Malware Analysis Report

2024-10-16 03:14

Sample ID 220215-yn7dyahfa3
Target 05c8aaae3fb6c9605f5c69f8eb73cc2c1f08bd72213492e24f221a2ef60508a3
SHA256 05c8aaae3fb6c9605f5c69f8eb73cc2c1f08bd72213492e24f221a2ef60508a3
Tags
conti ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

05c8aaae3fb6c9605f5c69f8eb73cc2c1f08bd72213492e24f221a2ef60508a3

Threat Level: Known bad

The file 05c8aaae3fb6c9605f5c69f8eb73cc2c1f08bd72213492e24f221a2ef60508a3 was found to be: Known bad.

Malicious Activity Summary

conti ransomware

Conti Ransomware

Modifies extensions of user files

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-02-15 19:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-15 19:56

Reported

2022-02-15 20:00

Platform

win7-en-20211208

Max time kernel

165s

Max time network

144s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\05c8aaae3fb6c9605f5c69f8eb73cc2c1f08bd72213492e24f221a2ef60508a3.dll

Signatures

Conti Ransomware

ransomware conti

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\SecretST.TTF C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Microsoft Office\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\io.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sk.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\DVD Maker\fr-FR\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Internet Explorer\de-DE\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Internet Explorer\es-ES\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Hardcover.thmx C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Opulent.thmx C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ast.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eu.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kk.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\AUTHORS.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Solstice.thmx C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hr.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\release C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jre7\COPYRIGHT C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Mozilla Firefox\fonts\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.log C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\LATIN1.SHP C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Internet Explorer\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hy.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mn.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\sentinel C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\UnregisterSelect.pps C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Composite.thmx C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Executive.thmx C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Origin.thmx C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\DenyCompress.gif C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\blocklist.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\COPYING.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Common Files\System\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Adjacency.thmx C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\History.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ie9props.propdesc C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Google\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sl.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Oriel.thmx C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\SearchCompress.docm C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\update-settings.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\vi.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\DVD Maker\de-DE\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Median.thmx C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Microsoft Games\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Internet Explorer\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ro.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\README.html C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ENGIDX.DAT C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fur.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\FindUndo.clr C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\StartCopy.gif C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Uninstall Information\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1636 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1688 wrote to memory of 1636 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1688 wrote to memory of 1636 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1688 wrote to memory of 1636 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1688 wrote to memory of 1636 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1688 wrote to memory of 1636 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1688 wrote to memory of 1636 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\05c8aaae3fb6c9605f5c69f8eb73cc2c1f08bd72213492e24f221a2ef60508a3.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\05c8aaae3fb6c9605f5c69f8eb73cc2c1f08bd72213492e24f221a2ef60508a3.dll

Network

Country Destination Domain Proto
N/A 10.127.0.1:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.255.23:445 tcp
N/A 10.127.255.13:445 tcp
N/A 10.127.255.50:445 tcp
N/A 10.127.255.0:445 tcp
N/A 10.127.255.1:445 tcp
N/A 10.127.255.2:445 tcp
N/A 10.127.255.3:445 tcp
N/A 10.127.255.4:445 tcp
N/A 10.127.255.5:445 tcp
N/A 10.127.255.6:445 tcp
N/A 10.127.255.7:445 tcp
N/A 10.127.255.8:445 tcp
N/A 10.127.255.9:445 tcp
N/A 10.127.255.10:445 tcp
N/A 10.127.255.11:445 tcp
N/A 10.127.255.12:445 tcp
N/A 10.127.255.14:445 tcp
N/A 10.127.255.15:445 tcp
N/A 10.127.255.16:445 tcp
N/A 10.127.255.17:445 tcp
N/A 10.127.255.18:445 tcp
N/A 10.127.255.19:445 tcp
N/A 10.127.255.20:445 tcp
N/A 10.127.255.21:445 tcp
N/A 10.127.255.22:445 tcp
N/A 10.127.255.24:445 tcp
N/A 10.127.255.25:445 tcp
N/A 10.127.255.26:445 tcp
N/A 10.127.255.27:445 tcp
N/A 10.127.255.28:445 tcp
N/A 10.127.255.29:445 tcp
N/A 10.127.255.30:445 tcp
N/A 10.127.255.31:445 tcp
N/A 10.127.255.32:445 tcp
N/A 10.127.255.33:445 tcp
N/A 10.127.255.34:445 tcp
N/A 10.127.255.35:445 tcp
N/A 10.127.255.36:445 tcp
N/A 10.127.255.37:445 tcp
N/A 10.127.255.38:445 tcp
N/A 10.127.255.39:445 tcp
N/A 10.127.255.40:445 tcp
N/A 10.127.255.41:445 tcp
N/A 10.127.255.42:445 tcp
N/A 10.127.255.43:445 tcp
N/A 10.127.255.44:445 tcp
N/A 10.127.255.45:445 tcp
N/A 10.127.255.46:445 tcp
N/A 10.127.255.47:445 tcp
N/A 10.127.255.48:445 tcp
N/A 10.127.255.49:445 tcp
N/A 10.127.255.51:445 tcp
N/A 10.127.255.52:445 tcp
N/A 10.127.255.53:445 tcp
N/A 10.127.255.54:445 tcp
N/A 10.127.255.55:445 tcp
N/A 10.127.255.56:445 tcp
N/A 10.127.255.57:445 tcp
N/A 10.127.255.58:445 tcp
N/A 10.127.255.59:445 tcp
N/A 10.127.255.60:445 tcp
N/A 10.127.255.61:445 tcp
N/A 10.127.255.62:445 tcp
N/A 10.127.255.63:445 tcp
N/A 10.127.255.64:445 tcp
N/A 10.127.255.65:445 tcp
N/A 10.127.255.66:445 tcp
N/A 10.127.255.67:445 tcp
N/A 10.127.255.68:445 tcp
N/A 10.127.255.69:445 tcp
N/A 10.127.255.70:445 tcp
N/A 10.127.255.71:445 tcp
N/A 10.127.255.72:445 tcp
N/A 10.127.255.73:445 tcp
N/A 10.127.255.74:445 tcp
N/A 10.127.255.75:445 tcp
N/A 10.127.255.76:445 tcp
N/A 10.127.255.77:445 tcp
N/A 10.127.255.78:445 tcp
N/A 10.127.255.79:445 tcp
N/A 10.127.255.80:445 tcp
N/A 10.127.255.81:445 tcp
N/A 10.127.255.82:445 tcp
N/A 10.127.255.83:445 tcp
N/A 10.127.255.84:445 tcp
N/A 10.127.255.85:445 tcp
N/A 10.127.255.86:445 tcp
N/A 10.127.255.87:445 tcp
N/A 10.127.255.88:445 tcp
N/A 10.127.255.89:445 tcp
N/A 10.127.255.90:445 tcp
N/A 10.127.255.91:445 tcp
N/A 10.127.255.92:445 tcp
N/A 10.127.255.93:445 tcp
N/A 10.127.255.94:445 tcp
N/A 10.127.255.95:445 tcp
N/A 10.127.255.96:445 tcp
N/A 10.127.255.97:445 tcp
N/A 10.127.255.98:445 tcp
N/A 10.127.255.99:445 tcp
N/A 10.127.255.100:445 tcp
N/A 10.127.255.101:445 tcp
N/A 10.127.255.102:445 tcp
N/A 10.127.255.103:445 tcp
N/A 10.127.255.104:445 tcp
N/A 10.127.255.105:445 tcp
N/A 10.127.255.106:445 tcp
N/A 10.127.255.107:445 tcp
N/A 10.127.255.108:445 tcp
N/A 10.127.255.109:445 tcp
N/A 10.127.255.110:445 tcp
N/A 10.127.255.111:445 tcp
N/A 10.127.255.112:445 tcp
N/A 10.127.255.113:445 tcp
N/A 10.127.255.114:445 tcp
N/A 10.127.255.115:445 tcp
N/A 10.127.255.116:445 tcp
N/A 10.127.255.117:445 tcp
N/A 10.127.255.118:445 tcp
N/A 10.127.255.119:445 tcp
N/A 10.127.255.120:445 tcp
N/A 10.127.255.121:445 tcp
N/A 10.127.255.122:445 tcp
N/A 10.127.255.123:445 tcp
N/A 10.127.255.124:445 tcp
N/A 10.127.255.125:445 tcp
N/A 10.127.255.126:445 tcp
N/A 10.127.255.127:445 tcp
N/A 10.127.255.128:445 tcp
N/A 10.127.255.129:445 tcp
N/A 10.127.255.130:445 tcp
N/A 10.127.255.131:445 tcp
N/A 10.127.255.132:445 tcp
N/A 10.127.255.133:445 tcp
N/A 10.127.255.134:445 tcp
N/A 10.127.255.135:445 tcp
N/A 10.127.255.136:445 tcp
N/A 10.127.255.137:445 tcp
N/A 10.127.255.138:445 tcp
N/A 10.127.255.139:445 tcp
N/A 10.127.255.140:445 tcp
N/A 10.127.255.141:445 tcp
N/A 10.127.255.142:445 tcp
N/A 10.127.255.143:445 tcp
N/A 10.127.255.144:445 tcp
N/A 10.127.255.145:445 tcp
N/A 10.127.255.146:445 tcp
N/A 10.127.255.147:445 tcp
N/A 10.127.255.148:445 tcp
N/A 10.127.255.149:445 tcp
N/A 10.127.255.150:445 tcp
N/A 10.127.255.151:445 tcp
N/A 10.127.255.152:445 tcp
N/A 10.127.255.153:445 tcp
N/A 10.127.255.154:445 tcp
N/A 10.127.255.155:445 tcp
N/A 10.127.255.156:445 tcp
N/A 10.127.255.157:445 tcp
N/A 10.127.255.158:445 tcp
N/A 10.127.255.159:445 tcp
N/A 10.127.255.160:445 tcp
N/A 10.127.255.161:445 tcp
N/A 10.127.255.162:445 tcp
N/A 10.127.255.163:445 tcp
N/A 10.127.255.164:445 tcp
N/A 10.127.255.165:445 tcp
N/A 10.127.255.166:445 tcp
N/A 10.127.255.167:445 tcp
N/A 10.127.255.168:445 tcp
N/A 10.127.255.169:445 tcp
N/A 10.127.255.170:445 tcp
N/A 10.127.255.171:445 tcp
N/A 10.127.255.172:445 tcp
N/A 10.127.255.173:445 tcp
N/A 10.127.255.174:445 tcp
N/A 10.127.255.175:445 tcp
N/A 10.127.255.176:445 tcp
N/A 10.127.255.177:445 tcp
N/A 10.127.255.178:445 tcp
N/A 10.127.255.179:445 tcp
N/A 10.127.255.180:445 tcp
N/A 10.127.255.181:445 tcp
N/A 10.127.255.182:445 tcp
N/A 10.127.255.183:445 tcp
N/A 10.127.255.184:445 tcp
N/A 10.127.255.185:445 tcp
N/A 10.127.255.186:445 tcp
N/A 10.127.255.187:445 tcp
N/A 10.127.255.188:445 tcp
N/A 10.127.255.189:445 tcp
N/A 10.127.255.190:445 tcp
N/A 10.127.255.191:445 tcp
N/A 10.127.255.192:445 tcp
N/A 10.127.255.193:445 tcp
N/A 10.127.255.194:445 tcp
N/A 10.127.255.195:445 tcp
N/A 10.127.255.196:445 tcp
N/A 10.127.255.197:445 tcp
N/A 10.127.255.198:445 tcp
N/A 10.127.255.199:445 tcp
N/A 10.127.255.200:445 tcp
N/A 10.127.255.201:445 tcp
N/A 10.127.255.202:445 tcp
N/A 10.127.255.203:445 tcp
N/A 10.127.255.204:445 tcp
N/A 10.127.255.205:445 tcp
N/A 10.127.255.206:445 tcp
N/A 10.127.255.207:445 tcp
N/A 10.127.255.208:445 tcp
N/A 10.127.255.209:445 tcp
N/A 10.127.255.210:445 tcp
N/A 10.127.255.211:445 tcp
N/A 10.127.255.212:445 tcp
N/A 10.127.255.213:445 tcp
N/A 10.127.255.214:445 tcp
N/A 10.127.255.215:445 tcp
N/A 10.127.255.216:445 tcp
N/A 10.127.255.217:445 tcp
N/A 10.127.255.218:445 tcp
N/A 10.127.255.219:445 tcp
N/A 10.127.255.220:445 tcp
N/A 10.127.255.221:445 tcp
N/A 10.127.255.222:445 tcp
N/A 10.127.255.223:445 tcp
N/A 10.127.255.224:445 tcp
N/A 10.127.255.225:445 tcp
N/A 10.127.255.226:445 tcp
N/A 10.127.255.227:445 tcp
N/A 10.127.255.228:445 tcp
N/A 10.127.255.229:445 tcp
N/A 10.127.255.230:445 tcp
N/A 10.127.255.231:445 tcp
N/A 10.127.255.232:445 tcp
N/A 10.127.255.233:445 tcp
N/A 10.127.255.234:445 tcp
N/A 10.127.255.235:445 tcp
N/A 10.127.255.236:445 tcp
N/A 10.127.255.237:445 tcp
N/A 10.127.255.238:445 tcp
N/A 10.127.255.239:445 tcp
N/A 10.127.255.240:445 tcp
N/A 10.127.255.241:445 tcp
N/A 10.127.255.242:445 tcp
N/A 10.127.255.243:445 tcp
N/A 10.127.255.244:445 tcp
N/A 10.127.255.245:445 tcp
N/A 10.127.255.246:445 tcp
N/A 10.127.255.247:445 tcp
N/A 10.127.255.248:445 tcp
N/A 10.127.255.249:445 tcp
N/A 10.127.255.250:445 tcp
N/A 10.127.255.251:445 tcp
N/A 10.127.255.252:445 tcp
N/A 10.127.255.253:445 tcp
N/A 10.127.255.254:445 tcp

Files

memory/1688-54-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

memory/1636-55-0x0000000076421000-0x0000000076423000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-15 19:56

Reported

2022-02-15 20:00

Platform

win10v2004-en-20220113

Max time kernel

170s

Max time network

180s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\05c8aaae3fb6c9605f5c69f8eb73cc2c1f08bd72213492e24f221a2ef60508a3.dll

Signatures

Conti Ransomware

ransomware conti

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\RenameRevoke.tiff C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\RenameRevoke.tiff => C:\Users\Admin\Pictures\RenameRevoke.tiff.DQQAV C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\RestartStep.crw => C:\Users\Admin\Pictures\RestartStep.crw.DQQAV C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\StartShow.png => C:\Users\Admin\Pictures\StartShow.png.DQQAV C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\UnprotectProtect.tif => C:\Users\Admin\Pictures\UnprotectProtect.tif.DQQAV C:\Windows\SysWOW64\regsvr32.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jawt.h C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\ConnectUndo.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Google\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Internet Explorer\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\VideoLAN Website.url C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\TextConv\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\PublishSplit.asf C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\install.log C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Common Files\System\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\include\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mk.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Mozilla Firefox\fonts\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\az.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eu.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fa.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hi.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Internet Explorer\de-DE\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Google\Chrome\Application\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\ct.sym C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\FindPublish.potm C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lij.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\Services\verisign.bmp C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Google\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cs.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msado25.tlb C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\sa-jdi.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Internet Explorer\en-US\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ps.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sk.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pl.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Internet Explorer\es-ES\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\History.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\co.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eo.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\adcvbs.inc C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\GroupRequest.avi C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\ReadSave.ps1 C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\omni.ja C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Common Files\System\en-US\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\bin\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\SIGNUP\install.ins C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Common Files\System\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 3672 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1356 wrote to memory of 3672 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1356 wrote to memory of 3672 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\05c8aaae3fb6c9605f5c69f8eb73cc2c1f08bd72213492e24f221a2ef60508a3.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\05c8aaae3fb6c9605f5c69f8eb73cc2c1f08bd72213492e24f221a2ef60508a3.dll

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

Network

Country Destination Domain Proto
NL 8.248.5.254:80 tcp
NL 8.248.5.254:80 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.255.20:445 tcp
N/A 10.127.255.25:445 tcp
N/A 10.127.255.36:445 tcp
N/A 10.127.255.49:445 tcp
N/A 10.127.255.46:445 tcp
N/A 10.127.255.58:445 tcp
N/A 10.127.255.6:445 tcp
N/A 10.127.255.17:445 tcp
N/A 10.127.255.31:445 tcp
N/A 10.127.255.41:445 tcp
N/A 10.127.255.51:445 tcp
N/A 10.127.255.52:445 tcp
N/A 10.127.255.30:445 tcp
N/A 10.127.255.174:445 tcp
N/A 10.127.255.7:445 tcp
N/A 10.127.255.38:445 tcp
N/A 10.127.255.0:445 tcp
N/A 10.127.255.1:445 tcp
N/A 10.127.255.56:445 tcp
N/A 10.127.255.21:445 tcp
N/A 10.127.255.11:445 tcp
N/A 10.127.255.12:445 tcp
N/A 10.127.255.33:445 tcp
N/A 10.127.255.40:445 tcp
N/A 10.127.255.26:445 tcp
N/A 10.127.255.48:445 tcp
N/A 10.127.255.3:445 tcp
N/A 10.127.255.60:445 tcp
N/A 10.127.255.42:445 tcp
N/A 10.127.255.8:445 tcp
N/A 10.127.255.16:445 tcp
N/A 10.127.255.172:445 tcp
N/A 10.127.255.32:445 tcp
N/A 10.127.255.22:445 tcp
N/A 10.127.255.29:445 tcp
N/A 10.127.255.10:445 tcp
N/A 10.127.255.53:445 tcp
N/A 10.127.255.64:445 tcp
N/A 10.127.255.18:445 tcp
N/A 10.127.255.76:445 tcp
N/A 10.127.255.92:445 tcp
N/A 10.127.255.71:445 tcp
N/A 10.127.255.93:445 tcp
N/A 10.127.255.2:445 tcp
N/A 10.127.255.43:445 tcp
N/A 10.127.255.44:445 tcp
N/A 10.127.255.73:445 tcp
N/A 10.127.255.13:445 tcp
N/A 10.127.255.85:445 tcp
N/A 10.127.255.90:445 tcp
N/A 10.127.255.66:445 tcp
N/A 10.127.255.35:445 tcp
N/A 10.127.255.50:445 tcp
N/A 10.127.255.57:445 tcp
N/A 10.127.255.83:445 tcp
N/A 10.127.255.45:445 tcp
N/A 10.127.255.75:445 tcp
N/A 10.127.255.63:445 tcp
N/A 10.127.255.74:445 tcp
N/A 10.127.255.68:445 tcp
N/A 10.127.255.95:445 tcp
N/A 10.127.255.70:445 tcp
N/A 10.127.255.97:445 tcp
N/A 10.127.255.54:445 tcp
N/A 10.127.255.55:445 tcp
N/A 10.127.255.84:445 tcp
N/A 10.127.255.87:445 tcp
N/A 10.127.255.14:445 tcp
N/A 10.127.255.4:445 tcp
N/A 10.127.255.5:445 tcp
N/A 10.127.255.9:445 tcp
N/A 10.127.255.15:445 tcp
N/A 10.127.255.19:445 tcp
N/A 10.127.255.23:445 tcp
N/A 10.127.255.24:445 tcp
N/A 10.127.255.27:445 tcp
N/A 10.127.255.28:445 tcp
N/A 10.127.255.34:445 tcp
N/A 10.127.255.37:445 tcp
N/A 10.127.255.39:445 tcp
N/A 10.127.255.47:445 tcp
N/A 10.127.255.59:445 tcp
N/A 10.127.255.61:445 tcp
N/A 10.127.255.62:445 tcp
N/A 10.127.255.65:445 tcp
N/A 10.127.255.67:445 tcp
N/A 10.127.255.69:445 tcp
N/A 10.127.255.72:445 tcp
N/A 10.127.255.77:445 tcp
N/A 10.127.255.78:445 tcp
N/A 10.127.255.79:445 tcp
N/A 10.127.255.80:445 tcp
N/A 10.127.255.81:445 tcp
N/A 10.127.255.82:445 tcp
N/A 10.127.255.86:445 tcp
N/A 10.127.255.88:445 tcp
N/A 10.127.255.89:445 tcp
N/A 10.127.255.91:445 tcp
N/A 10.127.255.94:445 tcp
N/A 10.127.255.96:445 tcp
N/A 10.127.255.98:445 tcp
N/A 10.127.255.99:445 tcp
N/A 10.127.255.100:445 tcp
N/A 10.127.255.101:445 tcp
N/A 10.127.255.102:445 tcp
N/A 10.127.255.103:445 tcp
N/A 10.127.255.104:445 tcp
N/A 10.127.255.105:445 tcp
N/A 10.127.255.106:445 tcp
N/A 10.127.255.107:445 tcp
N/A 10.127.255.108:445 tcp
N/A 10.127.255.109:445 tcp
N/A 10.127.255.110:445 tcp
N/A 10.127.255.111:445 tcp
N/A 10.127.255.112:445 tcp
N/A 10.127.255.113:445 tcp
N/A 10.127.255.114:445 tcp
N/A 10.127.255.115:445 tcp
N/A 10.127.255.116:445 tcp
N/A 10.127.255.117:445 tcp
N/A 10.127.255.118:445 tcp
N/A 10.127.255.119:445 tcp
N/A 10.127.255.120:445 tcp
N/A 10.127.255.121:445 tcp
N/A 10.127.255.122:445 tcp
N/A 10.127.255.123:445 tcp
N/A 10.127.255.124:445 tcp
N/A 10.127.255.125:445 tcp
N/A 10.127.255.126:445 tcp
N/A 10.127.255.127:445 tcp
N/A 10.127.255.128:445 tcp
N/A 10.127.255.129:445 tcp
N/A 10.127.255.130:445 tcp
N/A 10.127.255.131:445 tcp
N/A 10.127.255.132:445 tcp
N/A 10.127.255.133:445 tcp
N/A 10.127.255.134:445 tcp
N/A 10.127.255.135:445 tcp
N/A 10.127.255.136:445 tcp
N/A 10.127.255.137:445 tcp
N/A 10.127.255.138:445 tcp
N/A 10.127.255.139:445 tcp
N/A 10.127.255.140:445 tcp
N/A 10.127.255.141:445 tcp
N/A 10.127.255.142:445 tcp
N/A 10.127.255.143:445 tcp
N/A 10.127.255.144:445 tcp
N/A 10.127.255.145:445 tcp
N/A 10.127.255.146:445 tcp
N/A 10.127.255.147:445 tcp
N/A 10.127.255.148:445 tcp
N/A 10.127.255.149:445 tcp
N/A 10.127.255.150:445 tcp
N/A 10.127.255.151:445 tcp
N/A 10.127.255.152:445 tcp
N/A 10.127.255.153:445 tcp
N/A 10.127.255.154:445 tcp
N/A 10.127.255.155:445 tcp
N/A 10.127.255.156:445 tcp
N/A 10.127.255.157:445 tcp
N/A 10.127.255.158:445 tcp
N/A 10.127.255.159:445 tcp
N/A 10.127.255.160:445 tcp
N/A 10.127.255.161:445 tcp
N/A 10.127.255.162:445 tcp
N/A 10.127.255.163:445 tcp
N/A 10.127.255.164:445 tcp
N/A 10.127.255.165:445 tcp
N/A 10.127.255.166:445 tcp
N/A 10.127.255.167:445 tcp
N/A 10.127.255.168:445 tcp
N/A 10.127.255.169:445 tcp
N/A 10.127.255.170:445 tcp
N/A 10.127.255.171:445 tcp
N/A 10.127.255.173:445 tcp
N/A 10.127.255.175:445 tcp
N/A 10.127.255.176:445 tcp
N/A 10.127.255.177:445 tcp
N/A 10.127.255.178:445 tcp
N/A 10.127.255.179:445 tcp
N/A 10.127.255.180:445 tcp
N/A 10.127.255.181:445 tcp
N/A 10.127.255.182:445 tcp
N/A 10.127.255.183:445 tcp
N/A 10.127.255.184:445 tcp
N/A 10.127.255.185:445 tcp
N/A 10.127.255.186:445 tcp
N/A 10.127.255.187:445 tcp
N/A 10.127.255.188:445 tcp
N/A 10.127.255.189:445 tcp
N/A 10.127.255.190:445 tcp
N/A 10.127.255.191:445 tcp
N/A 10.127.255.192:445 tcp
N/A 10.127.255.193:445 tcp
N/A 10.127.255.194:445 tcp
N/A 10.127.255.195:445 tcp
N/A 10.127.255.196:445 tcp
N/A 10.127.255.197:445 tcp
N/A 10.127.255.198:445 tcp
N/A 10.127.255.199:445 tcp
N/A 10.127.255.200:445 tcp
N/A 10.127.255.201:445 tcp
N/A 10.127.255.202:445 tcp
N/A 10.127.255.203:445 tcp
N/A 10.127.255.204:445 tcp
N/A 10.127.255.205:445 tcp
N/A 10.127.255.206:445 tcp
N/A 10.127.255.207:445 tcp
N/A 10.127.255.208:445 tcp
N/A 10.127.255.209:445 tcp
N/A 10.127.255.210:445 tcp
N/A 10.127.255.211:445 tcp
N/A 10.127.255.212:445 tcp
N/A 10.127.255.213:445 tcp
N/A 10.127.255.214:445 tcp
N/A 10.127.255.215:445 tcp
N/A 10.127.255.216:445 tcp
N/A 10.127.255.217:445 tcp
N/A 10.127.255.218:445 tcp
N/A 10.127.255.219:445 tcp
N/A 10.127.255.220:445 tcp
N/A 10.127.255.221:445 tcp
N/A 10.127.255.222:445 tcp
N/A 10.127.255.223:445 tcp
N/A 10.127.255.224:445 tcp
N/A 10.127.255.225:445 tcp
N/A 10.127.255.226:445 tcp
N/A 10.127.255.227:445 tcp
N/A 10.127.255.228:445 tcp
N/A 10.127.255.229:445 tcp
N/A 10.127.255.230:445 tcp
N/A 10.127.255.231:445 tcp
N/A 10.127.255.232:445 tcp
N/A 10.127.255.233:445 tcp
N/A 10.127.255.234:445 tcp
N/A 10.127.255.235:445 tcp
N/A 10.127.255.236:445 tcp
N/A 10.127.255.237:445 tcp
N/A 10.127.255.238:445 tcp
N/A 10.127.255.239:445 tcp
N/A 10.127.255.240:445 tcp
N/A 10.127.255.241:445 tcp
N/A 10.127.255.242:445 tcp
N/A 10.127.255.243:445 tcp
N/A 10.127.255.244:445 tcp
N/A 10.127.255.245:445 tcp
N/A 10.127.255.246:445 tcp
N/A 10.127.255.247:445 tcp
N/A 10.127.255.248:445 tcp
N/A 10.127.255.249:445 tcp
N/A 10.127.255.250:445 tcp
N/A 10.127.255.251:445 tcp
N/A 10.127.255.252:445 tcp
N/A 10.127.255.253:445 tcp
N/A 10.127.255.254:445 tcp

Files

memory/1080-130-0x000001CC82B60000-0x000001CC82B70000-memory.dmp

memory/1080-131-0x000001CC83220000-0x000001CC83230000-memory.dmp