Malware Analysis Report

2024-10-16 03:18

Sample ID 220127-vwx9fshaa6
Target 2f76c2801b2bac498e94d68e99117c5367af97e0
SHA256 5e54dfc50c22a8cd92c5d05598bbafc75b999b93224d900017b892a4d9f22077
Tags
conti ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e54dfc50c22a8cd92c5d05598bbafc75b999b93224d900017b892a4d9f22077

Threat Level: Known bad

The file 2f76c2801b2bac498e94d68e99117c5367af97e0 was found to be: Known bad.

Malicious Activity Summary

conti ransomware

Conti Ransomware

Modifies extensions of user files

Drops startup file

Drops desktop.ini file(s)

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-01-27 17:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-27 17:20

Reported

2022-01-27 17:23

Platform

win10-en-20211208

Max time kernel

133s

Max time network

131s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2f76c2801b2bac498e94d68e99117c5367af97e0.dll

Signatures

Conti Ransomware

ransomware conti

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\SuspendStep.png => C:\Users\Admin\Pictures\SuspendStep.png.SACUR C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\UnprotectProtect.crw => C:\Users\Admin\Pictures\UnprotectProtect.crw.SACUR C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\MergeRename.tif => C:\Users\Admin\Pictures\MergeRename.tif.SACUR C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\PopResolve.raw => C:\Users\Admin\Pictures\PopResolve.raw.SACUR C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Pictures\ClearClose.tiff C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\ClearClose.tiff => C:\Users\Admin\Pictures\ClearClose.tiff.SACUR C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\GetProtect.crw => C:\Users\Admin\Pictures\GetProtect.crw.SACUR C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\OptimizeCopy.png => C:\Users\Admin\Pictures\OptimizeCopy.png.SACUR C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\RequestMeasure.crw => C:\Users\Admin\Pictures\RequestMeasure.crw.SACUR C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\ResumeUnprotect.raw => C:\Users\Admin\Pictures\ResumeUnprotect.raw.SACUR C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Pictures\CheckpointUndo.tiff C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\CheckpointUndo.tiff => C:\Users\Admin\Pictures\CheckpointUndo.tiff.SACUR C:\Windows\SysWOW64\regsvr32.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\PlayStore_icon.svg C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\trdtv2r41.xsl C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\info.png C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-ma\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fur.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\Xusage.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansRegular.ttf C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\ui-strings.js C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\en-GB.pak C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reminders_18.svg C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-pl.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\editvideoimage.png C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp_2x.gif C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\ui-strings.js C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\skin.dtd C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\RIPPLE.INF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\hscroll-thumb.png C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\ui-strings.js C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OWSHLP10.CHM C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ui-strings.js C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview.png C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\ui-strings.js C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Common Files\System\msadc\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OFFSYM.TTF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\rescache\_merged\4183903823\97717462.pri C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe N/A
File created C:\Windows\rescache\_merged\4032412167\2701812693.pri C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\system32\svchost.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\regsvr32.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2628 wrote to memory of 2696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2f76c2801b2bac498e94d68e99117c5367af97e0.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\2f76c2801b2bac498e94d68e99117c5367af97e0.dll

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe

"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 2004

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
N/A 10.127.0.1:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.255.1:445 tcp
N/A 10.127.255.48:445 tcp
N/A 10.127.255.0:445 tcp
N/A 10.127.255.26:445 tcp
N/A 10.127.255.28:445 tcp
N/A 10.127.255.31:445 tcp
N/A 10.127.255.6:445 tcp
N/A 10.127.255.10:445 tcp
N/A 10.127.255.19:445 tcp
N/A 10.127.255.49:445 tcp
N/A 10.127.255.59:445 tcp
N/A 10.127.255.32:445 tcp
N/A 10.127.255.30:445 tcp
N/A 10.127.255.62:445 tcp
N/A 10.127.255.3:445 tcp
N/A 10.127.255.43:445 tcp
N/A 10.127.255.21:445 tcp
N/A 10.127.255.25:445 tcp
N/A 10.127.255.9:445 tcp
N/A 10.127.255.60:445 tcp
N/A 10.127.255.22:445 tcp
N/A 10.127.255.7:445 tcp
N/A 10.127.255.42:445 tcp
N/A 10.127.255.53:445 tcp
N/A 10.127.255.56:445 tcp
N/A 10.127.255.65:445 tcp
N/A 10.127.255.4:445 tcp
N/A 10.127.255.17:445 tcp
N/A 10.127.255.37:445 tcp
N/A 10.127.255.5:445 tcp
N/A 10.127.255.12:445 tcp
N/A 10.127.255.35:445 tcp
N/A 10.127.255.16:445 tcp
N/A 10.127.255.29:445 tcp
N/A 10.127.255.44:445 tcp
N/A 10.127.255.23:445 tcp
N/A 10.127.255.27:445 tcp
N/A 10.127.255.34:445 tcp
N/A 10.127.255.58:445 tcp
N/A 10.127.255.24:445 tcp
N/A 10.127.255.33:445 tcp
N/A 10.127.255.13:445 tcp
N/A 10.127.255.63:445 tcp
N/A 10.127.255.20:445 tcp
N/A 10.127.255.38:445 tcp
N/A 10.127.255.64:445 tcp
N/A 10.127.255.47:445 tcp
N/A 10.127.255.57:445 tcp
N/A 10.127.255.52:445 tcp
N/A 10.127.255.18:445 tcp
N/A 10.127.255.45:445 tcp
N/A 10.127.255.55:445 tcp
N/A 10.127.255.36:445 tcp
N/A 10.127.255.54:445 tcp
N/A 10.127.255.2:445 tcp
N/A 10.127.255.15:445 tcp
N/A 10.127.255.8:445 tcp
N/A 10.127.255.46:445 tcp
N/A 10.127.255.51:445 tcp
N/A 10.127.255.86:445 tcp
N/A 10.127.255.50:445 tcp
N/A 10.127.255.88:445 tcp
N/A 10.127.255.108:445 tcp
N/A 10.127.255.40:445 tcp
N/A 10.127.255.61:445 tcp
N/A 10.127.255.41:445 tcp
N/A 10.127.255.69:445 tcp
N/A 10.127.255.95:445 tcp
N/A 10.127.255.11:445 tcp
N/A 10.127.255.66:445 tcp
N/A 10.127.255.80:445 tcp
N/A 10.127.255.14:445 tcp
N/A 10.127.255.39:445 tcp
N/A 10.127.255.103:445 tcp
N/A 10.127.255.68:445 tcp
N/A 10.127.255.76:445 tcp
N/A 10.127.255.87:445 tcp
N/A 10.127.255.67:445 tcp
N/A 10.127.255.83:445 tcp
N/A 10.127.255.102:445 tcp
N/A 10.127.255.81:445 tcp
N/A 10.127.255.106:445 tcp
N/A 10.127.255.78:445 tcp
N/A 10.127.255.105:445 tcp
N/A 10.127.255.89:445 tcp
N/A 10.127.255.94:445 tcp
N/A 10.127.255.70:445 tcp
N/A 10.127.255.71:445 tcp
N/A 10.127.255.72:445 tcp
N/A 10.127.255.73:445 tcp
N/A 10.127.255.74:445 tcp
N/A 10.127.255.75:445 tcp
N/A 10.127.255.77:445 tcp
N/A 10.127.255.79:445 tcp
N/A 10.127.255.82:445 tcp
N/A 10.127.255.84:445 tcp
N/A 10.127.255.85:445 tcp
N/A 10.127.255.90:445 tcp
N/A 10.127.255.91:445 tcp
N/A 10.127.255.92:445 tcp
N/A 10.127.255.93:445 tcp
N/A 10.127.255.96:445 tcp
N/A 10.127.255.97:445 tcp
N/A 10.127.255.98:445 tcp
N/A 10.127.255.99:445 tcp
N/A 10.127.255.100:445 tcp
N/A 10.127.255.101:445 tcp
N/A 10.127.255.104:445 tcp
N/A 10.127.255.107:445 tcp
N/A 10.127.255.109:445 tcp
N/A 10.127.255.110:445 tcp
N/A 10.127.255.111:445 tcp
N/A 10.127.255.112:445 tcp
N/A 10.127.255.113:445 tcp
N/A 10.127.255.114:445 tcp
N/A 10.127.255.115:445 tcp
N/A 10.127.255.116:445 tcp
N/A 10.127.255.117:445 tcp
N/A 10.127.255.118:445 tcp
N/A 10.127.255.119:445 tcp
N/A 10.127.255.120:445 tcp
N/A 10.127.255.121:445 tcp
N/A 10.127.255.122:445 tcp
N/A 10.127.255.123:445 tcp
N/A 10.127.255.124:445 tcp
N/A 10.127.255.125:445 tcp
N/A 10.127.255.126:445 tcp
N/A 10.127.255.127:445 tcp
N/A 10.127.255.128:445 tcp
N/A 10.127.255.129:445 tcp
N/A 10.127.255.130:445 tcp
N/A 10.127.255.131:445 tcp
N/A 10.127.255.132:445 tcp
N/A 10.127.255.133:445 tcp
N/A 10.127.255.134:445 tcp
N/A 10.127.255.135:445 tcp
N/A 10.127.255.136:445 tcp
N/A 10.127.255.137:445 tcp
N/A 10.127.255.138:445 tcp
N/A 10.127.255.139:445 tcp
N/A 10.127.255.140:445 tcp
N/A 10.127.255.141:445 tcp
N/A 10.127.255.142:445 tcp
N/A 10.127.255.143:445 tcp
N/A 10.127.255.144:445 tcp
N/A 10.127.255.145:445 tcp
N/A 10.127.255.146:445 tcp
N/A 10.127.255.147:445 tcp
N/A 10.127.255.148:445 tcp
N/A 10.127.255.149:445 tcp
N/A 10.127.255.150:445 tcp
N/A 10.127.255.151:445 tcp
N/A 10.127.255.152:445 tcp
N/A 10.127.255.153:445 tcp
N/A 10.127.255.154:445 tcp
N/A 10.127.255.155:445 tcp
N/A 10.127.255.156:445 tcp
N/A 10.127.255.157:445 tcp
N/A 10.127.255.158:445 tcp
N/A 10.127.255.159:445 tcp
N/A 10.127.255.160:445 tcp
N/A 10.127.255.161:445 tcp
N/A 10.127.255.162:445 tcp
N/A 10.127.255.163:445 tcp
N/A 10.127.255.164:445 tcp
N/A 10.127.255.165:445 tcp
N/A 10.127.255.166:445 tcp
N/A 10.127.255.167:445 tcp
N/A 10.127.255.168:445 tcp
N/A 10.127.255.169:445 tcp
N/A 10.127.255.170:445 tcp
N/A 10.127.255.171:445 tcp
N/A 10.127.255.172:445 tcp
N/A 10.127.255.173:445 tcp
N/A 10.127.255.174:445 tcp
N/A 10.127.255.175:445 tcp
N/A 10.127.255.176:445 tcp
N/A 10.127.255.177:445 tcp
N/A 10.127.255.178:445 tcp
N/A 10.127.255.179:445 tcp
N/A 10.127.255.180:445 tcp
N/A 10.127.255.181:445 tcp
N/A 10.127.255.182:445 tcp
N/A 10.127.255.183:445 tcp
N/A 10.127.255.184:445 tcp
N/A 10.127.255.185:445 tcp
N/A 10.127.255.186:445 tcp
N/A 10.127.255.187:445 tcp
N/A 10.127.255.188:445 tcp
N/A 10.127.255.189:445 tcp
N/A 10.127.255.190:445 tcp
N/A 10.127.255.191:445 tcp
N/A 10.127.255.192:445 tcp
N/A 10.127.255.193:445 tcp
N/A 10.127.255.194:445 tcp
N/A 10.127.255.195:445 tcp
N/A 10.127.255.196:445 tcp
N/A 10.127.255.197:445 tcp
N/A 10.127.255.198:445 tcp
N/A 10.127.255.199:445 tcp
N/A 10.127.255.200:445 tcp
N/A 10.127.255.201:445 tcp
N/A 10.127.255.202:445 tcp
N/A 10.127.255.203:445 tcp
N/A 10.127.255.204:445 tcp
N/A 10.127.255.205:445 tcp
N/A 10.127.255.206:445 tcp
N/A 10.127.255.207:445 tcp
N/A 10.127.255.208:445 tcp
N/A 10.127.255.209:445 tcp
N/A 10.127.255.210:445 tcp
N/A 10.127.255.211:445 tcp
N/A 10.127.255.212:445 tcp
N/A 10.127.255.213:445 tcp
N/A 10.127.255.214:445 tcp
N/A 10.127.255.215:445 tcp
N/A 10.127.255.216:445 tcp
N/A 10.127.255.217:445 tcp
N/A 10.127.255.218:445 tcp
N/A 10.127.255.219:445 tcp
N/A 10.127.255.220:445 tcp
N/A 10.127.255.221:445 tcp
N/A 10.127.255.222:445 tcp
N/A 10.127.255.223:445 tcp
N/A 10.127.255.224:445 tcp
N/A 10.127.255.225:445 tcp
N/A 10.127.255.226:445 tcp
N/A 10.127.255.227:445 tcp
N/A 10.127.255.228:445 tcp
N/A 10.127.255.229:445 tcp
N/A 10.127.255.230:445 tcp
N/A 10.127.255.231:445 tcp
N/A 10.127.255.232:445 tcp
N/A 10.127.255.233:445 tcp
N/A 10.127.255.234:445 tcp
N/A 10.127.255.235:445 tcp
N/A 10.127.255.236:445 tcp
N/A 10.127.255.237:445 tcp
N/A 10.127.255.238:445 tcp
N/A 10.127.255.239:445 tcp
N/A 10.127.255.240:445 tcp
N/A 10.127.255.241:445 tcp
N/A 10.127.255.242:445 tcp
N/A 10.127.255.243:445 tcp
N/A 10.127.255.244:445 tcp
N/A 10.127.255.245:445 tcp
N/A 10.127.255.246:445 tcp
N/A 10.127.255.247:445 tcp
N/A 10.127.255.248:445 tcp
N/A 10.127.255.249:445 tcp
N/A 10.127.255.250:445 tcp
N/A 10.127.255.251:445 tcp
N/A 10.127.255.252:445 tcp
N/A 10.127.255.253:445 tcp
N/A 10.127.255.254:445 tcp

Files

memory/1140-122-0x000001D011BA0000-0x000001D011BB0000-memory.dmp

memory/1140-123-0x000001D011DD0000-0x000001D011DE0000-memory.dmp

memory/2696-143-0x0000000010000000-0x00000000100D3000-memory.dmp

memory/2696-144-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/2696-145-0x0000000010000000-0x00000000100D3000-memory.dmp