Malware Analysis Report

2024-12-07 10:15

Sample ID 241112-tpdqsszjen
Target a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
SHA256 a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebed
Tags discovery persistence ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256 a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebed

Threat Level: Likely malicious

The file a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (316) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 16:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 16:13

Reported

2024-11-12 16:15

Platform

win7-20240903-en

Max time kernel

110s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sysx32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe N/A
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 320 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe C:\Windows\SysWOW64\sysx32.exe
PID 320 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe C:\Windows\SysWOW64\sysx32.exe
PID 320 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe C:\Windows\SysWOW64\sysx32.exe
PID 320 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe C:\Windows\SysWOW64\sysx32.exe
PID 320 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
PID 320 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
PID 320 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe
PID 320 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe

"C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe

C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe

Network

N/A

Files

memory/320-0-0x0000000000400000-0x0000000000411000-memory.dmp

\Windows\SysWOW64\sysx32.exe

MD5 02461bcd9387cfb94a2ece08138b6110
SHA1 d1388114984c46dcdaa62b806f3216735bbb79a6
SHA256 a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebed
SHA512 ac7a44e63730fc51878a3efe4622b9ecb6021ec76bef65d62b33cecf355252d006421ae9f5ce78eaf91f9a443317f6de7f072843175349c82b3d0a0ae25c0b1c

\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe

MD5 7a98f5fca675a4b9253cbeb231a0adf9
SHA1 e672cce31524e7f09362bdeff01deb2d59db3b94
SHA256 61fadf8ae797f69625014760b601949d52e876801aeefec0ea825cdb861f18ac
SHA512 920f268530850d0d97bcc0094ec439a3fc5e067a846bffe65a5dc2125b8c6aadf3c2c2d6c0bca671b60aaf5750f69073f756615a78c810e42e218feecd67748a

memory/2636-15-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/320-18-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2920-19-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2636-22-0x00000000000E0000-0x00000000000E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 16:13

Reported

2024-11-12 16:15

Platform

win10v2004-20241007-en

Max time kernel

110s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe"

Signatures

Renames multiple (316) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ROUTE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\shutdown.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\net1.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\perfmon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Robocopy.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\chkntfs.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\compact.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SearchProtocolHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\tracerpt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ARP.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\openfiles.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RdpSa.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wsmprovhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Com\MigRegDB.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ddodiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dism.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\msra.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\OneDriveSetup.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SearchIndexer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\ieUnatt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\setup16.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TpmInit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\winrshost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\appidtel.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mavinject.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\IME\IMETC\IMTCLNWZ.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\recover.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\runas.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TapiUnattend.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\tar.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\wbem\WinMgmt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\cacls.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\GameBarPresenceWriter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\grpconv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\setx.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\dccw.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\setupugc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesProtection.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\TpmInit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\at.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\extrac32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\RMActivate_isv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\odbcconf.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\Com\MigRegDB.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\fixmapi.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\label.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesComputerName.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\cttune.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\mfpmp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesComputerName.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TsWpfWrp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\TsWpfWrp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\efsui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RpcPing.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SystemPropertiesProtection.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\odbcconf.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\subst.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\ThumbnailExtractionHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\auditpol.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoev.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVLP.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpconfig.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Windows Media Player\wmpconfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Internet Explorer\ielowutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dns-client_31bf3856ad364e35_10.0.19041.1_none_97d38a6121b6e9e6\dnscacheugc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.19041.1110_none_fb1129caa00e000f\msinfo32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..s-datausagehandlers_31bf3856ad364e35_10.0.19041.746_none_dbecc8a3cdc7c3cf\DataUsageLiveTileTask.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wpd-shellextension_31bf3856ad364e35_10.0.19041.1_none_c719fa2e662738e0\WPDShextAutoplay.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\HvsiSettingsWorker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-l..nstaller-comhandler_31bf3856ad364e35_10.0.19041.746_none_ff3f6c27e956149f\f\LanguageComponentsInstallerComHandler.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslconfig_31bf3856ad364e35_10.0.19041.117_none_7f3778d7035d9622\f\wslconfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1_none_61cd745a990bcfb3\msinfo32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-browsercore_31bf3856ad364e35_10.0.19041.1151_none_cf9de3ecb3a8f61c\r\BrowserCore.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1288_none_3f2d1be96237886e\f\wsmprovhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-runonce_31bf3856ad364e35_10.0.19041.1202_none_94cfabd8a89f0b96\r\runonce.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_3f7ee0a8ee28ef7d\f\netiougc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-autofmt_31bf3856ad364e35_10.0.19041.1266_none_650ebab5a8c02ffc\f\autofmt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\r\AppVStreamingUX.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\AppVNice.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..b-standardcollector_31bf3856ad364e35_10.0.19041.264_none_0f23d07ed2574292\r\DiagnosticsHub.StandardCollector.Service.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-international-unattend_31bf3856ad364e35_10.0.19041.906_none_9e3e509d4c4881e1\MuiUnattend.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.19041.1_none_37ab35f7e4b21a45\PrintBrmEngine.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.1_none_081f0e1c3ea3d07f\sxstrace.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_hyperv-vmsp_31bf3856ad364e35_10.0.19041.1_none_39d506065bd87607\vmsp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..alenrollmentmanager_31bf3856ad364e35_10.0.19041.1202_none_1a780ff3456b7bcd\CredentialEnrollmentManager.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lockapphost_31bf3856ad364e35_10.0.19041.746_none_d99fd60bc1fde773\f\LockAppHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.19041.1081_none_8f1e438c6737a711\r\wscadminui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_vmconnect6.2_31bf3856ad364e35_10.0.19041.1_none_5c4aee22bbc45ef1\vmconnect6.2.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_5163f0069562aff6\powershell.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1_none_9613f8b833f2e8f1\ByteCodeGenerator.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-g..ation-wincomponents_31bf3856ad364e35_10.0.19041.746_none_79bfc5cb57157e98\f\WindowsActionDialog.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\f\iissetup.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-oobe-user-broker_31bf3856ad364e35_10.0.19041.746_none_61e0347e850155a8\f\UserOOBEBroker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-disksnapshot_31bf3856ad364e35_10.0.19041.1081_none_f52da7b1195e2d45\DiskSnapshot.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\hvsirpcd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..e-client-ui-wsreset_31bf3856ad364e35_10.0.19041.746_none_a47144c464d15475\f\WSReset.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\SysResetErr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgusr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-autochk_31bf3856ad364e35_10.0.19041.1266_none_610e6b21ab533b13\autochk.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-com-surrogate-core_31bf3856ad364e35_10.0.19041.546_none_1d38815769c81e5a\dllhost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.264_none_4de8bd849baaa96f\f\WerFault.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-ngc-trustlet_31bf3856ad364e35_10.0.19041.423_none_c3eac275ecdf7e0a\r\NgcIso.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.264_none_8adc8bd8b75d383f\UNPUXHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-update-usoclient_31bf3856ad364e35_10.0.19041.1266_none_23ae8c0349f1b325\r\UsoClient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_10.0.19041.1_none_4bf3621a8ebe2ee3\vbc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.264_none_8bd2f5fc0c992e06\f\SearchIndexer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\x86_msbuild_b03f5f7f11d50a3a_10.0.19041.1_none_421bb61742382b2d\MSBuild.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.19041.964_none_a40a1f93665b43eb\r\SndVol.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_4b16fb7fab206eb1\r\printui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.19041.746_none_7a0308f7ffc334d5\resmon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1081_none_5f557b607e14f541\r\ByteCodeGenerator.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\change.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_10.0.19041.746_none_bd9bc99304595128\f\ReAgentc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\f\spoolsv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-diskpart_31bf3856ad364e35_10.0.19041.964_none_510ebdd9292eed06\f\diskpart.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\MRINFO.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.264_none_1477a882bdce0df2\vmms.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..nsimulation-service_31bf3856ad364e35_10.0.19041.84_none_d062347205e52d46\PerceptionSimulationService.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..client-ui-wscollect_31bf3856ad364e35_10.0.19041.746_none_e7acb2599054dc72\f\WSCollect.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..nsemanager-shellext_31bf3856ad364e35_10.0.19041.746_none_9043799a93dba365\f\LicenseManagerShellext.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1_none_bf506ecc66a800df\TiWorker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9ab96313e8d638bb_iscsicli.exe_20e14d4f.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx4-aspnet_wp_exe_b03f5f7f11d50a3a_4.0.15805.0_none_5643c883846b0513\aspnet_wp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\f\sethc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-eventcreate_31bf3856ad364e35_10.0.19041.1_none_8b53de27def16277\eventcreate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sysx32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe

"C:\Users\Admin\AppData\Local\Temp\a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe

C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

memory/4164-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 02461bcd9387cfb94a2ece08138b6110
SHA1 d1388114984c46dcdaa62b806f3216735bbb79a6
SHA256 a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebed
SHA512 ac7a44e63730fc51878a3efe4622b9ecb6021ec76bef65d62b33cecf355252d006421ae9f5ce78eaf91f9a443317f6de7f072843175349c82b3d0a0ae25c0b1c

C:\Program Files\7-Zip\7z.exe

MD5 7758cd67d501ac40ddf2c2e2b1131e6e
SHA1 8fca66ba5fcd94c9a660ea04caa21ac557d4e122
SHA256 8b2c8d7a94ce5b755fbcfb0029db1a502186658ae0544a6cd409d4ca1c3583b3
SHA512 aba3070bbd090206c20d32f1417b5b93599c0a620538edeb8c0fce28198edc0aa249dc87b3a1b486ea372c7eb7621ed35131e8bfb8d05d445ab57c6db026c8f0

C:\Users\Admin\AppData\Local\Temp\_a50fec8d3ded1437eda153e413cfbe9acc92fe6fb6cfd0e119f3e80c5fc3ebedN.exe

MD5 7a98f5fca675a4b9253cbeb231a0adf9
SHA1 e672cce31524e7f09362bdeff01deb2d59db3b94
SHA256 61fadf8ae797f69625014760b601949d52e876801aeefec0ea825cdb861f18ac
SHA512 920f268530850d0d97bcc0094ec439a3fc5e067a846bffe65a5dc2125b8c6aadf3c2c2d6c0bca671b60aaf5750f69073f756615a78c810e42e218feecd67748a

memory/4164-284-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4656-379-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4656-380-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4656-872-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4656-1413-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4656-2358-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4656-2694-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4656-2696-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4656-2698-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4656-2699-0x0000000000400000-0x0000000000411000-memory.dmp