Analysis Overview
SHA256
3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545
Threat Level: Known bad
The file 3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe was found to be: Known bad.
Malicious Activity Summary
PLAY Ransomware, PlayCrypt
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (7359) files with added filename extension
Renames multiple (8500) files with added filename extension
Reads user/profile data of web browsers
Enumerates connected drives
Drops desktop.ini file(s)
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 11:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 11:40
Reported
2024-07-26 11:43
Platform
win7-20240708-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (8500) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01660_.WMF | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\BloodPressureTracker.xltx | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200163.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18256_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE.HXS.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\release.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBE7INTL.DLL.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\42.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\main.html | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\CANYON.INF | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00367_.WMF | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\ARROW.WAV | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEMANAGED.DLL | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-compat.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00241_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\URBAN_01.MID.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14753_.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts2.css.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\VSTARemotingServer.tlb.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00163_.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00141_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSPST32.DLL | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.VN.XML | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Nipigon.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Tongatapu.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107744.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\Parity.fx | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Bogota | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199473.WMF | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01358_.WMF | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_COL.HXT | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR37F.GIF | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00010_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01468_.WMF.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginLetter.Dotx | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
Browser Information Discovery
Processes
C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe
"C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe"
Network
Files
memory/2948-0-0x00000000001D0000-0x00000000001FC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini
| MD5 | 547bcce3d4c703347ccb6a3168f62bfa |
| SHA1 | cb95a4b2558c052aafc9b686166c5c22b8ebed26 |
| SHA256 | 1775dec5d479ba0c0b9b5e821d5665f6e9eb58b11bf3a9c6a64e05b12520a197 |
| SHA512 | f17c16782d9c09714fbfc8f63e6706546764c3ed00cfec4bd54747ef4d3bfadf703b16aefba96f3e5b8962e7c99c18b2bad4e80da9227d891e4ae23ff2b9e934 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 11:40
Reported
2024-07-26 11:42
Platform
win10v2004-20240709-en
Max time kernel
102s
Max time network
154s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (7359) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\LargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ProjectedApi.winmd | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot_2x.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-32_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\LargeTile.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations_retina.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-to-phone-tiny.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-72.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-80.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyStateDCFiles_280x192.svg | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-fullcolor.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-100.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-24_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.scale-200.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-24_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\gstreamer.md | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\Font\WeatherColorIcons.ttf | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_signed_out.svg | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-180.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_2.m4a | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-high.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PayLockScreenLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\resources.pri | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter_18.svg | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\HelpThumbnail.png | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_it.json | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_delete_18.svg | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe
"C:\Users\Admin\AppData\Local\Temp\3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
memory/1212-0-0x0000000002430000-0x000000000245C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2990742725-2267136959-192470804-1000\desktop.ini
| MD5 | ec857fb4df5b5fb21fd8fb2205e007c0 |
| SHA1 | 7415b8d74dd8634a335c4a6fe82c7b81d9320fef |
| SHA256 | c4b28a2c8a4ec266f540a9364397a815c14d5fb03fbf9fe5bfcea2f4e7caeb21 |
| SHA512 | e122577c40a6588f9ba309679bf1bc5a4949b05157da694147cc111db2e9527a2cfe31064b8e506668163bfc42414d080729d53320c0c6ff2ea9e5413e200ffd |
C:\$Recycle.Bin\S-1-5-21-2990742725-2267136959-192470804-1000\desktop.ini
| MD5 | 12897605a8ed9fe8d1384e4ab94c0b1f |
| SHA1 | c7dedad9726cc84dfff6022056353a70b5197c7d |
| SHA256 | c6440a9c44ccc387b8b50bf193e8fe00cdc7a93cc2c01adaa342b7c9b288239d |
| SHA512 | e917c488d2932f2c3f3cf4863457004ec3cb6c3fd440c4dfaa0d1a5ffe04fc11c33719fdc3a6e8a195f923419724bfc360fd30f3fe2fed91b0afce3cdb9a4921 |