Analysis
- max time kernel: 153s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 08:47

Static task: static1

Behavioral task: behavioral1
- Sample: 31e5c5f88b0f009ac26393610e3e7e331c44b093e179269fe07f2cd28ba3e72c.dll
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 31e5c5f88b0f009ac26393610e3e7e331c44b093e179269fe07f2cd28ba3e72c.dll
- Resource: win10v2004-en-20220113

General
- Target: 31e5c5f88b0f009ac26393610e3e7e331c44b093e179269fe07f2cd28ba3e72c.dll
- Size: 1.1MB
- MD5: fdebe604c063574d890211020d657aeb
- SHA1: c86e34e85af20fe5d7d0f0740ad95c58e0831538
- SHA256: 31e5c5f88b0f009ac26393610e3e7e331c44b093e179269fe07f2cd28ba3e72c
- SHA512: 3efebff4a7b994702a551788b0d26c11c173f12fcfe779f5d41529fb69106f510e65f6510ac10a3c54f7880191af82f041932ba143cbd3fc2a022617756b7d62
Malware Config
- Extracted from: C:\readme.txt
- Family: conti
- URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.ws
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: regsvr32.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\InitializeExit.tiff => C:\Users\Admin\Pictures\InitializeExit.tiff.YMFOS | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\ResolveInvoke.png => C:\Users\Admin\Pictures\ResolveInvoke.png.YMFOS | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\UpdateShow.tif => C:\Users\Admin\Pictures\UpdateShow.tif.YMFOS | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\ApproveNew.crw => C:\Users\Admin\Pictures\ApproveNew.crw.YMFOS | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\AssertUnlock.crw => C:\Users\Admin\Pictures\AssertUnlock.crw.YMFOS | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\ClearReset.raw => C:\Users\Admin\Pictures\ClearReset.raw.YMFOS | regsvr32.exe
File opened for modification | C:\Users\Admin\Pictures\InitializeExit.tiff | regsvr32.exe
Drops desktop.ini file(s) (23 IoCs)
Processes: regsvr32.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | regsvr32.exe
Drops file in Program Files directory (64 IoCs)
Processes: regsvr32.exe
Drops file in Windows directory (8 IoCs)
Processes: TiWorker.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: regsvr32.exe (PID 1428)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe (PID 1104), TiWorker.exe (PID 2012)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: regsvr32.exe (PID 1428)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: regsvr32.exe (PID 1428)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: regsvr32.exe
description | pid | process | target process
PID 1344 wrote to memory of 1428 | 1344 | regsvr32.exe | regsvr32.exe
PID 1344 wrote to memory of 1428 | 1344 | regsvr32.exe | regsvr32.exe
PID 1344 wrote to memory of 1428 | 1344 | regsvr32.exe | regsvr32.exe
Processes

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\31e5c5f88b0f009ac26393610e3e7e331c44b093e179269fe07f2cd28ba3e72c.dll
  - Suspicious use of WriteProcessMemory
  PID: 1344

  C:\Windows\SysWOW64\regsvr32.exe (child of PID 1344)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\31e5c5f88b0f009ac26393610e3e7e331c44b093e179269fe07f2cd28ba3e72c.dll
    - Modifies extensions of user files
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1428

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1104

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2012