Windows Analysis Report
PLAY.mal_.exe

Overview

General Information

Sample Name: PLAY.mal_.exe
Analysis ID: 695797
MD5: 223eff1610b432a1f1aa06c60bd7b9a6
SHA1: 14177730443c65aefeeda3162b324fdedf9cf9e0
SHA256: 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
Tags: exe, PLAY, ransomware
Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
One or more processes crash
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Checks if the current process is being debugged
Yara detected Keylogger Generic
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: PLAY.mal_.exe Avira: detected
Source: PLAY.mal_.exe ReversingLabs: Detection: 80%
Source: PLAY.mal_.exe Virustotal: Detection: 71%
Source: PLAY.mal_.exe Metadefender: Detection: 45%
Source: PLAY.mal_.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: A:\ReadMe.txt
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: B:\ReadMe.txt
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ReadMe.txt
Source: PLAY.mal_.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: netutils.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331029539.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: PLAY.mal_.exe, 00000001.00000003.329138105.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: bcrypt.pdb source: PLAY.mal_.exe, 00000001.00000003.331001757.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: PLAY.mal_.exe, 00000001.00000003.331097584.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: PLAY.mal_.exe, 00000001.00000003.344381653.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdb source: PLAY.mal_.exe, 00000001.00000003.331489688.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdbHm source: baseimagefam8.1.dr
Source: Binary string: wntdll.pdb source: PLAY.mal_.exe, 00000001.00000003.323602432.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: PLAY.mal_.exe, 00000001.00000003.345076301.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.355075498.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331947513.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wgdi32.pdb source: PLAY.mal_.exe, 00000001.00000003.352185893.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: PLAY.mal_.exe, 00000001.00000003.351524816.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: fltLib.pdb source: PLAY.mal_.exe, 00000001.00000003.355458870.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb source: PLAY.mal_.exe, 00000001.00000003.331828067.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.344869652.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shell32.pdb source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331489688.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: PLAY.mal_.exe, 00000001.00000003.353571169.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wgdi32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.352185893.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wimm32.pdb source: PLAY.mal_.exe, 00000001.00000003.355492365.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mpr.pdb source: PLAY.mal_.exe, 00000001.00000003.355639216.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdb source: PLAY.mal_.exe, 00000001.00000003.355075498.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.331828067.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: combase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.345484798.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331097584.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: srvcli.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331438294.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331923171.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: srvcli.pdb source: PLAY.mal_.exe, 00000001.00000003.331438294.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shell32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wimm32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355492365.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: fltLib.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.355458870.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: profapi.pdb source: PLAY.mal_.exe, 00000001.00000003.355198404.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.352754344.0000000002CDB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2_32.pdb source: PLAY.mal_.exe, 00000001.00000003.332252050.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332176901.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdb source: PLAY.mal_.exe, 00000001.00000003.352754344.0000000002CDB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shcore.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.345076301.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mpr.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355639216.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: PLAY.mal_.exe, 00000001.00000003.332059802.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: PLAY.mal_.exe, 00000001.00000003.332176901.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.323602432.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: powrprof.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355262879.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: powrprof.pdb source: PLAY.mal_.exe, 00000001.00000003.355262879.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: apphelp.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.330686142.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355140276.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sechost.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332059802.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.329138105.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdb source: PLAY.mal_.exe, 00000001.00000003.355140276.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: bcrypt.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.331001757.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.353571169.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.351524816.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdb source: PLAY.mal_.exe, 00000001.00000003.331923171.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\jdk\objs\libawt\awt.pdb source: baseimagefam8.1.dr
Source: Binary string: bcryptprimitives.pdb source: PLAY.mal_.exe, 00000001.00000003.331947513.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdb source: PLAY.mal_.exe, 00000001.00000003.344869652.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: PLAY.mal_.exe, 00000001.00000003.345484798.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.pdb source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: profapi.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355198404.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdb source: baseimagefam8.1.dr
Source: Binary string: apphelp.pdb source: PLAY.mal_.exe, 00000001.00000003.330686142.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\jdk\objs\libawt\awt.pdb8n source: baseimagefam8.1.dr
Source: Binary string: ws2_32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332252050.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: netutils.pdb source: PLAY.mal_.exe, 00000001.00000003.331029539.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: z:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: x:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: v:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: t:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: r:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: p:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: n:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: l:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: j:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: h:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: f:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: b:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: y:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: w:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: u:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: s:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: q:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: o:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: m:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: k:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: i:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: g:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: e:
Source: C:\Windows\SysWOW64\WerFault.exe File opened: c:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: a:
Source: C:\Users\user\Desktop\PLAY.mal_.exe File opened: [:
Source: baseimagefam8.1.dr String found in binary or memory: http://bugreport.sun.com/bugreport/crash.jsp
Source: baseimagefam8.1.dr String found in binary or memory: http://bugreport.sun.com/bugreport/crash.jspVM
Source: baseimagefam8.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: baseimagefam8.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: baseimagefam8.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: baseimagefam8.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: baseimagefam8.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: baseimagefam8.1.dr String found in binary or memory: http://www.oracle.com/hotspot/jvm/
Source: baseimagefam8.1.dr String found in binary or memory: http://www.oracle.com/hotspot/jvm/java/monitor/address
Source: baseimagefam8.1.dr String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/code_sweeper/id
Source: baseimagefam8.1.dr String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/compiler/id
Source: baseimagefam8.1.dr String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/gc/id
Source: PLAY.mal_.exe, 00000001.00000003.330686142.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DirectDrawCreateEx Callout.
Source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: GetRawInputData
Source: Yara match File source: 1.3.PLAY.mal_.exe.2c60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PLAY.mal_.exe PID: 5460, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

barindex
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\USOShared\Logs\UpdateUx_Temp.1.etl entropy: 7.99656322156
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\Recovery\WindowsRE\Winre.wim entropy: 7.99978678633
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\Recovery\WindowsRE\boot.sdi entropy: 7.99995051911
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab entropy: 7.99821840766
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab entropy: 7.99978509938
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\cab1.cab entropy: 7.99987915975
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab entropy: 7.99838036504
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab entropy: 7.99982797302
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\cab1.cab entropy: 7.99858193912
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab entropy: 7.99996639862
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab entropy: 7.99974695504
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab entropy: 7.99975561316
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab entropy: 7.99987985198
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\cab1.cab entropy: 7.9999664123
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab entropy: 7.99995338894
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.008.etl entropy: 7.99023685191
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.007.etl entropy: 7.99170038916
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: A:\Recovery\WindowsRE\boot.sdi.PLAY (copy) entropy: 7.99995051911
Source: PLAY.mal_.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PLAY.mal_.exe, 00000001.00000003.325887834.0000000002D76000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.345484798.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMBASE.DLLj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.355198404.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePROFAPI.DLLj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.332059802.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesechost.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.331947513.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamebcryptprimitives.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.332176901.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameiphlpapi.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.331438294.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSRVCLI.DLLj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.331001757.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamebcrypt.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSHLWAPI.DLLj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.353571169.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp_win.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: LInternalNameOriginalFileNameProductNameProductVersionCompanyNameLegalCopyrightLegalTrademarksPlatform vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSHELL32.DLLj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.329138105.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.352754344.0000000002CDB000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegdi32j% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.344869652.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCFGMGR32.DLLj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.331097584.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindows.Storage.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.355140276.0000000001450000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel.appcore.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.351524816.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameadvapi32.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.355262879.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePOWRPROF.DLLj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.332252050.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamews2_32.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.330686142.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameApphelpj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.331029539.0000000001450000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNETUTILS.DLLj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.331923171.0000000001450000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecryptbase.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.355492365.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameimm32j% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.352185893.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegdi32j% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.344802829.0000000002D12000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcrt.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.345076301.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSHCORE.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.331489688.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerpcrt4.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: NSC_NameNSC_AddressNSC_PhoneNSC_EmailNSC_DescriptionWM/WriterWM/ConductorWM/ProducerWM/DirectorWM/ContentGroupDescriptionWM/SubTitleWM/PartOfSetWM/ProtectionTypeWM/VideoHeightWM/VideoWidthWM/VideoFrameRateWM/MediaClassPrimaryIDWM/MediaClassSecondaryIDWM/PeriodWM/CategoryWM/PictureWM/Lyrics_SynchronisedWM/OriginalLyricistWM/OriginalArtistWM/OriginalAlbumTitleWM/OriginalReleaseYearWM/OriginalFilenameWM/PublisherWM/EncodedByWM/EncodingSettingsWM/EncodingTimeWM/AuthorURLWM/UserWebURLWM/AudioFileURLWM/AudioSourceURLWM/LanguageWM/ParentalRatingWM/BeatsPerMinuteWM/InitialKeyWM/MoodWM/TextWM/DVDIDWM/WMContentIDWM/WMCollectionIDWM/WMCollectionGroupIDWM/UniqueFileIdentifierWM/ModifiedByWM/RadioStationNameWM/RadioStationOwnerWM/PlaylistDelayWM/CodecWM/DRMWM/ISRCWM/ProviderWM/ProviderRatingWM/ProviderStyleWM/ContentDistributorWM/SubscriptionContentIDWM/WMADRCPeakReferenceWM/WMADRCPeakTargetWM/WMADRCAverageReferenceWM/WMADRCAverageTargetWM/StreamTypeInfoWM/PeakBitrateWM/ASFPacketCountWM/ASFSecurityObjectsSizeWM/SharedUserRatingWM/SubTitleDescriptionWM/MediaCreditsWM/ParentalRatingReasonWM/OriginalReleaseTimeWM/MediaStationCallSignWM/MediaStationNameWM/MediaNetworkAffiliationWM/MediaOriginalChannelWM/MediaIsStereoWM/MediaOriginalBroadcastDateTimeWM/VideoClosedCaptioningWM/MediaIsRepeatWM/MediaIsLiveWM/MediaIsTapeWM/MediaIsDelayWM/MediaIsSubtitledWM/MediaIsPremiereWM/MediaIsFinaleWM/MediaIsSAPWM/ProviderCopyrightWM/ISANWM/ADIDWM/WMShadowFileSourceFileTypeWM/WMShadowFileSourceDRMTypeWM/WMCPDistributorWM/WMCPDistributorIDWM/SeasonNumberWM/EpisodeNumberEarlyDataDeliveryJustInTimeDecodeSingleOutputBufferSoftwareScalingDeliverOnReceiveScrambledAudioDedicatedDeliveryThreadEnableDiscreteOutputSpeakerConfigDynamicRangeControlAllowInterlacedOutputVideoSampleDurationsStreamLanguageEnableWMAProSPDIFOutputDeinterlaceModeInterlacedCodingInitialPatternForInverseTelecineJPEGCompressionQualityWatermarkCLSIDWatermarkConfigFixedFrameRate_SOURCEFORMATTAG_ORIGINALWAVEFORMAT_EDL_COMPLEXITYEX_DECODERCOMPLEXITYPROFILEReloadIndexOnSeekStreamNumIndexObjectsFailSeekOnErrorPermitSeeksBeyondEndOfStreamUsePacketAtSeekPointSourceBufferTimeSourceMaxBytesAtOnce_VBRENABLED_VBRQUALITY_RMAX_BMAXVBR PeakBuffer Average_COMPLEXITYEXMAX_COMPLEXITYEXOFFLINE_COMPLEXITYEXLIVE_ISVBRSUPPORTED_PASSESUSEDMusicSpeechClassModeMusicClassModeSpeechClassModeMixedClassModeSpeechFormatCapPeakValueAverageLevelFold6To2Channels3Fold%luTo%luChannels%luDeviceConformanceTemplateEnableFrameInterpolationNeedsPreviousSampleWM/IsCompilation| vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.355075498.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWin32u.DLLj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.331828067.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesecurity.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.355458870.0000000001450000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilterLib.dllj% vs PLAY.mal_.exe
Source: PLAY.mal_.exe, 00000001.00000003.355639216.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamempr.dllj% vs PLAY.mal_.exe
Source: C:\Users\user\Desktop\PLAY.mal_.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540
Source: C:\Users\user\Desktop\PLAY.mal_.exe Section loaded: ext-ms-win-gdi-desktop-l1-1-0.dll Jump to behavior
Source: PLAY.mal_.exe ReversingLabs: Detection: 80%
Source: PLAY.mal_.exe Virustotal: Detection: 71%
Source: PLAY.mal_.exe Metadefender: Detection: 45%
Source: PLAY.mal_.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PLAY.mal_.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PLAY.mal_.exe "C:\Users\user\Desktop\PLAY.mal_.exe"
Source: C:\Users\user\Desktop\PLAY.mal_.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540
Source: C:\Users\user\Desktop\PLAY.mal_.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 2796
Source: C:\Users\user\Desktop\PLAY.mal_.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5460
Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/AppExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.CloseSessionIehistoryIerssJavascriptJscriptLDAPResrloginStickyNotesExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionFile.adp.app.application.appref-ms.asp.bas.cnt.cpftelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMS.ade.hlp.hme.hpj.hta.ins.isp.its.jse.cpl.crd.crds.crt.csh.fxp.gadget.grp.mat.mau.mav.maw.mcf.mda.mde.mdt.ksh.mad.maf.mag.mam.maq.mar.mas.mshxml.mst.ops.pcd.pl.plg.prf.prg.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xip.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.xnkBRITNLSVDAFIHUNOENDEJAKOTWCNFRHEEUISsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAELPLRUCSPTSKSLARbs-BA-Latnzh-Hantzh-CHTzh-Hanszh-CHSsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrliu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAdadeelenesfifrhearbgcarmroruhrsksqsvthhuisitjakonlplptfavihyazeuhsbmksttrurukbeetlvlttghimtsegayimskkkytstnvexhzuafkafotateknmlasmrsamnswtkuzttbnpaguorsdsyrsichriuamtzmksbocykmlomyglkokmniibbyoquznsobalbklignefypsfildvbinffhapaparnmohbrugmioccokromtignhawlasoiiar-SAbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRgswsahqucrwwoprsgdkuja-JPko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROen-USes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITid-IDuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJru-RUhr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKts-ZAtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOfa-IRvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAtk-TMuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INhi-INmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEcy-GBkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INte-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNfy-NLps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGsyr-SYsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPom-ETti-ETgn-PYhaw-USla-001so-SOii-CNpap-029yo-NGquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGsah-RUquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocarn-CLmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRit-CHnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INqps-plocaar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEpa-Arab-PKta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNaz-Cyrl-AZdsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDes-ESfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGquz-ECti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUzh-MOde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEde-LUen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZar-OMen-JMes-VEfr-REsms-FIar-YEen-029es-COes-PAfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-JOen-TTes-ARfr-CMsr-Latn-MEar-LBen-ZWes-ECfr-CDsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSes-UYfr-MAar-BHen-HKes-PYfr-HTar-QAen-INfr-CIsr-Cyrl-MEar-KWen-PHes-CLfr-MLar-AEen-IDes-419es-CUbs-Cyrlbs-Latnsr-Cyrlsr-Latnsmnaz-Cyrles-BOen-MYes-SVen-SGes-HNes-NIes-PRes-USiu-Canstzm-Tfngnbsrtg-Cyrldsbsmjuz-Latnsmszhnnbsaz-Latnsmauz-Cyrlmn-Cyrlquc-Lat
Source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: .xlsmMicrosoft.Office.Desktop_8wekyb3d8bbwe!Excel.dot.dotx.docmMicrosoft.Office.Desktop_8wekyb3d8bbwe!WordMicrosoft.Office.Desktop_8wekyb3d8bbwe!PowerPoint.ods.xla.xlam.xlt.xltm.xltx.xlsb.pps.ppsm.ppsx.thmx.pot.potm.potx.pptmms-powerpointms-excelms-word.odp.ppa.ppamABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/Explorer.AssocActionId.CloseSessionExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionAppExplorer.AssocActionId.BurnSelectionStickyNotestelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMSFileIehistoryIerssJavascriptJscriptLDAPResrlogin.cpf.crd.crds.crt.csh.fxp.gadget.grp.ade.adp.app.application.appref-ms.asp.bas.cnt.ksh.mad.maf.mag.mam.maq.mar.mas.hlp.hme.hpj.hta.ins.isp.its.jse.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mat.mau.mav.maw.mcf.mda.mde.mdt.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.mshxml.mst.ops.pcd.pl.plg.prf.prg.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.xnk.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xipKOTWCNFRBRITNLSVENDEJAPTTRSKSLARHEEUISDAFIHUNOELPLRUCSiu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAbs-BA-Latnzh-Hantzh-CHTsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrlzh-Hanszh-CHSarbgcacsdadeitjakonlplptrmroelenesfifrhehuisukbesletlvlttgfaruhrsksqsvthtrurtnvexhzuafkafohivihyazeuhsbmksttstkuzttbnpaguortamtsegayimskkkyswcykmlomyglkokmnisdteknmlasmrsamnbofypsfildvbinffhaibbsyrsichriuamtzmksneomtignhawlasoiipapyoquznsobalbkligkrsahqucrwwoprsgdkuar-SAarnmohbrugmioccogswes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITja-JPbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRen-UShr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKid-IDko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROru-RUvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAts-ZAuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJfa-IRmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEtk-TMtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOhi-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNcy-GBuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INte-INsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPfy-NLkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INsyr-SYquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGom-ETps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGyo-NGmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRsah-RUti-ETgn-PYhaw-USla-001so-SOii-CNpap-029arn-CLar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEit-CHquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocqps-plocadsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDpa-Arab-PKnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INaz-Cyrl-AZti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUes-ESta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNquz-ECen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZzh-MOfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGde-LUfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-OMde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEes-PAsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSar-JOen-JMes-VEfr-REsms-FIar-YEen-029es-COfr-CDsr-Cyrl-MEar-KWen-PHes-CLf
Source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8ACC.tmp Jump to behavior
Source: C:\Users\user\Desktop\PLAY.mal_.exe File written: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.ini Jump to behavior
Source: classification engine Classification label: mal60.rans.winEXE@6/139@0/100
Source: C:\Users\user\Desktop\PLAY.mal_.exe File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: PLAY.mal_.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: PLAY.mal_.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: netutils.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331029539.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: PLAY.mal_.exe, 00000001.00000003.329138105.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: bcrypt.pdb source: PLAY.mal_.exe, 00000001.00000003.331001757.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: PLAY.mal_.exe, 00000001.00000003.331097584.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: PLAY.mal_.exe, 00000001.00000003.344381653.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdb source: PLAY.mal_.exe, 00000001.00000003.331489688.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdbHm source: baseimagefam8.1.dr
Source: Binary string: wntdll.pdb source: PLAY.mal_.exe, 00000001.00000003.323602432.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: PLAY.mal_.exe, 00000001.00000003.345076301.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.355075498.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331947513.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wgdi32.pdb source: PLAY.mal_.exe, 00000001.00000003.352185893.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: PLAY.mal_.exe, 00000001.00000003.351524816.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: fltLib.pdb source: PLAY.mal_.exe, 00000001.00000003.355458870.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdb source: PLAY.mal_.exe, 00000001.00000003.331828067.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.344869652.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shell32.pdb source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331489688.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: PLAY.mal_.exe, 00000001.00000003.353571169.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wgdi32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.352185893.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wimm32.pdb source: PLAY.mal_.exe, 00000001.00000003.355492365.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mpr.pdb source: PLAY.mal_.exe, 00000001.00000003.355639216.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wwin32u.pdb source: PLAY.mal_.exe, 00000001.00000003.355075498.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wsspicli.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.331828067.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: combase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.345484798.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331097584.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: srvcli.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331438294.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.331923171.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: srvcli.pdb source: PLAY.mal_.exe, 00000001.00000003.331438294.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shell32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wimm32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355492365.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: fltLib.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.355458870.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: profapi.pdb source: PLAY.mal_.exe, 00000001.00000003.355198404.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.352754344.0000000002CDB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2_32.pdb source: PLAY.mal_.exe, 00000001.00000003.332252050.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332176901.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdb source: PLAY.mal_.exe, 00000001.00000003.352754344.0000000002CDB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shcore.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.345076301.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mpr.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355639216.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: PLAY.mal_.exe, 00000001.00000003.332059802.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: PLAY.mal_.exe, 00000001.00000003.332176901.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.323602432.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: powrprof.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355262879.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: powrprof.pdb source: PLAY.mal_.exe, 00000001.00000003.355262879.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: apphelp.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.330686142.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355140276.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sechost.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332059802.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.329138105.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdb source: PLAY.mal_.exe, 00000001.00000003.355140276.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: bcrypt.pdbGCTL source: PLAY.mal_.exe, 00000001.00000003.331001757.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.353571169.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.351524816.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdb source: PLAY.mal_.exe, 00000001.00000003.331923171.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\jdk\objs\libawt\awt.pdb source: baseimagefam8.1.dr
Source: Binary string: bcryptprimitives.pdb source: PLAY.mal_.exe, 00000001.00000003.331947513.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cfgmgr32.pdb source: PLAY.mal_.exe, 00000001.00000003.344869652.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: PLAY.mal_.exe, 00000001.00000003.345484798.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.pdb source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: profapi.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.355198404.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ApplicationFrameWindowWindows.Foundation.Collections.IIterator`1<IUnknown>Windows.Foundation.Collections.IVectorView`1<IUnknown>Windows.Foundation.Collections.IVector`1<IUnknown>@%SystemRoot%\System32\SettingSyncCore.dll,-1024internal\onecoreuapshell\private\inc\shouldswitchtodesktop.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000BasicPropertiesDocumentPropertiesImagePropertiesVideoPropertiesMusicPropertiesRenameAsyncOverloadDefaultOptionsRenameAsyncIStorageItem2GetParentAsyncIsEqualGetThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetThumbnailAsyncOverloadDefaultOptionsget_DisplayNameIStorageItemProperties2GetScaledImageAsThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetScaledImageAsThumbnailAsyncOverloadDefaultOptionsGetScaledImageAsThumbnailAsyncIStorageItemPropertiesWithProviderget_ProviderIStorageItemThumbnailAccessPrivGetScaledImageOrThumbnailAsyncIStorageItemHandleAcccessOpenAsyncPrivatePauseDeferredUpdateSetStreamedFileCallbackGetStreamedFileCallbackGetSpecialInternalPropertySetSpecialInternalPropertyCreateTempFileInSameLocationCopyOverloadDefaultOptionsCopyOverloadCopyAndReplaceAsyncMoveOverloadDefaultNameAndOptionsWindows.Security.EnterpriseData.FileProtectionManagerMoveOverloadDefaultOptionsoptionsCreateFolderAsyncOverloadDefaultOptionsGetItemAsyncGetItemsAsyncOverloadDefaultStartAndCountCreateFileQueryOverloadDefaultCreateFileQueryCreateFolderQueryOverloadDefaultCreateFolderQueryCreateFolderQueryWithOptionsCreateItemQueryWithOptionsGetFilesAsyncOverloadDefaultStartAndCountGetFoldersAsyncOverloadDefaultStartAndCountget_MusicLibraryget_HomeGroupget_RemovableDevicesget_MediaServerDevicesget_Playlistsget_SavedPicturesget_Objects3Dget_AppCapturesget_RecordedCallsGetFolderForUserAsyncget_ApplicationDataSharedLocalGetPublisherCacheFolderGetApplicationDataFolderForUserGetPublisherCacheFolderForUserknownfolder:{AB5FB87B-7CE2-4F83-915D-550846C9537B}knownfolder:{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}knownfolder:{1C2AC1DC-4358-4B6C-9733-AF21156576F0}knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}knownfolder:{374DE290-123F-4565-9164-39C4925E467B}knownfolder:{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43}knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}knownfolder:{AE50C081-EBD2-438A-8655-8A092E34987A}knownfolder:{C870044B-F49E-4126-A9C3-B52A1FF411E8}knownfolder:{3B193882-D3AD-4eab-965A-69829D1FB59F}knownfolder:{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC}get_Langua
Source: Binary string: C:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdb source: baseimagefam8.1.dr
Source: Binary string: apphelp.pdb source: PLAY.mal_.exe, 00000001.00000003.330686142.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\build\windows-i586\jdk\objs\libawt\awt.pdb8n source: baseimagefam8.1.dr
Source: Binary string: ws2_32.pdbUGP source: PLAY.mal_.exe, 00000001.00000003.332252050.0000000002C60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: netutils.pdb source: PLAY.mal_.exe, 00000001.00000003.331029539.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: A:\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: B:\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\PLAY.mal_.exe File created: C:\ReadMe.txt Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PLAY.mal_.exe TID: 5936 Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\Desktop\PLAY.mal_.exe File Volume queried: C:\ FullSizeInformation (5 identical events)
Source: PLAY.mal_.exe, 00000001.00000000.472458165.000000000B82A000.00000004.00000800.00020000.00000000.sdmp, PLAY.mal_.exe, 00000001.00000003.410275281.000000000B81B000.00000004.00000800.00020000.00000000.sdmp, PLAY.mal_.exe, 00000001.00000003.411693718.000000000B829000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: baseimagefam8.1.dr Binary or memory string: java/lang/VirtualMachineError
Source: baseimagefam8.1.dr Binary or memory string: Unable to link/verify VirtualMachineError class
Source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: baseimagefam8.1.dr Binary or memory string: _well_known_klasses[SystemDictionary::VirtualMachineError_klass_knum]
Source: PLAY.mal_.exe, 00000001.00000003.329816153.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: baseimagefam8.1.dr Binary or memory string: m{constant pool}code cache C-heap hand metaspace chunks dict zone strs syms heap threads [Verifying Genesis-2147483648Unable to link/verify Finalizer.register methodUnable to link/verify ClassLoader.addClass methodProtectionDomain.impliesCreateAccessControlContext() has the wrong linkageUnable to link/verify Unsafe.throwIllegalAccessError methodGC overhead limit exceededRequested array size exceeds VM limitCompressed class spaceJava heap spaceUnable to link/verify VirtualMachineError classC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\hotspot\src\share\vm\oops\arrayKlass.cpp[]guarantee(component_mirror()->klass() != NULL) failedshould have a classC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\hotspot\src\share\vm\gc_interface/collectedHeap.inline.hpp - length: %dguarantee(a->length() >= 0) failedarray with negative length?guarantee(obj->is_array()) failedmust be arrayshould be klassguarantee(is_constantPool()) failedvtable restored by this callA constant pool lock<pseudo-string> cache=0x%08x (extra) for /operands[%d]/preresolutionconstant pool [%d]C:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u20\791\hotspot\src\share\vm\oops\constantPool.cppguarantee(!ConstantPool::is_invokedynamic_index(which)) failedan invokedynamic instruction does not have a klassRESOLVE %s %s
Source: C:\Users\user\Desktop\PLAY.mal_.exe Process queried: DebugPort (2 identical events)
Source: C:\Users\user\Desktop\PLAY.mal_.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540 (2 identical events)
Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
Source: PLAY.mal_.exe, 00000001.00000003.347091112.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TargetundeleteSoftware\Microsoft\Tracking\TimeOut::{9db1186e-40df-11d1-aa8c-00c04fb67863}:Shell_TrayWnd
Source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
Source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: *Program ManagerpszDesktopTitleWSoftware\Classes\
Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: animationTileContentsSrcVerticalScrollBaranimationProgressSrcanimationTileContentsDstInneranimationTileContentsSrcInneranimationTileContentsDstanimationProgressDstInneranimationProgressDstanimationProgressSrcInnereltRegularTileHeadereltSummaryeltInterruptPaneeltProgressBaridOperationTileeltInterruptDoForAlleltItemIconeltInterruptDescriptioneltInterruptButtonsContainereltInterruptDeleteBtneltInterruptElevateBtneltItemPropseltItemNameeltInterruptYesBtneltInterruptRetryBtneltInterruptCancelBtneltInterruptSkipBtnConfirmationCheckBoxDoForAlleltInterruptNoBtneltInterruptOKBtnshell\shell32\operationstatusmgr.cppidTileSubTextidOperationInterrupteltInterruptDoForAllLabelidTileActionIdTileKeepSourceidItemTileIdTileDecideForEachIdTileIgnoreIdTileKeepAsPersonalIdTileKeepAsWorkIdTileKeepDestCustomCommandIconDecideForEachTileIconSkipTileIconKeepSourceTileIconeltItemTileContainereltConflictInterruptDescriptionidTileIconidCustomConflictInterrupteltInterruptTileHeaderidConflictInterrupteltRateChartCHARTVIEW%0.2fIdTileDefaulteltPauseButtoneltTileContentseltTile%ueltTimeRemainingeltConflictInterrupteltConfirmationInterrupteltLocationseltItemsRemainingeltDetailseltScrolleltRegularTileeltCancelButtonidTileHosteltScrollBarFillereltDividereltProgressBarContainereltDisplayModeBtnFocusHoldereltDisplayModeBtnWindows.SystemToast.ExplorerEnthusiastModeprogmaneltFooterArealfEscapementSoftware\Microsoft\NotepadRICHEDIT50WlfUnderlinelfItaliclfWeightlfOrientationlfClipPrecisionlfOutPrecisionlfCharSetlfStrikeOutLucida ConsoleiPointSizelfPitchAndFamilylfQualitylfFaceName
Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
Source: PLAY.mal_.exe, 00000001.00000003.332534336.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: |}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange
Source: PLAY.mal_.exe, 00000001.00000003.345076301.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndSHCore.Subclass.DataSystem\CurrentControlSet\Control\HvsiWindowOverrideScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Explorer\FCM\Impolite[
Source: PLAY.mal_.exe, 00000001.00000003.353945577.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: PLAY.mal_.exe, 00000001.00000003.351926868.0000000002C60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
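The behaviour lines above are raw sandbox output and mix evidence of very different weight: the SetErrorMode flags are set by WerFault.exe (the crash reporter), not by the sample; the "VirtualMachineError" strings come from a dropped Java runtime file and name the JVM's java.lang.VirtualMachineError exception class rather than a hypervisor; only the DebugPort queries and the 90000-unit sleep from PLAY.mal_.exe itself are direct anti-analysis signals. The following script is an added example, not part of the sandbox report or its tooling. It parses lines in the report's own "Source: <process or memory dump> <event>: <detail>" layout (the sample lines are copied from this report and constructed into a list; the hypervisor marker list and the magnitude comparison for the sleep notation are assumptions) and groups the findings per source process so that WerFault noise and JVM strings are not counted against the sample.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: behaviour lines in the report's own layout, taken
# from the report above, plus one JVM string from the dropped file to show a
# string that must NOT be counted as hypervisor detection.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior",
    r"Source: C:\Users\user\Desktop\PLAY.mal_.exe TID: 5936 Thread sleep time: -90000s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\Desktop\PLAY.mal_.exe File Volume queried: C:\ FullSizeInformation Jump to behavior",
    r"Source: PLAY.mal_.exe, 00000001.00000000.472458165.000000000B82A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V",
    r"Source: baseimagefam8.1.dr Binary or memory string: java/lang/VirtualMachineError",
    r"Source: C:\Users\user\Desktop\PLAY.mal_.exe Process queried: DebugPort Jump to behavior",
    r"Source: C:\Users\user\Desktop\PLAY.mal_.exe Process queried: DebugPort Jump to behavior",
    r"Source: C:\Users\user\Desktop\PLAY.mal_.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1540 Jump to behavior",
]

EVENTS = (
    "Process information set",
    "Thread sleep time",
    "File Volume queried",
    "Binary or memory string",
    "Process queried",
    "Process created",
)
# Source is everything between "Source:" and the event keyword; the trailing
# "Jump to behavior" link text from the HTML report is stripped if present.
LINE_RE = re.compile(
    r"^Source:\s+(?P<source>.+?)\s+(?P<event>"
    + "|".join(re.escape(e) for e in EVENTS)
    + r"):\s*(?P<detail>.*?)(?:\s+Jump to behavior)?$"
)
SLEEP_RE = re.compile(r"^(-?\d+)s\s*>=\s*(-?\d+)s$")
PID_RE = re.compile(r"\s-p\s+(\d+)\b")
# Assumed list of hypervisor/product names worth flagging as a weak VM-detection hint.
VM_MARKERS = ("Hyper-V", "VMware", "VirtualBox", "VBox", "QEMU", "Xen")


def parse_line(line):
    """Split one report line into (source, event, detail); None if it is not a behaviour line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("source"), m.group("event"), m.group("detail")


def sleep_is_evasive(detail):
    """'-90000s >= -30000s' lists the observed relative delay and the sandbox threshold.
    Both are negative (relative) in the report, so the comparison is on magnitudes
    (assumption about the notation). Returns None if the detail is not a sleep record."""
    m = SLEEP_RE.match(detail)
    if not m:
        return None
    observed, threshold = abs(int(m.group(1))), abs(int(m.group(2)))
    return observed >= threshold


def werfault_pid(detail):
    """WerFault.exe -u -p <pid> -s <event>: -p carries the id of the crashed process."""
    m = PID_RE.search(detail)
    return int(m.group(1)) if m else None


def triage(lines):
    """Group anti-analysis evidence per source so crash-reporter and JVM noise stay separate."""
    findings = {
        "error_mode_flags": defaultdict(set),  # source -> SetErrorMode flag names it set
        "evasive_sleeps": [],                  # (source, detail) over the sandbox threshold
        "debug_port_queries": Counter(),       # source -> number of DebugPort queries
        "vm_strings": [],                      # (source, matched marker)
        "crashed_pids": set(),                 # pids handed to WerFault via -p
    }
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, event, detail = parsed
        if event == "Process information set":
            findings["error_mode_flags"][source].update(f.strip() for f in detail.split("|"))
        elif event == "Thread sleep time" and sleep_is_evasive(detail):
            findings["evasive_sleeps"].append((source, detail))
        elif event == "Process queried" and detail == "DebugPort":
            findings["debug_port_queries"][source] += 1
        elif event == "Binary or memory string":
            # Whole-token match only: "VirtualMachineError" is a JVM class name, not a hypervisor.
            for marker in VM_MARKERS:
                if re.search(r"(?<![A-Za-z0-9])" + re.escape(marker) + r"(?![A-Za-z0-9])", detail):
                    findings["vm_strings"].append((source, marker))
        elif event == "Process created" and "WerFault.exe" in detail:
            pid = werfault_pid(detail)
            if pid is not None:
                findings["crashed_pids"].add(pid)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run against the lines of this report, the error-mode flags attach only to WerFault.exe, the two DebugPort queries and the 90000-unit sleep attach to PLAY.mal_.exe, the single hypervisor string is Hyper-V from the sample's own memory (a weak indicator on its own, since that string also occurs in legitimate Windows binaries), and the JVM "VirtualMachineError" strings from baseimagefam8.1.dr produce no finding. The pid 5460 recovered from the WerFault command line is the process that crashed, which is the "One or more processes crash" signature rather than an evasion technique.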