Malware Analysis Report

2024-10-18 21:36

Sample ID: 240627-pp1s4s1fra
Target: 2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play
SHA256: bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7
Tags: play, ransomware, spyware, stealer
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: bc381dbeff70b5869fa737860c8cd8a8684cc768981beb55543499efcd32bab7
Threat Level: Known bad

The file 2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play was found to be: Known bad.

Malicious Activity Summary

Tags: play, ransomware, spyware, stealer

Play family
Play ransomware payload
PLAY Ransomware, PlayCrypt
Renames multiple (7892) files with added filename extension (behavioral1, Windows 7 run)
Renames multiple (7476) files with added filename extension (behavioral2, Windows 10 run)
Reads user/profile data of web browsers (behavioral2 run only)
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported: 2024-06-27 12:31

Signatures

Play family (play)
Play ransomware payload (ransomware)
Unsigned PE

The static signatures carry no per-indicator rows: Description, Indicator, Process and Target are all N/A.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-27 12:31
Reported: 2024-06-27 12:33
Platform: win10v2004-20240611-en
Max time kernel: 127s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe"

Signatures

PLAY Ransomware, PlayCrypt (ransomware, play)

Renames multiple (7476) files with added filename extension (ransomware)

Reads user/profile data of web browsers (spyware, stealer)

Drops desktop.ini file(s)

Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe; Target: N/A. Each indicator is an existing desktop.ini opened for modification:

C:\Users\Public\Videos\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Program Files\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Admin\3D Objects\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
C:\Users\Public\AccountPictures\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\$Recycle.Bin\S-1-5-21-3665033694-1447845302-680750983-1000\desktop.ini

Enumerates connected drives

Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe; Target: N/A. Each indicator is a drive letter opened read-only (23 letters: A: through Z: except C:, D: and F:), in the order recorded:

\??\Q:
\??\S:
\??\W:
\??\B:
\??\H:
\??\K:
\??\G:
\??\L:
\??\N:
\??\R:
\??\U:
\??\X:
\??\E:
\??\I:
\??\J:
\??\P:
\??\T:
\??\V:
\??\Y:
\??\Z:
\??\A:
\??\M:
\??\O:

Drops file in Program Files directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe; Target: N/A. Each indicator is a file opened for modification; ten of the 64 entries already carry the appended .PLAY extension:

C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-125.png
C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png
C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Fonts\CamMDL2.2.07.ttf
C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionPage.xbf
C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties
C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png.PLAY
C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-150_contrast-black.png
C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.html
C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLogo.scale-200_contrast-white.png
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL
C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png
C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated.png
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png
C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md.PLAY
C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui.PLAY
C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo.PLAY
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125_contrast-high.png
C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-200.png
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg
C:\Program Files\7-Zip\Lang\sl.txt.PLAY
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md.PLAY
C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms
C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png
C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextDark.scale-100.png
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\main-selector.css
C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md
C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png
C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-200.png
C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\SmallTile.scale-100.png
C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\YelpLogo.svg
C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms
C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE
C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-40_altform-lightunplated.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-30_altform-unplated.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-80.png
C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x
C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms
C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms
C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-200.png
C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated_contrast-white.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-96.png
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\uk.pak
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_scale-125.png
C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png
C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.PLAY
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.PLAY
C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms
C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac
C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-150_contrast-white.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-36_altform-unplated.png
C:\Program Files\7-Zip\readme.txt.PLAY
C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui
C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-100.png
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_EN.LEX.PLAY
C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-100.png
C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\WideTile.scale-100.png
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\THMBNAIL.PNG
C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileWide.scale-100.png
C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\font\CameraSymbols.ttf

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4648,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8

Network

All recorded traffic is reverse-DNS (in-addr.arpa PTR) lookups over UDP to 8.8.8.8:53 (US). The report records no other network destinations for this run, so there is no C2 address to extract from it.

Queried names:
8.8.8.8.in-addr.arpa
58.55.71.13.in-addr.arpa
97.90.14.23.in-addr.arpa
138.32.126.40.in-addr.arpa
43.58.199.20.in-addr.arpa
217.106.137.52.in-addr.arpa
157.123.68.40.in-addr.arpa
198.187.3.20.in-addr.arpa
29.243.111.52.in-addr.arpa
35.15.31.184.in-addr.arpa
82.90.14.23.in-addr.arpa
172.210.232.199.in-addr.arpa

Files

memory/924-0-0x0000000002800000-0x000000000282C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3665033694-1447845302-680750983-1000\desktop.ini
MD5: 417df5e7b38bfc85a02af9a3d82a3d7b
SHA1: 0525ac061578213b8f43b50e0180ef12d8fc6609
SHA256: 7d06ad77fb4108b7babff25fcdcb835b45e34c4f6e05ccb896080d566e245887
SHA512: 52dd07862335ddd88d88a12da6092651c83a8ccdb749c1ece125d239b07f47035421007212008e4cce5e47a84fe401a8538af63081bbcb6f47b9e9b88743933b

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-27 12:31
Reported: 2024-06-27 12:33
Platform: win7-20240611-en
Max time kernel: 85s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe"

Signatures

PLAY Ransomware, PlayCrypt (ransomware, play)

Renames multiple (7892) files with added filename extension (ransomware)

Drops desktop.ini file(s)

Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe; Target: N/A. Each indicator is an existing desktop.ini opened for modification:

C:\Program Files\Microsoft Games\Hearts\desktop.ini
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\Program Files\Microsoft Games\Purble Place\desktop.ini
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
C:\Program Files (x86)\desktop.ini
C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
C:\$Recycle.Bin\S-1-5-21-2812790648-3157963462-487717889-1000\desktop.ini
C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
C:\Program Files\Microsoft Games\Solitaire\desktop.ini
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
C:\Program Files\desktop.ini
C:\Program Files\Microsoft Games\FreeCell\desktop.ini

Enumerates connected drives

Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe; Target: N/A. Each indicator is a drive letter opened read-only (the same 23 letters as the Windows 10 run: A: through Z: except C:, D: and F:), in the order recorded:

\??\L:
\??\P:
\??\Y:
\??\G:
\??\X:
\??\V:
\??\E:
\??\H:
\??\J:
\??\K:
\??\M:
\??\N:
\??\R:
\??\A:
\??\Z:
\??\W:
\??\I:
\??\O:
\??\Q:
\??\S:
\??\T:
\??\U:
\??\B:

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\setup_wm.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Charitable Contributions.accdt C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Montevideo C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01174_.WMF C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\CollectSignatures_Init.xsn C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV11.POC C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_dot.png C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageScript.js C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301 C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\it-IT\wordpad.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107748.WMF C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\gadget.xml C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188513.WMF C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\WISC30.DLL C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0211949.WMF C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLMAILR.FAE C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\WMPDMC.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00050_.WMF C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00052_.WMF C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_COL.HXT C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.REST.IDX_DLL C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\it-IT\TableTextService.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\STINTL.DLL C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Scoresbysund C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Earthy.css C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185800.WMF C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcfr.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
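The two tables above (the read-only opens of \??\A: through \??\Z: device paths, and the long run of "File opened for modification" rows under Program Files) are the raw behavioural evidence behind the "Enumerates connected drives" and "Drops file in Program Files directory" signatures. Two things worth pulling out of them by hand: the sample probes drive letters in a non-alphabetical order rather than only the drives that exist, and the modification targets include executables, DLLs and MUI resource files (FLTLDR.EXE, WISC30.DLL, STINTL.DLL, setup_wm.exe.mui), not just documents, so a host hit by it needs application reinstalls and not only a data restore. Note that these rows record open-for-modification calls; they do not by themselves prove each file's contents were rewritten. The following is an added example, not code from the sandbox vendor or from the report: it parses rows in the flattened "Description Indicator Process Target" shape used here, extracts the enumerated drive letters and the per-product modification counts, and applies illustrative thresholds. The row subset is copied from the report; the parser, the thresholds and the function names are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed input: a subset of rows copied verbatim from the report's
# drive-enumeration and "Drops file in Program Files directory" tables.
# The real tables are much longer; every row in them has this shape.
SAMPLE_ROWS = r"""
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\WISC30.DLL C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\setup_wm.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01174_.WMF C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe N/A
"""

# Row layout: <description> <indicator> <process> <target>. Indicators contain
# spaces ("Program Files (x86)"), so split on the process path, which in this
# report always starts with "C:\" and ends in ".exe", rather than on whitespace.
ROW_RE = re.compile(
    r"^(?P<desc>File opened \(read-only\)|File opened for modification)\s+"
    r"(?P<indicator>.+?)\s+"
    r"(?P<process>C:\\\S+\.exe)\s+"
    r"(?P<target>\S+)$"
)
# NT object-manager style drive root, e.g. \??\V:
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")


def parse_rows(text):
    """Parse flattened report rows into dicts; lines of another shape are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def enumerated_drives(events):
    """Drive letters the process probed with read-only opens of the drive root."""
    letters = set()
    for ev in events:
        m = DRIVE_RE.match(ev["indicator"])
        if m and ev["desc"] == "File opened (read-only)":
            letters.add(m.group(1))
    return letters


def program_files_writes(events):
    """Open-for-modification hits per product directory under Program Files."""
    counts = Counter()
    for ev in events:
        if ev["desc"] != "File opened for modification":
            continue
        parts = PureWindowsPath(ev["indicator"]).parts  # ('C:\\', 'Program Files', 'Java', ...)
        if len(parts) >= 3 and parts[1].lower().startswith("program files"):
            counts[f"{parts[1]}\\{parts[2]}"] += 1
    return counts


def touched_binaries(events):
    """Modified targets that are executables or DLLs (the sample does not spare them)."""
    return sorted(
        ev["indicator"] for ev in events
        if ev["desc"] == "File opened for modification"
        and PureWindowsPath(ev["indicator"]).suffix.lower() in {".exe", ".dll"}
    )


def assess(events, min_drives=5, min_pf_writes=5):
    """Summarise the evidence. Thresholds are illustrative assumptions, not report values."""
    drives = enumerated_drives(events)
    pf = program_files_writes(events)
    return {
        "drive_enumeration": len(drives) >= min_drives,
        "program_files_tampering": sum(pf.values()) >= min_pf_writes,
        "binaries_modified": bool(touched_binaries(events)),
        "drives": "".join(sorted(drives)),
        "program_files_by_product": dict(pf),
    }


if __name__ == "__main__":
    for key, value in assess(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

Run against the full tables rather than this subset, the per-product counter makes the breadth of the Program Files sweep visible at a glance (Java, Office, Windows Sidebar, VLC, Chrome), and the binaries list is the set of files a restore plan has to treat as reinstall-only.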

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_4519a5876b3e77568105da0f1c2ebb4d_play.exe"

Network

N/A

Files

memory/2212-0-0x00000000002F0000-0x000000000031C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2812790648-3157963462-487717889-1000\desktop.ini

MD5 08ec069f0e21d9b4043208d96b523145
SHA1 fb23e2453db575f6c0836fc59c17ca7bfe93e86e
SHA256 7e509915104f85c94996fcc3cfb1eff8ac5e73fda64d6e9efcceec349c1550c1
SHA512 9bdd07d0461913dfb9a79cb855f9a82fe6e2702ddc285faf34606fd3537f6d96664e788c78796ef9c801d9da51486c628036e79be5c226fde279e0879d70644f