Analysis Overview
SHA256
4d3d315c87af193af02eb5489fa7228b9ecc3aef75464325acc38a9a8c232b02
Threat Level: Known bad
The file dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.7z was found to be: Known bad.
Malicious Activity Summary
PLAY Ransomware, PlayCrypt
Renames multiple (8488) files with added filename extension
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (7371) files with added filename extension
Reads user/profile data of web browsers
Enumerates connected drives
Drops desktop.ini file(s)
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-25 14:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-25 14:13
Reported
2024-07-25 14:16
Platform
win7-20240704-en
Max time kernel
111s
Max time network
123s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (8488) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_ON.GIF | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Brussels | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN01164_.WMF | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GreenTea.css | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00479_.WMF | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\settings.css | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8B.GIF | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01157_.WMF | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107480.WMF | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\OUTDR_01.MID | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_ON.GIF | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msadox28.tlb | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\logo.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\it-IT\Sidebar.exe.mui | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01395_.WMF | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DESKSAM.SAM | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\it-IT\msoeres.dll.mui | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Moscow | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\EST | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2 | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_alignleft.gif | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Essential.eftx | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME21.CSS | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR50B.GIF | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\f7841b2.mst | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7841b2.mst | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4441.tmp | C:\Windows\system32\msiexec.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 34032 wrote to memory of 39460 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 34032 wrote to memory of 39460 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 34032 wrote to memory of 39460 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 34032 wrote to memory of 39460 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 34032 wrote to memory of 39460 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 34032 wrote to memory of 39460 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 34032 wrote to memory of 39460 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe
"C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ReadMe.txt
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1524A5A420A0DCA14E51B27122CFD7AD
Network
Files
memory/1256-0-0x0000000000360000-0x000000000038C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini
| MD5 | 41f0fa27eaac7cda963571acee935f7a |
| SHA1 | 0637d30871d08df763d2838666cfab59778266a3 |
| SHA256 | a8888cf81062d3770d2888c83541ff243b6778c08daee254c6da80aa6a50b53a |
| SHA512 | 926cb897423a9ac296c70bef97db9f367b9f1974bb226fc0058b37c1f3fc1d6cead4a708ad021199af0ff611c8f35182ed2b5fade0fab75d17611be4285a1902 |
C:\ReadMe.txt
| MD5 | 16f93ef919291be05531f0b028c4b32a |
| SHA1 | 3d2df3342389bde385feebae59665e71b7a1dfd1 |
| SHA256 | 7f1c1cd11c6c32293dfcabc05fec13a52770676b524c96525120fef03085b2e2 |
| SHA512 | fe0b0765de454d66b2b87e216839178d9df57cbf4573e61497042936330b9d90cf207798a9bfbcc9be5d6588c0b4253663734a15495fd2beffa54cddbd5c59c1 |
\Windows\Installer\MSI4441.tmp
| MD5 | d1f5ce6b23351677e54a245f46a9f8d2 |
| SHA1 | 0d5c6749401248284767f16df92b726e727718ca |
| SHA256 | 57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc |
| SHA512 | 960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba |
C:\Windows\Installer\MSI7C62.tmp
| MD5 | 4a843a97ae51c310b573a02ffd2a0e8e |
| SHA1 | 063fa914ccb07249123c0d5f4595935487635b20 |
| SHA256 | 727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086 |
| SHA512 | 905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-25 14:13
Reported
2024-07-25 14:16
Platform
win10v2004-20240709-en
Max time kernel
125s
Max time network
150s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (7371) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-fullcolor.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\meBoot.min.js | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\accessibility_poster.jpg | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\fr-FR\wmpnssci.dll.mui | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-256.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlMiddleCircle.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\AFTRNOON.ELM.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-72.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\WebBlendsControl.xaml | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSBI.TTF.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square71x71Logo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-64_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Zview.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WEBSANDBOX.DLL.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.boot.tree.dat.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOIDRES.DLL.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\msipc.dll.mui | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-400_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\SmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\en-IN_female_TTS\skin_en-IN_female_TTS.lua | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\main.css | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\release.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_link_18.svg | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPERSON.DLL.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\oregres.dll.mui | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_BillPay.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\AppStore_icon.svg | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
Browser Information Discovery
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe
"C:\Users\Admin\AppData\Local\Temp\dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3792 -ip 3792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 32900
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/3792-0-0x0000000002F80000-0x0000000002FAC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-384068567-2943195810-3631207890-1000\desktop.ini
| MD5 | 87af5e2fdfd6c0de46f567faef775eb2 |
| SHA1 | ceac97209667cfdde1c66cc8e45c01bc08efe0e4 |
| SHA256 | a2ec5e38f75045d53291373eb997fcf689a3d79643dff7e137a5fa9019ed4d29 |
| SHA512 | 30d5d36e6967d9feec180427af99e4042a3ba3648c20984a7b537fd5823b4d54b374fc50ecdffa2634d985d9bf51f5ed6e23d83a7eba5b91376f17a49b868095 |