Malware Analysis Report

2024-12-07 10:20

Sample ID 241112-3b21xaskfz
Target 70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867
SHA256 70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867
Tags
discovery persistence ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867

Threat Level: Likely malicious

The file 70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867 was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (316) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 23:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 23:21

Reported

2024-11-12 23:23

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe"

Signatures

Renames multiple (316) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\backgroundTaskHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\DpiScaling.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SearchProtocolHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\CloudNotifications.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\nslookup.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SearchIndexer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\verclsid.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cmdkey.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\ctfmon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ndadmin.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\sdbinst.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Utilman.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SystemPropertiesProtection.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\compact.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\driverquery.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\EhStorAuthn.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\fixmapi.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\fontview.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\regini.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RunLegacyCPLElevated.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\dxdiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\PresentationHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\prevhost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Com\comrepl.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\dfrgui.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\efsui.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\regedt32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fondue.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\net1.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\rasautou.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rasphone.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\hh.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\PING.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\colorcpl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\HOSTNAME.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RMActivate_isv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dism\DismHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\at.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\fltMC.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\tttracer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\edpnotify.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\mobsync.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\sxstrace.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\tcmsetup.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TSTheme.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wscript.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\attrib.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cleanmgr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\schtasks.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TokenBrokerCookies.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\fontdrvhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\dvdplay.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\findstr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\InfDefaultInstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\LaunchWinApp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\odbcad32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\regini.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Mozilla Firefox\crashreporter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Mail\wabmig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoev.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Windows Media Player\wmpconfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpconfig.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.84_none_42927ae06bc1dce9\f\WpcMon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1202_none_813ba58adb6e7f68\r\GameBarPresenceWriter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.1_none_03831cf8d49cee55\prevhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3_fontdrvhost.exe_94bdc76d C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_38869341091832be\WMIADAP.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.19041.264_none_911b6d2a51481d59\mavinject.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.19041.1023_none_d3d892f3280079d7\f\MdmDiagnosticsTool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-fodhelper-ux_31bf3856ad364e35_10.0.19041.1_none_e8e077950faced1a\fodhelper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.19041.1288_none_1cec63974464878f\SenseSampleUploader.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_windowssearchengine_31bf3856ad364e35_7.0.19041.1151_none_f68db62a3702882b\f\SearchProtocolHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-d..ommandline-dsdbutil_31bf3856ad364e35_10.0.19041.1_none_996ba223b673811b\dsdbutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.19041.423_none_204af7ff19532470\OOBENetworkCaptivePortal.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpinit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-tieringengine_31bf3856ad364e35_10.0.19041.746_none_8d7110d8c33b651f\f\TieringEngineService.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.1_none_39961f6f77f90ff5\UserAccountControlSettings.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-printing-eduprintprov_31bf3856ad364e35_10.0.19041.1_none_67326312c2487423\EduPrintProv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.262_none_e73f0197262d9fec\TiFileFetcher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\SpeechModelDownload.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-control_31bf3856ad364e35_10.0.19041.423_none_81cc87a43da05fd1\control.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ing-management-core_31bf3856ad364e35_10.0.19041.746_none_092d70d1898e5ff9\r\DismHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-dsdbutil_31bf3856ad364e35_10.0.19041.1_none_f58a3da76ed0f251\dsdbutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-diskpart_31bf3856ad364e35_10.0.19041.964_none_46ba1386f4ce2b0b\f\diskpart.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-nbtstat_31bf3856ad364e35_10.0.19041.1_none_540191f5bdbc78d5\nbtstat.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-isoburn_31bf3856ad364e35_10.0.19041.746_none_680d56683fad152b\f\isoburn.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.117_none_4d353cf1ceb5d6d2\notepad.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.19041.1202_none_cc0c3d35675da3a1_appidpolicyconverter.exe_83972af0.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_10.0.19041.906_none_23e2379a6f03d0cb\f\gpresult.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-runonce_31bf3856ad364e35_10.0.19041.1202_none_94cfabd8a89f0b96\runonce.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.19041.1202_none_cc0c3d35675da3a1\appidpolicyconverter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-certificateinstall_31bf3856ad364e35_10.0.19041.1151_none_ae854961a06058b2\f\dmcertinst.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ldifde_31bf3856ad364e35_10.0.19041.1_none_d6d84e47a8300235\ldifde.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-process_31bf3856ad364e35_10.0.19041.746_none_11e04cec24452336_dwm.exe_04cf416e.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-grouppolicy-script_31bf3856ad364e35_10.0.19041.572_none_4d40b8e902f83dd6\gpscript.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx4-cvtres_exe_b03f5f7f11d50a3a_4.0.15805.0_none_9959f3c5e4eeac5f\cvtres.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-help-client_31bf3856ad364e35_10.0.19041.1151_none_e0e8a531e34051a9\f\HelpPane.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_10.0.19041.844_none_64d33f8fb364398c\f\net1.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-winlogon-tools_31bf3856ad364e35_10.0.19041.746_none_726cc4a1ebcb1c1e\f\wlrmdr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx-dfsvc_b03f5f7f11d50a3a_10.0.19041.1_none_833d086e8f306c45\dfsvc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-bootux.deployment_31bf3856ad364e35_10.0.19041.746_none_1c0a97992f105d4b\r\bootim.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1_none_52c6583f47afba7a\convert.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-eventlog-commandline_31bf3856ad364e35_10.0.19041.1202_none_3594628932065f23\r\wevtutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-r..ckgroundmediaplayer_31bf3856ad364e35_10.0.19041.1266_none_3b00801193b15c0f\Windows.Media.BackgroundPlayback.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.746_none_4028b8f4f6c0b829\f\wpr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.0.19041.1202_none_512e9d368c70b758\f\iexplore.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.1266_none_1abb9653828c3f41\SecurityHealthService.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_10.0.19041.1266_none_2d0e4759c01cf211\setup_wm.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.19041.1202_none_574a25a5ee347454\r\memtest.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-rundll32_31bf3856ad364e35_10.0.19041.746_none_c05346ae3e1a99a4\rundll32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\wsmprovhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.1288_none_f92f7256107c0e35\f\nvspinfo.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\AppVDllSurrogate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fax-service_31bf3856ad364e35_10.0.19041.1_none_6314a7411fa6f2ec\FXSSVC.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ttings-removedevice_31bf3856ad364e35_10.0.19041.1_none_69523ba694c053ca\SystemSettingsRemoveDevice.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\f\smss.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_windows-application..egistrationverifier_31bf3856ad364e35_10.0.19041.746_none_64e9b1de23df7cf4\r\AppHostRegistrationVerifier.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_bd2b0ef5b58e1540\f\cscript.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-msaudittools_31bf3856ad364e35_10.0.19041.546_none_f57e58b71b913c6b\f\auditpol.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-parentalcontrols-ots_31bf3856ad364e35_10.0.19041.1052_none_073e2a212d1697e6\ApproveChildRequest.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-r..verycenter-platform_31bf3856ad364e35_10.0.19041.964_none_21209b01f08afd33\SystemResetPlatform.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\r\wmpshare.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sysx32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe

"C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe

C:\Users\Admin\AppData\Local\Temp\_70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

memory/2684-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 c96fde6a9b9523f9feeb22864d5604dd
SHA1 e8ba41037e3e048c3324fd73eb6be24abc93abdc
SHA256 70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867
SHA512 fc9945cd72ccb12604c7a52279cc1248622067598fd45f19d4caba2665e1151b7f93e7173d8fb93893697be4f72066482d337f9cb9ed07756e2081804bae5cfc

C:\Program Files\7-Zip\7z.exe

MD5 9bd1cc36f10400c14630fbb9fcc62fd5
SHA1 557d992a823b4b5cba1ce36277df5117e3e7b86b
SHA256 004ebe79e253e251e3b1ec9ed1e5538db6aef598e0f11c785c76911b1809f5dd
SHA512 d52d6df7540f973abd9d0407f230de11fe0dadd323e574f6f8adc06e8e4402f52a636fbc253225709979fb5183310b18f7060e455767836f97f60b30d4ccdb79

C:\Users\Admin\AppData\Local\Temp\_70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe

MD5 9727b454bf8ea63bb8329d64120299e8
SHA1 f65ae916e5405314e1bf05eebbadf8ff323e6cd9
SHA256 f4ffae00adb8941377afff1e10ab49b851a9292c2e607394d22114cc6cbfead0
SHA512 ff763df4e37882ac8d74ca63f4d9d791788852bb32b84043109959c42f123e141a1af7b382dc4526e6305caf59e9f91833ca58024a386b4fea91d4c449bc8bac

memory/2684-820-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1756-1199-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1756-1200-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1756-2686-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1756-2687-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1756-2688-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 23:21

Reported

2024-11-12 23:23

Platform

win7-20240729-en

Max time kernel

141s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe N/A
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe C:\Windows\SysWOW64\sysx32.exe
PID 2172 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe C:\Windows\SysWOW64\sysx32.exe
PID 2172 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe C:\Windows\SysWOW64\sysx32.exe
PID 2172 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe C:\Windows\SysWOW64\sysx32.exe
PID 2172 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe C:\Users\Admin\AppData\Local\Temp\_70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe
PID 2172 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe C:\Users\Admin\AppData\Local\Temp\_70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe
PID 2172 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe C:\Users\Admin\AppData\Local\Temp\_70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe
PID 2172 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe C:\Users\Admin\AppData\Local\Temp\_70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe

"C:\Users\Admin\AppData\Local\Temp\70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe

C:\Users\Admin\AppData\Local\Temp\_70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe

Network

N/A

Files

memory/2172-0-0x0000000000400000-0x0000000000411000-memory.dmp

\Windows\SysWOW64\sysx32.exe

MD5 c96fde6a9b9523f9feeb22864d5604dd
SHA1 e8ba41037e3e048c3324fd73eb6be24abc93abdc
SHA256 70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867
SHA512 fc9945cd72ccb12604c7a52279cc1248622067598fd45f19d4caba2665e1151b7f93e7173d8fb93893697be4f72066482d337f9cb9ed07756e2081804bae5cfc

memory/2092-13-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2172-11-0x0000000000220000-0x0000000000231000-memory.dmp

memory/2172-10-0x0000000000220000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_70823a2e245f70ef6829183c9ecf904a566c39246ff1e4d42d492bc66783f867.exe

MD5 9727b454bf8ea63bb8329d64120299e8
SHA1 f65ae916e5405314e1bf05eebbadf8ff323e6cd9
SHA256 f4ffae00adb8941377afff1e10ab49b851a9292c2e607394d22114cc6cbfead0
SHA512 ff763df4e37882ac8d74ca63f4d9d791788852bb32b84043109959c42f123e141a1af7b382dc4526e6305caf59e9f91833ca58024a386b4fea91d4c449bc8bac

memory/2172-20-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2092-22-0x0000000000400000-0x0000000000411000-memory.dmp