0ad8779281a6 |
memory/11688-6343-0x00000139BED70000-0x00000139BED71000-memory.dmp
memory/11688-6389-0x00000139BED70000-0x00000139BED71000-memory.dmp
memory/11688-6494-0x00000139BED70000-0x00000139BED71000-memory.dmp
memory/11688-6830-0x00000139BED70000-0x00000139BED71000-memory.dmp
memory/11688-6845-0x00000139BED70000-0x00000139BED71000-memory.dmp
memory/11688-6850-0x00000139BED70000-0x00000139BED71000-memory.dmp
memory/11688-6849-0x00000139BED70000-0x00000139BED71000-memory.dmp
memory/11688-6848-0x00000139BED70000-0x00000139BED71000-memory.dmp
memory/11688-6847-0x00000139BED70000-0x00000139BED71000-memory.dmp
memory/11688-6846-0x00000139BED70000-0x00000139BED71000-memory.dmp
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | 6bd369f7c74a28194c991ed1404da30f |
| SHA1 | 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643 |
| SHA256 | 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d |
| SHA512 | 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | 12e49ee497e7940586e00b29b953eb4c |
| SHA1 | 16138c9a4a7a0b201051df57247cdb76ed3dcc61 |
| SHA256 | 184308ad683f0525b846403bbce8af87d320790c785d7aabd60375c8fbfb06f2 |
| SHA512 | 64d6cda56095052ba25463b170638850795aa7c03395ca0d72d34b5b38cff5b0426f527471d6eed1a5e975ba2a8b6a04f610eba66cb7a954767796fa7b5fb78a |
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
| MD5 | 95b7c9d4a45a7e675d6ab610708ce3b5 |
| SHA1 | fabf86788715c75aa473046fcb5edb38aaf7b2b0 |
| SHA256 | 1a15bc52c52ba35ad2a8264eaec8c9b4173223da75cf7283ab767e934bdbcb80 |
| SHA512 | 78433579374415ce7cdeaf0a4a33ab5b77e71ed503795c7f7978cd96e9abcb0c09ec2631b705c8fc2b37f22eb8d60286a37f0ad77b42b46e94b603c408b21e0f |
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.PLAY
| MD5 | 60c0972a6914a4baf9f8dfd71f03e5aa |
| SHA1 | f4482a3b030c12a8f6728c5f0a1dac5005924fe4 |
| SHA256 | 20bcaaa91b17979c03a843e143fd7ccdf1ba809865e6b316a4acfc4a759084b1 |
| SHA512 | 00dfd935d78f7925c8830a443d722534d0641c95714404fc666fb90cc75a67907df5fa326f73ec7f7eb7ce4df7769c57b7bd7086042c2bfe90c1fe6c58f57ae2 |
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.PLAY
| MD5 | cdc637e4233f94529f07b061e1a7b505 |
| SHA1 | 8375954ba02816a13197bbbc5f774847d2eff10b |
| SHA256 | 2742bbb9a4cf483357dff6ba8d18ac5783a431bbe4441fa547c902c6551a01d9 |
| SHA512 | 95347bb3acc42f786f889a30d8178b5a7d16af2c6d11d98c770581dace5260a411475dfc0b1a41225a20b84e2d27b64e653395b2a3035af3071e0e78535bc232 |
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.PLAY
| MD5 | 7356035f51cc491091de982a590c269c |
| SHA1 | f88678348c4eca56f7448b7b2ce1932dd5e34fbf |
| SHA256 | df64146a2c6670937d7886801e24179b10e6cd634c28e2e137bd7c72f3e97f0a |
| SHA512 | 81e006d3d3b3375920f80bb89dc6ffa02f4dd7d42bfc53a79a752c8563d95835fce172bbbc67ccbf4c15cfd642de5a2ace46e7f6fb23561b5caa0577572b2d12 |
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.PLAY
| MD5 | d7dad1d06da7969bf856e0da99a943d2 |
| SHA1 | 2912f7f62fadca4fe84eecdbcfe9936a49ba0ebe |
| SHA256 | db9f4cd8843a3b96c1bf001b7ce8f02ae6ca616a8cfcba46e8ece2448439bcca |
| SHA512 | 72e8c0f5fe7f2cca11940753e911956731ff2a827a294b61b5caca951462ed3cefde0e1f14a62840ba7f7ccef08dac740aab8c2b6b2f6f1a8958168a8d145f9b |
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY
| MD5 | b67ca9066c78d43f1b384788b8cbafba |
| SHA1 | f20155e7594c4224cc5c2b746362b54bbf7a4a3f |
| SHA256 | b456ba62a8bf1b1369dad696b0780bff26dd8e391f0edee176d8600617e96d0c |
| SHA512 | 480d7f1b5b9f5e76f65a5162d141746c63f636354fc4d9c445cf84392512ae1ac7128e7d4b8d1586ae592a3d451fddc26bb48f596e1eace7470e7e61d766eb7b |
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY
| MD5 | 797301adc0d1de00336a174897d9ee48 |
| SHA1 | 83d7da1321ed41fafc8fd003ddd51e3ce1383101 |
| SHA256 | 112f489973a7688275fbc60795cd08f984f88fdf198ef0bb4d41d9c495e70ce6 |
| SHA512 | 45264eeff0aae6999564d26f69b45b138cae7c3a885252485112cd036756d8f29e7702f94e9651b721103d4aebee16698f22b34e640a5dc7eb2fe56108fff00f |
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY
| MD5 | 3da7aec7ce70f34267ec87de9c06e0ea |
| SHA1 | d556603f74cd167099461e3ca1c515987def0cc5 |
| SHA256 | 80e2b8504517f1467de301c8cc5dd696e8d947debc344e126161792b3417e67e |
| SHA512 | 1d13d8ca0e12780718b74b84c91259e5b7d025b11ecf94ae373363c5f708b26cbd4e775c8b2be449dc3e1f27b1d1b843727a64abb433fb3e9c3f80de7aa6a402 |
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
| MD5 | 9889adf1555007d4bcf79adfe8d6cb92 |
| SHA1 | 884236003ab86d2d2d842a4bb4b41a3d553f4282 |
| SHA256 | a66ae5683fdc2cb8159347204beafd4acd683546ee61d3b3b9299410ef3f558a |
| SHA512 | c314dde5b192f448fbd2a500b0efc0f165e566331e59a13245602bdcb70beedb018556ef3e1d577e3ee3f8791f27e4b3bfc089c56766c3ee775833f6e7b9f544 |
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
| MD5 | 08f019c965d78338589a5dd7e72e8e7b |
| SHA1 | 2c664f7b3a46e85548992f58b794b1882fc6ce11 |
| SHA256 | e31f2ffeff6b5b952de58bbb9f717463bb893ddf629c95a1b9d7233b2c4d34b8 |
| SHA512 | cd1711982a08f8d2eec37723707360ac13f656609dcd397c0e621e9047147de42573b2a8226822d830f3e9f040ec59cc5475d286bd0d74e731fb134d03658390 |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY
| MD5 | 8dde1e0e6cb7233ff7aa61c0eb87d164 |
| SHA1 | 2d13a73cb991141f1bff32ae6747443e7fd3bea0 |
| SHA256 | 63a4f96fdae5451660abc2f5cc1e49eb942a296d306a448a4db93bc9ca7b9ee5 |
| SHA512 | 9f8545b7bb71b077ff0a89d3f5aab0db42b8d31186d154b5468709d0994a6bc974abad1d34dfee325ffe9680843f006923792596abdb6406c65a0266cdb4048b |
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
| MD5 | 2c37c21f0782bd01ae343a2ee72c7b41 |
| SHA1 | 55070d21582af76b3b5b134c513e11739595b5bd |
| SHA256 | 28536be60f52fab6509603f1d3aae90e85d3ae5c87b53d624133dea6d6e29531 |
| SHA512 | cda5b33a8fd41aaea98f7ea14f25add569a280fe6fc6362474c08f06618448560fe3f57ee60acf5764f84dba6b2c7e4f2919781f343c125f8b15d26af0657cfa |
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY
| MD5 | 71e41216f445124ba23dee067f14f4af |
| SHA1 | 00752cac7f332b7e8351ceca5879bd19ff234e69 |
| SHA256 | 80af441f47d8873982de43cc3811b93f4669f3f0ffd3a6b8f0dbdabdfa015acb |
| SHA512 | 4a936e43d01a0f21a64b242b6bf75b0b28389bb2fdec76fb926e1f1a953fb2c5042a7664fa7fd9954271f3f93a71dd8b0ef9b42467a0064500ef2f97633fcf48 |
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY
| MD5 | 02323ef1ce03d5ca9b3336d5d75673bb |
| SHA1 | a51f33073b05dc36feb83939485623442a822724 |
| SHA256 | 467e9d8593dd3c66174b3f3b4638cfb32bc6f771c97d138e209d81faa97e627b |
| SHA512 | 916e9248953d13d87013024e82633ad4e695a7bc696d7cdfd92dec75273a2a0327297387c90584d0d3781faa0adbc7512bfb0175923dcbef0dd151f60ed1ce66 |
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
| MD5 | e6257aada4d4d18a513f2c325b43ea19 |
| SHA1 | f05a3fc4709f65ab8acd1dbe99bb091c8f16a74b |
| SHA256 | 03e6ef48016301304705bbfa869eb8c183cdf325d16a35eb9084cf6472efdff3 |
| SHA512 | 80071b8bcebc75c799686436f85bc708a1c22fd1e3f95e2d5df03c2092f80fb11e82d19f49e74dcb2ebb8e94c849e193a6cafb5a34ca8adf093ee3e218821776 |
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY
| MD5 | ea13d470270c6019870e4f79185d1f3a |
| SHA1 | 9987b19271ecedbba516428b9c80fa8db38f5bb4 |
| SHA256 | eed4e2971c04092f6ce40cfaa221b8f5ef04a4ace3f19d57ac0c0845279ebab5 |
| SHA512 | 49598b4886cb5d58eb4465cd04288f3658d8280918a8afa4904aec453e3d8db4d198482df2d4d9a219a7bc9c8c11c33715d753f4027629ff77616c29b0873051 |
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY
| MD5 | 25f81c73bc0d6d5d82af224a9445fbc8 |
| SHA1 | 7333b1579d22b429439c0e85e8904fa7a69e643d |
| SHA256 | 6f3bb746e30d71542d56b7cb305da6dcb9035961680fdeae6cdd7cf45e255f5e |
| SHA512 | bd8733840e9a0fd12811f5ed6a1d0c9063cec6c46d984d507006038b8d47ebdf525ea42e21a7c1e6cb5c06affb0e34e0af3bbc45ac7f4a67fb02095457e2cb49 |
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY
| MD5 | 7c6ea97435ed80fc1d2c68718b34cf66 |
| SHA1 | a1bc6da0a05e434d1973a789fdf326cb500161a6 |
| SHA256 | 3bab55c2f1d4e9f23f6da6157f3f08e5e41d07d60bc69f37b8c026595ed318ec |
| SHA512 | 0b88444a8f38da36aa8a10e9a47ac9efc3e45532b00c68d466d6f49d3f7f1d25eb18b53788144c945820e96dcb3b2ff7fce9108502cbfbe9070640d9a851e0c5 |
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
| MD5 | 3bcd000ca89cab2ede956311e19d9b82 |
| SHA1 | 7c1257abde599cce03e29247a24ad197354b1257 |
| SHA256 | 75cc516a1dcb21a4f3ed97361f6c605a24083add9d5ebe30dfdd17199191d1b9 |
| SHA512 | 66c2cd8a4428ec6fe2b7c39458855d317b26c74ad03c4c204b96ea1391848487b28fece11c99fb73df42770825df39a3b3a5454a21e93d3def3171924164fea9 |
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY
| MD5 | c2568414b367211a5f7bb0bbfa562111 |
| SHA1 | 3ad0e833fb082c9479f5e716285d26a8e6e1925c |
| SHA256 | cd82ba6798ac5a766aa0ef1eb50970a21af18dd01feaf5476e46dc4c4f9fd4d4 |
| SHA512 | c3dd45a4f80fa5f0231da0ea05cf0fbe7477004119c8e05d1867b6509ff934b2839adca5c13aad53b78fecd676ad34f033acc703b340b73d113516dd34662ec9 |
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY
| MD5 | 39c0efe94c7c54182b005b2bc475ab77 |
| SHA1 | aaf1b383ef63a1879f1572a63e271f8245af1ee6 |
| SHA256 | 0d141ddbafe004da950b25096f2e0be460ff2cb5b2acec3af0db45a9b0166001 |
| SHA512 | 3542bda395d8f8ee4243ef1ac6494bcd24f8f7c4607f19a3b88a359b8dfacd8bf3e83bf526e14d8c0766804e7333ce58043820188212b3808f416d3370305153 |
C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8.PLAY
| MD5 | 4e2d6a9e39e0b914479ada055dcd0a84 |
| SHA1 | fe648923478ddb968399ce0a99bd11a3ba62d08c |
| SHA256 | 857d9606c87cb2c450fb9fc7741e727975500e179622dbdae3bbf839fb1b1aab |
| SHA512 | 7f92fbba094fbcb05464253e45b9e2ea534fc25f7e4a15cb27481e701e22d95d16fa1a4498ef3826f307465cce7b5153c7f1cccb35752c638a6dcb679fb52c57 |
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY
| MD5 | 9e9680aa2eccf4c66cc7d080e7357edd |
| SHA1 | 8b9eed477a16c5e48b8ad4814d811f25cf40e54f |
| SHA256 | 689795a4aa12946c42c5a72f70f6cbc421c08ce05fc182b173be0838da56e598 |
| SHA512 | 129f35019a3ffa548048c85cf6dc572ff33367365c26e9968c4a90a5dfea816362abf650dd0e1e2a9285704e51dc48efd19f34787ae05e086dbaae8d76fe62a8 |
C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY
| MD5 | f5d005b6f5160f6a62fd3fc9a38fc9c4 |
| SHA1 | 5dda42cc2a0f02ca4dec5cb8c2dbcda35001501d |
| SHA256 | 9e97bae2e0612834339c4b1a06c9bb5b825934eb74471b51b6fdf4fb616f01a6 |
| SHA512 | ba434e82645514e95dc90b6df3ddb24a8cfdc6d158c483dfafa358f13e2aaad5050175fdce91cb82ba169b1107b0795b5f9cffba7293613be0a5d3afd24b342a |
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY
| MD5 | c7898c2c1fa29fab230aa19e175867b3 |
| SHA1 | b15120187f22afe2f95a3803f7b95a4573056542 |
| SHA256 | 5bc6e15681de29602d89ad74e7b4612a1cc5181ca09b75b89bc8419c230e8aa0 |
| SHA512 | ea85d9ed39a7ca2601f3c1698c8e30431719f2af56ea1a6b60675c4acd331110a1352554cc5a7fc84a0dd9bfad31914256ff85ca25d30d8d8dd093948422399d |
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.PLAY
| MD5 | 0b70b77d9484c5946af9a49f7f325984 |
| SHA1 | 2d874bfe06c4c3cec55fa28e401ee912ce6e7468 |
| SHA256 | 7c096208feaeb587ca4edb6d5c438cd43027067b30854e0f45d76ab9831377e8 |
| SHA512 | 7e5b2b778372af1463988e4f2c3e0e00f6515901cbaa024e4e1e39f44b1fb8d5ed53a6f15b358f1498371010eef1b7feef96017c355a53ac78e3a9e2e61acce1 |
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp.PLAY
| MD5 | 059e963965de377fb86dfc9d9a663d08 |
| SHA1 | 695334f385a42ec01a48a87725e5e3fcda8b8925 |
| SHA256 | 2be1e794a82ff55a8110fabcbb511c21ce0ba7bf8167057a7e36a29d360a13c2 |
| SHA512 | 81f8c65362d8278e3f5fe526a286bb81e0a6e26170f2b9c09032c53cc33d057efe76432f1fb3b2072d510d6353d7e69ea92547d29dca423674b155fc70f674c8 |
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY
| MD5 | 105778c17e7af4f83a1a6987cf053615 |
| SHA1 | f96b4856cf6c03af24d91f23b6e642013234d43b |
| SHA256 | c949145aeb05e1b2f12da3d1f61b2b4d063fc82a0e886810aded76c4e03899c4 |
| SHA512 | 433791ccff8aa179183b1d54c267f2a0e47cbc5fe6878aa21a4091aa76d54ebb20e9a503c7744ca4e364581efc18070060d7c03a389c3fc33ad4a3cf39d42b92 |
C:\ProgramData\Oracle\Java\java.settings.cfg.PLAY
| MD5 | ecb3b7a6285ebee741d77ea406cb9e26 |
| SHA1 | 41fa774c2f50a2dbbffa6223c14dcf1b262ccf34 |
| SHA256 | a1f7803437f5021307153d10d923696a3521e26da8f85aed70f35cb8ee24d867 |
| SHA512 | 67823aaa79c9ca2574440e06a6925c8865c5d05caf2bbae90a51922cd51e9900ed2eaacfa8d7fa14b375ba2d1525bff70e5636d720102743937b765f07425f22 |
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY
| MD5 | e536c410a052a3ee5460e50373ad20ff |
| SHA1 | ea82e9724e56380964f7472a033e952e183e93ee |
| SHA256 | ff5bede8d5da1bea4f3f8eb6e631c243d6f7219eeac2b47fc0077d6e56f8a654 |
| SHA512 | e8a91b3d126d28f1af13091aac7666bb3f1a433b0a7706ceadfb65f307f9a6e32fb647883621e3b9dbb179825cba0bbd34a415badd02f51228931a645a58d171 |