play.exe

The executable play.exe has been detected as malware by 30 of 68 anti-virus scanners. It is set to start automatically when the user logs into Windows, via a value named 'THERIGHTCLICK' under the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). The majority of detections classify it as a Carberp-family spyware/keylogger; the near-maximal entropy and 8.3 MB size against 369 KB of code indicate that most of the file is packed or encrypted payload.
Version:
0.4.1.3

MD5:
37b1513e655f2528c5e3d8bfeb03fc13

SHA-1:
44b0199a42b59bbd97a818f6f844ad7eae801d50

SHA-256:
12761aae937cc07176fc623d6863175cf4ad7f6303823a03ef459d663c25c15e

Scanner detections:
30 / 68

Status:
Malware

Explanation:
The software contains keystroke monitoring/logging capabilities, which may have been installed without the user's knowledge.

Analysis date:
4/26/2024 11:58:10 AM UTC

Scan engine                   Detection                    Engine version
Lavasoft Ad-Aware             Gen:Variant.Symmi.18328      922
AhnLab V3 Security            Spyware/Win32.Carberp        2014.06.14
Avira AntiVirus               TR/Symmi.18328.58            7.11.154.218
avast!                        Win32:Malware-gen            2014.9-140728
AVG                           Generic34                    2015.0.3400
Bitdefender                   Gen:Variant.Symmi.18328      1.0.20.1045
Bkav FE                       HW32.Keylogger               1.3.0.4959
Dr.Web                        Trojan.Siggen6.12756         9.0.1.0209
Emsisoft Anti-Malware         Gen:Variant.Symmi.18328      8.14.07.28.03
ESET NOD32                    Win32/CoinMiner.CW           8.9942
Fortinet FortiGate            W32/Carberp.ABXE!tr          7/28/2014
F-Secure                      Gen:Variant.Symmi.18328      11.2014-28-07_2
G Data                        Gen:Variant.Symmi.18328      14.7.24
IKARUS anti.virus             Trojan.Win32.Sisron          t3scan.1.6.1.0
K7 AntiVirus                  Riskware                     13.1712403
Kaspersky                     Trojan-Spy.Win32.Carberp     14.0.0.3494
McAfee                        Artemis!37B1513E655F         5600.7056
Microsoft Security Essentials Trojan:Win32/Sisron!gmb      1.10600
MicroWorld eScan              Gen:Variant.Symmi.18328      15.0.0.627
NANO AntiVirus                Trojan.Win32.Carberp.cxilbn  0.28.0.60253
Norman                        Suspicious_Gen5.AQLNM        11.20140728
Panda Antivirus               Trj/CI.A                     14.07.28.03
Qihoo 360 Security            Win32/Trojan.b32             1.0.0.1015
Quick Heal                    TrojanSpy.Carberp.g5         7.14.14.00
Sophos                        Mal/Generic-S                4.98
Trend Micro House Call        TROJ_SPNR.11FD14             7.2.209
Trend Micro                   TROJ_SPNR.11FD14             10.465.28
Vba32 AntiVirus               TrojanSpy.Carberp            3.12.26.0
VIPRE Antivirus               Trojan.Win32.Generic         30270
Zillya! Antivirus             Trojan.Carberp.Win32.4288    2.0.0.1822

File size:
8.3 MB (8,655,015 bytes)

Product version:
0.4.1.3

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\play.exe

File PE Metadata
Compilation timestamp:
11/3/2013 4:13:27 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
196608:w4Uhpa9l4827WDJwjSEXY2HTnZLKCnyIEJSnk:Yp248OWefY2znZLKCy5JN

Entry address:
0x50501

Entry point:
E8, D9, 7F, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 98, 76, 47, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 9C, 76, 47, 00, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, E5, 0E, 00, 00, 85, C0, 75, 06, B8, 00, 78, 47, 00, C3, 83, C0, 08, C3, E8, D2, 0E, 00, 00, 85, C0, 75, 06, B8, 04, 78, 47, 00, C3, 83, C0, 0C, C3, 8B, FF, 55, 8B, EC, 56, E8, E2, FF, FF, FF, 8B, 4D, 08...

Entropy:
7.9413  (probably packed)

Code size:
369 KB (377,856 bytes)
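The hashes and the entropy figure above are the fields a responder actually uses to confirm a sample. The following script is an added example, not Reason Core Security's tooling: it computes MD5/SHA-1/SHA-256 for a file image, compares them with the three hashes listed on this page, and computes Shannon entropy in bits per byte, flagging the image as probably packed above a cut-off. The 7.0 cut-off and the sample buffers are assumptions; the page itself only labels 7.9413 as "probably packed".

```python
"""Hash and entropy triage of a suspect file against the indicators above.

Added example, not Reason Core Security's tooling. The three hashes are the
page's values; PACKED_THRESHOLD and the sample buffers are assumptions."""
import hashlib
import math
from collections import Counter

# Indicators copied from the record above.
KNOWN_HASHES = {
    "md5": "37b1513e655f2528c5e3d8bfeb03fc13",
    "sha1": "44b0199a42b59bbd97a818f6f844ad7eae801d50",
    "sha256": "12761aae937cc07176fc623d6863175cf4ad7f6303823a03ef459d663c25c15e",
}
# The page calls 7.9413 bits/byte "probably packed"; 7.0 is an assumed triage
# cut-off (plain x86 code usually sits well below it, compressed or encrypted
# data close to the 8.0 maximum).
PACKED_THRESHOLD = 7.0


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests, keyed like KNOWN_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> dict:
    """Compare a file image with the known hashes and flag high entropy."""
    hashes = file_hashes(data)
    ent = shannon_entropy(data)
    return {
        "hash_match": any(hashes[k] == v for k, v in KNOWN_HASHES.items()),
        "entropy": round(ent, 4),
        "probably_packed": ent >= PACKED_THRESHOLD,
        "hashes": hashes,
    }


def triage_file(path: str) -> dict:
    """Read a file from disk and run triage() on its bytes."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    import os
    # Constructed buffers: a zero-filled stub with an MZ header and random bytes.
    stub = b"MZ" + bytes(4094)
    noise = os.urandom(4096)
    for label, blob in (("zero-filled stub", stub), ("random bytes", noise)):
        print(label, triage(blob))
```

A hash match is conclusive for this exact sample; a miss is not, since repacked variants keep the same behaviour with different hashes, which is why the entropy check and the Run-key persistence below are worth checking independently.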

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
THERIGHTCLICK

Command:
C:\users\{user}\appdata\roaming\play.exe
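The Run-key entry above is the persistence mechanism, so checking for it is the quickest host-side confirmation. The script below is an added example, not Reason Core Security's removal logic. It flags a Run value when its name is THERIGHTCLICK, when its command launches play.exe, or when the executable sits directly in the roaming AppData root as the common path on this page shows; those three rules and the constructed SAMPLE_ENTRIES are assumptions. On Windows it reads the live HKCU Run key with the standard-library winreg module; elsewhere it runs over the constructed sample.

```python
"""Look for the THERIGHTCLICK persistence entry under the current-user Run key.

Added example, not Reason Core Security's removal logic. RUN_KEY, the value
name, the executable name and the common path come from the record above; the
flagging rules and SAMPLE_ENTRIES are assumptions / constructed data."""
import re
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"   # under HKCU
KNOWN_NAME = "THERIGHTCLICK"
KNOWN_BASENAME = "play.exe"
# Common path on this page: the EXE sits directly in the roaming AppData root,
# which is unusual for legitimate autostart software (assumed heuristic).
APPDATA_ROOT_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.I)


def assess_entry(name: str, command: str) -> list:
    """Return the reasons (possibly none) that a Run value resembles this sample."""
    cmd = command.strip().strip('"')          # tolerate a quoted path
    basename = cmd.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name.upper() == KNOWN_NAME:
        reasons.append("value name is THERIGHTCLICK")
    if basename == KNOWN_BASENAME:
        reasons.append("command launches play.exe")
    if APPDATA_ROOT_RE.match(cmd):
        reasons.append("executable sits directly under %APPDATA%\\Roaming")
    return reasons


def scan_entries(entries) -> dict:
    """entries: iterable of (value name, command). Returns {name: reasons} for hits."""
    hits = {}
    for name, command in entries:
        reasons = assess_entry(name, command)
        if reasons:
            hits[name] = reasons
    return hits


def read_hkcu_run() -> list:
    """Enumerate the HKCU Run key with winreg (Windows only)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:            # raised when no more values remain
                break
            entries.append((name, str(data)))
            i += 1
    return entries


# Constructed Run values for offline use; only the first two should be flagged.
SAMPLE_ENTRIES = [
    ("THERIGHTCLICK", r"C:\users\alice\appdata\roaming\play.exe"),
    ("Updater", r'"C:\Users\bob\AppData\Roaming\play.exe"'),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    entries = read_hkcu_run() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, reasons in scan_entries(entries).items():
        print(f"{name}: " + "; ".join(reasons))
```

The second sample entry shows why matching on the value name alone is not enough: a renamed value pointing at the same binary in the same location is still flagged by the path and file-name rules. Removing the value (for example with reg delete) without also removing the file leaves the binary in place for re-registration.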


Remove play.exe - Powered by Reason Core Security