Analysis Overview
SHA256
7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8
Threat Level: Known bad
The file 2TXt7S.exe was found to be: Known bad.
Malicious Activity Summary
PLAY Ransomware, PlayCrypt
Renames multiple (7347) files with added filename extension (behavioral2, win10v2004)
Renames multiple (7897) files with added filename extension (behavioral1, win7)
Reads user/profile data of web browsers
Enumerates connected drives
Drops desktop.ini file(s)
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-06 18:58
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 18:58
Reported
2024-06-06 19:02
Platform
win7-20240508-en
Max time kernel
104s
Max time network
120s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Renames multiple (7897) files with added filename extension
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\acro20.lng | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01660_.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00452_.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0240719.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14515_.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_right.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18185_.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\Issue Tracking.gta | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR40F.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\Wks9Pxy.cnv | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OMSMAIN.DLL | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Status.accft | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00186_.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Earthy.css | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\MSB1FRAR.ITS | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\NETWORK.ELM | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10307_.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEMS.ICO | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7 | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kiritimati | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\micaut.dll.mui | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CG1606.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230553.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00256_.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00232_.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21504_.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\TexturedBlue.css | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21427_.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\localizedStrings.js | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21375_.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\f77a5a2.mst | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f77a5a2.mst | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe
"C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 91E9033CD024C029AA03CFF8C0857649
Network
Files
memory/2296-0-0x0000000000170000-0x000000000019C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini
| MD5 | 29325c0d439dd82d85a757a442ed88f1 |
| SHA1 | f6d0b8a79c89f7bd38d0bf99a999671d2ca6fc71 |
| SHA256 | 7d614b5ffdde7721792710e0172c3d70d7c52533c900cf528b76bcd419465210 |
| SHA512 | 8e3abe3a319a9d59583ca1ee4e8c51da8930697bc1f4569493c9f965c34cdda158ac7b8a046cfb131d4e3f379d6fdb99690ba5a04a76a1b65ac30a9395f17f28 |
C:\Windows\Installer\MSIA718.tmp
| MD5 | d1f5ce6b23351677e54a245f46a9f8d2 |
| SHA1 | 0d5c6749401248284767f16df92b726e727718ca |
| SHA256 | 57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc |
| SHA512 | 960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba |
C:\Windows\Installer\MSID606.tmp
| MD5 | 9cadbfa797783ff9e7fc60301de9e1ff |
| SHA1 | 83bde6d6b75dfc88d3418ec1a2e935872b8864bb |
| SHA256 | c1eda5c42be64cfc08408a276340c9082f424ec1a4e96e78f85e9f80d0634141 |
| SHA512 | 095963d9e01d46dae7908e3de6f115d7a0eebb114a5ec6e4e9312dbc22ba5baa268f5acece328066c9456172e90a95e097a35b9ed61589ce9684762e38f1385b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 18:58
Reported
2024-06-06 19:02
Platform
win10v2004-20240426-en
Max time kernel
128s
Max time network
106s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Renames multiple (7347) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\MSFT_PackageManagementSource.strings.psd1 | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-20_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe.config | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\SmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PREVIEW.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-60_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalSplashScreen.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\LargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses.svg | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ado\adovbs.inc | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.ELM | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\39.jpg | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-540404634-651139247-2967210625-1000-MergedResources-0.pri | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\View3d\3DViewerProductDescription-universal.xml | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-fullcolor.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\ExcelCapabilities.json.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-40.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-60_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7db.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_MedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\locale.ini.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-24_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W7.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\160.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\networkmanifest.xml | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
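The "Drops desktop.ini file(s)" and "Drops file in Program Files directory" tables above are the raw evidence behind the "renames files with added filename extension" signature: the same path sometimes appears once as its original name and once with `.PLAY` appended (compare `VisioProMSDNR_Retail-ul-phn.xrm-ms` and `VisioProMSDNR_Retail-ul-phn.xrm-ms.PLAY`). The following is an added example, not code from the sandbox or from the sample: it parses report rows of this shape, pairs originals with their renamed twins, and counts rows per process. The rows in `SAMPLE_ROWS` are copied from this report; the `.PLAY` extension constant and the parsing logic are this example's own assumptions.

```python
"""Added example for this report page (not code from the sandbox or the
sample): parse "File opened for modification" rows, pair each original
path with its renamed twin, and count activity per process.
SAMPLE_ROWS is copied from the report's own tables; the parsing and the
RANSOM_EXT assumption are this example's."""
import re
from collections import Counter

# Constructed sample: rows copied from the report's file tables
# (behavioral2, plus one msiexec row from behavioral1 to show a second process).
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\locale.ini.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A |
| File created | C:\Windows\Installer\f77a5a2.mst | C:\Windows\system32\msiexec.exe | N/A |
"""

# Extension the report shows appended to encrypted files (e.g. "locale.ini.PLAY").
# Assumption of this example: it is the only marker extension in play.
RANSOM_EXT = ".PLAY"

ROW_RE = re.compile(
    r"^\|\s*(?P<desc>[^|]+?)\s*\|\s*(?P<path>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|\s*(?P<target>[^|]+?)\s*\|$"
)


def parse_rows(text):
    """Turn pipe-delimited report rows into dicts; the header row is skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("desc") != "Description":
            events.append(m.groupdict())
    return events


def summarize(events, ext=RANSOM_EXT):
    """Summarise file events:
    renamed     - paths that already carry the ransom extension
    pairs       - original path -> renamed path, when the report logged both
                  (direct evidence of "renames files with added extension")
    desktop_ini - desktop.ini files touched (folder-view metadata, not user data)
    by_process  - how many rows each process produced
    """
    paths = [e["path"] for e in events]
    seen = set(paths)
    renamed = [p for p in paths if p.upper().endswith(ext.upper())]
    pairs = {p[:-len(ext)]: p for p in renamed if p[:-len(ext)] in seen}
    desktop_ini = [p for p in paths if p.lower().endswith("desktop.ini")]
    by_process = Counter(e["proc"] for e in events)
    return {
        "renamed": renamed,
        "pairs": pairs,
        "desktop_ini": desktop_ini,
        "by_process": by_process,
    }


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_ROWS))
    for key, value in summary.items():
        print(key, "->", value)
```

The `pairs` output is the part worth keeping for a write-up: a path that occurs both with and without the extension shows the rename happened during the run, whereas a lone `.PLAY` path only shows the sandbox caught the post-rename write. `by_process` separates the sample's own writes from the `msiexec.exe` rows, which belong to a different process and should be treated separately when building IOCs.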
Processes
C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe
"C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.83.221.88.in-addr.arpa | udp |
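Every row in the Network table is a reverse-DNS (PTR) query to 8.8.8.8 over UDP/53; the page does not say which process issued them, so they cannot on their own be read as command-and-control traffic. To compare the looked-up hosts against known infrastructure you first have to turn each `in-addr.arpa` name back into an address (the octets are listed in reverse). The following is an added example, not part of the report: the `PTR_NAMES` list is copied from the table above, the decoding and validation logic is this example's own.

```python
"""Added example (not part of the sandbox report): decode the in-addr.arpa
names from the Network table back to the IPv4 addresses that were looked up.
PTR_NAMES is copied from the report; the decoding code is this example's."""
import ipaddress

# Constructed from the report's Network table (behavioral2).
PTR_NAMES = [
    "8.8.8.8.in-addr.arpa",
    "228.249.119.40.in-addr.arpa",
    "105.83.221.88.in-addr.arpa",
    "138.32.126.40.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "58.55.71.13.in-addr.arpa",
    "196.249.167.52.in-addr.arpa",
    "183.59.114.20.in-addr.arpa",
    "15.164.165.52.in-addr.arpa",
    "172.210.232.199.in-addr.arpa",
    "13.227.111.52.in-addr.arpa",
    "160.83.221.88.in-addr.arpa",
]

SUFFIX = ".in-addr.arpa"


def ptr_to_ipv4(name):
    """Reverse the four octets of an in-addr.arpa name into an IPv4 string.

    Raises ValueError for anything that is not a complete /32 PTR name or
    whose labels are not valid octets (ipaddress does the 0-255 check).
    """
    name = name.rstrip(".").lower()
    if not name.endswith(SUFFIX):
        raise ValueError(f"not an in-addr.arpa name: {name!r}")
    labels = name[: -len(SUFFIX)].split(".")
    if len(labels) != 4:
        raise ValueError(f"expected 4 octets, got {len(labels)}: {name!r}")
    addr = ipaddress.IPv4Address(".".join(reversed(labels)))
    # Round-trip against the stdlib's own encoder to catch ordering mistakes.
    if addr.reverse_pointer != name:
        raise ValueError(f"round-trip mismatch for {name!r}")
    return str(addr)


def decode_ptr_queries(names):
    """Map each PTR name to its address, or None if the name is malformed,
    so one bad row does not abort processing of a whole report."""
    decoded = {}
    for n in names:
        try:
            decoded[n] = ptr_to_ipv4(n)
        except ValueError:
            decoded[n] = None
    return decoded


def decoded_addresses(names):
    """Sorted, de-duplicated list of the addresses that were looked up."""
    return sorted({ip for ip in decode_ptr_queries(names).values() if ip},
                  key=ipaddress.IPv4Address)


if __name__ == "__main__":
    for ptr, ip in decode_ptr_queries(PTR_NAMES).items():
        print(f"{ptr:40} -> {ip}")
```

The resulting addresses are the thing to pivot on (passive DNS, ASN ownership, allow-lists of vendor telemetry ranges); the PTR names themselves are only an encoding of them. Note that a malformed or partial name (for example a /24 zone such as `1.0.10.in-addr.arpa`) is reported as `None` rather than guessed at.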
Files
memory/3012-0-0x0000000002840000-0x000000000286C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini
| MD5 | b05abf0a3b769e4d83d6401c060b2a04 |
| SHA1 | 4e2c4920119a55699d8a7688763c9890283c6840 |
| SHA256 | 02905641a84e3b2990d64fc7c801d334cc9c5aefea87fd0228382e1b72b59f73 |
| SHA512 | 2ff586090fe01b5073506c59efa92ff223087d94c6435d04906f18423fa8c9535157c38d677f83be4d88294bb6a48a538b09fd32f5f8d6b191f8c932336a3623 |