Malware Analysis Report

2025-06-16 00:04

Sample ID 241106-azpfhasfjm
Target dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN
SHA256 dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290f
Tags
discovery persistence ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290f

Threat Level: Likely malicious

The file dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (316) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 00:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 00:39

Reported

2024-11-06 00:41

Platform

win7-20240903-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe C:\Windows\SysWOW64\sysx32.exe
PID 2548 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe C:\Windows\SysWOW64\sysx32.exe
PID 2548 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe C:\Windows\SysWOW64\sysx32.exe
PID 2548 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe C:\Windows\SysWOW64\sysx32.exe
PID 2548 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
PID 2548 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
PID 2548 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe
PID 2548 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe

"C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe

C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe

Network

N/A

Files

memory/2548-0-0x0000000000400000-0x0000000000411000-memory.dmp

\Windows\SysWOW64\sysx32.exe

MD5 661d0561ddceaf9ae6edf8a50b6c26c0
SHA1 b1dd6be08f907050574f7102dfc83fd7223c0179
SHA256 dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290f
SHA512 c8b342af6e7180f99a0acf5c77a60a5b2d58c49c884dd929238797e27b79de8d9dece2d4444a7349f1e84ff036852a94f09608be24e80c0c56e80cc043719474

memory/2548-10-0x0000000000220000-0x0000000000231000-memory.dmp

memory/2548-11-0x0000000000220000-0x0000000000231000-memory.dmp

memory/2380-13-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe

MD5 84aa72f040ae8f9e022bc1e9f7239d68
SHA1 316a576cacc2cf63e8c698dcd5ee66be0b88643d
SHA256 6faacf875bf79d89a97296dba832a12eedfb44dde44d8119e3e212a8afa7d5b7
SHA512 4314af0eb37069c7c61ca57f8fe5bedf61524e6fed2a4d3b40b63c8abb1dff12ea00cda864c31106b8af34863d379f8428e3e7942b3edb7b58e325c15bc58e71

memory/2548-21-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2380-23-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 00:39

Reported

2024-11-06 00:41

Platform

win10v2004-20241007-en

Max time kernel

108s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe"

Signatures

Renames multiple (316) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\compact.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\hh.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mobsync.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\ndadmin.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\cleanmgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\isoburn.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wecutil.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\fc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\esentutl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\MRINFO.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cmmon32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\InputSwitchToastHandler.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\makecab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\UserAccountControlSettings.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WPDShextAutoplay.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WPDShextAutoplay.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\mofcomp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\bthudtask.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\reg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SettingSyncHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\setup16.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\winrshost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\expand.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wsmprovhost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\rasphone.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\runas.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wecutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\dccw.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\AtBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\wevtutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ARP.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\finger.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\RMActivate_isv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\takeown.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\tracerpt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\dllhst3g.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\LaunchTM.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\user.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\find.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\autofmt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\fltMC.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\forfiles.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mspaint.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RMActivate_isv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\autoconv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SndVol.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\msdt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SystemPropertiesRemote.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\chkdsk.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RmClient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\regedt32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\recover.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\sc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TCPSVCS.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rasautou.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\ftp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\UserAccountControlSettings.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\kinit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msotd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Windows Media Player\setup_wm.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{AFD1DC19-D740-4861-ADFA-3BC6A9F6A223}\chrome_installer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..line-user-interface_31bf3856ad364e35_10.0.19041.1_none_92d880487c3589c8\cmdkey.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\f\scp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windows-application..egistrationverifier_31bf3856ad364e35_10.0.19041.746_none_64e9b1de23df7cf4\r\AppHostRegistrationVerifier.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.264_none_8bd2f5fc0c992e06\r\SearchFilterHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.19041.1023_none_6aeab5d4bd0371a8\setup16.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-a..cation-creduibroker_31bf3856ad364e35_10.0.19041.746_none_4c95cf26b3aa5907\f\CredentialUIBroker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..vercommandlinetools_31bf3856ad364e35_10.0.19041.1_none_70349c6644208282\flattemp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_10.0.19041.1_none_b0493212512a7f1a\ntprint.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-runonce_31bf3856ad364e35_10.0.19041.1202_none_94cfabd8a89f0b96\runonce.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-tasklist_31bf3856ad364e35_10.0.19041.1_none_e888ea072e0fed05\tasklist.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-isoburn_31bf3856ad364e35_10.0.19041.746_none_680d56683fad152b\f\isoburn.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.19041.1288_none_d616f4b76bd7b8a2\f\ApplyTrustOffline.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-autochkconfigurator_31bf3856ad364e35_10.0.19041.1_none_ceb3891c2721fc43\chkntfs.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.746_none_770f598aef14382e\r\dfrgui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.844_none_95c651508e565d13\f\provtool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.153_none_59d1094dec9b8480\Spectrum.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\f\InputApp\TextInputHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_serviceinitiatedhealing-client_31bf3856ad364e35_10.0.19041.1288_none_91a5fb477b6af5a0\r\SIHClient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.19041.1202_none_dfaaff89afe4f3d4_vdsldr.exe_20c491b3.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1_none_a068a30a6853aaec\ByteCodeGenerator.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_908b22903a403149\f\ndadmin.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\r\svchost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\TpmTool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\wowreg32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_windows-defender-nis-service_31bf3856ad364e35_10.0.19041.1_none_d3e3ad84b24cfdfe_nissrv.exe_f967cd63 C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_10.0.19041.928_none_6a67731cf3e151f2\pcaui.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-d..-externaldictionary_31bf3856ad364e35_10.0.19041.1_none_fce141858c5d7f03\IMEWDBLD.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_10.0.19041.1202_none_ddf8c4144200f5b4\f\winresume.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\r\MicrosoftEdge.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.153_none_95ba73d08e5f739c\r\provtool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\ScreenClipping\ScreenClippingHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_2e31e8eed4b770c3\WmiApSrv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1_none_b817dbd29134ec4d\GameBarPresenceWriter.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-b..ment-windows-minwin_31bf3856ad364e35_10.0.19041.1266_none_c4b179e0b12fe4b9\winload.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.84_none_9b0dd648f2c31f16\r\dfrgui.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\f\sethc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\audit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.1_none_36e57bfcb85e0850\SpatialAudioLicenseSrv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..-management-console_31bf3856ad364e35_10.0.19041.1_none_c564589414ffc535\mmc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-rpc-locator_31bf3856ad364e35_10.0.19041.1_none_8525a0b08bf57bbb\Locator.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\CustomShellHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\r\sihost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.1_none_c3249fe181844dfb\MsSpellCheckingHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-infdefaultinstall_31bf3856ad364e35_10.0.19041.1_none_2cda3b956fcdb26f\InfDefaultInstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.84_none_a689f818199cbaf8\f\Taskmgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.19041.1288_none_d616f4b76bd7b8a2\r\CustomInstallExec.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_10.0.19041.153_none_ff44cfa7cb529ce3\f\lpremove.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_caspol_b03f5f7f11d50a3a_4.0.15805.0_none_f0aa60ae9c531752\CasPol.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.19041.1_none_3d62a57d3b12dcf1\subst.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-u..iedwritefilter-mgmt_31bf3856ad364e35_10.0.19041.1266_none_41843efc8f66bc7c\f\uwfmgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-blb-engine-main_31bf3856ad364e35_10.0.19041.746_none_c1db40c45e8f2d9e\f\wbengine.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_5536c5683efe1dad\r\CameraSettingsUIHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-wusa_31bf3856ad364e35_10.0.19041.1151_none_2c2550df02273de3\wusa.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx-cvtres_for_vc_and_vb_b03f5f7f11d50a3a_10.0.19041.1_none_a6a8b89bc50eae31\cvtres.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-u..iedwritefilter-mgmt_31bf3856ad364e35_10.0.19041.1_none_82af78fa7992ecce\uwfmgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-certutil_31bf3856ad364e35_10.0.19041.746_none_937e52b9922bd791\certutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.1266_none_07a5d18b92d8b668\cmdiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1266_none_119b1e415d838a28\autoconv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..-certificateinstall_31bf3856ad364e35_10.0.19041.1151_none_ae854961a06058b2\dmcertinst.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-diskpart_31bf3856ad364e35_10.0.19041.964_none_46ba1386f4ce2b0b\f\diskpart.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxmain_31bf3856ad364e35_10.0.19041.1023_none_374973298940e35c\FilePicker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sysx32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe

"C:\Users\Admin\AppData\Local\Temp\dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe

C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

memory/1500-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 661d0561ddceaf9ae6edf8a50b6c26c0
SHA1 b1dd6be08f907050574f7102dfc83fd7223c0179
SHA256 dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290f
SHA512 c8b342af6e7180f99a0acf5c77a60a5b2d58c49c884dd929238797e27b79de8d9dece2d4444a7349f1e84ff036852a94f09608be24e80c0c56e80cc043719474

C:\Users\Admin\AppData\Local\Temp\_dbdd63359fbfc9c51b573c102a64e175e99d4aca9312da6d12b156ed1373290fN.exe

MD5 84aa72f040ae8f9e022bc1e9f7239d68
SHA1 316a576cacc2cf63e8c698dcd5ee66be0b88643d
SHA256 6faacf875bf79d89a97296dba832a12eedfb44dde44d8119e3e212a8afa7d5b7
SHA512 4314af0eb37069c7c61ca57f8fe5bedf61524e6fed2a4d3b40b63c8abb1dff12ea00cda864c31106b8af34863d379f8428e3e7942b3edb7b58e325c15bc58e71

C:\Program Files\7-Zip\7z.exe

MD5 faf1118ab8493df7829c59f7ef8ba26a
SHA1 be7437a5650ff6628aa4aaa872afd8499db3c652
SHA256 5c3b146c18b16b4a8db02453e04b455be394681cf9870e97e2fa253482c7cf2e
SHA512 e124b0f46101882a40b475280d2e0152c6b861a43d0b8377e4adc15c96e73ee04b4a09faf3f23087c0d11c653441e6d42022c0c2a92f75a26389233f4185516e

memory/1500-62-0x0000000000400000-0x0000000000411000-memory.dmp

memory/556-960-0x0000000000400000-0x0000000000411000-memory.dmp

memory/556-961-0x0000000000400000-0x0000000000411000-memory.dmp

memory/556-2687-0x0000000000400000-0x0000000000411000-memory.dmp

memory/556-2688-0x0000000000400000-0x0000000000411000-memory.dmp

memory/556-2689-0x0000000000400000-0x0000000000411000-memory.dmp

memory/556-2690-0x0000000000400000-0x0000000000411000-memory.dmp