Analysis Overview
SHA256
7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8
Threat Level: Known bad
The file 2TXt7S.exe was found to be: Known bad.
Malicious Activity Summary
PLAY Ransomware, PlayCrypt
Renames multiple (7850) files with added filename extension
Renames multiple (7315) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-29 21:14
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 21:14
Reported
2024-05-29 21:17
Platform
win7-20240221-en
Max time kernel
107s
Max time network
123s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Renames multiple (7850) files with added filename extension
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe
"C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"
Network
Files
memory/2756-0-0x0000000000160000-0x000000000018C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini
| Hash | Value |
| MD5 | e50ad40000468f91d3b1c7f6c3974225 |
| SHA1 | 57249af591fc18c490c8457f35f0ed6d1eaacbec |
| SHA256 | b3167d56c2f0f78ff2a79d3870cadb30a54395cc48948110edf37065a04456b3 |
| SHA512 | 606e7c94b80c77e9ec33aa03d1f4554b6e8346268702b0f8450bbdb0f8f9d61280ede0c6a3dd27165b6fd46d05d44eb36e1b9c9a7ade5ad5401685a1d369ee4b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 21:14
Reported
2024-05-29 21:17
Platform
win10v2004-20240508-en
Max time kernel
129s
Max time network
150s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Renames multiple (7315) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe
"C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"
Network
Files
memory/4676-0-0x0000000000A70000-0x0000000000A9C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini
| Hash | Value |
| MD5 | 2c45614dc40e0c491dc80d78fed39678 |
| SHA1 | 522b8e4d10f8fdb88924bd525f019308b802eacd |
| SHA256 | 95c4c77332a9036fea9828dec779288a9716d2bc512b85d3cd11c47a0d8575f3 |
| SHA512 | ca8552b544fde0c58ec5acf747f95883844bd3f28fbd73b519b4b4b40797d9c188f959c350a52118badc3bfc10b9db1d4e21ef25d3a65b3ac7cc8219624ed373 |