Analysis
-
max time kernel
86s
-
max time network
71s
-
platform
windows10-1703_x64
-
resource
win10-20230621-en
-
resource tags
arch:x64 arch:x86 image:win10-20230621-en locale:en-us os:windows10-1703-x64 system
-
submitted
28-06-2023 12:38
Static task
static1
Behavioral task
behavioral1
Sample
952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
Resource
win10-20230621-en
Behavioral task
behavioral2
Sample
952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
Resource
win10v2004-20230621-en
General
-
Target
952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
-
Size
673KB
-
MD5
2e8897ef38d4abe4861360a4b6e895d5
-
SHA1
f668b1110d8a6b1a3f638fd8a6276a7a1efe18db
-
SHA256
952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f
-
SHA512
02d7fe9141b25c74fb4721fa5cba6030cae671ec159987e1e0c95eee65fd5185586b0101af63e36f788cf8b7fc7044018e059301b17e5e63e68564d31f3610b8
-
SSDEEP
12288:fjVr5+jJNj0H5zPYXADL1vpQ/ywpll/nh:fjB5WJOH5DYXAlvMyUJn
Malware Config
Signatures
-
PLAY Ransomware, PlayCrypt
Ransomware family first seen in mid 2022.
-
Renames multiple (8059) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\CompressInitialize.crw => C:\Users\Admin\Pictures\CompressInitialize.crw.PLAY | 952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
File renamed | C:\Users\Admin\Pictures\StepResolve.raw => C:\Users\Admin\Pictures\StepResolve.raw.PLAY | 952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 30 IoCs
Processes:
952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe
"C:\Users\Admin\AppData\Local\Temp\952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f.exe"
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID: 4040
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
1KB
-
MD5
c748b0076d358975b54c173e48e085af
-
SHA1
bf5009efd38170a1f217438f71e223dafa3e658d
-
SHA256
92df5d9970caba79f232758722a383ed1864eb8eaadb367b6bf534382e47240c
-
SHA512
4502c337493a977705ca11c7d5f34982e2c68e7fe465f12a841e93da8e40d7a45fa117831da97b482a7e2d988fa11c990abac1eb9a0c7b071006f11818bfb9b8