Malware Analysis Report

2024-10-16 03:19

Sample ID 220301-zww4lsdbdk
Target bce72f157baf8064117c80e67998acc83fd27f1de64e0c9a68ad5c9209bc2bd2
SHA256 bce72f157baf8064117c80e67998acc83fd27f1de64e0c9a68ad5c9209bc2bd2
Tags
conti ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bce72f157baf8064117c80e67998acc83fd27f1de64e0c9a68ad5c9209bc2bd2

Threat Level: Known bad

The file bce72f157baf8064117c80e67998acc83fd27f1de64e0c9a68ad5c9209bc2bd2 was found to be: Known bad.

Malicious Activity Summary

conti ransomware

Conti Ransomware

Modifies extensions of user files

Drops startup file

Sets desktop wallpaper using registry

Drops file in Program Files directory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-01 21:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-01 21:04

Reported

2022-03-01 21:09

Platform

win7-20220223-en

Max time kernel

4294179s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bce72f157baf8064117c80e67998acc83fd27f1de64e0c9a68ad5c9209bc2bd2.dll

Signatures

Conti Ransomware

ransomware conti

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\ApproveSearch.tiff | C:\Windows\system32\regsvr32.exe | N/A
File renamed | C:\Users\Admin\Pictures\ApproveSearch.tiff => C:\Users\Admin\Pictures\ApproveSearch.tiff.B0fWd | C:\Windows\system32\regsvr32.exe | N/A
File renamed | C:\Users\Admin\Pictures\CheckpointOpen.crw => C:\Users\Admin\Pictures\CheckpointOpen.crw.B0fWd | C:\Windows\system32\regsvr32.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConvertFromWrite.raw => C:\Users\Admin\Pictures\ConvertFromWrite.raw.B0fWd | C:\Windows\system32\regsvr32.exe | N/A
File renamed | C:\Users\Admin\Pictures\RenameRedo.png => C:\Users\Admin\Pictures\RenameRedo.png.B0fWd | C:\Windows\system32\regsvr32.exe | N/A
File renamed | C:\Users\Admin\Pictures\SelectUnprotect.raw => C:\Users\Admin\Pictures\SelectUnprotect.raw.B0fWd | C:\Windows\system32\regsvr32.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnprotectResolve.raw => C:\Users\Admin\Pictures\UnprotectResolve.raw.B0fWd | C:\Windows\system32\regsvr32.exe | N/A
File renamed | C:\Users\Admin\Pictures\UpdateEdit.crw => C:\Users\Admin\Pictures\UpdateEdit.crw.B0fWd | C:\Windows\system32\regsvr32.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\conti.png" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\Wallpaper.jpg" | C:\Windows\system32\regsvr32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293236.WMF | C:\Windows\system32\regsvr32.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\readme.txt | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGNS.ICO | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\et.pak | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar | C:\Windows\system32\regsvr32.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\readme.txt | C:\Windows\system32\regsvr32.exe | N/A
File created | C:\Program Files\Mozilla Firefox\browser\features\readme.txt | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00737_.WMF | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SlateBlue.css | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIF | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187837.WMF | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216570.WMF | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\background.gif | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152688.WMF | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187829.WMF | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00132_.WMF | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10268_.GIF | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp | C:\Windows\system32\regsvr32.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\readme.txt | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert.css | C:\Windows\system32\regsvr32.exe | N/A
File created | C:\Program Files\Common Files\System\it-IT\readme.txt | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\CollectSignatures_Sign.xsn | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\CAGCAT10.MML | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\en-GB.pak | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESTS.ICO | C:\Windows\system32\regsvr32.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\readme.txt | C:\Windows\system32\regsvr32.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\readme.txt | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR11F.GIF | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDECL.ICO | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Juneau | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.DPV | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.WIH | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImagesMask.bmp | C:\Windows\system32\regsvr32.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\readme.txt | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MYSL.ICO | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\security\local_policy.jar | C:\Windows\system32\regsvr32.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\modules\readme.txt | C:\Windows\system32\regsvr32.exe | N/A
File created | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\readme.txt | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_K_COL.HXK | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\adovbs.inc | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTEAR.DPV | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\Logo.png | C:\Windows\system32\regsvr32.exe | N/A
File created | C:\Program Files (x86)\Common Files\System\es-ES\readme.txt | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB10.BDR | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15018_.GIF | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\OliveGreen.css | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187861.WMF | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00391_.WMF | C:\Windows\system32\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml | C:\Windows\system32\regsvr32.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1204 wrote to memory of 1460 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 1460 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 1460 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1460 wrote to memory of 960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1460 wrote to memory of 960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1460 wrote to memory of 960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 960 wrote to memory of 860 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 960 wrote to memory of 860 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 960 wrote to memory of 860 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1204 wrote to memory of 1152 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 1152 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 1152 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1152 wrote to memory of 1240 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1152 wrote to memory of 1240 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1152 wrote to memory of 1240 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1240 wrote to memory of 540 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1240 wrote to memory of 540 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1240 wrote to memory of 540 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1204 wrote to memory of 1468 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 1468 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 1468 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1468 wrote to memory of 1376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1468 wrote to memory of 1376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1376 wrote to memory of 1676 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1376 wrote to memory of 1676 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1376 wrote to memory of 1676 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1204 wrote to memory of 1348 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 1348 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 1348 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1348 wrote to memory of 980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1348 wrote to memory of 980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1348 wrote to memory of 980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 980 wrote to memory of 1536 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 980 wrote to memory of 1536 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 980 wrote to memory of 1536 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1204 wrote to memory of 288 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 288 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 288 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 288 wrote to memory of 1960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 288 wrote to memory of 1960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 288 wrote to memory of 1960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1960 wrote to memory of 1992 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1960 wrote to memory of 1992 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1960 wrote to memory of 1992 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1204 wrote to memory of 428 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 428 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 428 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 428 wrote to memory of 1948 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 428 wrote to memory of 1948 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 428 wrote to memory of 1948 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1948 wrote to memory of 1352 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1948 wrote to memory of 1352 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1948 wrote to memory of 1352 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1204 wrote to memory of 1936 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 1936 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 1936 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 1664 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1936 wrote to memory of 1664 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1936 wrote to memory of 1664 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1664 wrote to memory of 1836 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1664 wrote to memory of 1836 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1664 wrote to memory of 1836 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1204 wrote to memory of 1852 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bce72f157baf8064117c80e67998acc83fd27f1de64e0c9a68ad5c9209bc2bd2.dll

C:\Windows\system32\cmd.exe

cmd.exe /c net stop "SQLsafe Backup Service" /y

C:\Windows\system32\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop "SQLsafe Filter Service" /y

C:\Windows\system32\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSOLAP$SQL_2008 /y

C:\Windows\system32\net.exe

net stop MSOLAP$SQL_2008 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$BKUPEXEC /y

C:\Windows\system32\net.exe

net stop MSSQL$BKUPEXEC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$ECWDB2 /y

C:\Windows\system32\net.exe

net stop MSSQL$ECWDB2 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$PRACTICEMGT /y

C:\Windows\system32\net.exe

net stop MSSQL$PRACTICEMGT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$PRACTTICEBGC /y

C:\Windows\system32\net.exe

net stop MSSQL$PRACTTICEBGC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\system32\net.exe

net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$SBSMONITORING /y

C:\Windows\system32\net.exe

net stop MSSQL$SBSMONITORING /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$SHAREPOINT /y

C:\Windows\system32\net.exe

net stop MSSQL$SHAREPOINT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$SQL_2008 /y

C:\Windows\system32\net.exe

net stop MSSQL$SQL_2008 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$SYSTEM_BGC /y

C:\Windows\system32\net.exe

net stop MSSQL$SYSTEM_BGC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$TPS /y

C:\Windows\system32\net.exe

net stop MSSQL$TPS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$TPSAMA /y

C:\Windows\system32\net.exe

net stop MSSQL$TPSAMA /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\system32\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\system32\net.exe

net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQLSERVER /y

C:\Windows\system32\net.exe

net stop MSSQLSERVER /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop SQLBrowser /y

C:\Windows\system32\net.exe

net stop SQLBrowser /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop SQLWriter /y

C:\Windows\system32\net.exe

net stop SQLWriter /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter /y

Network

Country | Destination | Domain | Proto
N/A 10.127.255.84:445 tcp
N/A 10.127.255.85:445 tcp
N/A 10.127.255.86:445 tcp
N/A 10.127.255.87:445 tcp
N/A 10.127.255.88:445 tcp
N/A 10.127.255.89:445 tcp
N/A 10.127.255.90:445 tcp
N/A 10.127.255.91:445 tcp
N/A 10.127.255.92:445 tcp
N/A 10.127.255.93:445 tcp
N/A 10.127.255.94:445 tcp
N/A 10.127.255.95:445 tcp
N/A 10.127.255.96:445 tcp
N/A 10.127.255.97:445 tcp
N/A 10.127.255.98:445 tcp
N/A 10.127.255.99:445 tcp
N/A 10.127.255.100:445 tcp
N/A 10.127.255.101:445 tcp
N/A 10.127.255.102:445 tcp
N/A 10.127.255.103:445 tcp
N/A 10.127.255.104:445 tcp
N/A 10.127.255.105:445 tcp
N/A 10.127.255.106:445 tcp
N/A 10.127.255.107:445 tcp
N/A 10.127.255.108:445 tcp
N/A 10.127.255.109:445 tcp
N/A 10.127.255.130:445 tcp
N/A 10.127.255.131:445 tcp
N/A 10.127.255.110:445 tcp
N/A 10.127.255.129:445 tcp
N/A 10.127.255.123:445 tcp
N/A 10.127.255.125:445 tcp
N/A 10.127.255.114:445 tcp
N/A 10.127.255.119:445 tcp
N/A 10.127.255.127:445 tcp
N/A 10.127.255.113:445 tcp
N/A 10.127.255.116:445 tcp
N/A 10.127.255.111:445 tcp
N/A 10.127.255.121:445 tcp
N/A 10.127.255.112:445 tcp
N/A 10.127.255.128:445 tcp
N/A 10.127.255.117:445 tcp
N/A 10.127.255.118:445 tcp
N/A 10.127.255.120:445 tcp
N/A 10.127.255.122:445 tcp
N/A 10.127.255.115:445 tcp
N/A 10.127.255.126:445 tcp
N/A 10.127.255.124:445 tcp
N/A 10.127.255.158:445 tcp
N/A 10.127.255.160:445 tcp
N/A 10.127.255.183:445 tcp
N/A 10.127.255.132:445 tcp
N/A 10.127.255.154:445 tcp
N/A 10.127.255.168:445 tcp
N/A 10.127.255.177:445 tcp
N/A 10.127.255.181:445 tcp
N/A 10.127.255.141:445 tcp
N/A 10.127.255.155:445 tcp
N/A 10.127.255.172:445 tcp
N/A 10.127.255.166:445 tcp
N/A 10.127.255.179:445 tcp
N/A 10.127.255.195:445 tcp
N/A 10.127.255.133:445 tcp
N/A 10.127.255.134:445 tcp
N/A 10.127.255.135:445 tcp
N/A 10.127.255.136:445 tcp
N/A 10.127.255.137:445 tcp
N/A 10.127.255.138:445 tcp
N/A 10.127.255.139:445 tcp
N/A 10.127.255.140:445 tcp
N/A 10.127.255.142:445 tcp
N/A 10.127.255.143:445 tcp
N/A 10.127.255.144:445 tcp
N/A 10.127.255.145:445 tcp
N/A 10.127.255.146:445 tcp
N/A 10.127.255.147:445 tcp
N/A 10.127.255.148:445 tcp
N/A 10.127.255.149:445 tcp
N/A 10.127.255.150:445 tcp
N/A 10.127.255.151:445 tcp
N/A 10.127.255.152:445 tcp
N/A 10.127.255.153:445 tcp
N/A 10.127.255.156:445 tcp
N/A 10.127.255.157:445 tcp
N/A 10.127.255.159:445 tcp
N/A 10.127.255.161:445 tcp
N/A 10.127.255.162:445 tcp
N/A 10.127.255.163:445 tcp
N/A 10.127.255.164:445 tcp
N/A 10.127.255.165:445 tcp
N/A 10.127.255.167:445 tcp
N/A 10.127.255.169:445 tcp
N/A 10.127.255.170:445 tcp
N/A 10.127.255.171:445 tcp
N/A 10.127.255.173:445 tcp
N/A 10.127.255.174:445 tcp
N/A 10.127.255.175:445 tcp
N/A 10.127.255.176:445 tcp
N/A 10.127.255.178:445 tcp
N/A 10.127.255.180:445 tcp
N/A 10.127.255.182:445 tcp
N/A 10.127.255.184:445 tcp
N/A 10.127.255.185:445 tcp
N/A 10.127.255.186:445 tcp
N/A 10.127.255.187:445 tcp
N/A 10.127.255.188:445 tcp
N/A 10.127.255.189:445 tcp
N/A 10.127.255.190:445 tcp
N/A 10.127.255.191:445 tcp
N/A 10.127.255.192:445 tcp
N/A 10.127.255.193:445 tcp
N/A 10.127.255.194:445 tcp
N/A 10.127.255.196:445 tcp
N/A 10.127.255.197:445 tcp
N/A 10.127.255.198:445 tcp
N/A 10.127.255.199:445 tcp
N/A 10.127.255.200:445 tcp
N/A 10.127.255.201:445 tcp
N/A 10.127.255.202:445 tcp
N/A 10.127.255.203:445 tcp
N/A 10.127.255.204:445 tcp
N/A 10.127.255.205:445 tcp
N/A 10.127.255.206:445 tcp
N/A 10.127.255.207:445 tcp
N/A 10.127.255.208:445 tcp
N/A 10.127.255.209:445 tcp
N/A 10.127.255.210:445 tcp
N/A 10.127.255.211:445 tcp
N/A 10.127.255.212:445 tcp
N/A 10.127.255.213:445 tcp
N/A 10.127.255.214:445 tcp
N/A 10.127.255.215:445 tcp
N/A 10.127.255.216:445 tcp
N/A 10.127.255.217:445 tcp
N/A 10.127.255.218:445 tcp
N/A 10.127.255.219:445 tcp
N/A 10.127.255.220:445 tcp
N/A 10.127.255.221:445 tcp
N/A 10.127.255.222:445 tcp
N/A 10.127.255.223:445 tcp
N/A 10.127.255.224:445 tcp
N/A 10.127.255.225:445 tcp
N/A 10.127.255.226:445 tcp
N/A 10.127.255.227:445 tcp
N/A 10.127.255.228:445 tcp
N/A 10.127.255.229:445 tcp
N/A 10.127.255.230:445 tcp
N/A 10.127.255.231:445 tcp
N/A 10.127.255.232:445 tcp
N/A 10.127.255.233:445 tcp
N/A 10.127.255.234:445 tcp
N/A 10.127.255.235:445 tcp
N/A 10.127.255.236:445 tcp
N/A 10.127.255.237:445 tcp
N/A 10.127.255.238:445 tcp
N/A 10.127.255.239:445 tcp
N/A 10.127.255.240:445 tcp
N/A 10.127.255.241:445 tcp
N/A 10.127.255.242:445 tcp
N/A 10.127.255.243:445 tcp
N/A 10.127.255.244:445 tcp
N/A 10.127.255.245:445 tcp
N/A 10.127.255.246:445 tcp
N/A 10.127.255.247:445 tcp
N/A 10.127.255.248:445 tcp
N/A 10.127.255.249:445 tcp
N/A 10.127.255.250:445 tcp
N/A 10.127.255.251:445 tcp
N/A 10.127.255.252:445 tcp
N/A 10.127.255.253:445 tcp
N/A 10.127.255.254:445 tcp

Files

memory/1204-54-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-01 21:04

Reported

2022-03-01 21:09

Platform

win10v2004-en-20220112

Max time kernel

137s

Max time network

116s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bce72f157baf8064117c80e67998acc83fd27f1de64e0c9a68ad5c9209bc2bd2.dll

Signatures

Conti Ransomware

ransomware conti

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ImportPublish.crw => C:\Users\Admin\Pictures\ImportPublish.crw.B0fWd C:\Windows\system32\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\RestoreEnter.crw => C:\Users\Admin\Pictures\RestoreEnter.crw.B0fWd C:\Windows\system32\regsvr32.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt C:\Windows\system32\regsvr32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\conti.png" C:\Windows\system32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\my\readme.txt C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\uz\readme.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\nashorn.jar C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNG C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_replace_signer_18.svg C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_radio_unselected_18.svg C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\readme.txt C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-sl\readme.txt C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\readme.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\readme.txt C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\readme.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Wordcnvpxy.cnv C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\th-TH\readme.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\plugin.js C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\readme.txt C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\TextConv\en-US\readme.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\Logo.png.DATA C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\EE65D8FF-D437-4FAB-B3BC-C1431E48AD1A\root\readme.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\NEWS.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\readme.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_patterns_header.png C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\readme.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected-hover.svg C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ui-strings.js C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_ES.LEX C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\readme.txt C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\readme.txt C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\readme.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\readme.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\ui-strings.js C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nl-nl\ui-strings.js C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\javafx.properties C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\readme.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pt-br_get.svg C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\readme.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-ms C:\Windows\system32\regsvr32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\readme.txt C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_link_18.svg C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml C:\Windows\system32\regsvr32.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1088 wrote to memory of 3216 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 3216 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 3216 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3216 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1128 wrote to memory of 4080 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1128 wrote to memory of 4080 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1088 wrote to memory of 3904 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 3904 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 3904 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3904 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2028 wrote to memory of 1004 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2028 wrote to memory of 1004 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1088 wrote to memory of 648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 648 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 648 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 776 wrote to memory of 3144 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 776 wrote to memory of 3144 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1088 wrote to memory of 2396 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 2396 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 2396 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2396 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2532 wrote to memory of 2596 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2532 wrote to memory of 2596 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1088 wrote to memory of 2376 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 2376 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 2376 wrote to memory of 1272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2376 wrote to memory of 1272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1272 wrote to memory of 820 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1272 wrote to memory of 820 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1088 wrote to memory of 2724 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 2724 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 2724 wrote to memory of 1320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2724 wrote to memory of 1320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1320 wrote to memory of 3024 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1320 wrote to memory of 3024 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1088 wrote to memory of 1900 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 1900 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 1900 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1900 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3284 wrote to memory of 768 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3284 wrote to memory of 768 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1088 wrote to memory of 2060 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 2060 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 2060 wrote to memory of 3496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2060 wrote to memory of 3496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3496 wrote to memory of 3160 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3496 wrote to memory of 3160 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1088 wrote to memory of 3192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 3192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 3192 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3192 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2992 wrote to memory of 3696 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2992 wrote to memory of 3696 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1088 wrote to memory of 3464 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 3464 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 3464 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3464 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2872 wrote to memory of 2312 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2872 wrote to memory of 2312 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1088 wrote to memory of 428 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 428 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\cmd.exe
PID 428 wrote to memory of 652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 428 wrote to memory of 652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bce72f157baf8064117c80e67998acc83fd27f1de64e0c9a68ad5c9209bc2bd2.dll

C:\Windows\system32\cmd.exe

cmd.exe /c net stop "SQLsafe Backup Service" /y

C:\Windows\system32\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop "SQLsafe Filter Service" /y

C:\Windows\system32\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSOLAP$SQL_2008 /y

C:\Windows\system32\net.exe

net stop MSOLAP$SQL_2008 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$BKUPEXEC /y

C:\Windows\system32\net.exe

net stop MSSQL$BKUPEXEC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$ECWDB2 /y

C:\Windows\system32\net.exe

net stop MSSQL$ECWDB2 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$PRACTICEMGT /y

C:\Windows\system32\net.exe

net stop MSSQL$PRACTICEMGT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$PRACTTICEBGC /y

C:\Windows\system32\net.exe

net stop MSSQL$PRACTTICEBGC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\system32\net.exe

net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$SBSMONITORING /y

C:\Windows\system32\net.exe

net stop MSSQL$SBSMONITORING /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$SHAREPOINT /y

C:\Windows\system32\net.exe

net stop MSSQL$SHAREPOINT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$SQL_2008 /y

C:\Windows\system32\net.exe

net stop MSSQL$SQL_2008 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$SYSTEM_BGC /y

C:\Windows\system32\net.exe

net stop MSSQL$SYSTEM_BGC /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$TPS /y

C:\Windows\system32\net.exe

net stop MSSQL$TPS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$TPSAMA /y

C:\Windows\system32\net.exe

net stop MSSQL$TPSAMA /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\system32\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\system32\net.exe

net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop MSSQLSERVER /y

C:\Windows\system32\net.exe

net stop MSSQLSERVER /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop SQLBrowser /y

C:\Windows\system32\net.exe

net stop SQLBrowser /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop SQLWriter /y

C:\Windows\system32\net.exe

net stop SQLWriter /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter /y

Network

Country Destination Domain Proto
NL 104.80.224.57:443 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.254:445 tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
IE 51.104.167.48:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv601.prod.do.dsp.mp.microsoft.com udp
NL 104.74.226.34:443 kv601.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp601.prod.do.dsp.mp.microsoft.com udp
NL 104.74.226.34:443 cp601.prod.do.dsp.mp.microsoft.com tcp
NL 104.74.226.34:443 cp601.prod.do.dsp.mp.microsoft.com tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
N/A 10.127.255.59:445 tcp
N/A 10.127.255.33:445 tcp
N/A 10.127.255.10:445 tcp
N/A 10.127.255.23:445 tcp
N/A 10.127.255.18:445 tcp
N/A 10.127.255.25:445 tcp
N/A 10.127.255.28:445 tcp
N/A 10.127.255.22:445 tcp
N/A 10.127.255.2:445 tcp
N/A 10.127.255.20:445 tcp
N/A 10.127.255.52:445 tcp
N/A 10.127.255.11:445 tcp
N/A 10.127.255.58:445 tcp
N/A 10.127.255.46:445 tcp
N/A 10.127.255.50:445 tcp
N/A 10.127.255.8:445 tcp
N/A 10.127.255.32:445 tcp
N/A 10.127.255.61:445 tcp
N/A 10.127.255.24:445 tcp
N/A 10.127.255.39:445 tcp
N/A 10.127.255.1:445 tcp
N/A 10.127.255.60:445 tcp
N/A 10.127.255.19:445 tcp
N/A 10.127.255.5:445 tcp
N/A 10.127.255.26:445 tcp
N/A 10.127.255.63:445 tcp
N/A 10.127.255.21:445 tcp
N/A 10.127.255.56:445 tcp
N/A 10.127.255.3:445 tcp
N/A 10.127.255.7:445 tcp
N/A 10.127.255.145:445 tcp
N/A 10.127.255.9:445 tcp
N/A 10.127.255.42:445 tcp
N/A 10.127.255.57:445 tcp
N/A 10.127.255.17:445 tcp
N/A 10.127.255.15:445 tcp
N/A 10.127.255.48:445 tcp
N/A 10.127.255.38:445 tcp
N/A 10.127.255.53:445 tcp
N/A 10.127.255.0:445 tcp
N/A 10.127.255.47:445 tcp
N/A 10.127.255.14:445 tcp
N/A 10.127.255.45:445 tcp
N/A 10.127.255.30:445 tcp
N/A 10.127.255.55:445 tcp
N/A 10.127.255.64:445 tcp
N/A 10.127.255.206:445 tcp
N/A 10.127.255.40:445 tcp
N/A 10.127.255.27:445 tcp
N/A 10.127.255.41:445 tcp
N/A 10.127.255.49:445 tcp
N/A 10.127.255.37:445 tcp
N/A 10.127.255.4:445 tcp
N/A 10.127.255.31:445 tcp
N/A 10.127.255.36:445 tcp
N/A 10.127.255.16:445 tcp
N/A 10.127.255.43:445 tcp
N/A 10.127.255.12:445 tcp
N/A 10.127.255.34:445 tcp
N/A 10.127.255.44:445 tcp
N/A 10.127.255.62:445 tcp
N/A 10.127.255.13:445 tcp
N/A 10.127.255.54:445 tcp
N/A 10.127.255.29:445 tcp
N/A 10.127.255.6:445 tcp
N/A 10.127.255.51:445 tcp
N/A 10.127.255.35:445 tcp
N/A 10.127.255.105:445 tcp
N/A 10.127.255.126:445 tcp
N/A 10.127.255.79:445 tcp
N/A 10.127.255.107:445 tcp
N/A 10.127.255.71:445 tcp
N/A 10.127.255.67:445 tcp
N/A 10.127.255.92:445 tcp
N/A 10.127.255.110:445 tcp
N/A 10.127.255.109:445 tcp
N/A 10.127.255.108:445 tcp
N/A 10.127.255.85:445 tcp
N/A 10.127.255.101:445 tcp
N/A 10.127.255.91:445 tcp
N/A 10.127.255.100:445 tcp
N/A 10.127.255.119:445 tcp
N/A 10.127.255.118:445 tcp
N/A 10.127.255.116:445 tcp
N/A 10.127.255.102:445 tcp
N/A 10.127.255.128:445 tcp
N/A 10.127.255.84:445 tcp
N/A 10.127.255.82:445 tcp
N/A 10.127.255.124:445 tcp
N/A 10.127.255.77:445 tcp
N/A 10.127.255.99:445 tcp
N/A 10.127.255.80:445 tcp
N/A 10.127.255.95:445 tcp
N/A 10.127.255.97:445 tcp
N/A 10.127.255.113:445 tcp
N/A 10.127.255.74:445 tcp
N/A 10.127.255.94:445 tcp
N/A 10.127.255.78:445 tcp
N/A 10.127.255.120:445 tcp
N/A 10.127.255.89:445 tcp
N/A 10.127.255.90:445 tcp
N/A 10.127.255.65:445 tcp
N/A 10.127.255.68:445 tcp
N/A 10.127.255.104:445 tcp
N/A 10.127.255.75:445 tcp
N/A 10.127.255.112:445 tcp
N/A 10.127.255.117:445 tcp
N/A 10.127.255.72:445 tcp
N/A 10.127.255.129:445 tcp
N/A 10.127.255.96:445 tcp
N/A 10.127.255.114:445 tcp
N/A 10.127.255.76:445 tcp
N/A 10.127.255.66:445 tcp
N/A 10.127.255.69:445 tcp
N/A 10.127.255.70:445 tcp
N/A 10.127.255.73:445 tcp
N/A 10.127.255.81:445 tcp
N/A 10.127.255.83:445 tcp
N/A 10.127.255.86:445 tcp
N/A 10.127.255.87:445 tcp
N/A 10.127.255.88:445 tcp
N/A 10.127.255.93:445 tcp
N/A 10.127.255.98:445 tcp
N/A 10.127.255.103:445 tcp
N/A 10.127.255.106:445 tcp
N/A 10.127.255.111:445 tcp
N/A 10.127.255.115:445 tcp
N/A 10.127.255.121:445 tcp
N/A 10.127.255.122:445 tcp
N/A 10.127.255.123:445 tcp
N/A 10.127.255.125:445 tcp
N/A 10.127.255.127:445 tcp
N/A 10.127.255.130:445 tcp
N/A 10.127.255.131:445 tcp
N/A 10.127.255.132:445 tcp
N/A 10.127.255.133:445 tcp
N/A 10.127.255.134:445 tcp
N/A 10.127.255.135:445 tcp
N/A 10.127.255.136:445 tcp
N/A 10.127.255.137:445 tcp
N/A 10.127.255.138:445 tcp
N/A 10.127.255.139:445 tcp
N/A 10.127.255.140:445 tcp
N/A 10.127.255.141:445 tcp
N/A 10.127.255.142:445 tcp
N/A 10.127.255.143:445 tcp
N/A 10.127.255.144:445 tcp
N/A 10.127.255.146:445 tcp
N/A 10.127.255.147:445 tcp
N/A 10.127.255.148:445 tcp
N/A 10.127.255.149:445 tcp
N/A 10.127.255.150:445 tcp
N/A 10.127.255.151:445 tcp
N/A 10.127.255.152:445 tcp
N/A 10.127.255.153:445 tcp
N/A 10.127.255.154:445 tcp
N/A 10.127.255.155:445 tcp
N/A 10.127.255.156:445 tcp
N/A 10.127.255.157:445 tcp
N/A 10.127.255.158:445 tcp
N/A 10.127.255.159:445 tcp
N/A 10.127.255.160:445 tcp
N/A 10.127.255.161:445 tcp
N/A 10.127.255.162:445 tcp
N/A 10.127.255.163:445 tcp
N/A 10.127.255.164:445 tcp
N/A 10.127.255.165:445 tcp
N/A 10.127.255.166:445 tcp
N/A 10.127.255.167:445 tcp
N/A 10.127.255.168:445 tcp
N/A 10.127.255.169:445 tcp
N/A 10.127.255.170:445 tcp
N/A 10.127.255.171:445 tcp
N/A 10.127.255.172:445 tcp
N/A 10.127.255.173:445 tcp
N/A 10.127.255.174:445 tcp
N/A 10.127.255.175:445 tcp
N/A 10.127.255.176:445 tcp
N/A 10.127.255.177:445 tcp
N/A 10.127.255.178:445 tcp
N/A 10.127.255.179:445 tcp
N/A 10.127.255.180:445 tcp
N/A 10.127.255.181:445 tcp
N/A 10.127.255.182:445 tcp
N/A 10.127.255.183:445 tcp
N/A 10.127.255.184:445 tcp
N/A 10.127.255.185:445 tcp
N/A 10.127.255.186:445 tcp
N/A 10.127.255.187:445 tcp
N/A 10.127.255.188:445 tcp
N/A 10.127.255.189:445 tcp
N/A 10.127.255.190:445 tcp
N/A 10.127.255.191:445 tcp
N/A 10.127.255.192:445 tcp
N/A 10.127.255.193:445 tcp
N/A 10.127.255.194:445 tcp
N/A 10.127.255.195:445 tcp
N/A 10.127.255.196:445 tcp
N/A 10.127.255.197:445 tcp
N/A 10.127.255.198:445 tcp
N/A 10.127.255.199:445 tcp
N/A 10.127.255.200:445 tcp
N/A 10.127.255.201:445 tcp
N/A 10.127.255.202:445 tcp
N/A 10.127.255.203:445 tcp
N/A 10.127.255.204:445 tcp
N/A 10.127.255.205:445 tcp
N/A 10.127.255.207:445 tcp
N/A 10.127.255.208:445 tcp
N/A 10.127.255.209:445 tcp
N/A 10.127.255.210:445 tcp
N/A 10.127.255.211:445 tcp
N/A 10.127.255.212:445 tcp
N/A 10.127.255.213:445 tcp
N/A 10.127.255.214:445 tcp
N/A 10.127.255.215:445 tcp
N/A 10.127.255.216:445 tcp
N/A 10.127.255.217:445 tcp
N/A 10.127.255.218:445 tcp
N/A 10.127.255.219:445 tcp
N/A 10.127.255.220:445 tcp
N/A 10.127.255.221:445 tcp
N/A 10.127.255.222:445 tcp
N/A 10.127.255.223:445 tcp
N/A 10.127.255.224:445 tcp
N/A 10.127.255.225:445 tcp
N/A 10.127.255.226:445 tcp
N/A 10.127.255.227:445 tcp
N/A 10.127.255.228:445 tcp
N/A 10.127.255.229:445 tcp
N/A 10.127.255.230:445 tcp
N/A 10.127.255.231:445 tcp
N/A 10.127.255.232:445 tcp
N/A 10.127.255.233:445 tcp
N/A 10.127.255.234:445 tcp
N/A 10.127.255.235:445 tcp
N/A 10.127.255.236:445 tcp
N/A 10.127.255.237:445 tcp
N/A 10.127.255.238:445 tcp
N/A 10.127.255.239:445 tcp
N/A 10.127.255.240:445 tcp
N/A 10.127.255.241:445 tcp
N/A 10.127.255.242:445 tcp
N/A 10.127.255.243:445 tcp
N/A 10.127.255.244:445 tcp
N/A 10.127.255.245:445 tcp
N/A 10.127.255.246:445 tcp
N/A 10.127.255.247:445 tcp
N/A 10.127.255.248:445 tcp
N/A 10.127.255.249:445 tcp
N/A 10.127.255.250:445 tcp
N/A 10.127.255.251:445 tcp
N/A 10.127.255.252:445 tcp
N/A 10.127.255.253:445 tcp
N/A 10.127.255.254:445 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
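Every 10.127.x.x destination above is RFC 1918 address space inside the sandbox network: the sample contacted TCP/445 on host addresses across two /24 ranges in turn, which is consistent with SMB host and share discovery ahead of encrypting network shares. The public destinations with a domain are Microsoft update and telemetry hosts; a few addresses (104.80.224.57:443, 204.79.197.200:443, 13.107.4.50:80) have no domain attributed in the table, and this report alone does not establish whether any of them is command-and-control. As an added example that is not part of the report, the following parses rows in the table's own format (constructed sample rows, including two generated sweeps; the /24 grouping and the 32-host threshold are assumptions), summarises the port-445 fan-out per network and lists the non-private destinations separately.

```python
import ipaddress
import re
from collections import defaultdict

# One row of the report's Network table: "<country> <ipv4>:<port> [<domain>] <proto>".
# The Domain column is empty where the table attributed no name to the address.
ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_network_row(line):
    """Parse a Network-table row into a dict, or return None for lines that are not rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"country": d["country"], "ip": ipaddress.ip_address(d["ip"]),
            "port": int(d["port"]), "domain": d["domain"], "proto": d["proto"]}


def smb_sweeps(rows, prefix=24, min_hosts=32):
    """Group TCP/445 destinations by /prefix network and return (network, distinct hosts,
    addresses in network) for every network where the sweep reaches min_hosts."""
    hosts = defaultdict(set)
    for r in rows:
        if r and r["proto"] == "tcp" and r["port"] == 445:
            net = ipaddress.ip_network(f"{r['ip']}/{prefix}", strict=False)
            hosts[net].add(r["ip"])
    return sorted((str(net), len(hs), net.num_addresses)
                  for net, hs in hosts.items() if len(hs) >= min_hosts)


def external_destinations(rows):
    """Destinations outside private address space, deduplicated; domain is None where the
    table attributed none. Separates candidate C2 from the sandbox's own internal traffic."""
    out = {(str(r["ip"]), r["port"], r["domain"]) for r in rows if r and not r["ip"].is_private}
    return sorted(out, key=lambda t: (t[0], t[1], t[2] or ""))


# Constructed sample rows in the report's format (not the report's own data): a full
# sweep of 10.127.0.0/24 (.0 to .254), a partial sweep of 10.127.255.0/24, and a few
# external rows shaped like the ones in the table.
SAMPLE_ROWS = (
    ["NL 104.80.224.57:443 tcp"]
    + [f"N/A 10.127.0.{i}:445 tcp" for i in range(255)]
    + ["US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp",
       "IE 51.104.167.48:443 geo.prod.do.dsp.mp.microsoft.com tcp"]
    + [f"N/A 10.127.255.{i}:445 tcp" for i in range(64)]
    + ["US 13.107.4.50:80 tcp"]
)

if __name__ == "__main__":
    parsed = [parse_network_row(line) for line in SAMPLE_ROWS]
    for net, seen, total in smb_sweeps(parsed):
        print(f"SMB sweep of {net}: {seen} of {total} addresses contacted on tcp/445")
    for ip, port, domain in external_destinations(parsed):
        print(f"external: {ip}:{port} {domain or '(no domain attributed)'}")
```

Run against the full table rather than the sample, the sweep summary is what turns several hundred rows into one statement of intent (two /24 ranges enumerated on 445), and the external list is the short set of addresses worth checking against threat intelligence.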

Files

N/A