play | 52480d0a016e6df93f58ecc9a6e8d42177bd35e393406d464426a0951e206a36

Analysis

max time kernel
193s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20230915-es
resource tags

arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
25/09/2023, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZYu4eR.exe
Size

458KB
MD5

a7220cc1827fca75b6e74efe59a8ea77
SHA1

836c066fff10ad423134f863528f4ec3d3e95962
SHA256

731457e4704d299b353e802b72a6908dfa2124cbb5130b8cb9a943c6be6bcdc6
SHA512

90cda9290fbc28187da837c4829fa1cd0084a58c87e58b6ddb0e70340b334507233bc0ab2c858462824e21babaaf2118dee68513e5c87fa7126d46bce5d38b21
SSDEEP

6144:4/MZO4aLcwC0IEVvO2UcxnwMSKY3m5MzrTV/yqUKmLzmZhbVPcK7lKWp+:4XiwC0pVvOwxSCirEXKPZh+Kdp+

Score

10^/10

play ransomware spyware stealer

Malware Config

Signatures

PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
ransomware play
Renames multiple (8319) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	ZYu4eR.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Program Files\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	ZYu4eR.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	ZYu4eR.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	ZYu4eR.exe
File opened (read-only)	\??\O:	ZYu4eR.exe
File opened (read-only)	\??\R:	ZYu4eR.exe
File opened (read-only)	\??\T:	ZYu4eR.exe
File opened (read-only)	\??\Z:	ZYu4eR.exe
File opened (read-only)	\??\B:	ZYu4eR.exe
File opened (read-only)	\??\G:	ZYu4eR.exe
File opened (read-only)	\??\M:	ZYu4eR.exe
File opened (read-only)	\??\P:	ZYu4eR.exe
File opened (read-only)	\??\S:	ZYu4eR.exe
File opened (read-only)	\??\Q:	ZYu4eR.exe
File opened (read-only)	\??\U:	ZYu4eR.exe
File opened (read-only)	\??\V:	ZYu4eR.exe
File opened (read-only)	\??\I:	ZYu4eR.exe
File opened (read-only)	\??\J:	ZYu4eR.exe
File opened (read-only)	\??\K:	ZYu4eR.exe
File opened (read-only)	\??\L:	ZYu4eR.exe
File opened (read-only)	\??\N:	ZYu4eR.exe
File opened (read-only)	\??\W:	ZYu4eR.exe
File opened (read-only)	\??\Y:	ZYu4eR.exe
File opened (read-only)	\??\A:	ZYu4eR.exe
File opened (read-only)	\??\H:	ZYu4eR.exe
File opened (read-only)	\??\X:	ZYu4eR.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalMedTile.scale-200.png	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimelessReport.dotx	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\EVRGREEN.INF	ZYu4eR.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ShareProvider_CopyFile24x24.scale-100.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-32_altform-unplated_contrast-white.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-32.png	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-400.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1949_24x24x32.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GooglePromoTile.scale-100.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\LargeTile.scale-100.png	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setEmbeddedCP.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected.svg.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.winmd	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\Validator.Tests.ps1	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Add-Numbers.ps1	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg6.jpg	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-48_altform-unplated.png	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\ui-strings.js	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\ui-strings.js	ZYu4eR.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_2x.png.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-400_contrast-black.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-125.png	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\ui-strings.js	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\empty.png	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.scale-125.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-400.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARA.TTF.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\PlayStore_icon.svg.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg3_thumb.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-125.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-150.png	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\ui-strings.js.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare71x71Logo.scale-125_contrast-black.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-100.HCBlack.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircle.png	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\da-dk\ui-strings.js	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\javafx-mx.jar.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main.css.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\ui-strings.js.PLAY	ZYu4eR.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	ZYu4eR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.scale-125.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_altform-unplated_contrast-white.png	ZYu4eR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\MedTile.scale-200.png	ZYu4eR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar.PLAY	ZYu4eR.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
70844	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	taskmgr.exe
Token: SeSystemProfilePrivilege	2796	taskmgr.exe
Token: SeCreateGlobalPrivilege	2796	taskmgr.exe
Token: 33	2796	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2796	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe
"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:3636

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2796

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:70844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini

Filesize
1KB

MD5
00acde2b0ecbbd957346e8c29e82eb88

SHA1
01b9cbab9ed41b86d6e4dda9aaf158f640ab6bdf

SHA256
55e99e35aa169acfbba3cb3dbfcbc5735faa23e2b3edb304e59d77b4b7d58dee

SHA512
27f9c944127b11eb64654a40e43c7f03d623c57bc628f45735ac0d732a772aa78d878849c6943d5aeb738e96e0c38f2dc8d8ef051eda97f612a5b019a03d7baa

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp.PLAY

Filesize
218.2MB

MD5
41017fd87a4c17c842f05589f18c5196

SHA1
0e939590a971553831c06a72238a2bb1eebe0c1c

SHA256
6757936abe533e6bffbd59efb566756c47cf80c74213b1343af0728cf336ab03

SHA512
3b8918430e3c15e605205deeb0f9fa8b632b82361c3be16e404d8a46e1b7526aace62b1a948aaaaf0b42467be0b7a33e0ee11f5f0f27539f4bf4c867286dd9a6

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.PLAY

Filesize
167.0MB

MD5
93e6ce5c22cc13d7a4e156c67b2fd38b

SHA1
be7f5c7f37885634bc1a1d78ae6da472bcc31049

SHA256
bf078ac812bda644b8ac3bf26c6adc6fe0b6e0613ad9e5e3097751eaf877bdf9

SHA512
4b8d02a2ed8ea2d1d454a10bc7e392aad0fbcdae03dee75a53ad29b0f2c5bcaf133f2f835a165c342e2cbb2c77f6c79d99e992c53cb079025421bd958fd81c1d

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY

Filesize
1KB

MD5
33d017e908f614dc6e6e977d35dae62e

SHA1
ffac5dc457a460bbc9bfb569ac9a2bb18fbce956

SHA256
003212842448b307a67b3f5912a60d9b05457258b5a91a2ae26ecbb3a7c29794

SHA512
409a13accc944527e3d36d296726f67e3b1f66153dcdad493789233605045446002f010dc58d89ebb4a2c2f2dc87b2dec637ad9915e01d79933bec18dabdf65c

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY

Filesize
1KB

MD5
ac787261fe0891de45a239b28dc92780

SHA1
587799cbf59ef80bade9cd159ee3ea8d498a5ca0

SHA256
28a95377a91895bf8058e25ec0697d0ffb5659a6d0d2f404a0b47cda2baa2fe3

SHA512
e4d7be8a5fb5e33d98dc7bee81626a220de25c617c8601a8bc2725a84a4d07283fa63781821ad833135cadeb73ccf5c11fa1f575a211c969434f11ac0757f77e

Download Submit
C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY

Filesize
1KB

MD5
ff39817697efbcf489f070f9f63d32e7

SHA1
63c79355c040e44594d1ea763e8f8e13a1bae85e

SHA256
6f16705ab4780aee1d90fd16f03f2a7fd5ef359e6b648188e1d49bad5ae01da2

SHA512
73e3e9566d3ad7fd2aa8cf31c95cf7638d43378dfe5b2025e8180421de93126e91c74dba0c112f5d6cc188aedfb56f4b4dd5408b1fe3bec27aace2c13af0292c

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

Filesize
1KB

MD5
3b9c764846f0d428188f24387732c028

SHA1
d7afb0d2732a8fddbd11163746a2ec35d9b515f9

SHA256
ce229bba9b8e21dcdfe30a390d2cb5c604ee07c48bbbb5bc3248e9c4b95ba438

SHA512
9c0b83502d8483ee0ae41a68811f26b87b13700bb4c71bf234045de06248bdc9f429a56cd4c8777b5e0b509cef9a9142e6efdfb7858e949f28f00e070c3e3ea2

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8.PLAY

Filesize
78.7MB

MD5
b4e454698601c14bc03e6e823d191ee9

SHA1
c7553f461d200de0a289e5864d622005f68f675e

SHA256
6ae440a783028e373ad13a569075ae75a5773ed29ff9fa8bb6633990f897798c

SHA512
78c513be6d97812da901ab37ceae18f351cbdfb35a9e6264115a806db51e267f1e65762f85b294eb03fc821de2f1c7250c9fa0cc821751ed33a6208a14ec52f8

Download Submit
C:\ProgramData\Oracle\Java\java.settings.cfg.PLAY

Filesize
1KB

MD5
ad2668ebe6e654b7f69a7a0fb35668fc

SHA1
b0b03631bb2ba830e26526bfb7be68f755c34b18

SHA256
6a43c6929066f432af0e3f46df2a2d0555bf18a9e39d1f3552ea4175294ceffc

SHA512
1bdd3589535895a11ceeecde7f58c7c83f68caf80c5447bfc96f40df3c724344b6dd444386ffb3461b4e9a6c40150b666223291d51340af77d6cf84d7df9d42f

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

Filesize
1KB

MD5
883b6e4394648aa5fe25687b05529ca9

SHA1
d87c460059d9c26ecad2f97f90b6f37430bbdb02

SHA256
8cade6876d0eef2109018905adc16f254665bd07c65a2631357e9b8d415b9a33

SHA512
7f67d76295cc1635961d8d77c9dad2ff8b697c4389a97ada2476517c3ce14715266f9d6837abd5c408e41daba080e704133e1f9b83bc152f644f19c9979be638

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
5.5MB

MD5
9f1a3836d07448a2025b8b67f8128d78

SHA1
1cf23ae1ea0d94fa05a5002b708663417d4b2be0

SHA256
6a7d49678d0ee472a7cfbb6a91be040704e9962d53be8f54b9e311084f0861d2

SHA512
62dd426edb4eda296949b14eb32de5cc6ae4e9b0857af197dc862bc9b9a456b05d6054843709690b415166a31485d43802d7bfe2a62dd035ac1e1f08bc4325e0

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

Filesize
1KB

MD5
66590e896449d4cf6d80240c568e00a8

SHA1
1d2bf1e524a70a1a5baa6d3fc1e940813ce94565

SHA256
bd202d622d6c7c143a56269040e12a861930097bfa370117230d4bcc1ec9b62a

SHA512
30711417242e26dd345a34e90202149a5187463ca779f3ae8e5644909c0dc54a40954dfa0201f5ed78ffa7384acb310ee4b265d4fdfca83f97243a03f674aaac

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
5.3MB

MD5
e292c71d5e1d626a00beaf961006f548

SHA1
fc0bf89478e6aba43b32f2b224eceebfab00d793

SHA256
26f0ab36cbbe7429615986c5f23eed0c39b21a6a69ad2e5577a6433e406a541b

SHA512
ca49b7ff2acde82c6fe49a150961932684dc7f5b1bed8b8e4b694ed99f50cdc3c96d5f2434bca504a28ffd8cf5a96b7503c2e3283bc30c657eb9d01de24a77b0

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

Filesize
1KB

MD5
45677d3f440064f2b73a224d0f9daba5

SHA1
f6c3e8bb657a05c6c0fcb105c623f9f822fb4589

SHA256
6488f0831ba3bc941fdbfecfec0d61e54aff5b56e94e3c64d4b48ad297a1092f

SHA512
c85ed8fa2044187a17d935aebb99ca2f658111c12d25bb2f329b68f5b85f3bd8949efc6d29a7d7991fa184f14beebd054935cff7af50849dd7486f0da954c0f1

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

Filesize
1KB

MD5
9bcafcfc95d128537332fe11d620bb7f

SHA1
5fb0cfbc7423ae088c596443018008e27852ab66

SHA256
c0b4a87392f5d88c3360761fc78293b752481ec3309bbc2bdcaec146ac935e91

SHA512
419c138bc34113448230803279a1b58dc9bdc4cb1c998578fe3c4312d5f3765cf3103b5b0be9a86d467d00b53418985939d313c3cf8cdb9e1c899843cffcc86e

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
870KB

MD5
fe0e8ad4ccec8af52392da9ea0be4779

SHA1
0ff71e72e6d84bfd53695932212bfd385ffdbcaf

SHA256
89b114ae76dbf2503a4d8599bb3dca45224ba1fa5e661a308bdc75126ed008a8

SHA512
3cb60bf37b812ad087c0349c5478302c9ed14ecf07154dcde54efba0b976b6b7830f7c9a8dfbb9991a9eb5afc87bd5e06856e5da1a15fcaa256572461379ee71

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

Filesize
5.4MB

MD5
a16ba6fc14aaa62ee05dc9d6d81c4473

SHA1
4e869dc63c98482ec66653dd5fefce8da3d7ca72

SHA256
ed0336147cfa7d4136ddeed6fc2248c4d22e14b5a61da88eb24c02d4353e6f58

SHA512
a6cfc8f7152b721bd2fda46971d0409d591c39953c85ecfb09381d34ab01b5933a4bc20490ea008e14e084af0d3587fe31ee3545111e65f118693fb34dd7e316

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
4.7MB

MD5
63b1b5443a7dcdb2c4c8ab4c3ee54dc4

SHA1
57b90f8dbe115b95f974ea0115ffc3e24cfc6f94

SHA256
a289e473ba228005f6ae4b8b3984a954aec7d0deb7d20933263b08e519a4e887

SHA512
aa6a2be5b78f7199ad687edb796cba8268550fbd05f67ec625a71331a18fa1c314cb2902ccecb5e9550c02ed3a691c14a761df1db4dda1b6589de01c6e03ddbd

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
4.9MB

MD5
a80035bc4c5094c69e06fa9e8349ff96

SHA1
e6c2f7fa8dbb7cbe63f9d87db3217f7e4d9a33e3

SHA256
074d0c117531ba9ffef6e45f621e682dac605259b29356a1bdcb570f401734d8

SHA512
2674b54cedd937cd7d6a952b09342082b95706ad0296b6753a8947b405a60f988890514c526a907652a3de4dc14bf5d879dbd2f1f1ae865359038547753fc02c

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
803KB

MD5
540b09a093d01807e98d8d51c9ddcb3b

SHA1
5c1e08e7fd2f75b94afe4db97d7c39cbd2a3f978

SHA256
45a71786fbe3b81fd101d1377f6928cdd666623c2709b00b4f83fc56ec81d806

SHA512
e8ce533419b5cf9142d819b11f058449557dffcf7c91275e22e2a6a7e45c5f17e6a8e34c6b5f7d051c24d58b5cee7f055ac25295088a3a93db2d3f46a981bbb3

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

Filesize
4.9MB

MD5
efe791ef7f55bfcd512d4aa57f19f317

SHA1
557b5a508758842e077a89619afa781dd528ff30

SHA256
c1cf1eb63430975560a374126982a45f578c84025f6c83423b99d87c063bb3b3

SHA512
3760b859d6e7c5e7a6e507ab1af61004b875b48a3f0bf972f9e34880332bdc3a5638dec6864317b4335e31de914092ec3b0eaf0501258b15853f1e8561d844ab

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
1011KB

MD5
817e1bd5ccdc91acd0d570fe34711fb5

SHA1
2bda95facff65af45fe0f55b3a135b01f69efd9f

SHA256
deb231e8175b6d1e2281c19d2d9de2379b0ca9db9764be3d49d92f825f1a76f7

SHA512
b39a92710dcc5ed29bf8d7c22467c17abab5890b65d2e7c41645430f304a3c77718ff9ee785c8990c61c3c9a4f6ebaa878aab1a567b78f052b91e04c470a7f72

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

Filesize
791KB

MD5
81b4d59d2a9eb0f6c86838ac3c7ff695

SHA1
38885507972d1fc9dbed6f5e1153e8936131649c

SHA256
431d6115d99b426f5c0f114b5f464a15c464f5a086ecfbd0322985def181efde

SHA512
a3879b72e1bcfc0a68208e0236e3ffa0a8211e4067a0144eb29f078d2ea7c979c81122212ec2d8bf0bc722049b32722f551ceb33f54534af514b132be46dc011

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
974KB

MD5
e085d52282ac974bf3b618a1b997ec3e

SHA1
ae8015d15bc488a270cafe83a0777db3c42f4d62

SHA256
ba6fe0d8f25f56ba7c8784bc4cc9269a002173cd91eeb4e326eb90ebe87a49f3

SHA512
890a82d7b3c28f086c671894b8e3eb3841165f2fb3f650a8afbbb8496b256a78601529dd47e63f7ca2bfb5a4cfac6425be22606dd84a58c19c3b839a6218239f

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

Filesize
742KB

MD5
8c2919a0a4fd324bd1c6d7c8f214cbc3

SHA1
8a07357b8dedf86adc6856045e849ee33fc9efd6

SHA256
3307bfd2aba89a89eae6fea6d89333fe9d3a826c591e17a80d1a9ae8ee12340d

SHA512
65baf3981aad307dca035f18e28f181f156608fd99d61ae6c8536eaa8e51ddf6bb1b13aa6a1d485a8f34f1594bbaef3bea0f6f9fb44350e92d55083333e6d098

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

Filesize
1KB

MD5
7d99249c478ea2174b511caeead422a5

SHA1
f4b7d921405852b76fc1f3de4c0b7c6cc8c5b9aa

SHA256
faf0efb5b052b9b99ce4019f00bb35b81add99190bfeb6caa2a601906bb1c9d3

SHA512
a59039c64424cbd7a09787fa626d8611e4cdb706aee5ac43d1917d8aa2671bbf14d5cda141ccd1ac4539e5bb55f239d4e6375141a9ccfbd58434427f26ce7e91

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

Filesize
1KB

MD5
ea62cac5634e33402fd950bdc570a667

SHA1
326c9539f98cbd8f390261ffcbe649a1d4042a0e

SHA256
6307cf162ae934e781839f1bff68893aadabed5a5419d7003d10e6abcc06accb

SHA512
49062e22fd7ba6f49a687f7938cabc41e023ccef92d020815d44c0f308c83181b5c62e0010f22ea2f2a4cd7a0250d09858821edbba9a183f2bee75cd31265794

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.PLAY

Filesize
2KB

MD5
14ef8f4a0fcb1c01280755e1b371fc88

SHA1
1c410c634a970597155b35eefdad9f1326f38431

SHA256
23a95da89daf94e42b28b835f5ace55d2213bed6ccf6da92854a2dcaa059afc4

SHA512
a32ba511364dbd1fde361c0bf24cc58cd30873fc667eafbcebef78bb7c95dc1c913b7821596e2a6dfa55bd9bc8c2e072b32a372f62561e700ef04b51f34cf639

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.PLAY

Filesize
2KB

MD5
2a31f094448d8d7cca1ecfad616b82f5

SHA1
09f5b1e05bdd9bf74fb5fafa96941e50f6d9534b

SHA256
69d2251be2853af5c338c9d34c56ca0976a64397a1d0beb80ed13e5a8f621a39

SHA512
47f2161139dd5fe867ae8c3c6f9feaeeb911f85561e3427eb25dfb57d6ded5e2d973afa48e6a8a1ba03597fee172607f6536dba2eb6c296ddceec127cdd2a310

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.PLAY

Filesize
2KB

MD5
54ad41a04d3a7e450170a5007dfa86cc

SHA1
d6052f1a21de59399a1e4c0e25018ce1ba785759

SHA256
f57c7ff208b42402ec19e0b4a8dbbb8df27d63651f1b859531af737583da43bd

SHA512
0110ba4ca70433ac5ab7547d5b5734d2e26f1729a349f2ea10dbeb781bdfdd893d6f38419e3e9c4f9374167b2319dd103418f5b0b1b78beb3f945171718053a4

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.PLAY

Filesize
2KB

MD5
28ba2d31554a694746fb20b2fe0ccb1e

SHA1
a21fae51ebb1eca1e6c4c428154fe7a24f08d31b

SHA256
9683676c7185890904aef0005bc0a2717a6401f806bbb1569214ee39275244a6

SHA512
390e4722f72647d09f5f90f0fbf9052ebd92b0801fc84540590a9401741b7c4eadf65e0d973a1e268014d82c9fda739f79581b3effa2bcfb4da3f6e5c35429aa

Download Submit
C:\ReadMe.txt

Filesize
188B

MD5
d68c3663b6249972448b5b0301e956ef

SHA1
6e67f24b05ff97fd18db7cadc41bbd0560177c01

SHA256
93358da4757f6653ed513d9362f2ac44def6615a3a9b6c3a79f82faa81d89d3a

SHA512
ce4ce796cfcce192ca38ed96f69a8ca40a5d5ac738decbeccd56d30235cb0b5e6057b27a37b1ec65ba21924ada685206687363e353bd7c265663c87bc843dca0

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
memory/2796-250-0x0000027188580000-0x0000027188581000-memory.dmp

Filesize
4KB

Download
memory/2796-252-0x0000027188580000-0x0000027188581000-memory.dmp

Filesize
4KB

Download
memory/2796-251-0x0000027188580000-0x0000027188581000-memory.dmp

Filesize
4KB

Download
memory/2796-249-0x0000027188580000-0x0000027188581000-memory.dmp

Filesize
4KB

Download
memory/2796-238-0x0000027188580000-0x0000027188581000-memory.dmp

Filesize
4KB

Download
memory/2796-237-0x0000027188580000-0x0000027188581000-memory.dmp

Filesize
4KB

Download
memory/2796-236-0x0000027188580000-0x0000027188581000-memory.dmp

Filesize
4KB

Download
memory/2796-160-0x0000027188580000-0x0000027188581000-memory.dmp

Filesize
4KB

Download
memory/2796-35-0x0000027188580000-0x0000027188581000-memory.dmp

Filesize
4KB

Download
memory/2796-10-0x0000027188580000-0x0000027188581000-memory.dmp

Filesize
4KB

Download
memory/3636-0-0x0000000001020000-0x000000000104C000-memory.dmp

Filesize
176KB

Download