Malware Analysis Report

2025-03-15 08:13

Sample ID 241016-h6etmstbjp
Target f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18
SHA256 f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18
Tags
discovery persistence ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18

Threat Level: Likely malicious

The file f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18 was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (316) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 07:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 07:20

Reported

2024-10-16 07:23

Platform

win7-20240903-en

Max time kernel

141s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe C:\Windows\SysWOW64\sysx32.exe
PID 2788 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe C:\Windows\SysWOW64\sysx32.exe
PID 2788 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe C:\Windows\SysWOW64\sysx32.exe
PID 2788 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe C:\Windows\SysWOW64\sysx32.exe
PID 2788 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe C:\Users\Admin\AppData\Local\Temp\_f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe
PID 2788 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe C:\Users\Admin\AppData\Local\Temp\_f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe
PID 2788 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe C:\Users\Admin\AppData\Local\Temp\_f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe
PID 2788 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe C:\Users\Admin\AppData\Local\Temp\_f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe

"C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe

C:\Users\Admin\AppData\Local\Temp\_f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe

Network

N/A

Files

memory/2788-0-0x0000000000400000-0x0000000000411000-memory.dmp

\Windows\SysWOW64\sysx32.exe

MD5 814c18e76ef35ecbaddb8df4ca8bef03
SHA1 3bbf25d6545d1d0097a266ad71125025583fde53
SHA256 f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18
SHA512 c33fe2623452a46d3a005bd1619f9956c97a75b2b8380ebb0a636e1ae5a943d05b701ce35eee9ea10164c3d39925109ab60ef253c7b01fa94d2a1a5606adb1d6

memory/2788-10-0x0000000000320000-0x0000000000331000-memory.dmp

\Users\Admin\AppData\Local\Temp\_f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe

MD5 60c091c85370e6550dc0dc2148794d16
SHA1 fc4d763eb3064160263d91724909b814d6467597
SHA256 22adffa6ed4313a96a1c6049b380897a732477158d5d21bf830908f8c2cf873d
SHA512 2084df43a9dce7720763de8700f41ceeb0a87d63abe9ba2e0152cce3fdab39976e8975af20430758262cbddef4cf5679597609126150ac8c08515e68d1081a60

memory/2788-17-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1812-18-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 07:20

Reported

2024-10-16 07:23

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe"

Signatures

Renames multiple (316) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\hh.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\runas.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\auditpol.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\fsquirt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\tracerpt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mmc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mtstocom.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\regini.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\colorcpl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\dpnsvr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\hdwwiz.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\RMActivate_ssp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\sort.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\agentactivationruntimestarter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\EhStorAuthn.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\logman.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\quickassist.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\timeout.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\cmdkey.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\cttunesvr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\iexpress.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mtstocom.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RpcPing.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\agentactivationruntimestarter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\resmon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\sxstrace.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\mfpmp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\perfhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\runas.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesPerformance.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TCPSVCS.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\appidtel.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\psr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\forfiles.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\iexpress.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\odbcad32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\TpmTool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallShield\setup.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\provlaunch.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\resmon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rekeywiz.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\unlodctr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\WSManHTTPConfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\xcopy.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\gpupdate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rasdial.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Com\comrepl.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\OpenWith.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\upnpcont.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\grpconv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mavinject.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SearchFilterHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\chkdsk.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\efsui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\InfDefaultInstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\RpcPing.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\winver.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Windows Mail\wabmig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\VideoLAN\VLC\uninstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Internet Explorer\iexplore.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msotd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Windows Media Player\wmlaunch.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.19041.746_none_d22800313aa7eb5c\regedit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-applaunch_exe_b03f5f7f11d50a3a_4.0.15805.0_none_f04c7dcfd4283324\AppLaunch.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-embedded-shelllauncher_31bf3856ad364e35_10.0.19041.264_none_223a5768a6257099\CustomShellHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxmain_31bf3856ad364e35_10.0.19041.1023_none_374973298940e35c\r\FilePicker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-oobe-user-broker_31bf3856ad364e35_10.0.19041.1_none_39d7f735c58f975e\UserOOBEBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\sxstrace.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\r\taskhostw.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.746_none_e180169f2d62e633\f\wmpnetwk.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.19041.1081_none_9972edde9b98690c\wscadminui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-lockapphost_31bf3856ad364e35_10.0.19041.746_none_d99fd60bc1fde773\LockAppHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.746_none_5fb37340a423d88f\f\PrintBrmEngine.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-rpc-ping_31bf3856ad364e35_10.0.19041.1_none_5dffc5e61476cc4e\RpcPing.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.262_none_e73f0197262d9fec\TiFileFetcher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\AppVNice.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.746_none_56f2f7338735a9a6\FXSCOVER.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lpkinstall_31bf3856ad364e35_10.0.19041.746_none_e72c4ffca9db7315\f\lpkinstall.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-r..ckgroundmediaplayer_31bf3856ad364e35_10.0.19041.1266_none_30abd5bf5f509a14\Windows.Media.BackgroundPlayback.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.19041.1288_none_1cec63974464878f\MsSense.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.19041.1202_none_27f9f931a79d1cbe\r\mavinject.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-logagent_31bf3856ad364e35_10.0.19041.746_none_c939d70420d81ce4\logagent.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\relog.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_24a9c1e1e1b0f793\tttracer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-d..ing-management-core_31bf3856ad364e35_10.0.19041.746_none_ad0ed54dd130eec3\f\DismHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-aspnet_state_exe_b03f5f7f11d50a3a_4.0.15805.0_none_a7a9eea53631000d\aspnet_state.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslconfig_31bf3856ad364e35_10.0.19041.1151_none_15ecde7059d11b7f\r\wslconfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1e502c19c2a358b\SecureAssessmentBrowser.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.19041.1202_none_05cd606e025d0d96\TrustedInstaller.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_10.0.19041.746_none_d19001beed7624dc\f\CertEnrollCtrl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.0.19041.1_none_239932b75896a716\ieUnatt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\audit.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.19041.1288_none_1cec63974464878f\f\SenseCE.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.1202_none_2dfbb21bd5166adc\f\LaunchTM.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..nt-enrollmenthelper_31bf3856ad364e35_10.0.19041.746_none_18c3ddf7dbfedda0\PinEnrollmentBroker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\AuditShD.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\tabcal.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wpd-shellextension_31bf3856ad364e35_10.0.19041.1_none_c719fa2e662738e0\WPDShextAutoplay.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iscsi_initiator_ui_31bf3856ad364e35_10.0.19041.1_none_8ddc3834fb6f659f\iscsicpl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mobsyncexe_31bf3856ad364e35_10.0.19041.1_none_a541e711f3b2a478\mobsync.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.84_none_b5c0f628d1d661eb\Narrator.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_10.0.19041.264_none_02eb5d2ec5a9ec02\sdclt.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-aspnet_wp_exe_b03f5f7f11d50a3a_4.0.15805.0_none_0e9691ac6feedc0d\aspnet_wp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.19041.789_none_3136b8d712da0334\r\XblGameSaveTask.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_38869341091832be\mofcomp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_regasm_b03f5f7f11d50a3a_10.0.19041.1_none_d7fcc21ca684dcb4\RegAsm.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1202_none_a391067a6b9b433c\appidtel.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.1266_none_fb98272b39a47240\r\usocoreworker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-uso-dtuhandler_31bf3856ad364e35_10.0.19041.153_none_c0c4ee134c2535a0\f\DTUHandler.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.1266_none_cfec8db821d83671_winresume.exe_85cd1215 C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7_mpcmdrun.exe_1d1038c2 C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\hh.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..structureexecutable_31bf3856ad364e35_10.0.19041.1_none_adf98e02f565c8fe\lodctr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.19041.746_none_d22800313aa7eb5c\f\regedit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tsdiscon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-x..jectdialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1240cd13c584c1c\XGpuEjectDialog.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-runonce_31bf3856ad364e35_10.0.19041.1202_none_94cfabd8a89f0b96\f\runonce.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-u..iedwritefilter-mgmt_31bf3856ad364e35_10.0.19041.1266_none_41843efc8f66bc7c\uwfmgr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.84_none_a689f818199cbaf8\LaunchTM.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-proximityuxhost_31bf3856ad364e35_10.0.19041.746_none_72f50b15ab3c2aeb\ProximityUxHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.19041.1151_none_0f2f3a9cb1826509\r\nltest.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-client-li..ing-platform-client_31bf3856ad364e35_10.0.19041.1_none_bf56a5e7532d9c79\licensingdiag.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\audit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sysx32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe

"C:\Users\Admin\AppData\Local\Temp\f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe

C:\Users\Admin\AppData\Local\Temp\_f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/1400-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 814c18e76ef35ecbaddb8df4ca8bef03
SHA1 3bbf25d6545d1d0097a266ad71125025583fde53
SHA256 f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18
SHA512 c33fe2623452a46d3a005bd1619f9956c97a75b2b8380ebb0a636e1ae5a943d05b701ce35eee9ea10164c3d39925109ab60ef253c7b01fa94d2a1a5606adb1d6

C:\Users\Admin\AppData\Local\Temp\_f5265bc5bee2849b58b1f992746914c517a4d450a200a6e43fa97ab9ecad1d18.exe

MD5 60c091c85370e6550dc0dc2148794d16
SHA1 fc4d763eb3064160263d91724909b814d6467597
SHA256 22adffa6ed4313a96a1c6049b380897a732477158d5d21bf830908f8c2cf873d
SHA512 2084df43a9dce7720763de8700f41ceeb0a87d63abe9ba2e0152cce3fdab39976e8975af20430758262cbddef4cf5679597609126150ac8c08515e68d1081a60

memory/1400-11-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 00580972d374a4b15b9d7b59f9ed089b
SHA1 7db62f8ee08a4359f727d53827866f29a6df57f6
SHA256 dc06aabbe6b475a23266c0c1b787b8c3333b8ae17986fff71a439a137ab6fe30
SHA512 f93823e81ce3ee0be7946ac62355b20aabf87ac164ca320476f3dea7fdf5ff6b7f571c4cf1ab77911ba9c1ddb9c5a05f5f9aaa9f2c4d9003b854e29043301169

memory/3680-1278-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3680-1279-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3680-2687-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3680-2688-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3680-2689-0x0000000000400000-0x0000000000411000-memory.dmp