Malware Analysis Report

2025-03-15 08:13

Sample ID 241016-gasvyszarn
Target d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400
SHA256 d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400
Tags discovery persistence ransomware
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score

9/10

SHA256

d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400

Threat Level: Likely malicious

The file d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400 was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (318) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 05:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 05:36

Reported

2024-10-16 05:39

Platform

win7-20240729-en

Max time kernel

141s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe N/A
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\GrantCompare.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\GrantCompare.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe C:\Windows\SysWOW64\sysx32.exe
PID 2240 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe C:\Windows\SysWOW64\sysx32.exe
PID 2240 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe C:\Windows\SysWOW64\sysx32.exe
PID 2240 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe C:\Windows\SysWOW64\sysx32.exe
PID 2240 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe C:\Users\Admin\AppData\Local\Temp\_d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe
PID 2240 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe C:\Users\Admin\AppData\Local\Temp\_d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe
PID 2240 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe C:\Users\Admin\AppData\Local\Temp\_d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe
PID 2240 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe C:\Users\Admin\AppData\Local\Temp\_d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe

"C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe

C:\Users\Admin\AppData\Local\Temp\_d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe

Network

N/A

Files

memory/2240-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 a046d88f620fb1752cc7b10d640b4036
SHA1 7a92f4bd109b959d8b4d6f16eb6e8e09c7188460
SHA256 d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400
SHA512 7192628c85bc521bcb6ef427a65e21f03c45f0fb5500f0510560bc7f7ce9c423e8984a734fa6eb9e00a6172fd08d565032fb6ec63b8c0a8f9287db267035444c

memory/2240-11-0x0000000000220000-0x0000000000231000-memory.dmp

memory/2240-10-0x0000000000220000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Local\Temp\_d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe

MD5 bc88eed5f6a2e02785405bc2932f86b3
SHA1 0cff3479483c6d0ac6606f06a9f1c316219034db
SHA256 b5551d35211e2a54a057ff5f1601e931708bd143b341d3ee00331f9eadb1f2a7
SHA512 728006227cbd35edfb945f0f04b97e25243b7dafca0099b8ccb6d3e40b301500a4e2d048d47dfa5fc2187a92d37375c248642565cbf764db6873b9d5888f3681

memory/2240-22-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2656-24-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 05:36

Reported

2024-10-16 05:39

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe"

Signatures

Renames multiple (318) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\IME\IMETC\IMTCLNWZ.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\certutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ktmutil.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\runas.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesRemote.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ntprint.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wscadminui.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\InfDefaultInstall.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\ntprint.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\prevhost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wusa.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ftp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\msinfo32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\psr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SearchProtocolHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\CredentialUIBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\openfiles.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\BackgroundTransferHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\bootcfg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\dvdplay.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\net.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\UserAccountBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\grpconv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mavinject.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\mobsync.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\takeown.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rrinstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\sethc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\mavinject.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\secinit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TSTheme.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ddodiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\iscsicpl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mfpmp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TsWpfWrp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\fixmapi.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\subst.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\regedit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\RMActivate_ssp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe N/A
File opened for modification C:\Windows\SysWOW64\CredentialUIBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\EhStorAuthn.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\iscsicli.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\dcomcnfg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\efsui.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\fsquirt.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\net1.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\setupugc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\convert.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\fontview.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\netsh.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rasdial.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\TCPSVCS.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\prevhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\AtBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\auditpol.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\ComputerDefaults.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\gpupdate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\odbcconf.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\reg.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Media Player\setup_wm.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpshare.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmprph.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\AppResolverUX.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1266_none_119b1e415d838a28\convert.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\r\spoolsv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.1266_none_8f272afdd624490f\f\sppsvc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-ktmutil_31bf3856ad364e35_10.0.19041.1_none_48cfaff3d4e720e6\ktmutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.19041.1202_none_27f9f931a79d1cbe\f\mavinject.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-embedded-shelllauncher_31bf3856ad364e35_10.0.19041.264_none_223a5768a6257099\eshell.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_10.0.19041.906_none_23e2379a6f03d0cb\r\gpupdate.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_10.0.19041.746_none_b0a3ebd117ec81d4\hh.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\CExecSvc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\qappsrv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_multimedia-rrinstaller_31bf3856ad364e35_10.0.19041.746_none_f0e6f722ec2403d4\r\rrinstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_multipoint-wmsuseragent_31bf3856ad364e35_10.0.19041.746_none_3ed4d566b640ef5b\f\WmsUserAgent.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\r\netiougc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1202_none_76e6fb38a70dbd6d\r\GameBarPresenceWriter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.19041.117_none_610933d42d963a44\r\wsl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9ab96313e8d638bb_iscsicli.exe_20e14d4f.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-forfiles_31bf3856ad364e35_10.0.19041.1_none_15692775b14712c0\forfiles.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..b-standardcollector_31bf3856ad364e35_10.0.19041.928_none_0f531ea0d233243b\r\DiagnosticsHub.StandardCollector.Service.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\f\wpnpinst.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.746_none_790f12933fbf7e0d\r\immersivetpmvscmgrsvr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.84_none_9d98e005fb7852ca\f\SecurityHealthService.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-atbroker_31bf3856ad364e35_10.0.19041.1023_none_4ecd10b107da65f7\AtBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-icacls_31bf3856ad364e35_10.0.19041.1_none_f2fa56e679b879d1\icacls.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\WinRTNetMUAHostServer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_10.0.19041.1_none_c991318e4b11e4cf\RMActivate_ssp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_10.0.19041.1_none_3700bdc08c446a5c\AddInProcess32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-autofmt_31bf3856ad364e35_10.0.19041.1266_none_5aba1063745f6e01\r\autofmt.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\r\LegacyNetUXHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_f827f008f8832bd5\rasautou.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\PasswordOnWakeSettingFlyout.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.1_none_20aa8037cb026fdb\netbtugc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-embedded-shelllauncher_31bf3856ad364e35_10.0.19041.1202_none_b918e36ffc7a6ffe\f\ShellLauncherConfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..ation-wincomponents_31bf3856ad364e35_10.0.19041.1_none_51b7888297a3c04e\LocationNotificationWindows.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.1_none_a347c249afbf6f97\Netplwiz.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-usoclient_31bf3856ad364e35_10.0.19041.1266_none_23ae8c0349f1b325\UsoClient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-winlogon_31bf3856ad364e35_10.0.19041.1266_none_e488d49c8a22d21e\r\winlogon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.1151_none_ec390bd802a1c630\r\SearchProtocolHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_10.0.19041.1_none_da504d0e6afd0a49\TsWpfWrp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1_none_6331d348ae4a8fa9\poqexec.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\winhlp32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\CameraBarcodeScannerPreview.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..lity-eoaexperiences_31bf3856ad364e35_10.0.19041.153_none_c283d2cf01b0b7d8\f\EoAExperiences.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1202_none_a391067a6b9b433c\appidtel.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-bioenrollment.appxmain_31bf3856ad364e35_10.0.19041.844_none_de5d9fe254d9f8c4\r\BioEnrollmentHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_10.0.19041.1_none_579ae2e26c347896\WMIC.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_10.0.19041.1202_none_c0150a0a443c0ffc\wbadmin.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-dsdbutil_31bf3856ad364e35_10.0.19041.844_none_1d907c422e447b14\f\dsdbutil.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.746_none_770f598aef14382e\r\dfrgui.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslconfig_31bf3856ad364e35_10.0.19041.117_none_7f3778d7035d9622\wslconfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiFileFetcher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpinit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.264_none_64b3f487e354744d\usocoreworker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-cttune_31bf3856ad364e35_10.0.19041.1_none_73ca4447924360c1\cttune.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_wcf-m_sm_cfg_ins_exe_31bf3856ad364e35_10.0.19041.1_none_59f3ce100425ffb0\SMConfigInstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-atbroker_31bf3856ad364e35_10.0.19041.1023_none_4478665ed379a3fc\r\AtBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-a..l-systemuwplauncher_31bf3856ad364e35_10.0.19041.746_none_ed5986fc58f1b817\SystemUWPLauncher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-international-unattend_31bf3856ad364e35_10.0.19041.906_none_a892faef80a943dc\MuiUnattend.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-rasclienttools_31bf3856ad364e35_10.0.19041.1_none_2f8c879e7c6f8b16\rasphone.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-winver_31bf3856ad364e35_10.0.19041.1_none_7697361270372205\winver.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-eventlog-commandline_31bf3856ad364e35_10.0.19041.1_none_76c543231c2d8e03\wevtutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sysx32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe

"C:\Users\Admin\AppData\Local\Temp\d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe

C:\Users\Admin\AppData\Local\Temp\_d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/4256-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 a046d88f620fb1752cc7b10d640b4036
SHA1 7a92f4bd109b959d8b4d6f16eb6e8e09c7188460
SHA256 d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400
SHA512 7192628c85bc521bcb6ef427a65e21f03c45f0fb5500f0510560bc7f7ce9c423e8984a734fa6eb9e00a6172fd08d565032fb6ec63b8c0a8f9287db267035444c

C:\Users\Admin\AppData\Local\Temp\_d080c86d7cdc2077a5ee7af04f8f1551f9cb5c3ddc5ec9e0aebf3000e80f9400.exe

MD5 bc88eed5f6a2e02785405bc2932f86b3
SHA1 0cff3479483c6d0ac6606f06a9f1c316219034db
SHA256 b5551d35211e2a54a057ff5f1601e931708bd143b341d3ee00331f9eadb1f2a7
SHA512 728006227cbd35edfb945f0f04b97e25243b7dafca0099b8ccb6d3e40b301500a4e2d048d47dfa5fc2187a92d37375c248642565cbf764db6873b9d5888f3681

C:\Program Files\7-Zip\7z.exe

MD5 bed79f222c10a509136789998e4e3113
SHA1 441597c08915869b63480acac41790b7b88119db
SHA256 d4d6e88e3dfeb378a18c6fbd54ab5e1ec27093036d048e7d09eebd51519791c5
SHA512 5802afdfe6d3dbd8b106e0bf99a67598412a482904c5a27e4e7fbe90bf0111badc2b83cb7d32f8aad7f6342620e058baf0e720af39f4b1f2f8e599557aa26e0d

memory/4256-20-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3548-1428-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3548-1431-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3548-2693-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3548-2694-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3548-2695-0x0000000000400000-0x0000000000411000-memory.dmp