Malware Analysis Report

2024-10-18 21:36

Sample ID: 240627-cp45bazgnn
Target: play_2.bin.exe
SHA256: bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7
Tags: ransomware, play, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7
Threat Level: Known bad

The file play_2.bin.exe was found to be: Known bad.

Malicious Activity Summary

Tags: ransomware, play, spyware, stealer

Play family
Play ransomware payload
PLAY Ransomware, PlayCrypt
Renames multiple (8502) files with added filename extension (behavioral1, Windows 7 run)
Renames multiple (7313) files with added filename extension (behavioral2, Windows 10 run)
Reads user/profile data of web browsers
Enumerates connected drives
Drops desktop.ini file(s)
Drops file in Program Files directory
Unsigned PE

The appended extension is .PLAY: modified-file paths ending in it appear in both behavioural runs, for example C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.PLAY (behavioral1) and C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.PLAY (behavioral2). The indicator rows behind "Drops desktop.ini file(s)" and "Drops file in Program Files directory" are all "File opened for modification" events on files that already exist under Program Files and the user profile folders, and the rows behind "Enumerates connected drives" are read-only opens of drive-letter device paths (\??\A:, \??\B:, and so on). behavioral1 recorded no network activity and lists no process other than play_2.bin.exe itself; the process, network and file sections of behavioral2 are not included in this copy of the report.
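The two file-system signatures above ("Renames multiple files with added filename extension" and "Enumerates connected drives") can be re-derived from the indicator rows that the behavioural sections record. The following is an editor-added Python example, not the sandbox's own signature code. It parses rows in the report's layout (description, indicator path, process, target, with nothing but single spaces between columns, so it anchors on the known process path rather than splitting on whitespace), infers the appended extension from files that carry a second suffix, then counts every modified path ending in that suffix so that files which had no original extension (such as the jre\lib\zi\CET.PLAY row) are included, and lists the drive letters probed through \??\X: opens. The sample rows are constructed from paths in this report, and the min_renamed threshold and the function names are this example's own; the sandbox counted 8502 and 7313 renames in the two runs.

```python
"""Editor-added example: re-derive two of the report's behavioural signatures
from indicator rows in the report's own layout. Sample rows are constructed
from paths that appear in this report; the threshold and function names are
this example's own, not the sandbox's."""
import re
from collections import Counter
from pathlib import PureWindowsPath

PROCESS = r"C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe"

# Rows read "<description> <indicator> <process> <target>" with single spaces
# between columns, and indicator paths themselves contain spaces. Anchoring
# on the known process path and the trailing target column avoids guessing
# where the path ends.
ROW_RE = re.compile(
    r"^(?P<desc>File opened(?: for modification| \(read-only\))) "
    r"(?P<indicator>.+?) " + re.escape(PROCESS) + r" (?P<target>\S+)$"
)
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")  # matches \??\X:

SAMPLE_ROWS = [  # constructed from behavioral1 rows in this report
    r"File opened (read-only) \??\H: " + PROCESS + " N/A",
    r"File opened (read-only) \??\N: " + PROCESS + " N/A",
    r"File opened (read-only) \??\B: " + PROCESS + " N/A",
    r"File opened (read-only) \??\A: " + PROCESS + " N/A",
    r"File opened (read-only) \??\E: " + PROCESS + " N/A",
    r"File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.PLAY " + PROCESS + " N/A",
    r"File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar.PLAY " + PROCESS + " N/A",
    r"File opened for modification C:\Program Files\GetExpand.mp4.PLAY " + PROCESS + " N/A",
    r"File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml.PLAY " + PROCESS + " N/A",
    r"File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET.PLAY " + PROCESS + " N/A",
    r"File opened for modification C:\Program Files\desktop.ini " + PROCESS + " N/A",
    r"File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Lagos " + PROCESS + " N/A",
    r"File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL " + PROCESS + " N/A",
    r"File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar " + PROCESS + " N/A",
]


def parse_rows(rows):
    """Split rows into their four columns; rows in another layout are skipped."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            parsed.append(m.groupdict())
    return parsed


def probed_drives(parsed):
    """Drive letters the sample opened read-only via \\??\\X:, sorted."""
    letters = set()
    for r in parsed:
        if r["desc"] == "File opened (read-only)":
            m = DRIVE_RE.match(r["indicator"])
            if m:
                letters.add(m.group(1))
    return sorted(letters)


def added_extension(parsed, min_renamed=3):
    """Infer the appended extension and count the files carrying it.

    Pass 1: among modified files with two or more suffixes (name.orig.NEW),
    tally the final suffix; the most common one is the candidate. Pass 2:
    count every modified path ending in that suffix, which also picks up
    files that had no original extension (e.g. ...\\zi\\CET.PLAY).
    Returns (extension, count), or (None, count) below the threshold."""
    modified = [PureWindowsPath(r["indicator"]) for r in parsed
                if r["desc"] == "File opened for modification"]
    candidates = Counter(p.suffix for p in modified if len(p.suffixes) >= 2)
    if not candidates:
        return None, 0
    ext = candidates.most_common(1)[0][0]
    renamed = sum(1 for p in modified if p.suffix == ext)
    return (ext if renamed >= min_renamed else None), renamed


def assess(rows, min_renamed=3):
    """Combine both checks into one verdict dictionary."""
    parsed = parse_rows(rows)
    ext, count = added_extension(parsed, min_renamed)
    return {
        "drives_probed": probed_drives(parsed),
        "added_extension": ext,
        "renamed_count": count,
        "ransomware_like": ext is not None,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_ROWS))
```

On the constructed rows this reports five files carrying .PLAY (four with a preserved original extension plus CET.PLAY), drives A, B, E, H and N probed, and a ransomware-like verdict; the single un-renamed .jar row shows why the candidate is chosen by frequency rather than by first match. A real sandbox run feeds thousands of rows, so raise min_renamed well above the handful of legitimate double-suffix files an installer can touch.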

MITRE ATT&CK

Enterprise Matrix V15

(No technique entries are included in this copy of the report.)

Analysis: static1

Detonation Overview

Reported: 2024-06-27 02:16

Signatures

Play family (tags: play)

Play ransomware payload (tags: ransomware)
Description/Indicator/Process/Target: none recorded for this signature

Unsigned PE
Description/Indicator/Process/Target: none recorded for this signature

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-27 02:16
Reported: 2024-06-27 02:18
Platform: win7-20240508-en
Max time kernel: 111s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe"

Signatures

PLAY Ransomware, PlayCrypt (tags: ransomware, play)

Renames multiple (8502) files with added filename extension (tags: ransomware)

Reads user/profile data of web browsers (tags: spyware, stealer); no indicator rows are included for this signature

Drops desktop.ini file(s)

All rows: Description = File opened for modification; Process = C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe; Target = N/A. Indicator (path), in the order recorded:
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\Program Files\Microsoft Games\Purble Place\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public\Recorded TV\desktop.ini
C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
C:\Program Files\desktop.ini
C:\Program Files\Microsoft Games\Hearts\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\Program Files\Microsoft Games\FreeCell\desktop.ini
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Program Files\Microsoft Games\Solitaire\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Public\Documents\desktop.ini

Enumerates connected drives

All rows: Description = File opened (read-only); Process = C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe; Target = N/A. Indicator (drive device path), in the order recorded:
\??\H:, \??\N:, \??\P:, \??\Q:, \??\V:, \??\B:, \??\J:, \??\K:, \??\O:, \??\R:, \??\T:, \??\U:, \??\Y:, \??\G:, \??\L:, \??\M:, \??\S:, \??\W:, \??\I:, \??\E:, \??\X:, \??\Z:, \??\A:
(23 drive letters; C:, D: and F: do not appear in this list.)

Drops file in Program Files directory

All rows: Description = File opened for modification; Process = C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe; Target = N/A. Indicator (path), in the order recorded; entries ending in .PLAY carry the appended extension:
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.PLAY
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar.PLAY
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.svg_1.1.0.v201011041433.jar.PLAY
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02296_.WMF
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME46.CSS
C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\IA32.api
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR7F.GIF
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\currency.html
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML
C:\Program Files\Java\jre7\lib\zi\Africa\Lagos
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.INF
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00034_.WMF
C:\Program Files (x86)\Microsoft Office\Office14\ACCDDSF.DLL
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png
C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml.PLAY
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00452_.WMF
C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00601_.WMF
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01394_.WMF
C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml
C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar
C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcor.dll.mui
C:\Program Files (x86)\Microsoft Office\Office14\OWSCLT.DLL
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\PublicFunctions.js
C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.XML
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Maroon.css
C:\Program Files (x86)\Microsoft Office\Office14\MSWORD.OLB
C:\Program Files\7-Zip\Lang\ne.txt
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar
C:\Program Files\VideoLAN\VLC\lua\http\index.html
C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG
C:\Program Files\DVD Maker\it-IT\WMM2CLIP.dll.mui
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01563_.WMF
C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.ICO
C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png
C:\Program Files\Java\jre7\lib\fonts\LucidaSansRegular.ttf
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hardware Tracker.fdt
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.PLAY
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar.PLAY
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\settings.html
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151063.WMF
C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielMergeLetter.Dotx
C:\Program Files\GetExpand.mp4.PLAY
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET.PLAY
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar.PLAY
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml
C:\Program Files\Java\jre7\lib\deploy\messages_de.properties
C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML

Processes

C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe"
    (the only process recorded; no child processes)

Network

N/A (no network activity recorded)

Files

memory/1868-0-0x0000000000220000-0x000000000024C000-memory.dmp
    (dumped memory region 0x220000-0x24C000; no hashes recorded)

C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini
    (this file also appears in the "Drops desktop.ini file(s)" rows above)
    MD5: d61b1dadcd3d80eaa9cedad10634b77c
    SHA1: 80f267dbde77c315ed1a7db6c7cff8be2dfe9f99
    SHA256: 9eeb75e4a87d86946d3f0d8536480fa30fa9d98eefd82eaa5e19377183ff5678
    SHA512: 44bd4e7be6f045fee4f00a8c1963e4f7c5294cf06a29847ca38cb97c42f778fee3660345357e31b8f781f106910996eb02b2eb4309c9cb9083f97c881a27703c
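The hashes above identify artefacts of this run; on a live host the same identification is done the other way round, by hashing what is found. The following editor-added Python example (not part of the report or of any sandbox tooling) sweeps a directory tree in one pass: it inventories files carrying the .PLAY extension seen in the indicator rows, case-insensitively because Windows file names are, and hashes every other file so that a copy of the sample is found by SHA256 whatever it was renamed to. The tree it runs against is constructed in a temporary directory with made-up contents, DEMO_SAMPLE_BYTES is a stand-in for the real binary, and all function names are this example's own; to use it for real, call sweep() on the volume to check with the report's SAMPLE_SHA256.

```python
"""Editor-added example (not part of the report or of any sandbox tooling):
sweep a directory tree for files carrying the appended extension seen in the
indicator rows and for copies of the sample identified by SHA256. The tree
below is constructed in a temporary folder; DEMO_SAMPLE_BYTES stands in for
the real binary and is an assumption of this example."""
import hashlib
import os
import tempfile
from pathlib import Path

SAMPLE_SHA256 = "bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7"
RANSOM_EXT = ".PLAY"  # suffix on the encrypted files in the report's rows


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, ransom_ext=RANSOM_EXT, sample_hashes=frozenset({SAMPLE_SHA256})):
    """One pass over root. Files ending in ransom_ext are inventoried
    (case-insensitively, as Windows file names are); every other file is
    hashed so a copy of the sample is found whatever it was renamed to.
    Paths come back relative to root with forward slashes."""
    root = Path(root)
    encrypted, copies = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if name.upper().endswith(ransom_ext.upper()):
                encrypted.append(rel)
            elif sha256_of(p) in sample_hashes:
                copies.append(rel)
    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "directories_hit": sorted({Path(e).parent.as_posix() for e in encrypted}),
        "sample_copies": sorted(copies),
    }


DEMO_SAMPLE_BYTES = b"MZ stand-in, not the real play_2.bin.exe"  # constructed
DEMO_SAMPLE_SHA256 = hashlib.sha256(DEMO_SAMPLE_BYTES).hexdigest()

DEMO_TREE = {  # constructed layout echoing folders named in the report
    "Documents/report.docx.PLAY": b"ciphertext",
    "Documents/notes.txt.PLAY": b"ciphertext",
    "Documents/desktop.ini": b"[.ShellClassInfo]\r\n",
    "Music/track.mp3.play": b"ciphertext",        # lower-case suffix
    "Pictures/holiday.jpg": b"\xff\xd8\xff",        # untouched file
    "Temp/play_2.bin.exe": DEMO_SAMPLE_BYTES,
    "Downloads/renamed.dat": DEMO_SAMPLE_BYTES,      # same bytes, new name
}


def build_demo_tree(root):
    """Write the constructed tree under root."""
    for rel, data in DEMO_TREE.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    """Build the constructed tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return sweep(tmp, sample_hashes={DEMO_SAMPLE_SHA256})


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On the constructed tree the sweep reports three encrypted files across Documents and Music (the lower-case .play suffix is caught), leaves desktop.ini and the untouched JPEG out of that count, and finds both copies of the stand-in sample even though one has been renamed to renamed.dat. Hashing every non-encrypted file is deliberate: filtering by .exe would miss a sample staged under another name, as play_2.bin.exe itself was.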

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-27 02:16
Reported: 2024-06-27 02:18
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe"

Signatures

PLAY Ransomware, PlayCrypt (tags: ransomware, play)

Renames multiple (7313) files with added filename extension (tags: ransomware)

Reads user/profile data of web browsers (tags: spyware, stealer); no indicator rows are included for this signature

Drops desktop.ini file(s)

All rows: Description = File opened for modification; Process = C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe; Target = N/A. Indicator (path), in the order recorded:
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Admin\3D Objects\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\AccountPictures\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
C:\Program Files (x86)\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Program Files\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini
C:\Users\Admin\Contacts\desktop.ini

Enumerates connected drives

All rows: Description = File opened (read-only); Process = C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe; Target = N/A. Indicator (drive device path), in the order recorded:
\??\J:, \??\O:, \??\P:, \??\Q:, \??\S:, \??\B:, \??\L:, \??\M:, \??\R:, \??\X:, \??\Y:, \??\V:, \??\W:, \??\E:, \??\G:, \??\K:, \??\N:, \??\T:, \??\U:, \??\Z:, \??\A:, \??\H:, \??\I:
(23 drive letters; C:, D: and F: do not appear in this list.)

Drops file in Program Files directory

All rows: Description = File opened for modification; Process = C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe; Target = N/A. Indicator (path), in the order recorded; entries ending in .PLAY carry the appended extension:
C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-400_contrast-white.png
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\ui-strings.js
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\ui-strings.js
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_empty_state.svg.PLAY
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-200.png
C:\Program Files (x86)\Internet Explorer\SIGNUP\install.ins
C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.PLAY
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js.PLAY
C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\LargeTile.scale-125.png
C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-32.png
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\svgCheckboxSelected.svg.PLAY
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\s_agreement_filetype.svg.PLAY
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Scan_visual.svg.PLAY
C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-150.png
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.PLAY
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms.PLAY
C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx.PLAY
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\vscroll-thumb.png.PLAY
C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEES.DLL
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css.PLAY
C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\LightGray.png
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ru_135x40.svg
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\ui-strings.js
C:\Program Files\Microsoft Office\root\Office16\mscss7wre_fr.dub.PLAY
C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\msipc.dll.mui.PLAY
C:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md
C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-100.png
C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextDark.scale-100.png
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.PLAY
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNG.PLAY
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\comment.svg.PLAY
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\PowerPointCapabilities.json
C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\main.css
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML
C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xsl
C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-white_scale-100.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg.PLAY C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\styles.css C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\CT_ROOTS.XML C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\skin.dtd.PLAY C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ado\msadox28.tlb C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\FaceReco_Illustration_SM.png C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AttachmentPlaceholder-Light.png C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-20.png C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png.PLAY C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\external_extensions.json C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_start_a_coversation_v1.png C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-16_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\powerpivot.x-none.msi.16.x-none.vreg.dat.PLAY C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Regular.otf C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe

"C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp
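The file-modification rows above mix paths that already carry the appended `.PLAY` extension with paths the sample had opened but not yet renamed, and the Network table records only reverse-DNS (PTR) lookups plus one TCP/443 connection. The following Python is an added example, not part of the sandbox report: it parses rows in the two formats shown on this page (description, indicator path, process, target; and country, destination, optional domain, protocol), infers the appended extension from the stacked double suffix, counts encrypted versus not-yet-renamed files per top-level directory, and turns each `in-addr.arpa` query back into the IP it asked about. The row formats are inferred from the lines on this page, the sample rows are copied from the report, and every function name is this example's own.

```python
"""Parse sandbox file-modification and network rows of the kind shown in this report.

Added example written for this page; the row formats are inferred from the
report's own lines, the function names are not from any tool or library.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample input: rows copied from the report's file-modification
# and Network sections (the Network header line is included to show it is skipped).
FILE_EVENTS = r"""
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css.PLAY C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\msipc.dll.mui.PLAY C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\skin.dtd.PLAY C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xsl C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\powerpivot.x-none.msi.16.x-none.vreg.dat.PLAY C:\Users\Admin\AppData\Local\Temp\play_2.bin.exe N/A
""".strip().splitlines()

NETWORK_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp
""".strip().splitlines()

# The indicator path may contain spaces ("Program Files", "AS OLEDB"), so the
# path is matched lazily and anchored on the space-free process path that follows it.
FILE_RE = re.compile(
    r"^File opened for modification (?P<path>.+?) "
    r"(?P<process>[A-Za-z]:\\\S+) (?P<target>\S+)$"
)
NET_RE = re.compile(
    r"^(?P<country>[A-Z]{2}) (?P<dst>\S+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def parse_file_event(line):
    """Return {'path', 'process', 'target'} for one row, or None if it is not a file row."""
    m = FILE_RE.match(line.strip())
    return m.groupdict() if m else None


def infer_appended_extension(paths):
    """Return the suffix most often stacked on top of an existing extension
    (e.g. '.PLAY' in 'main.css.PLAY'). Ransomware that appends rather than
    replaces extensions leaves exactly this double-suffix pattern."""
    stacked = Counter(
        PureWindowsPath(p).suffix
        for p in paths
        if len(PureWindowsPath(p).suffixes) >= 2
    )
    return stacked.most_common(1)[0][0] if stacked else None


def summarize_file_events(lines):
    """Count encrypted vs. not-yet-renamed paths and group them by top-level directory."""
    events = [e for e in map(parse_file_event, lines) if e]
    paths = [e["path"] for e in events]
    ext = infer_appended_extension(paths)
    encrypted = [p for p in paths if ext and p.endswith(ext)]
    top_dirs = Counter(
        str(PureWindowsPath(*PureWindowsPath(p).parts[:2])) for p in paths
    )
    return {
        "events": len(events),
        "appended_extension": ext,
        "encrypted": len(encrypted),
        "pending": len(paths) - len(encrypted),
        "processes": sorted({e["process"] for e in events}),
        "top_dirs": dict(top_dirs),
    }


def ptr_to_ip(name):
    """Reverse an IPv4 in-addr.arpa PTR name back to the dotted quad it asks about."""
    if not name or not name.lower().endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_network_rows(lines):
    """Parse Network rows; rows with no Domain column (plain TCP connects) keep domain=None."""
    rows = []
    for line in lines:
        m = NET_RE.match(line.strip())
        if not m:
            continue  # header line or unrecognised row
        row = m.groupdict()
        row["queried_ip"] = ptr_to_ip(row["domain"])
        rows.append(row)
    return rows


if __name__ == "__main__":
    print(summarize_file_events(FILE_EVENTS))
    for row in parse_network_rows(NETWORK_ROWS):
        print(row["dst"], row["proto"], row["domain"], "->", row["queried_ip"])
```

The extension is inferred rather than hard-coded so the same routine works on a report for a different family; on this page's rows it yields `.PLAY`, with four of the six sampled paths already renamed. The PTR reversal is only a pivot aid: the report shows the queries, not who owns the addresses, so the recovered IPs should be checked against the process's own outbound connections before being treated as indicators.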

Files

memory/3224-0-0x0000000002200000-0x000000000222C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini

MD5 9f35837e66643cb3ad44f947442e44a3
SHA1 838372bdded1de728552732b9dd5e807cee63458
SHA256 95eb560f5f3611c0145f1d2e7c35a84471e067754346d8ee85bc03912fc4c7e2
SHA512 f01a29414e368f6c2955ac964d3e792ac546142632bc067e643ecce64dff799a610c3c83b84764911185f5162d8af9ae3b0e458857ce0ef3d97da18ac80fe722

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\state.rsm.PLAY

MD5 3923de1080d1a134e5d8814cbdf706d7
SHA1 6377f0a2dfe755ef3d678cb6c197f1fa23f2f8a9
SHA256 d89a67e6a0863452547a7c374d0be15c51c2d37f07b450d1991edc011340b97d
SHA512 abfbd30724f7d5bbdf2816a252404d0f219acfcc3bcf532513c018305ad1333a57cdb5e1210cfb1f00f1400e7da974709817f2a739446c392891243df7d0a45a

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.PLAY

MD5 9b0a6f2fe263627fd231d2e8092fd7f7
SHA1 52c01f46c30894bab07d37648bae1b410a05cde9
SHA256 dcd9f176abea66b9151097e63f6e2a09c3f19fb31218866ad0bc5c785ae4b5c0
SHA512 13bd739acb712281ab9db49ed3628afda571dadbc509bb5498292ed827f1fc65a16c6612a2ba6e162b5308170f8a73fdf65f28c2dab5f2771cf83741d8ae1341

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.PLAY

MD5 187d0d719859d603527753706a35e9fc
SHA1 49045617b1e2c4e9e8955488441dfbbbfe3bd5a3
SHA256 847b9706ab7d4f646bdc7cd6e8016016ce88938482f4c7af1f99a8e02b3c83c3
SHA512 e1619e3b2bb73a20dd955f97e1f7a6bf394baeaacd56316a0fa37a0282042ec39ce54df1494b2e92c3c194feb5ff113eddcda329ef1a1b5390eee4e05afda9fb

C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 2e47b947d10bc55a71e31f0ebbb2a10b
SHA1 debe06ed6cf4912b725aa9f0099ff9d2e55e4cc4
SHA256 c1f947ef99bb1400a4005d32ce20b9624c1f634f0c6859824673ab1ee8600305
SHA512 6c8e907967bf6912afa0707d0d5e797e3aedbf00cf604cb0f2703b5ed9fa70068392c837ee389f6d0a787f49f8812f65708922346223021d0c84ed2d1f898028

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.PLAY

MD5 82c6916dfb9beba4ffe9e9c64a8c17e6
SHA1 d391b5408d4e0c296f5f88d944855dc78c414de8
SHA256 8c04f1eb24cea92dc663b4b4252def1d9ba68aec6845fb166a1866afb4b66816
SHA512 8dcf6d5fbb9903e6ca5d6e1112cc8ab4902fc07af2c185f2566c163ad34684b36bfde91a10d7f7776dd4ecc168992494eecf1ae46f992d069bd0c9e94033157a

C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 7657cbd391a531155dacc25be22b607a
SHA1 c59b9018d8ed53db48b05b130afae072dbdf20a0
SHA256 2af29436831f639a33e198d97c5a49aa126355f63615a31f90ee9acceea84e92
SHA512 215a2425632ab4756f4be86bd682ff4cc9c23d71430ff995b348a5d15f933f3e3331c00b7b4d2be67849c477330f5d677d92236716abad6125fca5c40212887c

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.PLAY

MD5 08958de55b0b26c28bd9ec10af6c69af
SHA1 f37da89e927fd44b876b2ded88b8f548ba082944
SHA256 9ad8e727162f11e2486ceb400b4e6d1eadace50585cc0f7abbd67b5efac82fbd
SHA512 74a319c5405c1640a17bda47d4b317d92f9e0207493637aa7a3b91a49dfa5b1d4dfdf0000380cf1dfd444872524c1c1a96da30740cdba20b6149e471b4698c96

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json.PLAY

MD5 f5c3c1d59c4a186ccde30c49b560a7d8
SHA1 8a0184ae2b0e6db07ff2c2883c93445f0630dd12
SHA256 673e457eb74fd96ef6d01c622976284d107dd9ed016c338ee4d9ed51b7e8f0f5
SHA512 1253f77cc563c3b7069b6f8f2ff9710edf5a085b64539b904c8f740d0c4c26d8d2eb909c3e17a2a9c99952dc542219f12a4c6b355bd7ea75b0abd11ce5676a59

C:\ProgramData\Microsoft OneDrive\setup\refcount.ini.PLAY

MD5 f72ae79903d29c3a929ae35a049b84a2
SHA1 c62ee26ae2c04ab4ed503c5c5effb26fdd9350f6
SHA256 fd0b2adf327c88bdc6183ea4aab57d6dc3190191899f79efcd7e7e932bb84fc9
SHA512 6fd584c46667a2f73ecddc734e350b0bc80b1a7d29837ce8704da863d38719821853e23841155ae66c394077efae25b015c13c917626ff53677bb2c2d762cc79

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY

MD5 c132bb777b0946e590f39f42fe313045
SHA1 0d5c46628e160f5c9f0be292af4f5a41c92b9364
SHA256 b3682bd69da851b82555d6c16bf4fd2d43e9eaf7f17d5da54752ee49f97ddaf7
SHA512 bfab9b1a2c39b93b169df07ecef050131b43e977a768647d3ceceff4df4098d691cdb06c4223a21e43844da90fe4f60208c65d24499b536c6a23ae4354ae2a31

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY

MD5 acd8d292ef351aa76638612e0cc39af2
SHA1 404c8b110288e6b94ac5abaf8375f48ffbd12b58
SHA256 a78ef50ed3f27668a5f14a6217942fc2716419941b52688bdbe80e43e3170aac
SHA512 c2bf3ace3f4cef058d58f463b6d907cdee214bacedf8cca32347a1e297bcdd97d15eeb59e697fe98a5f702337676fee5e26adbec4b61fc3953ad8dabf06674b7

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 65fe6d35a58453112faddbe23df6360b
SHA1 5423cb4877568c039b65b1bccf92ad85b8bd7dc1
SHA256 7dced87add10c01b3c4d760b6bddd14b96f930160e06c36aa4be930995689e50
SHA512 1866e7475d7060f7c7ab4b38c2a2daf167b8d19857e62b385e9558bac6d3ff45339f0a39fd52c32a4dc730b64ece753f44a6e768a37587344ec6105be0414901

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.PLAY

MD5 76eeea34f149a7da73cbda928cf5f51a
SHA1 40a40048a3a632f5680b66592e28132df6c07f0f
SHA256 5a4754e7808328583dfcc7f90b8346fdde30810c715840dabac0ac4ffc1a6215
SHA512 57acee104f8c3e2c0d213c9f287a4c7675473dc646257679379e51f3b9f4d997b06cd043fd7bc60259bdd1be67410ce1cc3368106a5e04f81aa12c5dfd9632f1

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.PLAY

MD5 d83163171426c759e212eb5f2596f364
SHA1 7fd8a6c8c451c641f0f5a855fcfca254b676dd85
SHA256 84a03111970d0a0365638596e56b9c7ea9ff5f6f8953219d5d647b6a20b28760
SHA512 02715e621f5a2fd75788a34370265693a5bcef8f98dac31ba5cd8924c19beaf0a8bff410d8cb927cf1a8a78bfa5d4bc49342964c943e4ebff3b83acedecb0228

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.PLAY

MD5 3a78f0700d6e768e484d5323fff939b5
SHA1 bbd02aa8bb4a1dfb76071dc810096437f4c83314
SHA256 99a6918c9a2e3324b07a3528282a33e0b99fe45dd0b81af7e81778cff1dc6435
SHA512 a705dbdac3add216dd2d2ac7e42c3f1ce73e3db456e807efd540185c3ea3897dfe0223bc4d2abfc74170e91109337f14f59b201ee2bb1d43b474ff48b0fedcb1

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.PLAY

MD5 1df09bacfe433886589b2f7fe1140edc
SHA1 7157552daeca2193d7f7591c2b2f0ac8ccd2044b
SHA256 4b5accdc836190437cead50193aba0209a3266b3ed1826b304fe6ea88feba9b8
SHA512 20540e440ba513d9656110c14f2978281d4d08968e9490a149e18310c29e17aa40f41ff2504efceaa8f3fdb331ce0b6677dfcb67aeb2da08deb5df8f8d2873ce

C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 208df393252022f9b6b010b3c0b17d8d
SHA1 738f65352b603af9abc9d65303645aed1245f10a
SHA256 6eec96c35ee5b0aebad3818e9f3f68a21bfb9a158bce61058a94ce6463c82692
SHA512 c5323313943b7c88f7f6a5faf2a61f1ceeff9962859cda343537d9ca20bcbf3115738518dc9af7c5261167297c78e79f683e8975209c729f0a7e7549b60eaac3

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.PLAY

MD5 234afe90380793d0ffc4777dd64abc46
SHA1 d2bde5bc4d2ca9db1639867834f6a2eb24b2a7d2
SHA256 12ded3b15008b685c247de7be7f1d42ef97c9852d2ec833d613488a5b37f9827
SHA512 8fb2f36b4907769e5043e7b3cca5f04fbb2c003e68551a6a6c4cee17e5445c929b8466af570870082deb62f16a8060685ce196c6e82bcf7e60b07495bb14c7ad

C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\state.rsm.PLAY

MD5 ff8c899887511c74b389c76c5f713147
SHA1 abb87263ff30dfecfa753e0ea8ef67b050dd39c6
SHA256 02159a7ce12f5df98784c08992d8347d3be130c1bead379a83e688cf19ac2f30
SHA512 84af0fec27eec23cd7922d7bc271e4cac62dfa6ed7d45f89cf633d340af249398b3a515689d74b9ddb66b9529b1d0c63b7ad2cf778181b755826844a9caa1af4

C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 ca89d83bda905193ca88e301d8c783ed
SHA1 3cfc4d88c22debc12edadb1b0813d2603fcd99c4
SHA256 9f1a02b1fbf6ed819be9dea8e7028e3f4488fb9bcea51ea1aa5dce2a57bb040e
SHA512 b751872baef71f5eebd0e03ecb97f620008a61de37d98f55b7ae03deb91855cfdf3a5f1f2901fbdd4a266266bde8e9679829fe04cf24e8943e45aab06bb60a08

C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\state.rsm.PLAY

MD5 57a0d921ebddf9b0c8f16d64bf931b8c
SHA1 38c93fbdb74966728e20dad3440a4b51b835a2ee
SHA256 e81b21874d70b9b29112c3bcad96d1cc9145905b4ef81ef6ffdd092a07b20648
SHA512 cb7daeb75a07b3b79ef7f51a9b85b86b29340d3586cd7a3bf45802d34f466017c850147d19454c858f6d3eb2c59719521cceb18544589ac4c6c9769858ca2c46

C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 d8004389ba04681d139ba2597cfc4cb5
SHA1 a2027b30cc1be89ee2cd8de675e1854ba360c9f7
SHA256 75e3c7402707fb4d3d65cc093db506f6cec6ce3d67304ef41c1a4a07fa85fd7a
SHA512 2c33bb7649e0f7d59006779fc0283b8bc22a459d221a589ef89bf28c8aba415bec578acaf7853c406e0d8b808340ab0c299e8731cc62718ca60c9addd8142ab2

C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.PLAY

MD5 300d2667c6ff3a49ec1ef2ef50e91040
SHA1 ad314b2ba5e7d95ad8c4cb8493774e39280df6c7
SHA256 f44d58db18423abd4cc32ed7263687e5183585cea0e07088bceef71dd03571af
SHA512 df10771e96aae0e67446a1bbbbaf852a987a2085b72230b2d6dae7b663b807e81d36e2bf5f15fdaee5398acfa7cd1e4e695ee809fa7a466c1275e0812f8da7b6

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.PLAY

MD5 f7c0e544b3fd157f13cf89d6c9fbca16
SHA1 a9a90ac897f8c8a59ff3014440d365588d4eb25e
SHA256 3bbb0031d756b16bf420535bf963ce711a8b427fcde512bffaa5187a27ecc2e1
SHA512 4c1d5aeb54d2694af34396dc30540cb3be180b4877482eb56a9414fe1857c594c2e7f6780fecc1993586e08835446d373dc8fca8bc1c08086017f3cd3a080f4d

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 563b3d11ecd15a2f68a5f4b0013232ae
SHA1 e5d29032d6d238ce14562dc4583ec015a18481f7
SHA256 1fbf7e9a8f15f7c0bdb11cf0587e8063788ad64fd2aafbf69bf405b426058127
SHA512 5ee992405358805d0c8c1378013e1c48d11ec7f5c1b1aaeb498d744ef6c6a7b8c4a60f59c5dab48987cc9f8433db999d5a69917438a595a8de16c106824573ab

C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.PLAY

MD5 4aecd02ac7886d386c0b71a392daee9d
SHA1 03b4343389884ac491beb1be3baed6347234cb86
SHA256 1a5ea5dcea09904c7390a3ddaa0411b37205bc177ec49a9679d53c307e1baf83
SHA512 cb2e6fe750f32dcade0f92653b21465f89a59c0a104002aa44ca94fb6149d444a45b511f614bd831adf63d6b5e9c7a862d1f45e2e8e732029037357e6744b281

C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 aa0b27fdefc5f4608faa85eb889277c7
SHA1 f90845484ace6bb38a0f8ecc7781f14d86577207
SHA256 289f28fc457e2a8dc5cafb1dcedbbfd830768d81b6dbe947422b41d0f025c9e4
SHA512 320be277f1c5190c430b51856cda5856247e539c8aea021fe4930f5401da8638c41ff3f43211c55462f68f9e276cc0b3bafbaf440ed954bb068f7f8e420d85fe

C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.PLAY

MD5 f223a43c524c7ff317612bf58564e7b5
SHA1 e128b09fda262cf59cc8c06599ab08136d249602
SHA256 355b30104493b7400e29a5cfea5bb473fb953654f0f4dc033cf4c15e2bef8da0
SHA512 b97df081fb3d6179527d83941762df2fe8fc98e2979888980608564178e27e75f11646ad400887c17442f1c097099a7286a11c4b41e84149f62fa4c495a518eb

C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.PLAY

MD5 ac6a3199fc4dcdaf6e3be91f8a6365e7
SHA1 33e7b5b7fcb4fcb4a2609164c7439dc551ddddcf
SHA256 133a7399e2dde3e505d48a2d0da392599d3fdcb0379158727cf9dfe8e0ff6018
SHA512 c9f44116290bf2204077b94267369f73ca2328afaa0f806e413813ef12dbe6ee8fdd5326d555f00308ef35356dad2bce5f7d79a0926f9abc8d281d6037d29364