Malware Analysis Report

2024-10-16 03:17

Sample ID 220304-sj455agfhl
Target fca8d48afa7e5535fb71fd22225e86602d47dcfa5a4924fcbc33aecd9c945847
SHA256 fca8d48afa7e5535fb71fd22225e86602d47dcfa5a4924fcbc33aecd9c945847
Tags
conti ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fca8d48afa7e5535fb71fd22225e86602d47dcfa5a4924fcbc33aecd9c945847

Threat Level: Known bad

The file fca8d48afa7e5535fb71fd22225e86602d47dcfa5a4924fcbc33aecd9c945847 was found to be: Known bad.

Malicious Activity Summary

conti ransomware

Conti Ransomware

Modifies extensions of user files

Drops startup file

Sets desktop wallpaper using registry

Drops file in Program Files directory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-04 15:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-04 15:10

Reported

2022-03-04 15:12

Platform

win7-20220223-en

Max time kernel

4294211s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fca8d48afa7e5535fb71fd22225e86602d47dcfa5a4924fcbc33aecd9c945847.dll

Signatures

Conti Ransomware

ransomware conti

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ConvertFromUnlock.raw => C:\Users\Admin\Pictures\ConvertFromUnlock.raw.fgM9X C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\DisableConfirm.png => C:\Users\Admin\Pictures\DisableConfirm.png.fgM9X C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\ImportExport.png => C:\Users\Admin\Pictures\ImportExport.png.fgM9X C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\MoveResume.raw => C:\Users\Admin\Pictures\MoveResume.raw.fgM9X C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\RegisterSuspend.tif => C:\Users\Admin\Pictures\RegisterSuspend.tif.fgM9X C:\Windows\SysWOW64\regsvr32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\conti.png" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\Wallpaper.jpg" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296277.WMF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\HST C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\Logo.png C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107514.WMF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Paper.eftx C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\handler.reg C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.ELM C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00633_.WMF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Adelaide C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Broken_Hill C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Jujuy C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15156_.GIF C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\es.pak C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\DVD Maker\offset.ax C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Updater6\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\DELETE.GIF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Tirane C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Zurich C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR33F.GIF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4B.GIF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN089.XML C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18197_.WMF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\vi.pak C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00544_.WMF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Majuro C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\Hierarchy.xsl C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SlateBlue.css C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099198.GIF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186348.WMF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1036\MSO.ACL C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR21F.GIF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107496.WMF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303 C:\Windows\SysWOW64\regsvr32.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1128 wrote to memory of 1152 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1128 wrote to memory of 1152 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1128 wrote to memory of 1152 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1128 wrote to memory of 1152 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1128 wrote to memory of 1152 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1128 wrote to memory of 1152 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1128 wrote to memory of 1152 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fca8d48afa7e5535fb71fd22225e86602d47dcfa5a4924fcbc33aecd9c945847.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\fca8d48afa7e5535fb71fd22225e86602d47dcfa5a4924fcbc33aecd9c945847.dll

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe"

C:\Windows\System32\taskmgr.exe

"C:\Windows\System32\taskmgr.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.txt

Network

Country Destination Domain Proto
N/A 10.127.0.1:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.255.28:445 tcp
N/A 10.127.255.21:445 tcp
N/A 10.127.255.57:445 tcp
N/A 10.127.255.37:445 tcp
N/A 10.127.255.48:445 tcp
N/A 10.127.255.25:445 tcp
N/A 10.127.255.35:445 tcp
N/A 10.127.255.42:445 tcp
N/A 10.127.255.12:445 tcp
N/A 10.127.255.10:445 tcp
N/A 10.127.255.30:445 tcp
N/A 10.127.255.39:445 tcp
N/A 10.127.255.1:445 tcp
N/A 10.127.255.45:445 tcp
N/A 10.127.255.6:445 tcp
N/A 10.127.255.3:445 tcp
N/A 10.127.255.36:445 tcp
N/A 10.127.255.51:445 tcp
N/A 10.127.255.7:445 tcp
N/A 10.127.255.13:445 tcp
N/A 10.127.255.22:445 tcp
N/A 10.127.255.31:445 tcp
N/A 10.127.255.46:445 tcp
N/A 10.127.255.34:445 tcp
N/A 10.127.255.5:445 tcp
N/A 10.127.255.54:445 tcp
N/A 10.127.255.43:445 tcp
N/A 10.127.255.50:445 tcp
N/A 10.127.255.60:445 tcp
N/A 10.127.255.62:445 tcp
N/A 10.127.255.47:445 tcp
N/A 10.127.255.15:445 tcp
N/A 10.127.255.52:445 tcp
N/A 10.127.255.19:445 tcp
N/A 10.127.255.2:445 tcp
N/A 10.127.255.4:445 tcp
N/A 10.127.255.17:445 tcp
N/A 10.127.255.16:445 tcp
N/A 10.127.255.56:445 tcp
N/A 10.127.255.40:445 tcp
N/A 10.127.255.20:445 tcp
N/A 10.127.255.32:445 tcp
N/A 10.127.255.58:445 tcp
N/A 10.127.255.26:445 tcp
N/A 10.127.255.44:445 tcp
N/A 10.127.255.55:445 tcp
N/A 10.127.255.33:445 tcp
N/A 10.127.255.8:445 tcp
N/A 10.127.255.59:445 tcp
N/A 10.127.255.64:445 tcp
N/A 10.127.255.27:445 tcp
N/A 10.127.255.41:445 tcp
N/A 10.127.255.49:445 tcp
N/A 10.127.255.18:445 tcp
N/A 10.127.255.38:445 tcp
N/A 10.127.255.11:445 tcp
N/A 10.127.255.61:445 tcp
N/A 10.127.255.0:445 tcp
N/A 10.127.255.9:445 tcp
N/A 10.127.255.29:445 tcp
N/A 10.127.255.53:445 tcp
N/A 10.127.255.14:445 tcp
N/A 10.127.255.23:445 tcp
N/A 10.127.255.63:445 tcp
N/A 10.127.255.24:445 tcp
N/A 10.127.255.112:445 tcp
N/A 10.127.255.116:445 tcp
N/A 10.127.255.103:445 tcp
N/A 10.127.255.113:445 tcp
N/A 10.127.255.83:445 tcp
N/A 10.127.255.100:445 tcp
N/A 10.127.255.106:445 tcp
N/A 10.127.255.89:445 tcp
N/A 10.127.255.107:445 tcp
N/A 10.127.255.65:445 tcp
N/A 10.127.255.111:445 tcp
N/A 10.127.255.130:445 tcp
N/A 10.127.255.110:445 tcp
N/A 10.127.255.108:445 tcp
N/A 10.127.255.121:445 tcp
N/A 10.127.255.119:445 tcp
N/A 10.127.255.79:445 tcp
N/A 10.127.255.98:445 tcp
N/A 10.127.255.128:445 tcp
N/A 10.127.255.129:445 tcp
N/A 10.127.255.71:445 tcp
N/A 10.127.255.67:445 tcp
N/A 10.127.255.118:445 tcp
N/A 10.127.255.90:445 tcp
N/A 10.127.255.70:445 tcp
N/A 10.127.255.66:445 tcp
N/A 10.127.255.68:445 tcp
N/A 10.127.255.69:445 tcp
N/A 10.127.255.72:445 tcp
N/A 10.127.255.73:445 tcp
N/A 10.127.255.74:445 tcp
N/A 10.127.255.75:445 tcp
N/A 10.127.255.76:445 tcp
N/A 10.127.255.77:445 tcp
N/A 10.127.255.78:445 tcp
N/A 10.127.255.80:445 tcp
N/A 10.127.255.81:445 tcp
N/A 10.127.255.82:445 tcp
N/A 10.127.255.84:445 tcp
N/A 10.127.255.85:445 tcp
N/A 10.127.255.86:445 tcp
N/A 10.127.255.87:445 tcp
N/A 10.127.255.88:445 tcp
N/A 10.127.255.91:445 tcp
N/A 10.127.255.92:445 tcp
N/A 10.127.255.93:445 tcp
N/A 10.127.255.94:445 tcp
N/A 10.127.255.95:445 tcp
N/A 10.127.255.96:445 tcp
N/A 10.127.255.97:445 tcp
N/A 10.127.255.99:445 tcp
N/A 10.127.255.101:445 tcp
N/A 10.127.255.102:445 tcp
N/A 10.127.255.104:445 tcp
N/A 10.127.255.105:445 tcp
N/A 10.127.255.109:445 tcp
N/A 10.127.255.114:445 tcp
N/A 10.127.255.115:445 tcp
N/A 10.127.255.117:445 tcp
N/A 10.127.255.120:445 tcp
N/A 10.127.255.122:445 tcp
N/A 10.127.255.123:445 tcp
N/A 10.127.255.124:445 tcp
N/A 10.127.255.125:445 tcp
N/A 10.127.255.126:445 tcp
N/A 10.127.255.127:445 tcp
N/A 10.127.255.131:445 tcp
N/A 10.127.255.132:445 tcp
N/A 10.127.255.133:445 tcp
N/A 10.127.255.134:445 tcp
N/A 10.127.255.135:445 tcp
N/A 10.127.255.136:445 tcp
N/A 10.127.255.137:445 tcp
N/A 10.127.255.138:445 tcp
N/A 10.127.255.139:445 tcp
N/A 10.127.255.140:445 tcp
N/A 10.127.255.141:445 tcp
N/A 10.127.255.142:445 tcp
N/A 10.127.255.143:445 tcp
N/A 10.127.255.144:445 tcp
N/A 10.127.255.145:445 tcp
N/A 10.127.255.146:445 tcp
N/A 10.127.255.147:445 tcp
N/A 10.127.255.148:445 tcp
N/A 10.127.255.149:445 tcp
N/A 10.127.255.150:445 tcp
N/A 10.127.255.151:445 tcp
N/A 10.127.255.152:445 tcp
N/A 10.127.255.153:445 tcp
N/A 10.127.255.154:445 tcp
N/A 10.127.255.155:445 tcp
N/A 10.127.255.156:445 tcp
N/A 10.127.255.157:445 tcp
N/A 10.127.255.158:445 tcp
N/A 10.127.255.159:445 tcp
N/A 10.127.255.160:445 tcp
N/A 10.127.255.161:445 tcp
N/A 10.127.255.162:445 tcp
N/A 10.127.255.163:445 tcp
N/A 10.127.255.164:445 tcp
N/A 10.127.255.165:445 tcp
N/A 10.127.255.166:445 tcp
N/A 10.127.255.167:445 tcp
N/A 10.127.255.168:445 tcp
N/A 10.127.255.169:445 tcp
N/A 10.127.255.170:445 tcp
N/A 10.127.255.171:445 tcp
N/A 10.127.255.172:445 tcp
N/A 10.127.255.173:445 tcp
N/A 10.127.255.174:445 tcp
N/A 10.127.255.175:445 tcp
N/A 10.127.255.176:445 tcp
N/A 10.127.255.177:445 tcp
N/A 10.127.255.178:445 tcp
N/A 10.127.255.179:445 tcp
N/A 10.127.255.180:445 tcp
N/A 10.127.255.181:445 tcp
N/A 10.127.255.182:445 tcp
N/A 10.127.255.183:445 tcp
N/A 10.127.255.184:445 tcp
N/A 10.127.255.185:445 tcp
N/A 10.127.255.186:445 tcp
N/A 10.127.255.187:445 tcp
N/A 10.127.255.188:445 tcp
N/A 10.127.255.189:445 tcp
N/A 10.127.255.190:445 tcp
N/A 10.127.255.191:445 tcp
N/A 10.127.255.192:445 tcp
N/A 10.127.255.193:445 tcp
N/A 10.127.255.194:445 tcp
N/A 10.127.255.195:445 tcp
N/A 10.127.255.196:445 tcp
N/A 10.127.255.197:445 tcp
N/A 10.127.255.198:445 tcp
N/A 10.127.255.199:445 tcp
N/A 10.127.255.200:445 tcp
N/A 10.127.255.201:445 tcp
N/A 10.127.255.202:445 tcp
N/A 10.127.255.203:445 tcp
N/A 10.127.255.204:445 tcp
N/A 10.127.255.205:445 tcp
N/A 10.127.255.206:445 tcp
N/A 10.127.255.207:445 tcp
N/A 10.127.255.208:445 tcp
N/A 10.127.255.209:445 tcp
N/A 10.127.255.210:445 tcp
N/A 10.127.255.211:445 tcp
N/A 10.127.255.212:445 tcp
N/A 10.127.255.213:445 tcp
N/A 10.127.255.214:445 tcp
N/A 10.127.255.215:445 tcp
N/A 10.127.255.216:445 tcp
N/A 10.127.255.217:445 tcp
N/A 10.127.255.218:445 tcp
N/A 10.127.255.219:445 tcp
N/A 10.127.255.220:445 tcp
N/A 10.127.255.221:445 tcp
N/A 10.127.255.222:445 tcp
N/A 10.127.255.223:445 tcp
N/A 10.127.255.224:445 tcp
N/A 10.127.255.225:445 tcp
N/A 10.127.255.226:445 tcp
N/A 10.127.255.227:445 tcp
N/A 10.127.255.228:445 tcp
N/A 10.127.255.229:445 tcp
N/A 10.127.255.230:445 tcp
N/A 10.127.255.231:445 tcp
N/A 10.127.255.232:445 tcp
N/A 10.127.255.233:445 tcp
N/A 10.127.255.234:445 tcp
N/A 10.127.255.235:445 tcp
N/A 10.127.255.236:445 tcp
N/A 10.127.255.237:445 tcp
N/A 10.127.255.238:445 tcp
N/A 10.127.255.239:445 tcp
N/A 10.127.255.240:445 tcp
N/A 10.127.255.241:445 tcp
N/A 10.127.255.242:445 tcp
N/A 10.127.255.243:445 tcp
N/A 10.127.255.244:445 tcp
N/A 10.127.255.245:445 tcp
N/A 10.127.255.246:445 tcp
N/A 10.127.255.247:445 tcp
N/A 10.127.255.248:445 tcp
N/A 10.127.255.249:445 tcp
N/A 10.127.255.250:445 tcp
N/A 10.127.255.251:445 tcp
N/A 10.127.255.252:445 tcp
N/A 10.127.255.253:445 tcp
N/A 10.127.255.254:445 tcp

Files

memory/1128-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

memory/1152-55-0x0000000075281000-0x0000000075283000-memory.dmp

C:\Users\Public\Desktop\readme.txt

MD5 35299df46141a15046afe84fe75b1156
SHA1 8158d654bca3a0ff2692fa75fa3226f35816c8b7
SHA256 6ad74453e832ad5b4155a7654fc4e4f083b05d82e0e84bf3d8374185d8e69a12
SHA512 00cf36bcf86e3b6d5e60c38e65c8e36da06c41730af32525c9f2d6a9cee15eac07d5fee195fc5e4d69a2140379363d07f237421de61ff672f2d96ab81220602c

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-04 15:10

Reported

2022-03-04 15:12

Platform

win10v2004-en-20220112

Max time kernel

153s

Max time network

147s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fca8d48afa7e5535fb71fd22225e86602d47dcfa5a4924fcbc33aecd9c945847.dll

Signatures

Conti Ransomware

ransomware conti

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\CompressGet.png => C:\Users\Admin\Pictures\CompressGet.png.fgM9X C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\ImportRemove.png => C:\Users\Admin\Pictures\ImportRemove.png.fgM9X C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\ResizeUnregister.tif => C:\Users\Admin\Pictures\ResizeUnregister.tif.fgM9X C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\ResumeAssert.png => C:\Users\Admin\Pictures\ResumeAssert.png.fgM9X C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\ResumeEnter.tif => C:\Users\Admin\Pictures\ResumeEnter.tif.fgM9X C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\UnblockCheckpoint.crw => C:\Users\Admin\Pictures\UnblockCheckpoint.crw.fgM9X C:\Windows\SysWOW64\regsvr32.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\InvokeFind.png C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\he.pak C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\IRIS.INF C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-hover.svg C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOS.TTF C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Analytics C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\br\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mai\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark.png C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ps.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\favicon.ico C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\GRAY.pf C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\te.pak C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\THANKS.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\lv-LV\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.55\EdgeUpdate.dat C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.tlb C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\THMBNAIL.PNG C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-focus_32.svg C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\el.txt C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 180 wrote to memory of 116 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 180 wrote to memory of 116 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 180 wrote to memory of 116 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fca8d48afa7e5535fb71fd22225e86602d47dcfa5a4924fcbc33aecd9c945847.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\fca8d48afa7e5535fb71fd22225e86602d47dcfa5a4924fcbc33aecd9c945847.dll

Network

Country Destination Domain Proto
NL 104.110.191.140:80 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.90:445 tcp
US 8.8.8.8:53 api.msn.com udp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.105:445 tcp
US 131.253.33.203:443 api.msn.com tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.254:445 tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
IE 51.104.164.114:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
N/A 10.127.255.7:445 tcp
N/A 10.127.255.18:445 tcp
N/A 10.127.255.38:445 tcp
N/A 10.127.255.50:445 tcp
N/A 10.127.255.63:445 tcp
N/A 10.127.255.54:445 tcp
N/A 10.127.255.28:445 tcp
N/A 10.127.255.44:445 tcp
N/A 10.127.255.12:445 tcp
N/A 10.127.255.23:445 tcp
N/A 10.127.255.36:445 tcp
N/A 10.127.255.35:445 tcp
N/A 10.127.255.58:445 tcp
N/A 10.127.255.62:445 tcp
N/A 10.127.255.59:445 tcp
N/A 10.127.255.27:445 tcp
N/A 10.127.255.40:445 tcp
N/A 10.127.255.41:445 tcp
N/A 10.127.255.30:445 tcp
N/A 10.127.255.3:445 tcp
N/A 10.127.255.24:445 tcp
N/A 10.127.255.29:445 tcp
N/A 10.127.255.32:445 tcp
N/A 10.127.255.57:445 tcp
N/A 10.127.255.45:445 tcp
N/A 10.127.255.240:445 tcp
N/A 10.127.255.64:445 tcp
N/A 10.127.255.241:445 tcp
N/A 10.127.255.51:445 tcp
N/A 10.127.255.135:445 tcp
N/A 10.127.255.1:445 tcp
N/A 10.127.255.6:445 tcp
N/A 10.127.255.39:445 tcp
N/A 10.127.255.0:445 tcp
N/A 10.127.255.52:445 tcp
N/A 10.127.255.61:445 tcp
N/A 10.127.255.17:445 tcp
N/A 10.127.255.60:445 tcp
N/A 10.127.255.5:445 tcp
N/A 10.127.255.65:445 tcp
N/A 10.127.255.34:445 tcp
N/A 10.127.255.8:445 tcp
N/A 10.127.255.42:445 tcp
N/A 10.127.255.55:445 tcp
N/A 10.127.255.43:445 tcp
N/A 10.127.255.37:445 tcp
N/A 10.127.255.16:445 tcp
N/A 10.127.255.21:445 tcp
N/A 10.127.255.198:445 tcp
N/A 10.127.255.53:445 tcp
N/A 10.127.255.33:445 tcp
N/A 10.127.255.49:445 tcp
N/A 10.127.255.134:445 tcp
N/A 10.127.255.11:445 tcp
N/A 10.127.255.13:445 tcp
N/A 10.127.255.20:445 tcp
N/A 10.127.255.22:445 tcp
N/A 10.127.255.86:445 tcp
N/A 10.127.255.14:445 tcp
N/A 10.127.255.47:445 tcp
N/A 10.127.255.48:445 tcp
N/A 10.127.255.10:445 tcp
N/A 10.127.255.19:445 tcp
N/A 10.127.255.75:445 tcp
N/A 10.127.255.74:445 tcp
N/A 10.127.255.88:445 tcp
N/A 10.127.255.26:445 tcp
N/A 10.127.255.56:445 tcp
N/A 10.127.255.136:445 tcp
N/A 10.127.255.15:445 tcp
N/A 10.127.255.4:445 tcp
N/A 10.127.255.66:445 tcp
N/A 10.127.255.9:445 tcp
N/A 10.127.255.81:445 tcp
N/A 10.127.255.82:445 tcp
N/A 10.127.255.83:445 tcp
N/A 10.127.255.2:445 tcp
N/A 10.127.255.31:445 tcp
N/A 10.127.255.46:445 tcp
N/A 10.127.255.68:445 tcp
N/A 10.127.255.84:445 tcp
N/A 10.127.255.25:445 tcp
N/A 10.127.255.67:445 tcp
N/A 10.127.255.69:445 tcp
N/A 10.127.255.70:445 tcp
N/A 10.127.255.71:445 tcp
N/A 10.127.255.72:445 tcp
N/A 10.127.255.73:445 tcp
N/A 10.127.255.76:445 tcp
N/A 10.127.255.77:445 tcp
N/A 10.127.255.78:445 tcp
N/A 10.127.255.79:445 tcp
N/A 10.127.255.80:445 tcp
N/A 10.127.255.85:445 tcp
N/A 10.127.255.87:445 tcp
N/A 10.127.255.89:445 tcp
N/A 10.127.255.90:445 tcp
N/A 10.127.255.91:445 tcp
N/A 10.127.255.92:445 tcp
N/A 10.127.255.93:445 tcp
N/A 10.127.255.94:445 tcp
N/A 10.127.255.95:445 tcp
N/A 10.127.255.96:445 tcp
N/A 10.127.255.97:445 tcp
N/A 10.127.255.98:445 tcp
N/A 10.127.255.99:445 tcp
N/A 10.127.255.100:445 tcp
N/A 10.127.255.101:445 tcp
N/A 10.127.255.102:445 tcp
N/A 10.127.255.103:445 tcp
N/A 10.127.255.104:445 tcp
N/A 10.127.255.105:445 tcp
N/A 10.127.255.106:445 tcp
N/A 10.127.255.107:445 tcp
N/A 10.127.255.108:445 tcp
N/A 10.127.255.109:445 tcp
N/A 10.127.255.110:445 tcp
N/A 10.127.255.111:445 tcp
N/A 10.127.255.112:445 tcp
N/A 10.127.255.113:445 tcp
N/A 10.127.255.114:445 tcp
N/A 10.127.255.115:445 tcp
N/A 10.127.255.116:445 tcp
N/A 10.127.255.117:445 tcp
N/A 10.127.255.118:445 tcp
N/A 10.127.255.119:445 tcp
N/A 10.127.255.120:445 tcp
N/A 10.127.255.121:445 tcp
N/A 10.127.255.122:445 tcp
N/A 10.127.255.123:445 tcp
N/A 10.127.255.124:445 tcp
N/A 10.127.255.125:445 tcp
N/A 10.127.255.126:445 tcp
N/A 10.127.255.127:445 tcp
N/A 10.127.255.128:445 tcp
N/A 10.127.255.129:445 tcp
N/A 10.127.255.130:445 tcp
N/A 10.127.255.131:445 tcp
N/A 10.127.255.132:445 tcp
N/A 10.127.255.133:445 tcp
N/A 10.127.255.137:445 tcp
N/A 10.127.255.138:445 tcp
N/A 10.127.255.139:445 tcp
N/A 10.127.255.140:445 tcp
N/A 10.127.255.141:445 tcp
N/A 10.127.255.142:445 tcp
N/A 10.127.255.143:445 tcp
N/A 10.127.255.144:445 tcp
N/A 10.127.255.145:445 tcp
N/A 10.127.255.146:445 tcp
N/A 10.127.255.147:445 tcp
N/A 10.127.255.148:445 tcp
N/A 10.127.255.149:445 tcp
N/A 10.127.255.150:445 tcp
N/A 10.127.255.151:445 tcp
N/A 10.127.255.152:445 tcp
N/A 10.127.255.153:445 tcp
N/A 10.127.255.154:445 tcp
N/A 10.127.255.155:445 tcp
N/A 10.127.255.156:445 tcp
N/A 10.127.255.157:445 tcp
N/A 10.127.255.158:445 tcp
N/A 10.127.255.159:445 tcp
N/A 10.127.255.160:445 tcp
N/A 10.127.255.161:445 tcp
N/A 10.127.255.162:445 tcp
N/A 10.127.255.163:445 tcp
N/A 10.127.255.164:445 tcp
N/A 10.127.255.165:445 tcp
N/A 10.127.255.166:445 tcp
N/A 10.127.255.167:445 tcp
N/A 10.127.255.168:445 tcp
N/A 10.127.255.169:445 tcp
N/A 10.127.255.170:445 tcp
N/A 10.127.255.171:445 tcp
N/A 10.127.255.172:445 tcp
N/A 10.127.255.173:445 tcp
N/A 10.127.255.174:445 tcp
N/A 10.127.255.175:445 tcp
N/A 10.127.255.176:445 tcp
N/A 10.127.255.177:445 tcp
N/A 10.127.255.178:445 tcp
N/A 10.127.255.179:445 tcp
N/A 10.127.255.180:445 tcp
N/A 10.127.255.181:445 tcp
N/A 10.127.255.182:445 tcp
N/A 10.127.255.183:445 tcp
N/A 10.127.255.184:445 tcp
N/A 10.127.255.185:445 tcp
N/A 10.127.255.186:445 tcp
N/A 10.127.255.187:445 tcp
N/A 10.127.255.188:445 tcp
N/A 10.127.255.189:445 tcp
N/A 10.127.255.190:445 tcp
N/A 10.127.255.191:445 tcp
N/A 10.127.255.192:445 tcp
N/A 10.127.255.193:445 tcp
N/A 10.127.255.194:445 tcp
N/A 10.127.255.195:445 tcp
N/A 10.127.255.196:445 tcp
N/A 10.127.255.197:445 tcp
N/A 10.127.255.199:445 tcp
N/A 10.127.255.200:445 tcp
N/A 10.127.255.201:445 tcp
N/A 10.127.255.202:445 tcp
N/A 10.127.255.203:445 tcp
N/A 10.127.255.204:445 tcp
N/A 10.127.255.205:445 tcp
N/A 10.127.255.206:445 tcp
N/A 10.127.255.207:445 tcp
N/A 10.127.255.208:445 tcp
N/A 10.127.255.209:445 tcp
N/A 10.127.255.210:445 tcp
N/A 10.127.255.211:445 tcp
N/A 10.127.255.212:445 tcp
N/A 10.127.255.213:445 tcp
N/A 10.127.255.214:445 tcp
N/A 10.127.255.215:445 tcp
N/A 10.127.255.216:445 tcp
N/A 10.127.255.217:445 tcp
N/A 10.127.255.218:445 tcp
N/A 10.127.255.219:445 tcp
N/A 10.127.255.220:445 tcp
N/A 10.127.255.221:445 tcp
N/A 10.127.255.222:445 tcp
N/A 10.127.255.223:445 tcp
N/A 10.127.255.224:445 tcp
N/A 10.127.255.225:445 tcp
N/A 10.127.255.226:445 tcp
N/A 10.127.255.227:445 tcp
N/A 10.127.255.228:445 tcp
N/A 10.127.255.229:445 tcp
N/A 10.127.255.230:445 tcp
N/A 10.127.255.231:445 tcp
N/A 10.127.255.232:445 tcp
N/A 10.127.255.233:445 tcp
N/A 10.127.255.234:445 tcp
N/A 10.127.255.235:445 tcp
N/A 10.127.255.236:445 tcp
N/A 10.127.255.237:445 tcp
N/A 10.127.255.238:445 tcp
N/A 10.127.255.239:445 tcp
N/A 10.127.255.242:445 tcp
N/A 10.127.255.243:445 tcp
N/A 10.127.255.244:445 tcp
N/A 10.127.255.245:445 tcp
N/A 10.127.255.246:445 tcp
N/A 10.127.255.247:445 tcp
N/A 10.127.255.248:445 tcp
N/A 10.127.255.249:445 tcp
N/A 10.127.255.250:445 tcp
N/A 10.127.255.251:445 tcp
N/A 10.127.255.252:445 tcp
N/A 10.127.255.253:445 tcp
N/A 10.127.255.254:445 tcp

Files

N/A