Malware Analysis Report

2024-12-07 10:03

Sample ID 241114-cf2ylaslaw
Target ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5
SHA256 ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5
Tags
discovery persistence ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5

Threat Level: Likely malicious

The file ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5 was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (316) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 02:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 02:01

Reported

2024-11-14 02:04

Platform

win7-20241010-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe N/A
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\StopOpen.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\StopOpen.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2836 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe C:\Windows\SysWOW64\sysx32.exe
PID 2836 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe C:\Windows\SysWOW64\sysx32.exe
PID 2836 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe C:\Windows\SysWOW64\sysx32.exe
PID 2836 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe C:\Windows\SysWOW64\sysx32.exe
PID 2836 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe C:\Users\Admin\AppData\Local\Temp\_ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe
PID 2836 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe C:\Users\Admin\AppData\Local\Temp\_ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe
PID 2836 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe C:\Users\Admin\AppData\Local\Temp\_ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe
PID 2836 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe C:\Users\Admin\AppData\Local\Temp\_ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe

"C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe

C:\Users\Admin\AppData\Local\Temp\_ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe

Network

N/A

Files

memory/2836-0-0x0000000000400000-0x0000000000411000-memory.dmp

\Windows\SysWOW64\sysx32.exe

MD5 b2d9865fcfb9d37d3b0a704d89f41bdc
SHA1 b40e304ddbf36d6fc25a7330fb93af47e958195d
SHA256 ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5
SHA512 e6c7784a262a33c852a53152558a05b70c011639477d3205e2403e0cfdf155e45855491c08164534ef039ac5ca0080ccd652d7c722f749be1206b35d586ebac0

memory/2916-14-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2836-13-0x00000000003B0000-0x00000000003C1000-memory.dmp

memory/2836-12-0x00000000003B0000-0x00000000003C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\_ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe

MD5 e35d8d8519af2a2fb6b6e5f3e92162c3
SHA1 5db601138926ddfe54b37a6be5624f6c1bc3be9c
SHA256 581cc6ecc3d1233e386e4b7022b4d8a410cfd588a8241d35568f2abe875baaab
SHA512 01904bf7605b5ab5cc588c9ac608855dc599be0b455255a381963a00c5f000c26d71ec05aff19efec1a895bfe4931cb8bcde520eb65f8e26630c04356a8a0464

memory/2836-20-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 02:01

Reported

2024-11-14 02:04

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe"

Signatures

Renames multiple (316) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\credwiz.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\PackagedCWALauncher.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SystemPropertiesProtection.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\xcopy.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\calc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\CredentialUIBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fondue.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\winrs.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\perfhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SyncHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\appidtel.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\RdpSaUacHelper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\print.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\InfDefaultInstall.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\wscadminui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe N/A
File opened for modification C:\Windows\SysWOW64\RpcPing.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\sort.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mfpmp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\shutdown.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wevtutil.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\WMIADAP.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\DWWIN.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\makecab.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\prevhost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\sdiagnhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\whoami.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\certutil.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\OneDriveSetup.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\WerFaultSecure.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\whoami.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\gpresult.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\newdev.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\odbcconf.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\srdelayed.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\gpresult.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Utilman.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\verifiergui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\curl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\forfiles.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\ipconfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\netbtugc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\efsui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\icacls.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\makecab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mmgaserver.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\PresentationHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\userinit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\curl.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\findstr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\LaunchWinApp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\dialer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\sdiagnhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemUWPLauncher.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cmmon32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVLP.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Mozilla Firefox\plugin-container.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.19041.153_none_6ef8a222ac00dbc2\TrustedInstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1_none_6f451098bef6266e\WMIADAP.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.19041.789_none_3136b8d712da0334\XblGameSaveTask.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.264_none_920963acedc8777d\f\fontdrvhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-muicachebuilder_31bf3856ad364e35_10.0.19041.1_none_cffda9bf5435db63\mcbuilder.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_10.0.19041.1_none_69f4af04dd2c1f80\lpq.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-unlock_31bf3856ad364e35_10.0.19041.746_none_428efbd28b482d1c\bdeunlock.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\r\wksprt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\f\svchost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-bootux.deployment_31bf3856ad364e35_10.0.19041.746_none_1c0a97992f105d4b\r\bootim.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-international-unattend_31bf3856ad364e35_10.0.19041.906_none_9e3e509d4c4881e1\MuiUnattend.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-webauth_31bf3856ad364e35_10.0.19041.746_none_099c40ad55bc5d6c\f\AuthHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-com-complus-ui_31bf3856ad364e35_10.0.19041.746_none_98f5b8d3db68981e\dcomcnfg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\prevhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.1266_none_cfec8db821d83671_winload.exe_75835076.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.19041.1202_none_324ea383dbfddeb9\r\mavinject.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-autofmt_31bf3856ad364e35_10.0.19041.1266_none_650ebab5a8c02ffc\r\autofmt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-rpc-ping_31bf3856ad364e35_10.0.19041.1_none_53ab1b93e0160a53\RpcPing.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..ystemassessmenttool_31bf3856ad364e35_10.0.19041.207_none_59ba79211607f58f\WinSAT.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-quickassist_31bf3856ad364e35_10.0.19041.1266_none_7d1b4a535854fe42\f\quickassist.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\f\AppVDllSurrogate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lockapphost_31bf3856ad364e35_10.0.19041.1_none_b19798c3028c2929\LockAppHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-d..-commandline-dsmgmt_31bf3856ad364e35_10.0.19041.1_none_a4a8dfd6e5f1aab8\dsmgmt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-bootconfig_31bf3856ad364e35_10.0.19041.1_none_c2078a8db9a59aef\bootcfg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-printing-eduprintprov_31bf3856ad364e35_10.0.19041.1_none_67326312c2487423\EduPrintProv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..msettings-datamodel_31bf3856ad364e35_10.0.19041.746_none_c82b4b805b9ae361\f\SystemSettingsBroker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_10.0.19041.1_none_ad9c6c9be4203192\Netplwiz.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-bioenrollment.appxmain_31bf3856ad364e35_10.0.19041.844_none_de5d9fe254d9f8c4\BioEnrollmentHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\HvsiSettingsWorker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslconfig_31bf3856ad364e35_10.0.19041.117_none_7f3778d7035d9622\wslconfig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.746_none_6c7de5b30e8f6071\r\BackgroundTransferHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-pnp-drvinst_31bf3856ad364e35_10.0.19041.1_none_0b4eeb140948562c\drvinst.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\f\ScriptRunner.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.1202_none_23a707c9a0b5a8e1\f\Taskmgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_10.0.19041.1_none_1f29a4ae2c282494\winresume.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-r..sistance-dcomserver_31bf3856ad364e35_10.0.19041.1_none_e5e4ad7714f033ca\raserver.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7_mpcmdrun.exe_1d1038c2.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.1081_none_ef39acce2648e404\WerFaultSecure.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-storage-diagnostics_31bf3856ad364e35_10.0.19041.1_none_34f70c73dc049744\stordiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslconfig_31bf3856ad364e35_10.0.19041.1151_none_15ecde7059d11b7f\wslconfig.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..dateclient-api-host_31bf3856ad364e35_10.0.19041.1266_none_149b57f8509ce672\f\wuapihost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..iodatamodel-library_31bf3856ad364e35_10.0.19041.264_none_52f277f293540161\WinBioDataModelOOBE.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7_msmpeng.exe_2f1c6923.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-castserver_31bf3856ad364e35_10.0.19041.746_none_a5986eca8fd4063b\r\CastSrv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..management-omadmprc_31bf3856ad364e35_10.0.19041.844_none_93c03ca99a47dc8f\omadmprc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.19041.1_none_14f1e9e91239944a\MdmDiagnosticsTool.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\f\hvsirdpclient.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-c..mplus-admin-comrepl_31bf3856ad364e35_10.0.19041.1_none_aa4f3617632d6024\comrepl.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\NarratorQuickStart.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-e..ortingcompatibility_31bf3856ad364e35_10.0.19041.1081_none_737d8b2eaaa38234\DWWIN.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\AuditShD.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\InputApp\TextInputHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..onentpackagesupport_31bf3856ad364e35_10.0.19041.1_none_15ad78a57833209d\CompPkgSrv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1_none_8f3a372b5909de8a\wiaacmgr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-winrsplugins_31bf3856ad364e35_10.0.19041.1_none_d67c2e3d05659825\winrs.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-d..-warp-jitexecutable_31bf3856ad364e35_10.0.19041.1_none_8dffc6a8f5e8b160\Windows.WARP.JITService.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1_none_b29cb2f3845833b7\UevTemplateConfigItemGenerator.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-compat-compattelrunner_31bf3856ad364e35_10.0.19041.1202_none_33e8c5dac6801a49\r\CompatTelRunner.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.19041.1_none_330dfb2b06b21af6\doskey.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_10.0.19041.1266_none_8fc08423f52c1606\r\wmlaunch.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.19041.1110_none_20a89186aedb6af7\msinfo32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.1288_none_e0f8082a6952ce81\f\ntoskrnl.exe C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sysx32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe

"C:\Users\Admin\AppData\Local\Temp\ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe

C:\Users\Admin\AppData\Local\Temp\_ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 81.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp

Files

memory/4052-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 b2d9865fcfb9d37d3b0a704d89f41bdc
SHA1 b40e304ddbf36d6fc25a7330fb93af47e958195d
SHA256 ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5
SHA512 e6c7784a262a33c852a53152558a05b70c011639477d3205e2403e0cfdf155e45855491c08164534ef039ac5ca0080ccd652d7c722f749be1206b35d586ebac0

C:\Users\Admin\AppData\Local\Temp\_ba8492b50198c353402bb3678b9321abda262aa2d150be90c66fc7f0c1c455e5.exe

MD5 e35d8d8519af2a2fb6b6e5f3e92162c3
SHA1 5db601138926ddfe54b37a6be5624f6c1bc3be9c
SHA256 581cc6ecc3d1233e386e4b7022b4d8a410cfd588a8241d35568f2abe875baaab
SHA512 01904bf7605b5ab5cc588c9ac608855dc599be0b455255a381963a00c5f000c26d71ec05aff19efec1a895bfe4931cb8bcde520eb65f8e26630c04356a8a0464

memory/4052-11-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 f7ed64e4b04d499af83be21674fbd93c
SHA1 eac53ddab0f8803a66b24dad92c3392149e84af2
SHA256 044c876ccad64f92bb745e4e5235f57a40dc9ded1b6d50df882cc8df1edd9d52
SHA512 2310267dfd7e9e1f5fda9105faf483050b2dccb95ab535be810508d1b623b32c16e0e5f1867e33f3bdb435da8ed25071c76e1b88f4d17cda8cc6436e6a11839d

memory/3672-1006-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3672-1007-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3672-2687-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3672-2688-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3672-2689-0x0000000000400000-0x0000000000411000-memory.dmp

memory/3672-2690-0x0000000000400000-0x0000000000411000-memory.dmp