metasploit | d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
Size

224KB
MD5

0d49ab9ea970a3146b43d7a8b738387d
SHA1

bf833829fa6a07af50f00fa3d66a457cf5d778ad
SHA256

d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710
SHA512

a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3
SSDEEP

6144:fv8aWfVbAxePJkl6zUzMtWWuguGLDGlhHmAKMa/DLy/:MaQAxePJBz3W76IKMabU

Score

10^/10

metasploit backdoor bootkit persistence trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 26 IoCs

pid	Process
840	regsrv42.exe
1344	regsrv42.exe
1544	regsrv42.exe
1924	regsrv42.exe
1660	regsrv42.exe
564	regsrv42.exe
944	regsrv42.exe
1728	regsrv42.exe
1196	regsrv42.exe
1828	regsrv42.exe
1940	regsrv42.exe
516	regsrv42.exe
580	regsrv42.exe
1140	regsrv42.exe
1580	regsrv42.exe
1036	regsrv42.exe
1288	regsrv42.exe
1896	regsrv42.exe
432	regsrv42.exe
2008	regsrv42.exe
1760	regsrv42.exe
1056	regsrv42.exe
756	regsrv42.exe
1604	regsrv42.exe
1196	regsrv42.exe
1832	regsrv42.exe

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/848-57-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/848-59-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/848-60-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/848-64-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/848-65-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/848-66-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/848-73-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1344-85-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1344-86-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1344-87-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1344-92-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1924-104-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1924-105-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1924-106-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1924-113-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/564-124-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/564-125-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/564-126-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/564-131-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1728-143-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1728-144-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1728-145-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1728-151-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1828-163-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1828-164-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1828-165-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1828-170-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/516-184-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/516-189-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1140-203-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1140-209-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1036-223-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1036-228-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1896-242-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1896-248-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2008-262-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2008-267-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1056-281-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1056-287-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1604-301-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1604-306-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1832-320-0x0000000000400000-0x0000000000467000-memory.dmp	upx

Loads dropped DLL 26 IoCs

pid	Process
848	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
848	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
1344	regsrv42.exe
1344	regsrv42.exe
1924	regsrv42.exe
1924	regsrv42.exe
564	regsrv42.exe
564	regsrv42.exe
1728	regsrv42.exe
1728	regsrv42.exe
1828	regsrv42.exe
1828	regsrv42.exe
516	regsrv42.exe
516	regsrv42.exe
1140	regsrv42.exe
1140	regsrv42.exe
1036	regsrv42.exe
1036	regsrv42.exe
1896	regsrv42.exe
1896	regsrv42.exe
2008	regsrv42.exe
2008	regsrv42.exe
1056	regsrv42.exe
1056	regsrv42.exe
1604	regsrv42.exe
1604	regsrv42.exe

Maps connected drives based on registry 3 TTPs 28 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsrv42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsrv42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsrv42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsrv42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsrv42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsrv42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsrv42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsrv42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsrv42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsrv42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsrv42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsrv42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsrv42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsrv42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsrv42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsrv42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsrv42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsrv42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsrv42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsrv42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsrv42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsrv42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsrv42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsrv42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsrv42.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	regsrv42.exe

Writes to the Master Boot Record (MBR) 1 TTPs 14 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	regsrv42.exe
File opened for modification	\??\PhysicalDrive0	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
File opened for modification	\??\PhysicalDrive0	regsrv42.exe
File opened for modification	\??\PhysicalDrive0	regsrv42.exe
File opened for modification	\??\PhysicalDrive0	regsrv42.exe
File opened for modification	\??\PhysicalDrive0	regsrv42.exe
File opened for modification	\??\PhysicalDrive0	regsrv42.exe
File opened for modification	\??\PhysicalDrive0	regsrv42.exe
File opened for modification	\??\PhysicalDrive0	regsrv42.exe
File opened for modification	\??\PhysicalDrive0	regsrv42.exe
File opened for modification	\??\PhysicalDrive0	regsrv42.exe
File opened for modification	\??\PhysicalDrive0	regsrv42.exe
File opened for modification	\??\PhysicalDrive0	regsrv42.exe
File opened for modification	\??\PhysicalDrive0	regsrv42.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regsrv42.exe	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
File opened for modification	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\	regsrv42.exe
File created	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File created	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File created	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\	regsrv42.exe
File created	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
File opened for modification	C:\Windows\SysWOW64\	regsrv42.exe
File created	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File created	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File created	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\	regsrv42.exe
File created	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\	regsrv42.exe
File created	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File created	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\	regsrv42.exe
File created	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File created	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File created	C:\Windows\SysWOW64\regsrv42.exe	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
File opened for modification	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\regsrv42.exe	regsrv42.exe
File opened for modification	C:\Windows\SysWOW64\	regsrv42.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 848	1096	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe	27
PID 840 set thread context of 1344	840	regsrv42.exe	30
PID 1544 set thread context of 1924	1544	regsrv42.exe	32
PID 1660 set thread context of 564	1660	regsrv42.exe	34
PID 944 set thread context of 1728	944	regsrv42.exe	36
PID 1196 set thread context of 1828	1196	regsrv42.exe	38
PID 1940 set thread context of 516	1940	regsrv42.exe	40
PID 580 set thread context of 1140	580	regsrv42.exe	42
PID 1580 set thread context of 1036	1580	regsrv42.exe	44
PID 1288 set thread context of 1896	1288	regsrv42.exe	46
PID 432 set thread context of 2008	432	regsrv42.exe	48
PID 1760 set thread context of 1056	1760	regsrv42.exe	50
PID 756 set thread context of 1604	756	regsrv42.exe	52
PID 1196 set thread context of 1832	1196	regsrv42.exe	54

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
848	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
848	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
1344	regsrv42.exe
1344	regsrv42.exe
1924	regsrv42.exe
1924	regsrv42.exe
564	regsrv42.exe
564	regsrv42.exe
1728	regsrv42.exe
1728	regsrv42.exe
1828	regsrv42.exe
1828	regsrv42.exe
516	regsrv42.exe
516	regsrv42.exe
1140	regsrv42.exe
1140	regsrv42.exe
1036	regsrv42.exe
1036	regsrv42.exe
1896	regsrv42.exe
1896	regsrv42.exe
2008	regsrv42.exe
2008	regsrv42.exe
1056	regsrv42.exe
1056	regsrv42.exe
1604	regsrv42.exe
1604	regsrv42.exe
1832	regsrv42.exe
1832	regsrv42.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1096	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
840	regsrv42.exe
1544	regsrv42.exe
1660	regsrv42.exe
944	regsrv42.exe
1196	regsrv42.exe
1940	regsrv42.exe
580	regsrv42.exe
1580	regsrv42.exe
1288	regsrv42.exe
432	regsrv42.exe
1760	regsrv42.exe
756	regsrv42.exe
1196	regsrv42.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 848	1096	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe	27
PID 1096 wrote to memory of 848	1096	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe	27
PID 1096 wrote to memory of 848	1096	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe	27
PID 1096 wrote to memory of 848	1096	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe	27
PID 1096 wrote to memory of 848	1096	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe	27
PID 1096 wrote to memory of 848	1096	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe	27
PID 1096 wrote to memory of 848	1096	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe	27
PID 1096 wrote to memory of 848	1096	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe	27
PID 848 wrote to memory of 840	848	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe	29
PID 848 wrote to memory of 840	848	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe	29
PID 848 wrote to memory of 840	848	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe	29
PID 848 wrote to memory of 840	848	d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe	29
PID 840 wrote to memory of 1344	840	regsrv42.exe	30
PID 840 wrote to memory of 1344	840	regsrv42.exe	30
PID 840 wrote to memory of 1344	840	regsrv42.exe	30
PID 840 wrote to memory of 1344	840	regsrv42.exe	30
PID 840 wrote to memory of 1344	840	regsrv42.exe	30
PID 840 wrote to memory of 1344	840	regsrv42.exe	30
PID 840 wrote to memory of 1344	840	regsrv42.exe	30
PID 840 wrote to memory of 1344	840	regsrv42.exe	30
PID 1344 wrote to memory of 1544	1344	regsrv42.exe	31
PID 1344 wrote to memory of 1544	1344	regsrv42.exe	31
PID 1344 wrote to memory of 1544	1344	regsrv42.exe	31
PID 1344 wrote to memory of 1544	1344	regsrv42.exe	31
PID 1544 wrote to memory of 1924	1544	regsrv42.exe	32
PID 1544 wrote to memory of 1924	1544	regsrv42.exe	32
PID 1544 wrote to memory of 1924	1544	regsrv42.exe	32
PID 1544 wrote to memory of 1924	1544	regsrv42.exe	32
PID 1544 wrote to memory of 1924	1544	regsrv42.exe	32
PID 1544 wrote to memory of 1924	1544	regsrv42.exe	32
PID 1544 wrote to memory of 1924	1544	regsrv42.exe	32
PID 1544 wrote to memory of 1924	1544	regsrv42.exe	32
PID 1924 wrote to memory of 1660	1924	regsrv42.exe	33
PID 1924 wrote to memory of 1660	1924	regsrv42.exe	33
PID 1924 wrote to memory of 1660	1924	regsrv42.exe	33
PID 1924 wrote to memory of 1660	1924	regsrv42.exe	33
PID 1660 wrote to memory of 564	1660	regsrv42.exe	34
PID 1660 wrote to memory of 564	1660	regsrv42.exe	34
PID 1660 wrote to memory of 564	1660	regsrv42.exe	34
PID 1660 wrote to memory of 564	1660	regsrv42.exe	34
PID 1660 wrote to memory of 564	1660	regsrv42.exe	34
PID 1660 wrote to memory of 564	1660	regsrv42.exe	34
PID 1660 wrote to memory of 564	1660	regsrv42.exe	34
PID 1660 wrote to memory of 564	1660	regsrv42.exe	34
PID 564 wrote to memory of 944	564	regsrv42.exe	35
PID 564 wrote to memory of 944	564	regsrv42.exe	35
PID 564 wrote to memory of 944	564	regsrv42.exe	35
PID 564 wrote to memory of 944	564	regsrv42.exe	35
PID 944 wrote to memory of 1728	944	regsrv42.exe	36
PID 944 wrote to memory of 1728	944	regsrv42.exe	36
PID 944 wrote to memory of 1728	944	regsrv42.exe	36
PID 944 wrote to memory of 1728	944	regsrv42.exe	36
PID 944 wrote to memory of 1728	944	regsrv42.exe	36
PID 944 wrote to memory of 1728	944	regsrv42.exe	36
PID 944 wrote to memory of 1728	944	regsrv42.exe	36
PID 944 wrote to memory of 1728	944	regsrv42.exe	36
PID 1728 wrote to memory of 1196	1728	regsrv42.exe	37
PID 1728 wrote to memory of 1196	1728	regsrv42.exe	37
PID 1728 wrote to memory of 1196	1728	regsrv42.exe	37
PID 1728 wrote to memory of 1196	1728	regsrv42.exe	37
PID 1196 wrote to memory of 1828	1196	regsrv42.exe	38
PID 1196 wrote to memory of 1828	1196	regsrv42.exe	38
PID 1196 wrote to memory of 1828	1196	regsrv42.exe	38
PID 1196 wrote to memory of 1828	1196	regsrv42.exe	38

C:\Users\Admin\AppData\Local\Temp\d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
"C:\Users\Admin\AppData\Local\Temp\d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
  C:\Users\Admin\AppData\Local\Temp\d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710.exe
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\regsrv42.exe
    "C:\Windows\system32\regsrv42.exe" C:\Users\Admin\AppData\Local\Temp\D3A4AA~1.EXE
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\SysWOW64\regsrv42.exe
      C:\Windows\SysWOW64\regsrv42.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Windows\SysWOW64\regsrv42.exe
        
        "C:\Windows\system32\regsrv42.exe" C:\Windows\SysWOW64\regsrv42.exe
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Windows\SysWOW64\regsrv42.exe
        
        C:\Windows\SysWOW64\regsrv42.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        "C:\Windows\system32\regsrv42.exe" C:\Windows\SysWOW64\regsrv42.exe
        7⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        C:\Windows\SysWOW64\regsrv42.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        "C:\Windows\system32\regsrv42.exe" C:\Windows\SysWOW64\regsrv42.exe
        9⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        C:\Windows\SysWOW64\regsrv42.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        "C:\Windows\system32\regsrv42.exe" C:\Windows\SysWOW64\regsrv42.exe
        11⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        C:\Windows\SysWOW64\regsrv42.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1828
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        "C:\Windows\system32\regsrv42.exe" C:\Windows\SysWOW64\regsrv42.exe
        13⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        C:\Windows\SysWOW64\regsrv42.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:516
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        "C:\Windows\system32\regsrv42.exe" C:\Windows\SysWOW64\regsrv42.exe
        15⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        C:\Windows\SysWOW64\regsrv42.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1140
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        "C:\Windows\system32\regsrv42.exe" C:\Windows\SysWOW64\regsrv42.exe
        17⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        C:\Windows\SysWOW64\regsrv42.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1036
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        "C:\Windows\system32\regsrv42.exe" C:\Windows\SysWOW64\regsrv42.exe
        19⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        C:\Windows\SysWOW64\regsrv42.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1896
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        "C:\Windows\system32\regsrv42.exe" C:\Windows\SysWOW64\regsrv42.exe
        21⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:432
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        C:\Windows\SysWOW64\regsrv42.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2008
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        "C:\Windows\system32\regsrv42.exe" C:\Windows\SysWOW64\regsrv42.exe
        23⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        C:\Windows\SysWOW64\regsrv42.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1056
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        "C:\Windows\system32\regsrv42.exe" C:\Windows\SysWOW64\regsrv42.exe
        25⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:756
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        C:\Windows\SysWOW64\regsrv42.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        "C:\Windows\system32\regsrv42.exe" C:\Windows\SysWOW64\regsrv42.exe
        27⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Windows\SysWOW64\regsrv42.exe
        
        C:\Windows\SysWOW64\regsrv42.exe
        28⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2292972927-2705560509-2768824231-1000\699c4b9cdebca7aaea5193cae8a50098_4339b52c-c4ea-4bc4-b41f-93efca473d02

Filesize
50B

MD5
5b63d4dd8c04c88c0e30e494ec6a609a

SHA1
884d5a8bdc25fe794dc22ef9518009dcf0069d09

SHA256
4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

SHA512
15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
C:\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
\Windows\SysWOW64\regsrv42.exe

Filesize
224KB

MD5
0d49ab9ea970a3146b43d7a8b738387d

SHA1
bf833829fa6a07af50f00fa3d66a457cf5d778ad

SHA256
d3a4aa64e9e293da875922d32b3319cd732f1b555e1e58d6399d2977f179b710

SHA512
a3cfbb99d7a305cae7d6cbc983ccc74642d1530918e2b781a9a844aee46bee6ff40bb6cfab8d6d63d37e6c339a8c0122361649fb710740f2b9fd0848ac63aac3

Download Submit
memory/516-184-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/516-189-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/564-126-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/564-125-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/564-124-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/564-131-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/848-64-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/848-60-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/848-59-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/848-56-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/848-57-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/848-66-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/848-63-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/848-73-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/848-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1036-228-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1036-223-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1056-287-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1056-281-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1140-209-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1140-203-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1344-92-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1344-85-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1344-86-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1344-87-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1604-306-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1604-301-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1728-145-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1728-144-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1728-143-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1728-151-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1828-163-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1828-164-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1828-165-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1828-170-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1832-320-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1896-242-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1896-248-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1924-106-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1924-105-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1924-104-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1924-113-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2008-267-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2008-262-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download