Malware Analysis Report

2025-06-16 00:04

Sample ID 241105-3ej99s1grp
Target 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber
SHA256 7281291a85f7446bd8d15c9c9af312711550cac86cd5ba8d9921c56de3ca913c
Tags discovery persistence ransomware
Score 9/10

Analysis Overview

Score 9/10

SHA256

7281291a85f7446bd8d15c9c9af312711550cac86cd5ba8d9921c56de3ca913c

Threat Level: Likely malicious

The file 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (316) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 23:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 23:25

Reported

2024-11-05 23:28

Platform

win7-20240903-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 2316 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 2316 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 2316 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 2316 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
PID 2316 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
PID 2316 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
PID 2316 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
PID 2812 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
PID 2812 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
PID 2812 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
PID 2812 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe --type=collab-renderer --proc=2812

Network

N/A

Files

memory/2316-0-0x0000000000400000-0x0000000000411000-memory.dmp

\Windows\SysWOW64\sysx32.exe

MD5 c679d949e24f0da8ada06aa84d718bfe
SHA1 972f771daeb976b70c4847f929a83bd5917cb23e
SHA256 7281291a85f7446bd8d15c9c9af312711550cac86cd5ba8d9921c56de3ca913c
SHA512 ed721e1eb14fec0dde13dd09813be87d187032ea75c6825bd2866e367de28d8535de1e591ed51d6583ea510c02fc9a11779cdf7356f6fadbce24282bea4d52ee

\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

MD5 b35327b6468894d08999a3579c4a8c0d
SHA1 ae5ceda3cecb3f9c64d2bbb02d764f0c5394f441
SHA256 c127bb107832faac1c823dd63af009b5e891f4dbaca1e4c299a549d22e3446c3
SHA512 67a537194e37fc0db15ac52b8c7f874e719f55b9f5e76e08cc56fc8913e9cba8903ead6eddfbbac93b871d2314cabe99803140a9b2ed319b24017dcc79fc7475

memory/2316-19-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2328-21-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 23:25

Reported

2024-11-05 23:28

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe"

Signatures

Renames multiple (316) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dplaysvr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\sdbinst.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\gpscript.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\InfDefaultInstall.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mmgaserver.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\compact.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\EaseOfAccessDialog.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RdpSaUacHelper.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\calc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\ddodiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TRACERT.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\hdwwiz.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\msra.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\RpcPing.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\eventcreate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\iexpress.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\mstsc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wowreg32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\clip.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\msdt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\quickassist.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\RdpSaUacHelper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\upnpcont.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\winrshost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\bootcfg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\help.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\PickerHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\PING.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\CloudNotifications.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\dplaysvr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\gpresult.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\powercfg.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RunLegacyCPLElevated.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\hh.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\printui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rrinstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\rundll32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TSTheme.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\CheckNetIsolation.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\iscsicli.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\pcaui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\fixmapi.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\wbem\WMIC.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\quickassist.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\msiexec.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RdpSa.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\lodctr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wsmprovhost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\bitsadmin.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cmd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cmmon32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\iexpress.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\timeout.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mavinject.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmlaunch.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpconfig.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\VideoLAN\VLC\uninstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.84_none_29cf9b86db5fb249\AuditShD.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ices-appcompattools_31bf3856ad364e35_10.0.19041.1_none_a9109d150b1bf064\TSAppInstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7\MsMpEng.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\ttdinject.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpinit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.1202_none_23a707c9a0b5a8e1\r\Taskmgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-embedded-shelllauncher_31bf3856ad364e35_10.0.19041.1202_none_b918e36ffc7a6ffe\f\ShellLauncherConfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ie-feedsbs_31bf3856ad364e35_11.0.19041.1_none_e6307765e4f96817\msfeedssync.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\f\mspaint.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\shrpubw.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-xbox-gamecallableui.appxmain_31bf3856ad364e35_10.0.19041.746_none_0119299746221375\r\XBox.TCUI.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-eventcollector_31bf3856ad364e35_10.0.19041.662_none_e341f52007f6d1a8\f\wecutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_10.0.19041.746_none_476e348ff3b593af\cmstp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.19041.1_none_f79dcf01d5a416bd\sdchange.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.1266_none_1abb9653828c3f41\f\SecurityHealthHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_38869341091832be\r\mofcomp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-uevservice_31bf3856ad364e35_10.0.19041.1_none_339537d6c993f72b\AgentService.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..-disposableclientvm_31bf3856ad364e35_10.0.19041.1_none_9b8799837b1e944c\WindowsSandbox.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-csrss_31bf3856ad364e35_10.0.19041.546_none_36dd2ad842e4f8c3\r\csrss.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslhost_31bf3856ad364e35_10.0.19041.117_none_9be21f0ef860b570\f\wslhost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_edd345b6c42269da\r\rasautou.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\f\prevhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.84_none_b4499a04dddcc22e\scp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-com-surrogate-core_31bf3856ad364e35_10.0.19041.1_none_eadb9d8875f59863\dllhost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-devicecensus_31bf3856ad364e35_10.0.19041.1202_none_24329c73afbd2316\DeviceCensus.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ldifde_31bf3856ad364e35_10.0.19041.1_none_d6d84e47a8300235\ldifde.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.19041.84_none_b5c0f628d1d661eb\r\Narrator.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..s-datausagehandlers_31bf3856ad364e35_10.0.19041.746_none_dbecc8a3cdc7c3cf\r\DataUsageLiveTileTask.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\InputPersonalization.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.84_none_9d98e005fb7852ca\r\SecurityHealthService.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\r\wiaacmgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-analog-facefodhandler_31bf3856ad364e35_10.0.19041.1266_none_1f1ff89fbf279f16\f\FaceFodUninstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-apprep-chxapp.appxmain_31bf3856ad364e35_10.0.19041.423_none_15f557c171018574\r\CHXSmartScreen.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\f\ImeBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..daryauthfactor-task_31bf3856ad364e35_10.0.19041.746_none_a9ff72b1a43fd663\f\DeviceCredentialDeployment.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\r\prevhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\UpdateNotificationMgr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_10.0.19041.746_none_d19001beed7624dc\r\CertEnrollCtrl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.1288_none_6c70124c60e2b4ef\vmcompute.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1288_none_71734bf99a2a6955\f\ApplySettingsTemplateCatalog.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ieframe_31bf3856ad364e35_11.0.19041.264_none_863c21753674f968\f\IESettingSync.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..ioningsecureprocess_31bf3856ad364e35_10.0.19041.1_none_4cc7187cbf1ef970\psp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\r\sihost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\r\wksprt.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_multimedia-windows-..n-playready-desktop_31bf3856ad364e35_10.0.19041.1_none_ef166e795b249cbd\prproc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..omerfeedbackmanager_31bf3856ad364e35_10.0.19041.844_none_c47fb20821633815\imecfmui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mapi-mmga_31bf3856ad364e35_10.0.19041.746_none_be98bb8265bc211a\r\mmgaserver.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\change.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wpd-shellextension_31bf3856ad364e35_10.0.19041.1_none_c719fa2e662738e0\WPDShextAutoplay.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_10.0.19041.1266_none_2d0e4759c01cf211\setup_wm.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-e..ifiedwritefilter-ux_31bf3856ad364e35_10.0.19041.746_none_c7c6fccae233c8b7\r\uwfux.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-n..setup-compatibility_31bf3856ad364e35_10.0.19041.746_none_4e1b852ddd390c0b\NetCfgNotifyObjectHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-klist_31bf3856ad364e35_10.0.19041.1266_none_b5fa73367bbd2f91\r\klist.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.153_none_c8fbed52dad932cb\ResetEngine.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_aee92417063babbe\WinRTNetMUAHostServer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wininit_31bf3856ad364e35_10.0.19041.1202_none_a5b2e5b8b986fe3d\r\wininit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.1_none_5106d54a804dbfc3\tpmvscmgr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_ffd303094ff1fe66\auditpol.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.19041.1023_none_6aeab5d4bd0371a8\r\user.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1288_none_a518f9eb1ab503d0\hvax64.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-i..atedusermode-kernel_31bf3856ad364e35_10.0.19041.1023_none_5c93ef2449c89609\f\securekernel.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..rvices-adam-install_31bf3856ad364e35_10.0.19041.1_none_d2c567b17279a950\adaminstall.exe C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sysx32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 1504 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 1504 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 1504 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
PID 1504 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
PID 1504 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
PID 3296 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
PID 3296 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
PID 3296 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe --type=collab-renderer --proc=3296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4644 -ip 4644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1008

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/1504-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 c679d949e24f0da8ada06aa84d718bfe
SHA1 972f771daeb976b70c4847f929a83bd5917cb23e
SHA256 7281291a85f7446bd8d15c9c9af312711550cac86cd5ba8d9921c56de3ca913c
SHA512 ed721e1eb14fec0dde13dd09813be87d187032ea75c6825bd2866e367de28d8535de1e591ed51d6583ea510c02fc9a11779cdf7356f6fadbce24282bea4d52ee

C:\Program Files\7-Zip\7z.exe

MD5 b87635a654a3114d002a8afa35aa1f21
SHA1 8bd68dab76853a473189ddc7c2dc1a7021accd43
SHA256 b9d5f07627feeb624dc2cc4afc3edfb51a827fd75af29a08d9e3249ee8e97d93
SHA512 a84a829416a74c5a061f473a3065efa4e78b22d3ea31e9a056aec8a219fa586877788b72bbf9d11f75df1ec0d8a2f09707dad78edfb750b189f48c67ce5499f2

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

MD5 b35327b6468894d08999a3579c4a8c0d
SHA1 ae5ceda3cecb3f9c64d2bbb02d764f0c5394f441
SHA256 c127bb107832faac1c823dd63af009b5e891f4dbaca1e4c299a549d22e3446c3
SHA512 67a537194e37fc0db15ac52b8c7f874e719f55b9f5e76e08cc56fc8913e9cba8903ead6eddfbbac93b871d2314cabe99803140a9b2ed319b24017dcc79fc7475

memory/1504-75-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1504-74-0x0000000000400000-0x0000000000411000-memory.dmp

memory/804-638-0x0000000000400000-0x0000000000411000-memory.dmp

memory/804-639-0x0000000000400000-0x0000000000411000-memory.dmp

memory/804-1281-0x0000000000400000-0x0000000000411000-memory.dmp

memory/804-2689-0x0000000000400000-0x0000000000411000-memory.dmp

memory/804-2690-0x0000000000400000-0x0000000000411000-memory.dmp

memory/804-2691-0x0000000000400000-0x0000000000411000-memory.dmp

memory/804-2692-0x0000000000400000-0x0000000000411000-memory.dmp

memory/804-2693-0x0000000000400000-0x0000000000411000-memory.dmp