Malware Analysis Report

2025-06-16 00:04

Sample ID 241105-27ae4a1fnn
Target 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf
SHA256 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf
Tags
discovery persistence ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf

Threat Level: Likely malicious

The file 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (317) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 23:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 23:12

Reported

2024-11-05 23:15

Platform

win7-20240903-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe N/A
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe C:\Windows\SysWOW64\sysx32.exe
PID 2980 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe C:\Windows\SysWOW64\sysx32.exe
PID 2980 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe C:\Windows\SysWOW64\sysx32.exe
PID 2980 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe C:\Windows\SysWOW64\sysx32.exe
PID 2980 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
PID 2980 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
PID 2980 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe
PID 2980 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

"C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

Network

N/A

Files

memory/2980-18-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2708-17-0x0000000000880000-0x000000000088E000-memory.dmp

memory/2708-16-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

MD5 b4f9829423e89017d71f0be914831ab3
SHA1 ea4b8f722d4a177637f004317027f48789cc0c8a
SHA256 23c59c9297ff0792f2da83712f322107ce8f6221b7772b18e6d847b25dfc5a89
SHA512 d98c81a77d812a7055771d8be77eb34e52ac0e07cf4188058a5e323f11adfcd42926ec4f3fdacb35e33097640f7fc9d4eca1c6eb3c5951f620f573c6d14d8ebe

C:\Windows\SysWOW64\sysx32.exe

MD5 52e3c216b043490cdbb87e17218f4d47
SHA1 e21be588a01cb4022dafe84eb9c88305532b17ff
SHA256 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf
SHA512 d21ee7fb626317e9762e49acb0afcf70ecf546a6f7def8fddac24115c6f0aa404f94e98aa374d9cf6196077ff277c31e80a88240a25a13e8dcb701d874c30526

memory/2980-0-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3036-20-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 23:12

Reported

2024-11-05 23:15

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe"

Signatures

Renames multiple (317) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dpapimig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\netbtugc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\powercfg.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RunLegacyCPLElevated.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\TCPSVCS.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\TRACERT.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\at.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\xcopy.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\WinMgmt.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ipconfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\ComputerDefaults.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\msdt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\RdpSaProxy.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wiaacmgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\agentactivationruntimestarter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\nslookup.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\schtasks.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\shrpubw.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\ndadmin.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\fixmapi.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\sxstrace.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TRACERT.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\backgroundTaskHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\lodctr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\InfDefaultInstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\logagent.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\msinfo32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wowreg32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\bootcfg.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fondue.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\wbem\WmiPrvSE.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\efsui.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\icacls.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\PackagedCWALauncher.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Com\MigRegDB.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\EhStorAuthn.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\makecab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\sdiagnhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\curl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\charmap.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\findstr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\msinfo32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\openfiles.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\proquota.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rasdial.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\BackgroundTransferHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ByteCodeGenerator.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\choice.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\dllhst3g.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rekeywiz.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\bitsadmin.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\Netplwiz.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\OposHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Com\comrepl.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cliconfg.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Mozilla Firefox\firefox.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmlaunch.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Windows NT\Accessories\wordpad.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\7-Zip\Uninstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\wordpad.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9ab96313e8d638bb_iscsicli.exe_20e14d4f C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.746_none_816403dd2374fa29\r\dfrgui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-makecab_31bf3856ad364e35_10.0.19041.207_none_d949ad80fc4d976e\makecab.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvsystem_31bf3856ad364e35_10.0.19041.84_none_40bd4149a6d52edb\f\AppVClient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-eventcollector_31bf3856ad364e35_10.0.19041.1_none_b0feb06b14107c04\wecutil.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.19041.1_none_330dfb2b06b21af6\subst.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.746_none_790f12933fbf7e0d\tpmvscmgrsvr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux-dlg_31bf3856ad364e35_10.0.19041.1_none_544850fb795d0a4f\UpgradeResultsUI.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-b..onment-core-tcbboot_31bf3856ad364e35_10.0.19041.264_none_de5e254ba7caf399\f\tcblaunch.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1_none_e4c1e71455c2721c\appidtel.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-filtermanager-utils_31bf3856ad364e35_10.0.19041.1_none_cf7ec085c4b5345c\fltMC.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-grouppolicy-script_31bf3856ad364e35_10.0.19041.572_none_42ec0e96ce977bdb\gpscript.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\hvsimgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\f\auditpol.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..biometrics-trustlet_31bf3856ad364e35_10.0.19041.1266_none_ba0845abb58c8bdd\BioIso.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_f89a6b0476f024dd\wabmig.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\r\sessionmsg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-com-surrogate_31bf3856ad364e35_10.0.19041.1_none_0469a68bc74049ec\dllhst3g.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.1_none_2eeab9eac7c3eb5c\WFS.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1_none_b29cb2f3845833b7\UevTemplateBaselineGenerator.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-e..-unifiedwritefilter_31bf3856ad364e35_10.0.19041.1_none_522bacd027283125\UwfServicingShell.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-e..riseclientsync-host_31bf3856ad364e35_10.0.19041.207_none_ac38fc33d542b487\f\WorkFolders.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fax-service_31bf3856ad364e35_10.0.19041.1_none_6314a7411fa6f2ec\FXSUNATD.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1_none_8c3cb0a560e64b91\splwow64.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..egistration-cmdline_31bf3856ad364e35_10.0.19041.1202_none_b3f538f2c4a648b2\f\dsregcmd.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\InputApp\TextInputHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..screencontentserver_31bf3856ad364e35_10.0.19041.746_none_e540b68b09558f5a\f\LockScreenContentServer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-lsatrustlet_31bf3856ad364e35_10.0.19041.1288_none_5961108733e967c9_lsaiso.exe_51c00eb7.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..tiondialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_f20ecec27517964b\PinningConfirmationDialog.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-xbox-gamecallableui.appxmain_31bf3856ad364e35_10.0.19041.1_none_d910ec4e86b0552b\XBox.TCUI.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-applaunch_exe_b03f5f7f11d50a3a_4.0.15805.0_none_a89f46f8bfac0a1e\AppLaunch.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_windows-defender-nis-service_31bf3856ad364e35_10.0.19041.1_none_d3e3ad84b24cfdfe_nissrv.exe_f967cd63.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_f827f008f8832bd5\f\rasautou.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-filtermanager-utils_31bf3856ad364e35_10.0.19041.546_none_f786fa028426f858\fltMC.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvsystem_31bf3856ad364e35_10.0.19041.84_none_40bd4149a6d52edb\AppVClient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-containers-ccg_31bf3856ad364e35_10.0.19041.1_none_126d541494a0ae5b\CCG.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\r\ssh-add.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.1081_none_e4e5027bf1e82209\WerFault.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\f\OOBENetworkConnectionFlow.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-rundll32_31bf3856ad364e35_10.0.19041.746_none_b5fe9c5c09b9d7a9\f\rundll32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_bd2b0ef5b58e1540\cscript.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\mip.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvsystem_31bf3856ad364e35_10.0.19041.1081_none_bdf809eb2dd695f9\AppVClient.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1266_none_119b1e415d838a28\autoconv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1_none_c76758d7f0069e2e\newdev.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..mpropertiesadvanced_31bf3856ad364e35_10.0.19041.1_none_ad39955b83a3f25f\SystemPropertiesAdvanced.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.1_none_86e0e6ce46c9ed74\WinRTNetMUAHostServer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..roblemstepsrecorder_31bf3856ad364e35_10.0.19041.746_none_b8eadbf8a9c907b3\psr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.1266_none_1abb9653828c3f41\SecurityHealthService.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1_none_c26c8624c595ae48\GameBarPresenceWriter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-d..-commandline-dsdiag_31bf3856ad364e35_10.0.19041.1_none_a6017688e5093466\dcdiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_wcf-m_sm_cfg_ins_exe_31bf3856ad364e35_10.0.19041.1_none_59f3ce100425ffb0\SMConfigInstaller.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-restartmanager_31bf3856ad364e35_10.0.19041.1_none_3626754ec37c229b\RmClient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_bd2b0ef5b58e1540\wscript.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.1_none_e768b85cf7ad062e\TSWbPrxy.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-oobe-user-broker_31bf3856ad364e35_10.0.19041.1_none_39d7f735c58f975e\UserOOBEBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\f\AppVStreamingUX.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-service_31bf3856ad364e35_10.0.19041.1202_none_d965e0f65a4ddcdf\r\BdeUISrv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.19041.1266_none_e8d910c7c702b558\r\MusNotificationUx.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\CExecSvc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mdmagent_31bf3856ad364e35_10.0.19041.1266_none_b9c280a4d350d170\r\MDMAgent.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sysx32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

"C:\Users\Admin\AppData\Local\Temp\64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4388-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 52e3c216b043490cdbb87e17218f4d47
SHA1 e21be588a01cb4022dafe84eb9c88305532b17ff
SHA256 64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf
SHA512 d21ee7fb626317e9762e49acb0afcf70ecf546a6f7def8fddac24115c6f0aa404f94e98aa374d9cf6196077ff277c31e80a88240a25a13e8dcb701d874c30526

C:\Program Files\BlockRestore.exe

MD5 54c66635d838b35b5f45241bc52db9ee
SHA1 efeb0be3e710e74400985328f530474327d32940
SHA256 c54b926a4a9f960016749b4b49a87a7e574a6b3d6cd5a9ca6b6ccc0c9f2dbb21
SHA512 59aa26ef38351a4210fdac0dabcab24d23825e604057df9212d0ffa4c9e9fa1bb8a239453237abea8986eab29485d599e7d6cc9b883d2bd2b479109746ab6f35

C:\Users\Admin\AppData\Local\Temp\_64c5152fbb86d8ece9d57eb5d2d82c049b7e5ebeb27be76b9b40cefd0f33d9cf.exe

MD5 b4f9829423e89017d71f0be914831ab3
SHA1 ea4b8f722d4a177637f004317027f48789cc0c8a
SHA256 23c59c9297ff0792f2da83712f322107ce8f6221b7772b18e6d847b25dfc5a89
SHA512 d98c81a77d812a7055771d8be77eb34e52ac0e07cf4188058a5e323f11adfcd42926ec4f3fdacb35e33097640f7fc9d4eca1c6eb3c5951f620f573c6d14d8ebe

memory/4780-53-0x0000021B7B570000-0x0000021B7B57E000-memory.dmp

memory/4780-54-0x00007FF85E173000-0x00007FF85E175000-memory.dmp

memory/4388-73-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3596-994-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3596-1142-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3596-2692-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3596-2693-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3596-2694-0x0000000000400000-0x0000000000411000-memory.dmp