Malware Analysis Report

2024-10-16 03:20

Sample ID: 240908-syr44stdkn
Target: 3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554
SHA256: 3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554
Tags: conti, discovery, ransomware
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554

Threat Level: Known bad

The file 3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554 was found to be: Known bad.

Malicious Activity Summary

conti discovery ransomware

Conti Ransomware

Renames multiple (64) files with added filename extension

Drops desktop.ini file(s)

Drops file in Program Files directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-08 15:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-08 15:32

Reported

2024-09-08 15:34

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

96s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll

Signatures

Conti Ransomware

ransomware conti

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\desktop.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Mozilla Firefox\application.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\dependentlibs.list | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\RegisterTrace.emz | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\AppXManifest.xml | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ShowGroup.wmf | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.sfx | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\descript.ion | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Google\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Internet Explorer\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\RepairAssert.fon | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Microsoft Office 15\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Mozilla Firefox\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\ThinAppXManifest.xml | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\InstallFind.001 | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\dotnet\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\installation_telemetry.json | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\locale.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\FileSystemMetadata.xml | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7-zip.chm | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\omni.ja | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\BlockBackup.otf | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\TraceUnprotect.xlsm | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\History.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Common Files\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Crashpad\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Crashpad\settings.dat | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\PingDisable.inf | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\UnlockInvoke.mhtml | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\install.log | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\dotnet\LICENSE.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Java\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files (x86)\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\License.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Crashpad\metadata | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\defaultagent.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\RevokeGroup.edrwx | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\RevokeRemove.mov | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.cfg | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\dotnet\ThirdPartyNotices.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Microsoft Office\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2816 wrote to memory of 1496 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2816 wrote to memory of 1496 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2816 wrote to memory of 1496 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1496 -ip 1496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 2136

Network

Country Destination Domain Proto
N/A 10.127.0.1:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.114:445 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.172:445 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.254:445 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

C:\ProgramData\readme.txt

MD5 df7b95b1555951e1c1095ec1a913f78a
SHA1 076812ba99a65a76f6510824f9317c85b7a65bdb
SHA256 15ac17280f7e4b43eb21c090792465494eede0937897c271eb1cc14733dc371e
SHA512 b85bee418326445ed0efd217cb92432138ad63b46ff41d98a85d2af648698448f1680a320669ec4d1a735c8a40d5747983652d02fafc5c9737747e659f4f8e30

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-08 15:32

Reported

2024-09-08 15:34

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll

Signatures

Conti Ransomware

ransomware conti

Renames multiple (64) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\desktop.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Mozilla Firefox\dependentlibs.list | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\omni.ja | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ConvertFromPing.xltm | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\fieldswitch.ax | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\rtstreamsource.ax | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Java\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ProtectLimit.jpeg | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\SearchGet.nfo | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\SyncExit.htm | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Microsoft Office\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ClearRead.xltm | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\DenyRequest.asx | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\UnlockWait.bmp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\UnprotectClear.odp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Eurosti.TTF | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ConvertGet.7z | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ProtectWrite.jpeg | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\directshowtap.ax | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\application.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\MountRegister.vsx | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\rtstreamsink.ax | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\defaultagent.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\installation_telemetry.json | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\locale.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\UndoResume.htm | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\UnprotectDisable.rtf | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\UpdateTest.vdw | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Common Files\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\Timeline.cpu.xml | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Mozilla Firefox\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Microsoft Games\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ConfirmLimit.easmx | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ConnectRename.dib | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\EnableConvertFrom.vsw | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\PublishExport.xml | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\SaveExit.wmx | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\License.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\BlockAssert.nfo | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\RequestSubmit.vstm | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\descript.ion | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\History.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\UseUnpublish.WTV | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\DVD Maker\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\audiodepthconverter.ax | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.cfg | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\InvokeDisconnect.mp4 | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\Internet Explorer\readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\StopRestore.htm | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\offset.ax | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\soniccolorconverter.ax | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ie9props.propdesc | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\NewDisable.mp3 | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\SecretST.TTF | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\Accessible.tlb | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\defaultagent_localized.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\install.log | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\AddImport.gif | C:\Windows\SysWOW64\regsvr32.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1796

Network

Country Destination Domain Proto
N/A 10.127.0.1:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.254:445 tcp

Files

C:\Program Files (x86)\readme.txt

MD5 df7b95b1555951e1c1095ec1a913f78a
SHA1 076812ba99a65a76f6510824f9317c85b7a65bdb
SHA256 15ac17280f7e4b43eb21c090792465494eede0937897c271eb1cc14733dc371e
SHA512 b85bee418326445ed0efd217cb92432138ad63b46ff41d98a85d2af648698448f1680a320669ec4d1a735c8a40d5747983652d02fafc5c9737747e659f4f8e30