Malware Analysis Report

2024-10-18 21:36

Sample ID 240528-qn2jpagc45
Target 762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.7z
SHA256 19f287ad3d83ee5798284481bb30fbb4eb9dc0c1ceb5f66682a8a83ffda5e1c0
Tags play ransomware spyware stealer
score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score 10/10

SHA256 19f287ad3d83ee5798284481bb30fbb4eb9dc0c1ceb5f66682a8a83ffda5e1c0

Threat Level: Known bad

The file 762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.7z was found to be: Known bad.

Malicious Activity Summary

play ransomware spyware stealer

PLAY Ransomware, PlayCrypt

Renames multiple (7279) files with added filename extension

Renames multiple (7924) files with added filename extension

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-28 13:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-28 13:25

Reported 2024-05-28 13:27

Platform win7-20240508-en

Max time kernel 97s

Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (7924) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\flyout.css | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099176.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21312_.GIF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\soniccolorconverter.ax | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\activity16v.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\SKY.INF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\en-US\networkinspection.dll.mui | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105398.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACECORE.DLL | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00297_.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00941_.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXT | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORY.XML | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_TexturedBlue.gif | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690Nmerical.XSL | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106124.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL096.XML | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Irkutsk | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103402.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREET11.POC | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\localizedStrings.js | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Bogota | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\library.js | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\EET | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187837.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115864.GIF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_LightSpirit.gif | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\AUTHORS.txt | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00076_.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NBOOK_01.MID | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\attention.gif | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ADO210.CHM | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01242_.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18182_.WMF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR31F.GIF | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MSTHED98.POC | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe

"C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe"

Network

N/A

Files

memory/2860-0-0x0000000000160000-0x000000000018C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini

MD5 4f8d70a4a4fcc5322e0b5fc8dab06cbe
SHA1 a0b2d6baa323481519805778846a803d28e4a767
SHA256 3aaa2854954f8c7bad09186c42beeadcd5ca94a251e8f71c9bcdf4838fe4c5ff
SHA512 0e0b1d2edb8823c6072743520c6aeb2342605015ece34b0a9614dbb89c58242614e91312d8364bf61c3d5a3388c624ecc6f474fd7033c4f9013d36ce2e6146ce

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-28 13:25

Reported 2024-05-28 13:28

Platform win10v2004-20240508-en

Max time kernel 210s

Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe"

Signatures

PLAY Ransomware, PlayCrypt

ransomware play

Renames multiple (7279) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe | N/A

Drops file in Program Files directory

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe

"C:\Users\Admin\AppData\Local\Temp\762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ReadMe.txt

Network

Files

memory/1040-0-0x00000000003A0000-0x00000000003CC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini

C:\ReadMe.txt

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini
