Malware Analysis Report

2024-10-18 21:36

Sample ID 240606-xmnprsbd78
Target 2TXt7S.exe
SHA256 7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8
Tags play ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8

Threat Level: Known bad

The file 2TXt7S.exe was found to be: Known bad.

Malicious Activity Summary

play ransomware spyware stealer

PLAY Ransomware, PlayCrypt

Renames multiple (7347) files with added filename extension

Renames multiple (7897) files with added filename extension

Reads user/profile data of web browsers

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-06 18:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-06 18:58
Reported 2024-06-06 19:02
Platform win7-20240508-en
Max time kernel 104s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"

Signatures

PLAY Ransomware, PlayCrypt (tags: ransomware, play)

Renames multiple (7897) files with added filename extension (tags: ransomware)

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\acro20.lng | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01660_.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00452_.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0240719.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14515_.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_right.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18185_.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\Issue Tracking.gta | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR40F.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\Wks9Pxy.cnv | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OMSMAIN.DLL | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Status.accft | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00186_.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Earthy.css | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\MSB1FRAR.ITS | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\NETWORK.ELM | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10307_.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEMS.ICO | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7 | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kiritimati | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\micaut.dll.mui | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CG1606.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230553.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00256_.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00232_.WMF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21504_.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\TexturedBlue.css | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21427_.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\localizedStrings.js | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21375_.GIF | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Installer\f77a5a2.mst | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\f77a5a2.mst | C:\Windows\system32\msiexec.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe
    "C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"

C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 91E9033CD024C029AA03CFF8C0857649

Network

N/A

Files

memory/2296-0-0x0000000000170000-0x000000000019C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini

MD5 29325c0d439dd82d85a757a442ed88f1
SHA1 f6d0b8a79c89f7bd38d0bf99a999671d2ca6fc71
SHA256 7d614b5ffdde7721792710e0172c3d70d7c52533c900cf528b76bcd419465210
SHA512 8e3abe3a319a9d59583ca1ee4e8c51da8930697bc1f4569493c9f965c34cdda158ac7b8a046cfb131d4e3f379d6fdb99690ba5a04a76a1b65ac30a9395f17f28

C:\Windows\Installer\MSIA718.tmp

MD5 d1f5ce6b23351677e54a245f46a9f8d2
SHA1 0d5c6749401248284767f16df92b726e727718ca
SHA256 57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
SHA512 960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

C:\Windows\Installer\MSID606.tmp

MD5 9cadbfa797783ff9e7fc60301de9e1ff
SHA1 83bde6d6b75dfc88d3418ec1a2e935872b8864bb
SHA256 c1eda5c42be64cfc08408a276340c9082f424ec1a4e96e78f85e9f80d0634141
SHA512 095963d9e01d46dae7908e3de6f115d7a0eebb114a5ec6e4e9312dbc22ba5baa268f5acece328066c9456172e90a95e097a35b9ed61589ce9684762e38f1385b

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-06 18:58
Reported 2024-06-06 19:02
Platform win10v2004-20240426-en
Max time kernel 128s
Max time network 106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"

Signatures

PLAY Ransomware, PlayCrypt (tags: ransomware, play)

Renames multiple (7347) files with added filename extension (tags: ransomware)

Reads user/profile data of web browsers (tags: spyware, stealer)

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\MSFT_PackageManagementSource.strings.psd1 | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-20_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe.config | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\SmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PREVIEW.GIF.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-60_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalSplashScreen.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\LargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses.svg | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\adovbs.inc | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.ELM | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\39.jpg | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-540404634-651139247-2967210625-1000-MergedResources-0.pri | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\View3d\3DViewerProductDescription-universal.xml | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-fullcolor.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\ExcelCapabilities.json.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-40.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-60_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7db.png | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.PLAY | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe | N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-125.png C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx.PLAY C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\locale.ini.PLAY C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.PLAY C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.PLAY C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W7.png C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\160.png C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\networkmanifest.xml C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe

"C:\Users\Admin\AppData\Local\Temp\2TXt7S.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 160.83.221.88.in-addr.arpa udp

Files

memory/3012-0-0x0000000002840000-0x000000000286C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini

MD5 b05abf0a3b769e4d83d6401c060b2a04
SHA1 4e2c4920119a55699d8a7688763c9890283c6840
SHA256 02905641a84e3b2990d64fc7c801d334cc9c5aefea87fd0228382e1b72b59f73
SHA512 2ff586090fe01b5073506c59efa92ff223087d94c6435d04906f18423fa8c9535157c38d677f83be4d88294bb6a48a538b09fd32f5f8d6b191f8c932336a3623