Malware analysis 66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe Malicious activity

Add for printing

File name:	66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe
Full analysis:	https://app.any.run/tasks/612b2e8a-66a4-422f-b813-ed48f21f8370
Verdict:	Malicious activity
Threats:	Play aka PlayCrypt ransomware group has been successfully targeting corporations, municipal entities, and infrastruction all over the world for about three years. It infiltrates networks via software vulnerabilities, phishing links and compromised websites. The ransomware abuses Windows system services to evade detection and maintain persistence. Play encrypts user files and steals sensitive data while demanding a ransom. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	June 13, 2025, 07:35:34
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	ransomware play
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	4F80E32425157403E1967BDF67FFA63F
SHA1:	97C5121094CD027D715F97C787E42C810EA155FA
SHA256:	66445D5D398E98ADF08BEA1D34540DA1AF59870EDB4A7085069A8296E236F4FA
SSDEEP:	6144:oV1+pGn6AigJ7kZZVLVTPxQ9zyVPVmGmD:RA6WJ7mVpjxIzOLmD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- RANSOMWARE has been detected
  - 66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe (PID: 7048)
- PLAY has been detected
  - 66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe (PID: 7048)
SUSPICIOUS
- Write to the desktop.ini file (may be used to cloak folders)
  - 66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe (PID: 7048)
- Creates file in the systems drive root
  - 66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe (PID: 7048)
INFO
- Creates files or folders in the user directory
  - 66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe (PID: 7048)
- Checks supported languages
  - 66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe (PID: 7048)
- Reads the computer name
  - 66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe (PID: 7048)
- Checks proxy server information
  - slui.exe (PID: 1208)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:10:22 15:57:28+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	401408
InitializedDataSize:	70656
UninitializedDataSize:	-
EntryPoint:	0x577c1
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

137

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1208

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

7048

"C:\Users\admin\AppData\Local\Temp\66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe"

C:\Users\admin\AppData\Local\Temp\66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcrypt.dll

Add for printing

Total events

687

Read events

687

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7048	66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.PLAY		binary
		MD5:DAD740F6D9A0B2D577AD002F1C4C3A26	SHA256:DACE3025125FC90A2B4D9AA2AC98F8254CA2E858E13D03BDDB37D3C6FEF763E7
7048	66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.PLAY		binary
		MD5:5515A268BD3A267550BB82C2F7CF4188	SHA256:36B329744C46E90F8B620638FC57F2D84603AFA0DD69DD52BAE8C8236772E623
7048	66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.PLAY		binary
		MD5:26264E50BA95A9CEFC48D44754B626B5	SHA256:1A2FF3C82AF11C86C57BFFE9762FDE84D977CF62C43AE0DD65EF2677B09E257F
7048	66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\LICENSE.txt.PLAY		binary
		MD5:1BDBCA58E9F6CECBB409A71133E4CFAD	SHA256:133DEE3CF6DD6B2F44C4B272C74A8A3F26371D249CE1AB57B90563465DDDA317
7048	66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe	C:\bootTel.dat		binary
		MD5:07BCE3A5D5D53D6FED24C33192D6D8F1	SHA256:8D6010D48451648FBA6754A7861783C019451BC715DC4E6BB0B0E0385B0EADE4
7048	66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\COPYING.LGPLv2.1.txt.PLAY		binary
		MD5:F2713D4918A9F3C61EE87D890CB635B1	SHA256:35EC7271C8DED99A5B2A37F0637F5B670B648066F5EE38F0EF4D42FA7CA3B1AB
7048	66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf		binary
		MD5:5515A268BD3A267550BB82C2F7CF4188	SHA256:36B329744C46E90F8B620638FC57F2D84603AFA0DD69DD52BAE8C8236772E623
7048	66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\LICENSE.txt		binary
		MD5:1BDBCA58E9F6CECBB409A71133E4CFAD	SHA256:133DEE3CF6DD6B2F44C4B272C74A8A3F26371D249CE1AB57B90563465DDDA317
7048	66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\vk_swiftshader_icd.json		binary
		MD5:A67BA6C136A1AA4284EC64992459AC4E	SHA256:DDCA1D0769E6F904CABE64E81309B41295E6A43C06D8B304FB270A0442E3C5D9
7048	66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe	C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\locales\en-US.pak		binary
		MD5:43C5127F4EAE748D49EFCEFA12A4A6CA	SHA256:4D25DBAAF267F87D489C74E022CB95E04D0D3098C960E0A45DA70A835FD69A97

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
888	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5944	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6024	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4060	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1208	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.78	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
self.events.data.microsoft.com	20.42.73.27	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

66445d5d398e98adf08bea1d34540da1af59870edb4a7085069a8296e236f4fa.exe

4F80E32425157403E1967BDF67FFA63F

97C5121094CD027D715F97C787E42C810EA155FA

66445D5D398E98ADF08BEA1D34540DA1AF59870EDB4A7085069A8296E236F4FA

6144:oV1+pGn6AigJ7kZZVLVTPxQ9zyVPVmGmD:RA6WJ7mVpjxIzOLmD

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

RANSOMWARE has been detected

PLAY has been detected

SUSPICIOUS

Write to the desktop.ini file (may be used to cloak folders)

Creates file in the systems drive root

INFO

Creates files or folders in the user directory

Checks supported languages

Reads the computer name

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings