Malware Analysis Report

2024-10-18 21:36

Sample ID: 240529-z3mhraaa7x
Target: 2TXt7S.exe
SHA256: 7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8
Tags: play, ransomware, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8

Threat Level: Known bad

The file 2TXt7S.exe was found to be: Known bad.

Malicious Activity Summary

Tags: play, ransomware, spyware, stealer

PLAY Ransomware, PlayCrypt

Renames multiple (7850) files with added filename extension

Renames multiple (7315) files with added filename extension

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 21:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 21:14

Reported

2024-05-29 21:17

Platform

win7-20240221-en

Max time kernel

107s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"

Signatures

PLAY Ransomware, PlayCrypt

Tags: ransomware, play

Renames multiple (7850) files with added filename extension

Tags: ransomware

Drops desktop.ini file(s)


Enumerates connected drives


Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe

"C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"

Network

N/A

Files

memory/2756-0-0x0000000000160000-0x000000000018C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini

MD5 e50ad40000468f91d3b1c7f6c3974225
SHA1 57249af591fc18c490c8457f35f0ed6d1eaacbec
SHA256 b3167d56c2f0f78ff2a79d3870cadb30a54395cc48948110edf37065a04456b3
SHA512 606e7c94b80c77e9ec33aa03d1f4554b6e8346268702b0f8450bbdb0f8f9d61280ede0c6a3dd27165b6fd46d05d44eb36e1b9c9a7ade5ad5401685a1d369ee4b

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 21:14

Reported

2024-05-29 21:17

Platform

win10v2004-20240508-en

Max time kernel

129s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"

Signatures

PLAY Ransomware, PlayCrypt

Tags: ransomware, play

Renames multiple (7315) files with added filename extension

Tags: ransomware

Reads user/profile data of web browsers

Tags: spyware, stealer

Drops desktop.ini file(s)


Enumerates connected drives


Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe

"C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 154.141.79.40.in-addr.arpa udp

Files

memory/4676-0-0x0000000000A70000-0x0000000000A9C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini

MD5 2c45614dc40e0c491dc80d78fed39678
SHA1 522b8e4d10f8fdb88924bd525f019308b802eacd
SHA256 95c4c77332a9036fea9828dec779288a9716d2bc512b85d3cd11c47a0d8575f3
SHA512 ca8552b544fde0c58ec5acf747f95883844bd3f28fbd73b519b4b4b40797d9c188f959c350a52118badc3bfc10b9db1d4e21ef25d3a65b3ac7cc8219624ed373