Malware Analysis Report

2025-06-16 00:04

Sample ID 241105-3fndbazpdv
Target 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber
SHA256 59cf20a6b5ad5973b75fe12431bb5e3455650cc3176cef5aeaca0e7da7cb09ee
Tags
discovery persistence ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

59cf20a6b5ad5973b75fe12431bb5e3455650cc3176cef5aeaca0e7da7cb09ee

Threat Level: Likely malicious

The file 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (316) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 23:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 23:27

Reported

2024-11-05 23:30

Platform

win7-20240903-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1088 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 1088 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 1088 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 1088 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 1088 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
PID 1088 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
PID 1088 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
PID 1088 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
PID 2736 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
PID 2736 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
PID 2736 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
PID 2736 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe --type=collab-renderer --proc=2736

Network

N/A

Files

memory/1088-0-0x0000000000400000-0x0000000000411000-memory.dmp

\Windows\SysWOW64\sysx32.exe

MD5 cd4e0696f981277d3f3513f34549f125
SHA1 43fa109b18d953344faae6afb987809a9a0a266a
SHA256 59cf20a6b5ad5973b75fe12431bb5e3455650cc3176cef5aeaca0e7da7cb09ee
SHA512 87f160cea14d958950010142d49f49b7522bbe1625665a56830b5c77b405627cc79405af235d0a238eaad7627774a009231527e7678b712b7b365090316cac86

memory/1088-11-0x00000000001B0000-0x00000000001C1000-memory.dmp

memory/1088-10-0x00000000001B0000-0x00000000001C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

MD5 05fc7907ae77304429f2099533e39e73
SHA1 f3e98ee40c9473d64222e4ecb783aa5234767719
SHA256 ee5a827a0d216ea35652c121ec85be227832e81592f4eeb6ea78012f0a6ce207
SHA512 6e7a56b53b73aaa1dfcc1ef721bf421f557872d2222db3cb43ee78ac4ca22eae2f1b2dd53eeec332e15262efd1cef778662b164a41d58570f43348730cc8d93d

memory/1088-21-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2728-22-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 23:27

Reported

2024-11-05 23:30

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe"

Signatures

Renames multiple (316) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\netsh.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\verclsid.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wowreg32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cliconfg.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mfpmp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\CameraSettingsUIHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\shutdown.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\LaunchWinApp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\lodctr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\powercfg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rasphone.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\regedt32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\CloudNotifications.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\fontdrvhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\WinMgmt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\dplaysvr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\setx.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\certreq.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mmgaserver.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\mavinject.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\stordiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\whoami.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\dpapimig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\logman.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesComputerName.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\eudcedit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\edpnotify.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\runonce.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\wbem\WinMgmt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SettingSyncHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\Com\MigRegDB.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\finger.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\fsutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\regini.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\unlodctr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\autoconv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ComputerDefaults.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\dialer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\bthudtask.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RMActivate_isv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\UserAccountBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mspaint.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\PresentationHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\w32tm.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\wermgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\Netplwiz.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TCPSVCS.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\InfDefaultInstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\recover.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\xwizard.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\calc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\sxstrace.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\LaunchWinApp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\printui.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\systray.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jjs.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\java.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msoev.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.1151_none_ec390bd802a1c630\SearchFilterHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1_none_6331d348ae4a8fa9\poqexec.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-embedded-shelllauncher_31bf3856ad364e35_10.0.19041.1202_none_b918e36ffc7a6ffe\r\eshell.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\r\BackgroundTransferHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-recdisc-main_31bf3856ad364e35_10.0.19041.746_none_6275453e12708a76\f\recdisc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..ebviewhost.appxmain_31bf3856ad364e35_10.0.19041.264_none_e85c49c0793f9f24\r\Win32WebViewHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wordpad_31bf3856ad364e35_10.0.19041.1_none_e3ab86b70c430b3c\wordpad.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-logagent_31bf3856ad364e35_10.0.19041.1_none_ab86440d95c72095\logagent.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\r\AppVNice.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-bcdboot-cmdlinetool_31bf3856ad364e35_10.0.19041.1237_none_d618a074f3588a53\r\bcdboot.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_10.0.19041.746_none_251e769058968366\r\Dxpserver.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wininit_31bf3856ad364e35_10.0.19041.1_none_e6e3c652a3ae2d1d\wininit.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-autochk_31bf3856ad364e35_10.0.19041.1_none_97e4facd611ea96a\autochk.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-diskpart_31bf3856ad364e35_10.0.19041.964_none_46ba1386f4ce2b0b\diskpart.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-e..riseclientsync-host_31bf3856ad364e35_10.0.19041.207_none_ac38fc33d542b487\f\WorkFolders.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.19041.264_none_31474dbf12ce5adc\r\XblGameSaveTask.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\r\hvsiproxyapp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..ac-sql-cliconfg-exe_31bf3856ad364e35_10.0.19041.1_none_260e545bf60f6b0f\cliconfg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..sktop.appxmain.root_31bf3856ad364e35_10.0.19041.264_none_a71c9f7fdcd899c5\r\SearchApp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.1266_none_fb98272b39a47240\r\MoUsoCoreWorker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1_none_6f451098bef6266e\unsecapp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1288_none_6f1fcb1866fcb4b8\r\ntprint.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_10.0.19041.1202_none_c0150a0a443c0ffc\r\wbadmin.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\r\hvsiproxyapp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..switch-toasthandler_31bf3856ad364e35_10.0.19041.746_none_a89196e695076787\f\InputSwitchToastHandler.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.746_none_790f12933fbf7e0d\r\rmttpmvscmgrsvr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..hreshold-adminflows_31bf3856ad364e35_10.0.19041.1023_none_9583d52fd3076014\r\SystemSettingsAdminFlows.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.1266_none_21c0be7c0dad3632\r\UNPUXLauncher.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_multipoint-wmssessionagent_31bf3856ad364e35_10.0.19041.746_none_7f157730d01dcdae\f\WmsSessionAgent.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_10.0.19041.264_none_02eb5d2ec5a9ec02\f\sdclt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.19041.1266_none_e8d910c7c702b558\r\MusNotificationUx.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-ngen_exe_b03f5f7f11d50a3a_4.0.15805.0_none_b2fd45ddd475eb50\ngen.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_10.0.19041.746_none_476e348ff3b593af\cmstp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AssignedAccessLockApp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e-client-ui-wsreset_31bf3856ad364e35_10.0.19041.746_none_a47144c464d15475\WSReset.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..client-decoder-host_31bf3856ad364e35_10.0.19041.662_none_0070027dab4e4ffe\UtcDecoderHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_10.0.19041.1_none_7e31b18ab29f9913\TsWpfWrp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.1266_none_cfec8db821d83671_winload.exe_75835076 C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mdmagent_31bf3856ad364e35_10.0.19041.1266_none_b9c280a4d350d170\r\MDMAgent.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.1_none_e768b85cf7ad062e\TSWbPrxy.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_b3df5aa8d99e9b89\f\TSTheme.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1_none_6f451098bef6266e\unsecapp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-winrsplugins_31bf3856ad364e35_10.0.19041.1_none_cc2783ead104d62a\winrshost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoftwindows-undockeddevkit.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a22e961d4bcae1e\UndockedDevKit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_49716c2392052aca\logman.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_comsvcconfig_b03f5f7f11d50a3a_4.0.15805.0_none_468e01fabfc37212\ComSvcConfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.746_none_790f12933fbf7e0d\tpmvscmgrsvr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ces-backgroundagent_31bf3856ad364e35_10.0.19041.423_none_d8a242bf396f7d4d\SpaceAgent.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.262_none_e73f0197262d9fec\TiFileFetcher.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_e8b8012dee3ba92e\ROUTE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\sethc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx4-aspnet_regiis_exe_b03f5f7f11d50a3a_4.0.15805.0_none_c8f9d36146564b7f\aspnet_regiis.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..atibility-assistant_31bf3856ad364e35_10.0.19041.1266_none_a88c5999d8585853\r\pcalua.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-compat-compattelrunner_31bf3856ad364e35_10.0.19041.1202_none_33e8c5dac6801a49\r\CompatTelRunner.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ostic-user-resolver_31bf3856ad364e35_10.0.19041.1_none_7b261299a50c8282\DFDWiz.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_10.0.19041.264_none_02eb5d2ec5a9ec02\f\sdclt.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_bd2b0ef5b58e1540\f\wscript.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..up-deviceencryption_31bf3856ad364e35_10.0.19041.1202_none_4f22e21b58d6c2e3\f\BitLockerDeviceEncryption.exe C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sysx32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 2796 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 2796 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 2796 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
PID 2796 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
PID 2796 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
PID 2108 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
PID 2108 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
PID 2108 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe --type=collab-renderer --proc=2108

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/2796-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 cd4e0696f981277d3f3513f34549f125
SHA1 43fa109b18d953344faae6afb987809a9a0a266a
SHA256 59cf20a6b5ad5973b75fe12431bb5e3455650cc3176cef5aeaca0e7da7cb09ee
SHA512 87f160cea14d958950010142d49f49b7522bbe1625665a56830b5c77b405627cc79405af235d0a238eaad7627774a009231527e7678b712b7b365090316cac86

C:\Program Files\7-Zip\7z.exe

MD5 cf91782089cf539220245a8ab01a89ce
SHA1 282f6f74537fa89a6e69a5210b14dd450b725f57
SHA256 36198acb04425ee207c21504171bbc9ae3f860e75d1f6d4aea9c1b476c596449
SHA512 a5ace830c7553e5428c64f6f7679afebf63f1db256d9151058effc0d36b07ca265a3372d18503cbf0d847e5def4878d82cd032146deb096e476a439fd7f917bb

C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

MD5 05fc7907ae77304429f2099533e39e73
SHA1 f3e98ee40c9473d64222e4ecb783aa5234767719
SHA256 ee5a827a0d216ea35652c121ec85be227832e81592f4eeb6ea78012f0a6ce207
SHA512 6e7a56b53b73aaa1dfcc1ef721bf421f557872d2222db3cb43ee78ac4ca22eae2f1b2dd53eeec332e15262efd1cef778662b164a41d58570f43348730cc8d93d

memory/2796-133-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1004-827-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1004-826-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1004-1709-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1004-2689-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1004-2690-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1004-2691-0x0000000000400000-0x0000000000411000-memory.dmp