Malware Analysis Report

2025-03-15 08:13

Sample ID 241016-jerjsstfkj
Target faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd
SHA256 faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd
Tags
discovery persistence ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd

Threat Level: Likely malicious

The file faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (316) files with added filename extension

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 07:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 07:35

Reported

2024-10-16 07:37

Platform

win7-20240903-en

Max time kernel

141s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe

"C:\Users\Admin\AppData\Local\Temp\faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe

C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe

Network

N/A

Files

memory/2092-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 08eff421c5bddd2eab60ac2ceb509ad3
SHA1 fbfd03c783256e7f46ec2d1413e0eeeb7238ae78
SHA256 faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd
SHA512 e4f8d30e552c092dc5940768cca4468930cd0ad7ddc7a55e6d2a241809d585735e4fc00659d8d4a709b0e6247e3124a084ed415a565a4e8e123b898a8d90268d

memory/2092-11-0x0000000000220000-0x0000000000231000-memory.dmp

memory/2092-10-0x0000000000220000-0x0000000000231000-memory.dmp

memory/2092-18-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe

MD5 5ce70be64947af7b33a39508e97760f2
SHA1 44d82b6c0ef660e001aa47ef77704ff98b7a813a
SHA256 1492f5fcef95fb7a79c50fecc8a02c80669ee5e5233629ddb58eda06bf0b1542
SHA512 9b6db1b24dea4c9d239853cddd5f4272467c2a1224e944174376242b200b49ce934821c52dec981f4991c02096438c4da9f877ecc78b1081a729df71d9e0ecea

memory/1780-20-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 07:35

Reported

2024-10-16 07:37

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe"

Signatures

Renames multiple (316) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\systeminfo.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\forfiles.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SearchIndexer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\fontview.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\RMActivate_ssp_isv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\BackgroundTransferHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\eventcreate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\schtasks.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\schtasks.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\takeown.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TSTheme.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\WmiPrvSE.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\msfeedssync.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\wscadminui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\iscsicli.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\PickerHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\sethc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mtstocom.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\prevhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\psr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\credwiz.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\logman.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ARP.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\cmstp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RdpSaUacHelper.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\where.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\winrshost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wsmprovhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\makecab.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\typeperf.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SecEdit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\dfrgui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\gpupdate.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\CloudNotifications.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Com\comrepl.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TpmTool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\tzutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\iexpress.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\verclsid.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\OpenWith.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rrinstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\xwizard.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\certreq.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\isoburn.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\autochk.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\dialer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mfpmp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\msinfo32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\CertEnrollCtrl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cipher.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\PresentationHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\sdiagnhost.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\plugin-container.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Mozilla Firefox\crashreporter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Windows Media Player\wmpconfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Mozilla Firefox\minidump-analyzer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_10.0.19041.153_none_b4f0bd83cfc7701e\f\AxInstUI.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.1_none_c5cb0c3a04b0a5de\rasautou.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_28f87d0444103fde_fontdrvhost.exe_94bdc76d.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\WSManHTTPConfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-servicing_31bf3856ad364e35_10.0.19041.1237_none_9ad73d125ac89655\bfsvc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.789_none_9beee4eb02a5f8c7\Narrator.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.264_none_4a12028313046a9e\r\ntoskrnl.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1151_none_71aa7fdbb41824a0\r\ShellExperienceHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\icsunattend.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-es-authentication_31bf3856ad364e35_10.0.19041.1_none_02027476ea57232f\EhStorAuthn.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\prevhost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-csp_31bf3856ad364e35_10.0.19041.844_none_c606f47e6aa94b5b\r\hvsievaluator.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9064b8c1b47576c0\iscsicli.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgport.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.1_none_4721ab47285172c4\net1.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\wsmprovhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_e95531bdadf3df5c\wmpconfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-virtualdiskapilibrary_31bf3856ad364e35_10.0.19041.1_none_a353adcda7cf69e6\convertvhd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-cloudnotifications_31bf3856ad364e35_10.0.19041.1_none_47f8a965309a7ee6\CloudNotifications.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-devicecensus_31bf3856ad364e35_10.0.19041.1202_none_24329c73afbd2316\r\DeviceCensus.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-p..structureexecutable_31bf3856ad364e35_10.0.19041.1_none_b84e385529c68af9\unlodctr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_6f27e9e1e7c4fb87\net1.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1202_none_76e6fb38a70dbd6d\GameBarPresenceWriter.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-warp-jitexecutable_31bf3856ad364e35_10.0.19041.1_none_83ab1c56c187ef65\Windows.WARP.JITService.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.746_none_56f2f7338735a9a6\f\FXSCOVER.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-x..jectdialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1240cd13c584c1c\XGpuEjectDialog.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.1266_none_e20a2c618eea3856\r\agentactivationruntimestarter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9ab96313e8d638bb\iscsicli.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Boot\PCAT\memtest.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.1288_none_f92f7256107c0e35\nvspinfo.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-r..pdate-oob-component_31bf3856ad364e35_10.0.19041.84_none_e539abe3d27f675f\r\rdvgm.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-winlogon_31bf3856ad364e35_10.0.19041.1266_none_e488d49c8a22d21e\f\winlogon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qprocess.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\servicing\TrustedInstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lpkinstall_31bf3856ad364e35_10.0.19041.746_none_e72c4ffca9db7315\r\lpkinstall.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\wmpconfig.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-csrss_31bf3856ad364e35_10.0.19041.546_none_36dd2ad842e4f8c3_csrss.exe_06529458 C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\r\UIMgrBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\AppVStreamingUX.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-commandlinehelp_31bf3856ad364e35_10.0.19041.1_none_8a1c4327a89528e3\help.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.19041.1151_none_0f2f3a9cb1826509\nltest.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1_none_45334ed1c0264cf2\wkspbroker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..switch-toasthandler_31bf3856ad364e35_10.0.19041.746_none_a89196e695076787\InputSwitchToastHandler.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.153_none_59d1094dec9b8480\Spectrum.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.19041.1288_none_1cec63974464878f\r\SenseSampleUploader.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_10.0.19041.1_none_da504d0e6afd0a49\TsWpfWrp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.264_none_583d67d6d00b6b6a\f\WerFaultSecure.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-browser-brokers_31bf3856ad364e35_11.0.19041.746_none_581ccf386ba57d51\browserexport.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-iechooser_31bf3856ad364e35_11.0.19041.1_none_da5b9e6604736fbe\IEChooser.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\wmplayer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-quickassist_31bf3856ad364e35_10.0.19041.1266_none_72c6a00123f43c47\r\quickassist.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windows-defender-nis-service_31bf3856ad364e35_10.0.19041.1_none_d3e3ad84b24cfdfe\NisSrv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-ddodiag_31bf3856ad364e35_10.0.19041.1_none_f69c49e870acf520\ddodiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-edp-notify_31bf3856ad364e35_10.0.19041.1_none_e112f07513949221\edpnotify.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-m..ac-sql-cliconfg-exe_31bf3856ad364e35_10.0.19041.1_none_3062feae2a702d0a\cliconfg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-provisioning-platform_31bf3856ad364e35_10.0.19041.1_none_2ace380757b108f3\provlaunch.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-wpd-shellextension_31bf3856ad364e35_10.0.19041.1266_none_90436a82b05bca89\WPDShextAutoplay.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1266_none_1befc89391e44c23\f\autoconv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..perience-ait-static_31bf3856ad364e35_10.0.19041.1202_none_a5a4c3f2637b55fa\r\aitstatic.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sysx32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\System32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\unregmp2.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe

"C:\Users\Admin\AppData\Local\Temp\faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe

C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/1080-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 08eff421c5bddd2eab60ac2ceb509ad3
SHA1 fbfd03c783256e7f46ec2d1413e0eeeb7238ae78
SHA256 faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd
SHA512 e4f8d30e552c092dc5940768cca4468930cd0ad7ddc7a55e6d2a241809d585735e4fc00659d8d4a709b0e6247e3124a084ed415a565a4e8e123b898a8d90268d

C:\Users\Admin\AppData\Local\Temp\_faea931e287a5549dbdaf64a0c21e83003f9ff4d5af2024cfa2443d45a0f6afd.exe

MD5 5ce70be64947af7b33a39508e97760f2
SHA1 44d82b6c0ef660e001aa47ef77704ff98b7a813a
SHA256 1492f5fcef95fb7a79c50fecc8a02c80669ee5e5233629ddb58eda06bf0b1542
SHA512 9b6db1b24dea4c9d239853cddd5f4272467c2a1224e944174376242b200b49ce934821c52dec981f4991c02096438c4da9f877ecc78b1081a729df71d9e0ecea

C:\Program Files\7-Zip\7z.exe

MD5 fd97e598d27823df9104e939fd0550c2
SHA1 c2345fbe3a077b2701a54a581613a9c82885b493
SHA256 0b6db05f074af3485e96a29dfbc3c0e428f4dc36455705cec29670b4b5bfd692
SHA512 9adc5c291bb44b14c16a32c32226dce326b53b51ad83f8fe609e17c6829fe561f9116168b87c64a1a82c4deed24c95e4e3529f2cefac8f37b1099c08387525d5

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 adbd8353954edbe5e0620c5bdcad4363
SHA1 aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6
SHA256 64eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55
SHA512 87bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 c2fd5664e148a4abeb3fb60a5fba2e50
SHA1 7e77fdf21b23c767e274ae6bd705d022935b7640
SHA256 0f97055b613817c4cb55b672e68a08fa535dd775ff5bdfc289adffc9c7f29bf6
SHA512 9e6b91895383b3be389acfa904a2f49dc1cb467668351313382ed8ffd48fa248c46bcecf6c44a911ffd1f1181e124dddb34112d00ae0cdbae4983849c6df8db9

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 444002cdffb544224bd04c76ad3b7a18
SHA1 def2bd24a981d859aa0c332b5bf619ad3c7814ac
SHA256 5e444ee8cd85091f9397146b625ca5097875613b96783f37ce87a84084d5cc71
SHA512 47905c5c42d158b51951c5e59b36cad6e25bbad6b95953b88892e02ae296ac97df86e2dd2c0f9f9cfb18d84bca8b29f5947f5c7169f1796731e840c13c3eb3aa

memory/4240-862-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-863-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-865-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-868-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-867-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-866-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-869-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-870-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-874-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-873-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-872-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-871-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-875-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-876-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-877-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-879-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-880-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-881-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-882-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-883-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-885-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-884-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-886-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-887-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-888-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-889-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-891-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-890-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-892-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-893-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-894-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-896-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-897-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-899-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-900-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-901-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-903-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-902-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-905-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-907-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-906-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-909-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-910-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-908-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-911-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-912-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-913-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-915-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-916-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-917-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-918-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-920-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-921-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-919-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-922-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-923-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-924-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-925-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-927-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-926-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-928-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-929-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-930-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/4240-932-0x000002B230B70000-0x000002B230B80000-memory.dmp

memory/1080-977-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3272-1166-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3272-4828-0x0000000000400000-0x0000000000411000-memory.dmp