Malware Analysis Report

2025-06-16 00:03

Sample ID 241105-1tzbmaynbv
Target 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d
SHA256 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d
Tags discovery, persistence, ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256

452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d

Threat Level: Likely malicious

The file 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (317) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 21:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 21:57

Reported

2024-11-05 21:59

Platform

win7-20240903-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe"

Signatures

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe N/A
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2464 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe
PID 2464 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe
PID 2464 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe
PID 2464 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe
PID 2464 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
PID 2464 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
PID 2464 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
PID 2464 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
PID 2508 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe
PID 2508 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe
PID 2508 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe
PID 2508 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe

"C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe

C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

Network

N/A

Files

memory/2464-0-0x0000000000400000-0x0000000000411000-memory.dmp

\Windows\SysWOW64\sysx32.exe

MD5 7b7d04d2c0bd8ac1f4923b0655baae6c
SHA1 e731959a1dde67ad20a3b86774d7592ed7241d49
SHA256 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d
SHA512 a91eb78116db32e2cc23195545adc4976ee4b2f2e3361949a661396bb1a8b7b2f9060f3f29f43cd4256e8b763ab61a6f21781a8778bed9c8903c575435b13e39

memory/2464-4-0x0000000000230000-0x0000000000241000-memory.dmp

memory/2464-9-0x0000000000230000-0x0000000000241000-memory.dmp

memory/2508-24-0x0000000000220000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe

MD5 7c710979c9aa73050d5aceee902d52ba
SHA1 4b194e0bddede5b3f8f5f2c15c4f3964b61d8189
SHA256 4619008405e01c106be3f8f145bd21cf449401b901ee1ba01d1541af45f675ab
SHA512 0e8657ad437e9042119829da3bd3e1cf604ddba10619847700f3cd5cde91637280a356a0c559b047a7a38e2984fb7aafb7cb794d56760c01ca0ebb73f9cac36a

memory/2464-26-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2480-27-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2464-28-0x0000000000230000-0x0000000000241000-memory.dmp

memory/2508-29-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2508-32-0x0000000000220000-0x0000000000231000-memory.dmp

memory/2004-35-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 21:57

Reported

2024-11-05 21:59

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe"

Signatures

Renames multiple (317) files with added filename extension

ransomware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\CheckNetIsolation.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\finger.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\grpconv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\timeout.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\dpnsvr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\getmac.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\LaunchWinApp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rrinstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SecEdit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\dfrgui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\GameBarPresenceWriter.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\hh.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\RmClient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\wscadminui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\dvdplay.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\perfmon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SearchProtocolHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\tracerpt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\PING.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\sort.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Utilman.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\certreq.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Magnify.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SettingSyncHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rasautou.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SearchFilterHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\UserAccountBroker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\attrib.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\clip.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\convert.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\logman.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\logman.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\verifiergui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\CredentialUIBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\DpiScaling.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WWAHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\shrpubw.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TpmTool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TSTheme.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\upnpcont.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\xcopy.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\cipher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\mspaint.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\netbtugc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\print.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\ReAgentc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Com\MigRegDB.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\psr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\runonce.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMETC\IMTCLNWZ.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\eventcreate.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\isoburn.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mavinject.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\CredentialUIBroker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\diskpart.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\doskey.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ntprint.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rdrleakdiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpconfig.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Windows Media Player\wmpconfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Internet Explorer\iexplore.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Windows Media Player\setup_wm.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpshare.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\VideoLAN\VLC\uninstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_e8b8012dee3ba92e\finger.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..te-musnotifyiconexe_31bf3856ad364e35_10.0.19041.1266_none_adfc223229a335a6\MusNotifyIcon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_f4a55c2c3386ed90\r\UserAccountBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-certificaterequesttool_31bf3856ad364e35_10.0.19041.1_none_28564b59eb268cda\certreq.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..agement-omadmclient_31bf3856ad364e35_10.0.19041.1151_none_c86feb6936a97173\omadmclient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-oobe-user-broker_31bf3856ad364e35_10.0.19041.746_none_61e0347e850155a8\r\UserOOBEBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\mstsc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\typeperf.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-xbox-gamecallableui.appxmain_31bf3856ad364e35_10.0.19041.746_none_0119299746221375\r\XBox.TCUI.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mapi_31bf3856ad364e35_10.0.19041.1_none_6b92f924ed7df79b\fixmapi.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..l-systemuwplauncher_31bf3856ad364e35_10.0.19041.746_none_e304dcaa2490f61c\r\SystemUWPLauncher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_10.0.19041.1202_none_ddf8c4144200f5b4\winresume.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\r\ndadmin.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.19041.117_none_7879d5035b0edfac\r\nltest.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.1_none_22d9ddcd4b2b9d68\CameraSettingsUIHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..d-searchintegration_31bf3856ad364e35_10.0.19041.746_none_6e05a6bb2291b4c6\f\IMESEARCH.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-eventlog-commandline_31bf3856ad364e35_10.0.19041.1_none_8119ed75508e4ffe\wevtutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_10.0.19041.1266_none_2d0e4759c01cf211\unregmp2.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-efs-rekeywiz_31bf3856ad364e35_10.0.19041.1_none_bddbb800ab3565d0\rekeywiz.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fax-service_31bf3856ad364e35_10.0.19041.804_none_8b46258bdefa0beb\f\FXSUNATD.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..tionsnonwinpeplugin_31bf3856ad364e35_10.0.19041.1_none_5c82be53abe61670\PnPUnattend.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\newdev.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_10.0.19041.264_none_39a33f9dfdb389ae\slui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.207_none_4054ef70f69f6ff9\f\wpr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lockapphost_31bf3856ad364e35_10.0.19041.746_none_d99fd60bc1fde773\LockAppHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.1_none_bddafe5ea5731fa2\bridgeunattend.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.746_none_48b2bd808a742e25\f\netbtugc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-o..onalfeatures-fondue_31bf3856ad364e35_10.0.19041.1_none_09fac50a5fe3aec5\Fondue.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-com-runtimebroker_31bf3856ad364e35_10.0.19041.1_none_4c44763647728882\RuntimeBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.264_none_8adc8bd8b75d383f\f\UpdateNotificationMgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1266_none_1befc89391e44c23\convert.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1266_none_92496ac84272f5f1\f\LegacyNetUXHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-update-usoclient_31bf3856ad364e35_10.0.19041.1_none_64d9c601341de377\UsoClient.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-bootux.deployment_31bf3856ad364e35_10.0.19041.746_none_1c0a97992f105d4b\bootim.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\f\wdagtool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-l..nstaller-comhandler_31bf3856ad364e35_10.0.19041.1_none_d7372edf29e45655\LanguageComponentsInstallerComHandler.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_10.0.19041.1_none_9556bb9420781f39\sdbinst.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx-ngen_exe_b03f5f7f11d50a3a_10.0.19041.1_none_38a57ff5dba3c9f4\ngen.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-timezone-sync_31bf3856ad364e35_10.0.19041.1_none_4521fd67bfb25b6a\tzsync.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_10.0.19041.746_none_d19001beed7624dc\CertEnrollCtrl.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_vmconnect_31bf3856ad364e35_10.0.19041.1_none_462739ece97bd4ed\vmconnect.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dataexchangehost_31bf3856ad364e35_10.0.19041.264_none_c765d8a6c76ec25f\DataExchangeHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_556ba5d1df8130ac\f\printui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_10.0.19041.1_none_023783a15d5391a7\pipanel.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1_none_b6a6a2ae8b1ec7b0\vfpctrl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-lpkinstall_31bf3856ad364e35_10.0.19041.746_none_e72c4ffca9db7315\lpkinstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..agement-coredpussvr_31bf3856ad364e35_10.0.19041.746_none_7946fb11bf19dc87\r\coredpussvr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.153_none_47569e595c44e70c\f\FileExplorer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.1052_none_073e2a212d1697e6\ApproveChildRequest.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-s..pertiescomputername_31bf3856ad364e35_10.0.19041.1_none_f0b8ea270ffc4674\SystemPropertiesComputerName.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_networking-mpssvc-netsh_31bf3856ad364e35_10.0.19041.1151_none_2e15548db03a22c8\CheckNetIsolation.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.264_none_5481650943811810\f\SpatialAudioLicenseSrv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\f\SecureAssessmentBrowser.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-security-secedit_31bf3856ad364e35_10.0.19041.1_none_6f2ce5f0857cd61a\SecEdit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-d..omerfeedbackmanager_31bf3856ad364e35_10.0.19041.844_none_c47fb20821633815\imecfmui.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_6f27e9e1e7c4fb87\f\net1.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-office-csp_31bf3856ad364e35_10.0.19041.844_none_9b62a70f9278f2cd\ofdeploy.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\systemreset.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_networking-mpssvc-netsh_31bf3856ad364e35_10.0.19041.1151_none_23c0aa3b7bd960cd\f\CheckNetIsolation.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sysx32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe
PID 4768 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe
PID 4768 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe
PID 4768 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
PID 4768 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
PID 4768 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
PID 3616 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe
PID 3616 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe
PID 3616 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Windows\SysWOW64\sysx32.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe "C:\Users\Admin\AppData\Local\Temp\452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe"
C:\Windows\SysWOW64\sysx32.exe C:\Windows\system32\sysx32.exe /scan
C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe
C:\Windows\SysWOW64\sysx32.exe C:\Windows\system32\sysx32.exe /scan

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/4768-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 7b7d04d2c0bd8ac1f4923b0655baae6c
SHA1 e731959a1dde67ad20a3b86774d7592ed7241d49
SHA256 452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d
SHA512 a91eb78116db32e2cc23195545adc4976ee4b2f2e3361949a661396bb1a8b7b2f9060f3f29f43cd4256e8b763ab61a6f21781a8778bed9c8903c575435b13e39

C:\Users\Admin\AppData\Local\Temp\_452d403f1deb8d49e91d37929616e2b7b377764ed11648df6bd5a6e2c8740c7d.exe

MD5 7c710979c9aa73050d5aceee902d52ba
SHA1 4b194e0bddede5b3f8f5f2c15c4f3964b61d8189
SHA256 4619008405e01c106be3f8f145bd21cf449401b901ee1ba01d1541af45f675ab
SHA512 0e8657ad437e9042119829da3bd3e1cf604ddba10619847700f3cd5cde91637280a356a0c559b047a7a38e2984fb7aafb7cb794d56760c01ca0ebb73f9cac36a

C:\Program Files\7-Zip\Uninstall.exe

MD5 e85bf8e93a36929d8b11f7a9236fe19a
SHA1 b5ad2f1ad06a7f7beb0300e46b81a6270688ed25
SHA256 2868893b6dc27dabab363789c43d4606a2cd15af4f93541ae1d6c6990e5313b9
SHA512 3f39db32b39daa7e723ead3da796bf5495417fc9d016449242af43bfa046af31a7f6480b5d7e26e0f7211580cb4bc887cf59421ff8a1e21f829e2b3ceb90004a

C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp

MD5 0a8b559bcee551b10a22311f4bf4c599
SHA1 69f986cb2a99ecbaabc3d28d78a2e4c40b681dc3
SHA256 3d9bfb081e97e3fb62539835e7b3082dac4d706f0bb727586b950194b013cde7
SHA512 b34d86f8ccd83aa13a543997b38395817bbadb3c1acb91755f8681af59022d2ee6b4da32f984a2ba2426ce1c4e19851c15ab915b44f830c9f30644ed92ce70c3

C:\Program Files\dotnet\dotnet.exe

MD5 f6851e0958f937a72dbcfb5ccfbbe7af
SHA1 c548c2af452a0cb36054843ecb8d1db1d72a6b8c
SHA256 a76d554f30e83da33b2db3d5bea3af449e5633a7c23cbc7b2fe2704e38ecde2f
SHA512 e73d33e2759715541fd873b894f0ee96231a5fc684234c2a9bf42dd5a483e3acfaa2e71cc773de580882d214bcc286e61fbbbb219d8eb45f1434b659db9e092d

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 4178bfecf05579e133a820f0871b30a6
SHA1 823f7a71bf90f46235d66c0cd9a18bdf886bc7a5
SHA256 c8a578de8e36061b67935cbdade6dbf7cc45bd87ec619396e982d47cb9f8f3fa
SHA512 7a0067128ecb6fab0ee89bfee92f6ce86e02e29d8ef6e12d7a8cd6b822b83952dcc1f15386b8e8a4bb4626e2048fc4d315fd467ea3923a21e3c38b71996bb864

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 3f66287db1ecb997f6ae6eb00e3799d1
SHA1 2090b1a2c00ba97fcf8647a17c5a93e80ba576ed
SHA256 81c3ad7ea8ff1d421d0c712d6c39f926742c7baa8e9baf1b0a6360eced2b6445
SHA512 d4e56715600a2f368c2d651ecc4c50ac23fc598955d8cbb2e48fae2f59bc302d5a524e367b55306662340fc33c611166b9e0095d246be076d3b2b2580bdf713d

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe

MD5 6f236fca580f38e3be2e62bcc372ccbe
SHA1 38c3d7f236ba8d2ce8d5c57e1d75db454418ddb1
SHA256 3d82998d744c868463c8778f16a71698bfe68b4626bebdde26507942851d9543
SHA512 0585fdf31e6f99f1914538fab6d79becf9b90d629348b550497aaaf1a219928953eaafb584d0f338ae87c640052a0177b55067c0baa641d89b349e8406cf142d

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 ad7201af23f40feb4b13a9d957297388
SHA1 845bbfe77922864211d39827ca2532bd78a6b179
SHA256 eee0805240ac4d2a8e0d380fa9602c5bb0372e356d9e4900269b5dcd439b05a6
SHA512 c351b161f31aae00462a78156a9ead1e2d639ee4f3116fbdae4cb36c97b9eba8b48423485504b91827369d96a6ec879b68f048d2dfee8f00b7b309ddf109182d

C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp

MD5 e47e48aa717f984ca22491abca524e73
SHA1 8da3d3684cb01a8d8f41424bc0abfd7fffb29f60
SHA256 bad8f7f83ee3c963974f5cee9c373cb7392b8e25a234192c37e9d8c4598ba787
SHA512 123a11d0d7deb26656f2cd3606e6ee3a4538c80071126159d9b417d8622f7b7b244e0df0c8b92f35b9265f6c4a359b352f8a2299c756f03c7ebce81bb3745fe5

C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp

MD5 49eb90d38e5382385cb897a3c341bd0c
SHA1 cc005739ab56431c2d77cbbccbc0b0391fa4b086
SHA256 77c4d80a885721f0a4ab4e4edf6368ef5d3b5345b3100f4fd5ffa4180a92fd3f
SHA512 7b5305219bcab3dbbe771b7d64a21e5185539e810adb74d0273bb8921df4e861e3e27e014120ee4230cdc0a0a7a7962e04957a8ff0014fc03d7cdb1353699229

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp

MD5 6bf929213a7c5e0593c2eea66f529039
SHA1 e4baa6e57ec12d29ed4c8abe86f6f5fbe2575f5f
SHA256 cba0d5811503a62d1e6e80559aae2961d77d360b9251863818b6ef0993274ac4
SHA512 47b7ac26a514a477ba1f4d7b7fd4a7bee4ed58741b870c55c655381b953fa71c4507e73c2f267ae296364eb7834fcfc8662f982d1162d1bcd97f33cc4875a2b3

C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp

MD5 7066cbca007ea260a7300e31d770bff2
SHA1 6be68d3c1c6471cf68c5e4d553d03e0311bd21f9
SHA256 af3eb2cb513724dc653c0ecfce77bf9813e9f958becc06f0343e9b924c3a86f6
SHA512 5312917a6a090430328b6bc6ee0c6f0d39bf523377d1b65a44c26521158d09b42166ffd6018172849ed4918dcf0fabfce7c593d1eddcbdeefcc90c32e40d2cc2

C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp

MD5 d333f2a914b23c2a6eed27a695f51482
SHA1 1c38ff2009f4946b226a0fe4aa4b0a0d4c2ea700
SHA256 e78d4aeefbc8b8edac6bdb1bd282592400f3c6bd50403f375f68040daa85ba91
SHA512 81e530b1902b9908f3e55e2dfdd895172911cc152220adb157434b180a27a3dbe516df89ab7b70923ccacfbe22ec2784b5bb843f92b14d0b7fd819d9252bb735

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp

MD5 339fd0b215eee9d3c92dd1b84f848d18
SHA1 a7bcfe63ada3d39e81953d87ebb3834a80ead18a
SHA256 c6441f9ffde183f759de7bbb7b7470ea9eaac1843ddf57953eb2151dd209d732
SHA512 cfe505a8044c0394af9b95edae7f1a851b1970eca5da596ae8f702aab937a5f21e5c8a00cb6be2d81259aea1641094c4c76867b0f651b4a6d69119e29470c5b3

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 4a164f1c54e83dcbd2ea887be2606a05
SHA1 2b0b0e905bbb47d7f99b48bc9e15c4e116c834ad
SHA256 3e9075c12acb9a870212f62eb39b49f4bcd157353f6579e40afc27f54c0097d4
SHA512 add263526835637de6315b3664ceddb74c5087e4f50094933d8aa87fd0defae1df1cb7772b6444f97e82c284973220fa72d0e7f2ae4a377d60076449fc9c1d1f

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 b49efa65c097ca7a6bfd2c8cd36d6ac5
SHA1 0ae93b44d008aa4917d570b22110e7cef3eb05a0
SHA256 e7b66279e52d96e9536f4d25af590b7310bfcc05d97f9ea4b9c80dcbe9f58e94
SHA512 4f6f702a72a60869d6ba98d848c9168e9c2d2c1aea570fca2f69b7f2e9a31da4ee868a07898c0000935c2b26baef748b936cb636c78d5ad616426f19cab17cf3

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 52e54e9108ea720fcd87b0e7b6157590
SHA1 0dbb5586d0237aba89f4818cecbf174a0878a6b7
SHA256 39f118fa992083aaa4c4a8d1274a332745853826074af7ff3376174b110ffe32
SHA512 f93aa7f545b2cf58f31be1a207f3437645d8ae1d81a2537456c9d30edc58fd08b06d8e6b7e1c777336568c81d44077471549cf7e56a64e4b5846227da20e75f6

C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe

MD5 c26c71382375c4bfee7a07b97342bcb0
SHA1 af12b23ba804bc49d9cd43cf007f1b96dc1af571
SHA256 c467b776e19a35e8b271fb025c510d585c51c30d0fd8ff5f869d586a61fe32b5
SHA512 a516f6307692b63045bf7d853e87035f53bb32074fd4b921680eea0355550d36a2198e76df6fccfdca33a31fd91bbf6158a2e5ff6a16ebb0b6b826f491080440

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 88c9e1b124a28b07a9dcc8ee526bbd89
SHA1 2df0c44c2a9f06a06d44a9e4ea4e017d8c691397
SHA256 082b927f2ec41947d5471ea85bddced2d97b6544f72730aedc9fc7fbb0c75842
SHA512 3e5e5b7605945a58b81b0cf1d826c089c9e4574da2f200897564b902823991e603734796c355cdd99ab9353dbcd8f40bb170377fe5cc12da45230823e99cb9e3

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 136c62dd6d02fe0dedbbadac010c9474
SHA1 0e36e9132092aabbc12b5252124172ed2d8b2362
SHA256 8855a7ab53caf0660cc7ae2cb99a196946a743575145529d6b98410cba9e4ad3
SHA512 d8d662cf6f498c7c495b7d3d7e81916fe959bc57247539942845da2c881ed4a4725241779ca0b91b0e58a5482e2a3c61e40eb5c9bb48c8c9d434b6a8250a9799

C:\Program Files\7-Zip\7zG.exe

MD5 002f3720fd3fdc9768ac4f8334df45bc
SHA1 e9598cd68ba66b6fb8d5bc8e2afc19f068dd50bd
SHA256 18a2a2a26acdc22567877093ed57b83b298dacca509c812870217051d98fad20
SHA512 5e6e88b820b441bb4c380bd290b140c9c3f999b8a1fe85ba651981dce4f7d579d538ffd97643336dc0da86633f5d99703f5d44540ba2cac5e8b303818ea8c0fb

C:\Program Files\7-Zip\7zFM.exe

MD5 d9ce6a5ab06f1017638883e55d1b6bc9
SHA1 4d087f964e28f09739745e2b88a0992ea2174a31
SHA256 18d401cb0b57f3cc95f8081fe4addc72c0be65772d6fc83aaf3352dd4d242ce7
SHA512 af56eb8bec5dda8b33351dca35c2d39e6b55a9505a2e28abfdac983d9ccf235cf742e1f3b800ea4736495ffdebccce053db13bd5ac56644b4b69359dd307731a

C:\Program Files\7-Zip\7z.exe

MD5 1283656c9ad7f7fc5e05c54687949bcd
SHA1 ce250f06c74b29e7eb8863204288d03afd7e129c
SHA256 cc632a348ba6e5ea417dcbee2f752909d15877439db4330667e4c1865f4fd26b
SHA512 e3c63f2f0d806bc9eb61bd5b24c26aee43a686e6145620a74fa963d39531933bad405e2d3f55f6df13c14992c75c0522e7a3ed859b554ee2954c4a7d9093a0e6

memory/4768-265-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3616-263-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4240-780-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4912-779-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4240-778-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4240-1866-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4240-2721-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4240-2723-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4240-2725-0x0000000000400000-0x0000000000411000-memory.dmp