Malware Analysis Report

2024-12-07 10:20

Sample ID 241113-d5th7awand
Target bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe
SHA256 bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365cc
Tags
discovery persistence ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365cc

Threat Level: Likely malicious

The file bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (316) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 03:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 03:35

Reported

2024-11-13 03:38

Platform

win7-20240903-en

Max time kernel

110s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe N/A
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe C:\Windows\SysWOW64\sysx32.exe
PID 2552 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe C:\Windows\SysWOW64\sysx32.exe
PID 2552 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe C:\Windows\SysWOW64\sysx32.exe
PID 2552 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe C:\Windows\SysWOW64\sysx32.exe
PID 2552 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe
PID 2552 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe
PID 2552 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe
PID 2552 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe
PID 2948 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe C:\Windows\SysWOW64\sysx32.exe
PID 2948 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe C:\Windows\SysWOW64\sysx32.exe
PID 2948 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe C:\Windows\SysWOW64\sysx32.exe
PID 2948 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe C:\Windows\SysWOW64\sysx32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe

"C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe

C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

Network

N/A

Files

memory/2552-0-0x0000000000400000-0x0000000000411000-memory.dmp

\Windows\SysWOW64\sysx32.exe

MD5 03256d5a073278daba6e090091e134b0
SHA1 4b87b3ca4010370f72d84350a17213edd1c113bf
SHA256 bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365cc
SHA512 cd43774dc96570934714f1fcc61c9609736048ba7ccf6467b8f1dc24abca06c40ec1d012af018ac4f4094eb7beeb952676cbebc790d59da64b41b1530a60baa4

memory/2552-11-0x0000000000340000-0x0000000000351000-memory.dmp

memory/2552-10-0x0000000000340000-0x0000000000351000-memory.dmp

memory/2948-23-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2552-22-0x0000000000340000-0x0000000000351000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe

MD5 e0e8e1074c64db8ce17f7d4a88dc6d57
SHA1 55d16b566795bf19addabcaf8c0ca70c5d767fbd
SHA256 67159212684516c0488b6850e62991c93137b8fb1ee3ba4042a169be41542bb9
SHA512 e7ad30fdf7897c358e6415d192fde10b419cf9728878c27ad04ab5ed3e260d7086bb2a39aa8a923bf74b8099ffd89d70afa566f935bc059c6adef1d2f88e6e97

memory/2948-26-0x0000000000220000-0x0000000000231000-memory.dmp

memory/2552-28-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2552-30-0x0000000000340000-0x0000000000351000-memory.dmp

memory/2552-29-0x0000000000340000-0x0000000000351000-memory.dmp

memory/2552-32-0x0000000000340000-0x0000000000351000-memory.dmp

memory/1744-31-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2948-34-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2552-33-0x0000000000340000-0x0000000000351000-memory.dmp

memory/2948-37-0x0000000000220000-0x0000000000231000-memory.dmp

memory/280-40-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 03:35

Reported

2024-11-13 03:38

Platform

win10v2004-20241007-en

Max time kernel

110s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe"

Signatures

Renames multiple (316) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Robocopy.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\regini.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemUWPLauncher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\InfDefaultInstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\OposHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RunLegacyCPLElevated.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SyncHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesProtection.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMETC\IMTCLNWZ.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\colorcpl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\diskpart.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\netsh.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\tracerpt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\charmap.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\dtdump.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\esentutl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\extrac32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RdpSa.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\unregmp2.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cleanmgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\diskperf.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\fontview.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rasdial.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\shrpubw.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wecutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\wbem\WmiPrvSE.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\dccw.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RdpSaProxy.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\sxstrace.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WerFault.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\instnm.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\MRINFO.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\RmClient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\UserAccountControlSettings.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\appidtel.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\edpnotify.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mspaint.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\WerFaultSecure.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallShield\setup.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\AtBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rekeywiz.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\systeminfo.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TpmInit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\instnm.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mtstocom.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\recover.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TpmTool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ARP.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\msiexec.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\mspaint.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\prevhost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\printui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SecEdit.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\hh.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\OpenWith.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\doskey.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\odbcad32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TsWpfWrp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\net1.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\VideoLAN\VLC\vlc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Windows Media Player\wmpshare.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Windows Media Player\wmlaunch.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Mozilla Firefox\maintenanceservice.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmlaunch.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\7-Zip\7zG.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\ssh-add.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-label_31bf3856ad364e35_10.0.19041.1_none_0d20194b69a60627\label.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..up-drivepreparation_31bf3856ad364e35_10.0.19041.1_none_56e294df085b0025\BdeHdCfg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-browsercore_31bf3856ad364e35_10.0.19041.1151_none_cf9de3ecb3a8f61c\BrowserCore.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..ebviewhost.appxmain_31bf3856ad364e35_10.0.19041.264_none_e85c49c0793f9f24\f\Win32WebViewHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-server_31bf3856ad364e35_10.0.19041.1288_none_d616f4b76bd7b8a2\f\CustomInstallExec.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.1_none_ebe59bdc3d4ddc3f\FlashUtil_ActiveX.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..tofservice-oposhost_31bf3856ad364e35_10.0.19041.1_none_3d1291badd9e7f22\OposHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..nsemanager-shellext_31bf3856ad364e35_10.0.19041.746_none_9043799a93dba365\LicenseManagerShellext.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sensordataservice_31bf3856ad364e35_10.0.19041.746_none_dbfd31e3890afb72\f\SensorDataService.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-client-li..ing-platform-client_31bf3856ad364e35_10.0.19041.1266_none_7e2b6be969016c27\licensingdiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-hns-diagnosticstool_31bf3856ad364e35_10.0.19041.1_none_5c015a65c60d8097\hnsdiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1_none_b354d0155be50ce9\pnputil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-vssservice_31bf3856ad364e35_10.0.19041.746_none_38c6194376a6b88c\f\VSSVC.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-autofmt_31bf3856ad364e35_10.0.19041.1266_none_650ebab5a8c02ffc\r\autofmt.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-uso-dtuhandler_31bf3856ad364e35_10.0.19041.153_none_c0c4ee134c2535a0\r\DTUHandler.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.1081_none_ef39acce2648e404\f\WerFaultSecure.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.1266_none_ab5bdb26141e0be5\r\vmms.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.19041.1288_none_ff9a0c377d92f65b\wpnpinst.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux-dlg_31bf3856ad364e35_10.0.19041.746_none_7c508e4438cec899\f\phoneactivate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.1_none_f0c3a71562899181\sessionmsg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.264_none_64b3f487e354744d\r\usocoreworker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.264_none_8adc8bd8b75d383f\f\UNPUXHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_10.0.19041.1_none_4b527e92ee1ad1e5\cmd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_10.0.19041.1_none_40fdd440b9ba0fea\cmd.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\ImeBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.19041.1_none_330dfb2b06b21af6\find.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mapi-mmga_31bf3856ad364e35_10.0.19041.746_none_b4441130315b5f1f\f\mmgaserver.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_multipoint-wmsuseragent_31bf3856ad364e35_10.0.19041.1_none_16cc981df6cf3111\WmsUserAgent.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.19041.1_none_3d62a57d3b12dcf1\replace.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.1_none_e190f18a08ed1a44\FlashUtil_ActiveX.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_40b989c5d3ea9316\f\EaseOfAccessDialog.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\Setup.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\r\UIMgrBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.264_none_8bd2f5fc0c992e06\f\SearchIndexer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-hns-diagnosticstool_31bf3856ad364e35_10.0.19041.423_none_841c30f68571c385\r\hnsdiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-i..atedusermode-kernel_31bf3856ad364e35_10.0.19041.1023_none_5c93ef2449c89609\f\securekernel.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-openwith_31bf3856ad364e35_10.0.19041.1_none_2d66868246722e10\OpenWith.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1081_none_ae0369bc9fe47e6c\f\appidtel.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-i..switch-toasthandler_31bf3856ad364e35_10.0.19041.1_none_8ade03f009f66b38\InputSwitchToastHandler.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.746_none_770f598aef14382e\f\dfrgui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-nbtstat_31bf3856ad364e35_10.0.19041.1_none_540191f5bdbc78d5\nbtstat.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..client-ui-wscollect_31bf3856ad364e35_10.0.19041.746_none_e7acb2599054dc72\r\WSCollect.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..sktop.appxmain.root_31bf3856ad364e35_10.0.19041.1266_none_3e00d223332897b8\r\SearchApp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sensordataservice_31bf3856ad364e35_10.0.19041.746_none_dbfd31e3890afb72\f\SensorDataService.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_edmgen_b77a5c561934e089_4.0.15805.0_none_ae80a3049486a75f\EdmGen.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-pnp-drvinst_31bf3856ad364e35_10.0.19041.1202_none_ca1e0a7a1f21274c\f\drvinst.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_3f1cc1d15da468cf\f\relog.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.19041.1202_none_dfaaff89afe4f3d4\f\vds.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..andlinepropertytool_31bf3856ad364e35_10.0.19041.844_none_f3894559140c31d7\f\imjpuexc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dataexchangehost_31bf3856ad364e35_10.0.19041.746_none_c77d8290c75caeee\r\DataExchangeHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-lpkinstall_31bf3856ad364e35_10.0.19041.746_none_e72c4ffca9db7315\r\lpkinstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.1151_none_ec390bd802a1c630\SearchIndexer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\wmpconfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-com-complus-setup_31bf3856ad364e35_10.0.19041.746_none_c7a124154e1d7314\mtstocom.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-iis-managementconsole_31bf3856ad364e35_10.0.19041.906_none_65f82ba919c64b11\InetMgr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-isoburn_31bf3856ad364e35_10.0.19041.746_none_c42bf1ebf80a8661\f\isoburn.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.1_none_a65e065ddcc839c0\ThumbnailExtractionHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_b3df5aa8d99e9b89\TSTheme.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.19041.1202_none_574a25a5ee347454_memtest.exe_01d80391 C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.1266_none_07a5d18b92d8b668\f\cmproxyd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.19041.1_none_330dfb2b06b21af6\print.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\r\MicrosoftEdge.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sysx32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe

"C:\Users\Admin\AppData\Local\Temp\bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe

C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2896-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 03256d5a073278daba6e090091e134b0
SHA1 4b87b3ca4010370f72d84350a17213edd1c113bf
SHA256 bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365cc
SHA512 cd43774dc96570934714f1fcc61c9609736048ba7ccf6467b8f1dc24abca06c40ec1d012af018ac4f4094eb7beeb952676cbebc790d59da64b41b1530a60baa4

C:\Program Files\7-Zip\7z.exe

MD5 844648883b4dba2cecceb09e68a66df2
SHA1 fce4865a79fafb371a223901b2e8b5bb027eaeb1
SHA256 588e7f564e4a43ae94448daa6f15db8bc7a7825a4de1861d1e1a16fb5d800e0f
SHA512 826e6b36a4b0538367d44a22dedfe43db125b78923d945f7711b1d1e1433a315f43e50cf6e0490a1b0c6551150a59e264d8340c135a0b1d41dc980db9cfafa0d

C:\Users\Admin\AppData\Local\Temp\_bfa2191f4914e8e08dc93eebd615d62bed1ab287a794e0df78813c25c3a365ccN.exe

MD5 e0e8e1074c64db8ce17f7d4a88dc6d57
SHA1 55d16b566795bf19addabcaf8c0ca70c5d767fbd
SHA256 67159212684516c0488b6850e62991c93137b8fb1ee3ba4042a169be41542bb9
SHA512 e7ad30fdf7897c358e6415d192fde10b419cf9728878c27ad04ab5ed3e260d7086bb2a39aa8a923bf74b8099ffd89d70afa566f935bc059c6adef1d2f88e6e97

memory/2336-46-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2896-59-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2336-57-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3508-777-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3508-776-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3508-1606-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3508-2696-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3508-2697-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3508-2698-0x0000000000400000-0x0000000000411000-memory.dmp