4dbcc09193952fac4d9168b92c9a164baadc37a76b3806d2a84c5668536a0588

Analysis

max time kernel
43s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mb-support-1.9.12.1020.exe
Size

13.5MB
MD5

de14da361ce2cb6402cdb86482b3e0a1
SHA1

12f67216f9c07d16a866053354ae3e65b7a07022
SHA256

4dbcc09193952fac4d9168b92c9a164baadc37a76b3806d2a84c5668536a0588
SHA512

6b8ba4374d9a36ff5e154c4b6316b457e1bf0077fd6c3290dde5cf780796466c39cff6a530f8bb303ca2588dbf2f650967047af7257525a7046087c754c3609a
SSDEEP

393216:nOa1DBylvuaQPj/GD0r97AhavQsmL4Deq:/1VsvyOc7AhavQsy4Deq

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234ef-234.dat	upx
behavioral2/files/0x00070000000234bb-231.dat	upx

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
4720	bcdedit.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0009000000023414-184.dat	autoit_exe

Executes dropped EXE 3 IoCs

pid	Process
3640	mbstub.exe
3460	mb-support.exe
4836	FRSTEnglish.exe

Loads dropped DLL 23 IoCs

pid	Process
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe
3460	mb-support.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mb-support-1.9.12.1020.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbstub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mb-support.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mb-support.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mb-support.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mb-support.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winmgmts:{impersonationLevel=impersonate}!\root\cimv2	FRSTEnglish.exe
File opened for modification	C:\Users\Admin\Downloads\winmgmts:{impersonationLevel=impersonate}!\root\cimv2:Win32_ShadowCopy	FRSTEnglish.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4836	FRSTEnglish.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	3460	mb-support.exe
Token: SeBackupPrivilege	4720	bcdedit.exe
Token: SeRestorePrivilege	4720	bcdedit.exe
Token: SeRestorePrivilege	4720	bcdedit.exe
Token: SeRestorePrivilege	4720	bcdedit.exe
Token: SeBackupPrivilege	220	vssvc.exe
Token: SeRestorePrivilege	220	vssvc.exe
Token: SeAuditPrivilege	220	vssvc.exe
Token: SeRestorePrivilege	4836	FRSTEnglish.exe
Token: SeBackupPrivilege	4836	FRSTEnglish.exe
Token: SeRestorePrivilege	1604	reg.exe
Token: SeRestorePrivilege	628	reg.exe
Token: SeRestorePrivilege	4264	reg.exe
Token: SeRestorePrivilege	760	reg.exe
Token: SeRestorePrivilege	1164	reg.exe
Token: SeRestorePrivilege	4772	reg.exe
Token: SeRestorePrivilege	4336	reg.exe
Token: SeRestorePrivilege	5112	reg.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe
4836	FRSTEnglish.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 3640	4028	mb-support-1.9.12.1020.exe	87
PID 4028 wrote to memory of 3640	4028	mb-support-1.9.12.1020.exe	87
PID 4028 wrote to memory of 3640	4028	mb-support-1.9.12.1020.exe	87
PID 3640 wrote to memory of 3460	3640	mbstub.exe	89
PID 3640 wrote to memory of 3460	3640	mbstub.exe	89
PID 3640 wrote to memory of 3460	3640	mbstub.exe	89
PID 4836 wrote to memory of 2192	4836	FRSTEnglish.exe	95
PID 4836 wrote to memory of 2192	4836	FRSTEnglish.exe	95
PID 4836 wrote to memory of 3964	4836	FRSTEnglish.exe	97
PID 4836 wrote to memory of 3964	4836	FRSTEnglish.exe	97
PID 3964 wrote to memory of 4720	3964	cmd.exe	99
PID 3964 wrote to memory of 4720	3964	cmd.exe	99
PID 4836 wrote to memory of 4560	4836	FRSTEnglish.exe	104
PID 4836 wrote to memory of 4560	4836	FRSTEnglish.exe	104
PID 4560 wrote to memory of 1604	4560	cmd.exe	106
PID 4560 wrote to memory of 1604	4560	cmd.exe	106
PID 4836 wrote to memory of 3688	4836	FRSTEnglish.exe	107
PID 4836 wrote to memory of 3688	4836	FRSTEnglish.exe	107
PID 3688 wrote to memory of 628	3688	cmd.exe	109
PID 3688 wrote to memory of 628	3688	cmd.exe	109
PID 4836 wrote to memory of 4536	4836	FRSTEnglish.exe	110
PID 4836 wrote to memory of 4536	4836	FRSTEnglish.exe	110
PID 4536 wrote to memory of 4264	4536	cmd.exe	112
PID 4536 wrote to memory of 4264	4536	cmd.exe	112
PID 4836 wrote to memory of 4712	4836	FRSTEnglish.exe	113
PID 4836 wrote to memory of 4712	4836	FRSTEnglish.exe	113
PID 4712 wrote to memory of 760	4712	cmd.exe	115
PID 4712 wrote to memory of 760	4712	cmd.exe	115
PID 4836 wrote to memory of 4808	4836	FRSTEnglish.exe	116
PID 4836 wrote to memory of 4808	4836	FRSTEnglish.exe	116
PID 4808 wrote to memory of 1164	4808	cmd.exe	118
PID 4808 wrote to memory of 1164	4808	cmd.exe	118
PID 4836 wrote to memory of 2720	4836	FRSTEnglish.exe	119
PID 4836 wrote to memory of 2720	4836	FRSTEnglish.exe	119
PID 2720 wrote to memory of 4772	2720	cmd.exe	121
PID 2720 wrote to memory of 4772	2720	cmd.exe	121
PID 4836 wrote to memory of 3544	4836	FRSTEnglish.exe	122
PID 4836 wrote to memory of 3544	4836	FRSTEnglish.exe	122
PID 3544 wrote to memory of 4336	3544	cmd.exe	124
PID 3544 wrote to memory of 4336	3544	cmd.exe	124
PID 4836 wrote to memory of 3836	4836	FRSTEnglish.exe	125
PID 4836 wrote to memory of 3836	4836	FRSTEnglish.exe	125
PID 3836 wrote to memory of 5112	3836	cmd.exe	127
PID 3836 wrote to memory of 5112	3836	cmd.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\mb-support-1.9.12.1020.exe
"C:\Users\Admin\AppData\Local\Temp\mb-support-1.9.12.1020.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\mbstub.exe
  .\mbstub.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Users\Admin\AppData\Local\Temp\mwbCAF1.tmp\mb-support.exe
    C:\Users\Admin\AppData\Local\Temp\mwbCAF1.tmp\mb-support.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:3460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4580

C:\Users\Admin\Downloads\FRSTEnglish.exe
"C:\Users\Admin\Downloads\FRSTEnglish.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /u /c echo 2
  2⤵
  PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
    3⤵
    - Modifies boot configuration data using bcdedit
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\SOFTWARE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\system32\reg.exe
    reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\SOFTWARE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\system32\reg.exe
    reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\SYSTEM
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\SAM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\system32\reg.exe
    reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\SAM
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\DEFAULT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\system32\reg.exe
    reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\DEFAULT
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\SECURITY
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\system32\reg.exe
    reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\SECURITY
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\COMPONENTS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\reg.exe
    reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\COMPONENTS
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\NTUSER.DAT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\system32\reg.exe
    reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\NTUSER.DAT
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\UsrClass.dat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\system32\reg.exe
    reg load hklm\a7Ni3No0 C:\FRST\q5Dw0Vz4\UsrClass.dat
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FRST\q5Dw0Vz4\NTUSER.DAT

Filesize
2.0MB

MD5
116bc8cb03109bbb76f1acf399a0e22c

SHA1
5648f22639ad79f90aaaeb8755dfeca255d71009

SHA256
84240b46147adf181e957506bd699adf747d4472b0b383dabff9a7fa708b4143

SHA512
2762cf12f2007ef94e580866d3465f0f5451a752aafac57af8609ba3ea4876da439e3c7fcd4768ca278d5147d0abdabf8b2bb7f8843cdfb914739ee18ac6606b

Download Submit
C:\FRST\q5Dw0Vz4\SAM

Filesize
64KB

MD5
1311486fe79300d6a4260d5f7627b905

SHA1
fed14cf6cd520eadb8ee47034eda2892bc6f4558

SHA256
760cf73ba7ac725d438c6e4969f49381f18f279390a812ca0fab2686d0eb02b5

SHA512
92dff2779d501ad0e2293d1e00b989138c536bd930b9a0a90ea1d2d82845e96879697ce269c03b16b4e31420c154a1ea15d57779b14d0fcd345e014692466771

Download Submit
C:\FRST\q5Dw0Vz4\UsrClass.dat

Filesize
3.8MB

MD5
068cafd353f7ae57da0428225ff45878

SHA1
2a3db194bf21d30a2387d77b487ee52c2047dac1

SHA256
c95eb1a37c8c662bed037531039419001c4faba2ef0ba513fa3abbad88ad6221

SHA512
5ccec4e7fe17173758e66d4358c5844fa23b6c3f50fe2ba581d070bfd9527c78da58a78627571e245d917e3e8e77c00052116cefe05e92ef4c08476c8030f742

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\7z.dll

Filesize
1.1MB

MD5
b36399c9d97b893b50a90bd4f62a6e6f

SHA1
0e2f48533c5dfce3599d94bb868a621702bf5cea

SHA256
cbd498b53a064ee3433b18fe1ec323d504ddecd9e455b8eb012517c4efa01923

SHA512
82e69642ab4a76b28b2b202cd42b14331f2b9f0318309a8c9c4681447a1034cedd7d852045fde41c45bfa880897201662983faf3b22751cc0b58e3886d280f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\API-MS-Win-core-xstate-l2-1-0.dll

Filesize
19KB

MD5
e536b81cf7c6a943d7178d763c613172

SHA1
4f67ad45df5e8cc5e9f82f6bd5b4a2ae798c82ac

SHA256
e3651cbd3a91b742d662dc11a9d9a6b4e03c652b8b694d90298d38d446885039

SHA512
6d70ffb621ee8a6d77a409fdd5d7691090567888253d6b18f256d6f35d1eac52d72921c9acff32b5c5b246d2145101bd037b42180b565f728dc989c93a32b7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\CommonServiceLocator.dll

Filesize
15KB

MD5
c9cee5956d169dab74451ccbfcea1805

SHA1
ea31f1b6712d96b31a92c2ea928e79aeee3e3ae9

SHA256
fbedabaa7e65ee40d41ba1330fc6e9a476fc6a87948178b90f6dfad9d26572c8

SHA512
043c7fa8aa6d43db1e7003e034626583202cab8bde5f5e3349359f2bb0f266d2b9c7b85afac9b17a273b9b5618d1d96907b694e74f932e6e5d568b1f2d869a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\ERDNT.E_E

Filesize
159KB

MD5
89afdd29832aa923926bdd4b5f5243d5

SHA1
4ee93ef072559c5184236718fe07485bc5ddbe2d

SHA256
a559f249fc0e56bc925609773f6cc9cd1826bf70916be1d6370ce4707a6dfd84

SHA512
289e9be8566e7b1713c4ed0fa9be509b7d7dd6fe5bab6a7cee7a338f2aeab040419f1fbd032ba97b984691144b54ee8089a6e964ea8633bfa56539010e29a812

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\ERDNTDOS.LOC

Filesize
2KB

MD5
f9650a5c954d2a9f8844de99e8577f93

SHA1
791a85bf67f5dc3734453808bd3013a866b970ba

SHA256
3c3ba112731c697b8700de546195c4a02f96f4fe28d39a75551f932985e0c15e

SHA512
0b68eb79b37504586da9c7776594c6ebb0251539b7172a2d631d9cacf54d00445693bcacc7f6f15c9902f79fd3bc22a2274575df9d4db129ee0d856b41ed8ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\ERDNTWIN.LOC

Filesize
3KB

MD5
388d865d44ee8069df8bd12efedadb3e

SHA1
e59a20c9c5de1164a16b23014fc3b6a6cf385d14

SHA256
9bdfefd45997b94cfe323d4ce4209941a08061ea364bb969a9d3afb418b6fe61

SHA512
e3db6a26c55ce3f141565afc5831a2ee7a63741838b084dcf8cadf500b2b2fbeaccf0e417c996c7a10a4de78ae4d2f423d3043c37025049b8cf154cded4623cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\ERUNT.EXE

Filesize
154KB

MD5
2e0323a94915faab10a25f3babf82584

SHA1
cd579e1cb8f3096f7fa31c948d9f5d54c68c206d

SHA256
f422eb7dc475e79663b390baa45fe757b7b134b8d53f2dc43fdf4fe5cbfd9f79

SHA512
483d9929929afc6843f32c0f877d4b2b50635d0968781facf6f9b0b30a93a22ef0c2ed749f81e9eb0fa42d76684cbc739bf582e1bd620be1fcd2027a47e68cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\ERUNT.LOC

Filesize
3KB

MD5
02187b1b6f37b3d0030791c802a6174c

SHA1
b0f8330dcca6d6f4426dcce8fe8705d12f06df1d

SHA256
fb96fb9575fad8df03df5e48b7ec0bd9a151ebabc9dd949867b087ea925f33da

SHA512
b8da90647afa78c7649a198556529567f65d59206e686d64c98e13496295a75580e89dbc18c92eb9ef36ab2bcc414d35af9b2cfb35417f7f4afd622fc7f248d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\GalaSoft.MvvmLight.Extras.dll

Filesize
23KB

MD5
9b9d52b1af97307c20cde8cf537ed06b

SHA1
e3272e2fc536aab8af69ded53040f0f0c534e2a7

SHA256
b1441f0d875e3749b0fce8ffd498ba3459e00ea4587d1f080b724bb7020cc5c8

SHA512
2f8aa24d9c29069a8bc6fc35784ce580d80b9aa0d902d8424b3e18d15f593e9c234d41e5f065fbace3fa785f35e574a99c391e2ed373a9a19f8dfb5110cdf4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\GalaSoft.MvvmLight.dll

Filesize
30KB

MD5
ef91d5dbddf5f3b2dd04d43012292cfa

SHA1
2a858de665200ee4827def975c674d111c413c94

SHA256
db4203b2781307ac0ff58db6b889cb6a51e50fca2103cc0f2c73401d81bad19c

SHA512
87561ff5495bea045494d559264e46750330adac01f83f84e686119f750fcb1b67e0fe2e84b8dd4393469e4619be1a2c055628467e47931db0ce7078e537eaa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\Malwarebytes EULA.rtf

Filesize
39KB

MD5
51a2cd07c31dca35bfa81dbd89bee80f

SHA1
b2806af00dc9347254b106c3bb29c594a08d6918

SHA256
d9b5d2ef035b82722ae426171a46a855066ab6f83dcb2785917be27a1d441820

SHA512
5bbe38bdc60de2443f4d29b324d90093f079db4fb884826ae335c5fad3d494d97c8e5199bf4fded26cc67235bacaf98bd6f070952eb47019fd23323df3593fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-console-l1-1-0.dll

Filesize
20KB

MD5
a47a7084d4ed2fb6b9181075f91729a0

SHA1
b58e9474a3e7ff023c3a181a3912e7884e8e1a7d

SHA256
9490c5938112242cadc2c676f82b60fdcc7e5f56caa7aa2d2ba3a6ed358683d4

SHA512
0b5fe71b2e3cd7ffd836a0bf49f44818a59ca3cdb1934c6402dac1cb132aaea0b540624537f2c2b1e99922e551990d7b27f29f9b9a87e6e1ce5d4f6ba7e7d63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-console-l1-2-0.dll

Filesize
19KB

MD5
9b630e1445f1e687284077eecd999b03

SHA1
88b8da8b1fbaf0b91699e2a0ba212c5e8adc6e5d

SHA256
efd664c9f87b370a530cea5fcaec3d248f5c9d79e749862b3eb63448292ab20f

SHA512
32ae20bfd579b8bacbdf3cc6a7250662dcca5f2cc24f36e7034384ce2e3cc6e61f7cd7a5b54865ffa4ccd2bbe61d5bc9c5c9894ecb4981c410b66b19a485d1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-datetime-l1-1-0.dll

Filesize
19KB

MD5
72f8626388893a536d0ee370acc9e456

SHA1
66cf9103fd285fc34ff018eef98c3bef0fdcba96

SHA256
5c9d7085295dae9a9b2d3a9c66d99d0061d0ba14f218b95e95e8b01bb7204c87

SHA512
7253b85867977cb8823bbff120f2fbdff2d499862a58b6b7d8bde083e7e07260294411ebf84cae4ce98963501d5ce7656f00dd0249fef7413cad727697e75477

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-debug-l1-1-0.dll

Filesize
19KB

MD5
5bf7aafd1e8ab7b806dba539a0b33474

SHA1
53a476277856de2ef21db9a4f56930f77e69d45f

SHA256
d9100e99b2b915623294e18377d162afe9fd354bf0c4a7208f1270721714a553

SHA512
369733aa72d84579c17de3094b5396ff9c760b84f161b36be814512a7dd10c61ddb63bbf889fcf6875311a665efb545d8da4e08fc232030cbd3cf4b607da45c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
19KB

MD5
a960e117840acb5ff1d2dcfbbe574e21

SHA1
46747ee4f408e063cf88c86a685412c08ae78473

SHA256
5695695176a80a3e7f9eac80bb3d92df1a5592be42b939b14087a3a6ae6efadf

SHA512
5bfbb2e49c9825b31a5d63e09e58dc7e05d8b5e49530753b879971531a398ec46f7a0fe3ef5ef605f396f7440a650e26bf2b6d933324c95410608ff48d13f3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-file-l1-1-0.dll

Filesize
22KB

MD5
50fee042cee2a4aaba502d2f5087ae70

SHA1
347c3a75d19b784223296f19da64aded95056c3a

SHA256
656d1b11a6242142b9b289445fbe7617ad9b5f6fcf47ad6983ff09194c867bbc

SHA512
d2e4f9f13996a6d11cad2f5c2db74a155cc86db70820b33ec2cfe86882955ab96f79fde57901b3880d74775700c3bcabff7b270207a57959f948fa3e50e188d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
045e4617b49e817007d8a88652af7734

SHA1
305026109a1eabf49bf7ae6a233a4a11e2a22580

SHA256
fd387d4e358e3755db38a618066fb72cd03b17b54d058dbe3dab82065519edc7

SHA512
7e21cf4982ce6f4aa52f0281eae101287a850152c70577b456876356201e12983c9d211d04e05d2c81f80a56bc11ab54eaefa7e492e3910af21af14ff10962cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
adfc5bebc4a2c52023f47a1e548b0cc9

SHA1
a2562ef8534b1448409adfa6c5d7e283ad005a70

SHA256
7de5743f68d9bd6cff0fb8021c22d4069e2e993d97735db0ef65756ff915f39c

SHA512
89665104bd17f9020a871215f03acd40294302e933e503ad22b208ec7c96dddcf5f7b1ae1aa2c3d83fbd608d525d36ff2f7ee86762e44e441153124da352a278

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-handle-l1-1-0.dll

Filesize
19KB

MD5
1f6a4f144e52a23767cc74fe2f796ff0

SHA1
646f55fcf4cc0654f9e01e66fb20e463c1ac9c86

SHA256
634924290057ae9c0e4599d2c70656916be24bd594ab1904c0be7a8ea91ddc7c

SHA512
0e52078ad12bc9bf1d74d5ec98a547cf3db508532098bfefb8bbba8f4f7305bae2365dac50e9c010642c6a9bbbbeb3660c6fc658b00e8370cd3647c65ab7d403

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-heap-l1-1-0.dll

Filesize
19KB

MD5
7001bee6d2b9189081f4b558050fe106

SHA1
561dd7a7c58fd2599ff8694beaa908d2e3aaf68e

SHA256
6bbbc652ac07511af4126a4a820661eafaa3903c6a6993e2f5c0cdff541ae195

SHA512
301bb940359732dd2e263f6327df11a3c24f95c8d6396a0e2731b1b9d8179de196cc54baf2ab29e6175c66192db5d6e0513ba01655bc81af94ac29b02f2e560c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
19KB

MD5
109032959967f8cb078d72e397238509

SHA1
bd80538edb47f8620d78ae8ba6127e5748ae5889

SHA256
c05208903446e2bd528f726af1287be05243dd6cd1e42359440f9303fb7790be

SHA512
b2825341a8ffdfd1317c24a418ea581b513cd4e6628a989ae11e19b51083b29b5a7588bffbce21ded5127910b2d486d3e1436e6504595015218f6c84d98990a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
20KB

MD5
146e9998951e897a4f7f5a97baefa823

SHA1
0b822d157e4a0a21e1192bdd1d559219ac73f913

SHA256
ac011f904f8aa7c9a2577d959f7e430cda544ca13a1b3818c69d8514d079399a

SHA512
3deecb532e24790405054de1c63aa5937ecbced0791aa209b0fd1b0d4e68735a38a96dd86167ca3b1c340da0c2f8d2a6d33b2e34845ddbfd539941856c22ba5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
2a3da8e1cd09aca0fc13be43848c7695

SHA1
72380005fde41e6c6b37db5a46cdb0efc3d6cb08

SHA256
c3f671d3b41fffa444a33f79c0e65df7ca01e56598e4b2f90e7af18c77b97652

SHA512
e4b659aa290a6c256799a76890c296e702316094b132b9bc4b393dc6bff7640b7e62de0f05097932291db411dfb871533f7473cc6c55805f69d75562aae6dc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-memory-l1-1-0.dll

Filesize
19KB

MD5
163d64f0558d8d93b86acd1055ef2ca8

SHA1
5727ffb8ca641cb2b9daba4fd8341528dd1b7c30

SHA256
94af705ccfd2e10d65a06451226ace0e13eaa1fe5af9b3f7ab81d96ed0775c4b

SHA512
74862f8cf84f6d56ff45ae135d685b181c8dc9eb6b0bd20bc5f3c25e656f60a014c89f71a7e5f381ab06b3515454ce836a75fbbe7d2b1c7770656d144ed555c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
19KB

MD5
1922b0a9ab3cbb0f4a93c0df1e812996

SHA1
c3bb5c4682dd0cd16d828ee96e6cd02c047d8f44

SHA256
89c930d2e4482799f4f0f040b994c457310912ed1bbf2a4b61e58cc98f31f0d5

SHA512
10464a4027a62815a29dd888e870186f3c3ed809080784465eb5577051b42ae3064949c4fe8f4abe846b1253562436eda4514ebcdc8fc9d73a7d68f0fa8646d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
20KB

MD5
114a2b70fdcf21357f3070dc0c070b3c

SHA1
466c1006877e63f404269990da6926057cbc4ce7

SHA256
d91f680b1f54dcceddd9ead63dc08ee11845803f2cc6de7c545335803016f2d0

SHA512
af75aca3fbd6430eb2975cc6339501acbfd31f4dfb6eb9d3493448946ff301e9ec0bc252ab679cc2508ada510b15bdbb0dabe002ce2f7e4f1c1b437527c76667

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
a66bd19055465d56d2918beaafcb6a04

SHA1
106973cc2e03293cb4a03826f843d387431666f3

SHA256
3129f7b002b724cda522230ca7a9cb4b24f0679bf572d4fc990058d6b36cc293

SHA512
873a9e63608d70725e6046999e36b15dc99e362e0bafa4de1ccebc09bf7123d6bc5d21dff1f778f8b8cd3413b45b82344784f9f2e1b31f54ad34cb3a2754f0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
1f462654c1bbc1ced7e4d8e879732e14

SHA1
a56a7c4154870db07395d50f4d8d963e4cce92ab

SHA256
b8e6deceacbc5f8e483ad076196df819377d2731e146eb4f48c5a59da9abdd65

SHA512
917edfc5cbf3f82708d6cb84a2ad31c41b1b02cf44a921b6934bff614b69d0754115c35aaf4d181085a4b77ebd816fe06cb9def01addc5c68846da0850fe8cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-profile-l1-1-0.dll

Filesize
18KB

MD5
e52748f87b1f5905fd6d562533523c33

SHA1
c1f3b2b6bd929ba6b4deb79498204c9a5e0d5fb7

SHA256
b1e857e184818a6fa21e44c658fa3d6a752881ce909b18cc2d677dba0e2db87c

SHA512
25c80c468e43df617c0e18d06697f14c3bb1594b233dd7cea5aa76d49730aeba9e5f7d435acf9ff40a8dc66d9431721d44f2740ea34b1b667a0c7bb8faa78f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
18KB

MD5
01ee5032cb31b9a83c6b0eaed810315a

SHA1
36cad637293a5b01c0e0adbc16c55a37992b15c3

SHA256
a2cee2281a78f0a58f2a6c1e735f1725e96512c5dee49f021c549cac3c618ba7

SHA512
58b857c589870d2c4c3fdcb61198cf6c49ba5496b86b8ee6b60805d08b7da712674b41f1014433f125c1db5e255e18b5e2911c278316174fa54bae07f3c6b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-string-l1-1-0.dll

Filesize
19KB

MD5
7dd35c4be2ec4d74946177698990b1bb

SHA1
b35fb40dca5f76f2ff9bcc0956659a834310e8bd

SHA256
ae67d1bda3d9c10560819e9e02ba475aeb3f7df7e8f73586d546f44ba6ef8046

SHA512
caac4e0e8bbff5e83964ea1502a96113fb1fd421f32fe70029352a533f4b95c826c827ee57c0d1c3d47c5e3b792cfd8c5c1477a6485eef6299601aeea947e684

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
ebfc306560273b257d3a1ef9861e35d6

SHA1
7834fb653634a181890531fb3e91c55eb0ed5745

SHA256
85aa1cdddda9ec9eba75f68cd98fc43430f1ecb68b957a7b70a7a6049feae76f

SHA512
bc3aa3b7ac552912c3dd405a3b0f0218ddddae459a16edb99c1870b020d41102762b24315be5b55781a8eafe99195888ec9f976842de165b95c423c43fc90a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-synch-l1-2-0.dll

Filesize
19KB

MD5
5a8978023b93c8c369d3696c8251b71d

SHA1
1ffc61471c2f49a80d5e3f83df2a9010d3c5a1c7

SHA256
dba254b1446808887d452bcd6c27685462c39dc2f1da181765f0898b4eb1b953

SHA512
53ae57280e593d886b609d55c313e2ef208c3f0ce53b5d015f57aaf3cce901a192efe60b24d9e9b5c6e9ef7779c9103a951e813780a53d12a27680965e5b39ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
20KB

MD5
b816bd9eef2adf08d27a22620feca795

SHA1
a8b8d1cb1e2fdc605449cd17c0e2f62db582b266

SHA256
4214f1c07c4abd241634cde318f4f73c9d1aeb931413c4245b6c61f77f3b54db

SHA512
d78616f681cea3317b9ffb86ae7b11778b90f47cb57fa92f8c8666f6e36fb6831e38c37d2fc9f5c81e743f8b77f25ccf657f28ff8b5f0599d70cade5c9ec9bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-timezone-l1-1-0.dll

Filesize
19KB

MD5
ed3a91953d5ce03d65bd90fa46c1e29d

SHA1
92cdac4071850ac96759ae77a0b3c5f6bebdc2ef

SHA256
35ea6ec01e55108182c743b47fed5be381acf295982be87d92b4588ccb71240d

SHA512
edb4539b6081e73bb410668c420d437a0a746fc4aba28f7f15f7a2debc8bf8eb11e03f38957b438bfb95e86652b44c1bdb0162f449146df467ff5e1de281e56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-core-util-l1-1-0.dll

Filesize
19KB

MD5
d8e04bf7a8feae0cb8afe43a87d9ec93

SHA1
8fc010890f4ac7a8117dd5c3db21171a49eb6f06

SHA256
e1000ef817a5d8db82d1d58022c7ee3e1edffd2f9da15781902a4de2b71242e1

SHA512
116bdb64752dcb30d0557b2cf1a09ff692d621f0844cd59d69813dd0fd47735b0e1df34d077bbb4bea563655ca3460437a644ba26897026405af573035d9032e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-conio-l1-1-0.dll

Filesize
20KB

MD5
53f2e4ec1efe147f8df45e4ab05a07de

SHA1
ac03a30639a717b4895407e8d153f8919ff5bbbb

SHA256
b79bb037437212a95f18b1110a907a0f474878f40a7bb906f297eb5d24352e6a

SHA512
b435470311ed47f163cf42adb6334a9caa906580925d19e9febf3c979668c62e25d8232fd5bcebf2f86307708ac165d7e62608c7225c1aeb7ed1530aecb7c288

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-convert-l1-1-0.dll

Filesize
23KB

MD5
2e7fcee0944d063d8528399f22c9b2b7

SHA1
05a68b73e778817f52885e6f27800e99125efdca

SHA256
a38f46fe1a1bba3a8c7cc942bac945413c5c0e992ca599f9f09181b7f5645f52

SHA512
df689de14369d858412b79156acd8e2fcafeb45793eac91f1ce0cba37bcc2e88c53533934647960176c48133c1e5383f406eef859bfb5231f49730acf4320d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-environment-l1-1-0.dll

Filesize
19KB

MD5
f966b9ff936d60de02c37b16b9d23e4e

SHA1
7dffea259d7e5ffdf005900ac9417319acc66f33

SHA256
90788cc217e4f5e78ec988061552fcd1c1a3ab61c6df3de132aae606383fbc27

SHA512
bc27f4871e872d76b89d7f0ba5ed7d7062a04218bdf9a741598bfce82cd788e866d2c20513594726948e1701bfdb17afc2280405b0d994aaa3cd2ebefc1c8cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
735d7e5ae0a53b644482f5e70efeff5d

SHA1
8e99689cf9d24aa4268a51bd377015e9d9ad7f64

SHA256
e9d88aa96743aa2ff29ac8d7930ba0c8ebb21372329a1bf5926cce59a4b39f4b

SHA512
12239d14a634b7cdaa07e39186b674bc905f73c928db5230752407650f274bd401d10487b3ac2c426cc8da708f0ca6fbaffc2a5075e299901961bd205ad7bbd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-heap-l1-1-0.dll

Filesize
20KB

MD5
6521cf7e6a66c747726fd09e51a1f92d

SHA1
b89168c27063a2b4f81c69df4ce23f144b55bcc4

SHA256
dc8ae6136313ed0ee26aed6e9d3a192413d62e12c7c568fae5a7abb784ca4c72

SHA512
03a63ed3c2e0be3e1e918eb01e5fb722be06d8e32179782ed3f7106048f522426bda045cd3ae605a066403bded2621923a8c33d075bf8e11b58c432a69481ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-locale-l1-1-0.dll

Filesize
19KB

MD5
281399c6a7ca9c52c6b20c78938ec2d3

SHA1
5e76793588075edaeedab8d30297d9a8031c74b5

SHA256
58e0f4ae04529a03bc5a453cdb891fcdaf82e4d7ec2757b3f88f5f967407fc94

SHA512
459fe7cb8433fa23dc765894b78c1e2fd007ac3ed659d6f4fc9191a589e349107f7c4c03718e34c9a9231324fdcd970fae75e2772c153a97001933869628a7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
2b20bc164f817ffbba1b547857b0da2a

SHA1
c40095898cfe64c6132e81090333317563184c3c

SHA256
a7a4ba2270ae7e5679ff9413d1e53ba706a95bec28c906de378ab4b1a8fbf6e7

SHA512
a760294cd9b9f3c0c9c0ec4800536df874ef7d3757cad9469da96c293187a9382867f332caf714f91c9059a90a3dda7670b265f3a5e2339b9e12ca05eb373e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
27KB

MD5
e92ba8ab3be45a5fa0b0439966583d8b

SHA1
88ec890850a4d531476151ddabb6f6def5d87273

SHA256
f65bb318be803581780fed95f57d0fd7b5c1b0e070e0062a8d06e4e5dde4c9ee

SHA512
4a5d11dfb7ed1c95eb2b839c9a094f7a8cd32e78d3af9f1eefe52857d9b17cc69649638b8afd8ae581518cf9b223c352ccdf84a46990ac56b57577502a9035dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-private-l1-1-0.dll

Filesize
72KB

MD5
8ff98e2ceb2724d9c7ce121a75036560

SHA1
5d0eb20c46c4c1ce1c188a5c3cfaf416617a58ff

SHA256
80ec395c2c5ad8b9728784d6aec611e0ce7a5ddefebef093235b420fdb74a7ab

SHA512
c029a78834236a6a4616ee93e0d06e44e880560c354a4872489d24497133462e8629c03af707825fc6fd447437922c863e5395f0851d5b19585bffa42d9ce4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-process-l1-1-0.dll

Filesize
20KB

MD5
4bfd59d316c51af7c1f7d347477b5629

SHA1
96b6291180ae0a12b8a650557291ff60c1243367

SHA256
57998a0a8168a75eb8e5958019b29f86edee70931bdbcc18e06c9b93f4b70cbe

SHA512
cd9620909eaa85151edf996d506a6969d4f892fe11939158513e14c9e73c862eedda61faad3eb28e55f3ea10347253e5b7bdfaee624de6c514fdb4f902d085fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
f24259dabe9905bf00eef0374053937b

SHA1
b1949c85cfaeb2b2cdf99b51d3191e4e3bd0dd54

SHA256
f99a3f408880834ce3c762fb434cea98c87bc6df19b63d509d1093f2295bbc8e

SHA512
fc46db162ba62b46106c7b5c942e2ee186b126deebb8f2e48daf9892620d4b4acaa244fb4b65e1e6f02e06072a8b61d95e49e2ecbfa676cedc361735abb34f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
5f158413a85e905b0ceb5aaa1aa35f28

SHA1
8807fa016b184ae6e8b66177bf34f1810f5d6095

SHA256
93780b67e8ff9dd076cc67c620d1baa7b5518ecb5cf45ecc1dbf92e6bafcf646

SHA512
e20e433e45ac817f74fca61be03bb9a998adfb2038b50f4476bcb2fcaf0e09236844dc2a9fa4200724d62c646aa9ea5ad315e51fcb4aa9fbf1add1a55a735983

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
c04f55920b25221f81575231bbb5e4d7

SHA1
b0a65c6ee855e49a4a1d937572f7aaa7b6d9539a

SHA256
c87e13d8fb07cdf07deb3222270afec1de7fc7e481a9fb22068eee74f2a60685

SHA512
2159de09ae92d8a88feb7eb1d0072b928c726fad94a3a72d3523fb15e41a2ad9cb26affdb23cb3d6441fd2b377f29b3df5cd7e0db0ec48871c9dcdaa35a4a000

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
32abf928ec4678c2bd68a894da7de229

SHA1
eccc5e68ecf49a8bc448b88a6a8887a570ce47d4

SHA256
ae60603ed90d3ce024a9c05bdac449abb34ba43251241a27298f4a717a27c249

SHA512
0e71ba1249f65e05461c3e416876502104dc302131312d44151ebde2d95df9433b6faeea3ca0e1afe5831172d59eaf3f348735609894e5ecec3f8d31d199ab2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\api-ms-win-crt-utility-l1-1-0.dll

Filesize
19KB

MD5
59bf6195153eab0d466f501bf8f14f68

SHA1
e6e156d6c3eed6b4190a266f7374cafac8ad1c07

SHA256
28af247eca739d17fd68979b8c5067deaf85d4bf8478f480d00dc0337c06f47c

SHA512
abd4e96c6e1f54e989e3167402188136aca172cd926e9910a456094bcd0fade2f0eaac97887dcd1bdef658d8b6d5606a9a493d6b0687653a0496228cf1907ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\clean.json

Filesize
221KB

MD5
88d244aba61404af38a2b38fea22b7d8

SHA1
2a7b243fc59d76470703726bcf704601e1dc8dc6

SHA256
4c5605b89c7c9ce0328fc5bb4d4464ccc0dd3456b6f47f7cc006f45b5ab2dacb

SHA512
c1f09183c275403af56bd8433fa1cd24aaabbb16e3a6682ee703c6343f128eb8640d1cfcbbb2e38d1702a40c7c849cc0036ae4cb6574ac49cfe6a710cd391fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\mb-support.exe

Filesize
1.5MB

MD5
037d30ffb11b618a41165917ec0a1ba8

SHA1
0ff3c12206036f2eb53989e7ddb28d92c265bd3f

SHA256
695cd2a6d6153689d36092d592cfaa0d2d845971f8e9ac2e0de71986149e3bda

SHA512
e0d0bc68a3b97cdf949e0fe258520ce16a1c9e59ff1df647408c4755ae565c53402074681148d3da1a969aba150fb49430375c6b5a1fea0ba5c5a678eac51b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\mb-support.exe.config

Filesize
1KB

MD5
13ea16d9d53c5bdae98dd95500dce016

SHA1
40f121dfa8015676670d284165eb83d4639021e9

SHA256
31e4268db7cbfc6f6f833c75332b8f5be74ca61872ac94fd4ce612567290af5e

SHA512
0c5196c94e1677970e5671b16a834d1d0d63f0ae47bb0a064ec1c52cf9fe60c7e85d9fa3186029ec3428084d09d1186f3fa7af760fcbec80a9d1512844943371

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\mbcheck.dll

Filesize
2.8MB

MD5
0584ccbf9def752a5646995335456a60

SHA1
6995ce094905e6228f4045484b6507dfb9e4a17c

SHA256
d37c333727ea3e075d3bec3d94e2c5710647b01d88f5e8b3dfeb8211d607c3ff

SHA512
f17b19d0e5a3885a649ad1517ff2a885b833e9a7bc441268edf9fd7d6b2dbc0426a2e05b07c6232a781b2df97f75036b45728dd734cf037861182b88c971933f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\mbchkrpt.dll

Filesize
330KB

MD5
c23c1e4821beacbf26dae0f4270b7022

SHA1
b66e0af54fda410774faa6fd16137104967696c3

SHA256
498e07cd6fcaa91d08dbf34be3ef4a888bb207853aec93e5ba60cfb73cad27b7

SHA512
33a4cb24c14b5871bbcb8a5f1c3046135f8ee4926270d5d87d1322365963a82c328e85eee724e5b084ddefc4be40969a1bcda53abb92eb02956d5e012a8c4b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\mbclean.dll

Filesize
10.9MB

MD5
115de12d9e74d72da5f6260976adfbe8

SHA1
b6436669acdfe2e912153e56f2b20c8cbddfd6e1

SHA256
1842efb7b17e192b272c267dbde33a01de6b7a2dd89e9a86325d37ad0dc47eab

SHA512
61ac21d01b229da1b839f2c8f62affea9ecb3c689ba3726b21165bc79a25c6f37e52e80a0266840518675d4b28a5f404009af2893bc41b8fddb39b45811dc70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\mbcut.dll

Filesize
2.2MB

MD5
f87804a29dc047395a9326609e668653

SHA1
63f7257ce110b0be56466ec85046e53807f4c0cd

SHA256
df846a86c613c21a544cbcfb33cba895c19d730737bb428723a4ba569f033923

SHA512
7dfc2024b628b99035055a1e54384b81cf3d6ccff78c53664bd46ed4c010c4b6fe849d9ebf6423ef3478fe294d2de4df1660a7c0b865b1c6e1641c00bc55e5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\mbgrab.dll

Filesize
1020KB

MD5
9229d831d56c65d9923f8679470f18ab

SHA1
7bd14af2384d4a2b16748684ca50388c1fb684d0

SHA256
3bc10add44cff83a10f0ab2ca3feb172e92ec3b31b0d2746b09f3e222911eb8c

SHA512
162d711e23d78b7e1839be4c69e2d57e0ee98a667af75041d84063a68ca6faa21e945a002a5e644d4e591e1e8b56853c124289974e870b9806856e258cd0a1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\mbrpt.dll

Filesize
283KB

MD5
2fdae27110359cd778f12070b0f52eb1

SHA1
e0ea50edc13cb35a5ef13cd47d484b7e3f317161

SHA256
a723ec2b3f0f220b6e0becaf957672bfbeb18f9c2f250cab6fe9b282f9e212cd

SHA512
5b1a95099c62eb85c5d27933588b56da65bafbe894573debbf26969e84a250796ec09469810f2122c4c8ef8474960242fe46dd61ced2d36d07b9c365f96bf6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB9F9.tmp\mbstub.exe

Filesize
3.8MB

MD5
9781d7f63e254c60d974c9b4cfcb802c

SHA1
f3313da0c1026fae92ff297174e154e8812f42a2

SHA256
adee3b93f426bf7ddba272bc448ec6b8c8b1abb13bca4088dab3966d32f9a4c9

SHA512
5eb307076a9df3920683cda738b44e65f05b0f772dc7412620c33ffbf695a06852c3a3f9ac6ee433890b24534cadaeedc3a0d7245cf0458889f96040c11d3f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwbCAF1.tmp\mb-support.exe.Config

Filesize
1KB

MD5
899a7629e0ba26baf8d7ee918145cf8f

SHA1
5f958ab1302906f824ed09ad307a4d239ca2599d

SHA256
4038778b4bbf343e4f0f68c5076a7ab00ab4815345fc122618a98f2d48f97886

SHA512
bce12dc399049813a22e408379155cb6afd8e69e4d02a4fb0fb4249cf734e18cf84756cf876196d23e242038c9965e0b5ada99c1aa2b7d81d535fffffd076f1d

Download Submit
C:\Users\Admin\Downloads\FRSTEnglish.exe

Filesize
2.3MB

MD5
f63b1bdaa158eaac2c803c03e4796739

SHA1
07ef4867d11f4877d189930f30c931b9ab47befe

SHA256
197f13b82962fb91ae5b91911d09a3c51d7f58c189ccbadc59defb65a01572ca

SHA512
10a9cf893d474ac3fdb5054e842b2b1b66e20709dedd983de0a5c340e2da8f734f3b5703844dfcd45be49860beb35048aad3159dd2b63551fa2af22a5ecfc7a8

Download Submit
memory/3460-266-0x0000000007110000-0x0000000007148000-memory.dmp

Filesize
224KB

Download
memory/3460-268-0x00000000072E0000-0x000000000CF2A000-memory.dmp

Filesize
92.3MB

Download
memory/3460-257-0x0000000005FD0000-0x0000000005FDA000-memory.dmp

Filesize
40KB

Download
memory/3460-258-0x0000000006070000-0x00000000060FC000-memory.dmp

Filesize
560KB

Download
memory/3460-259-0x0000000005FE0000-0x0000000005FEC000-memory.dmp

Filesize
48KB

Download
memory/3460-260-0x0000000005FF0000-0x0000000005FFA000-memory.dmp

Filesize
40KB

Download
memory/3460-261-0x0000000006000000-0x000000000600C000-memory.dmp

Filesize
48KB

Download
memory/3460-262-0x00000000066B0000-0x0000000006C54000-memory.dmp

Filesize
5.6MB

Download
memory/3460-263-0x0000000007000000-0x0000000007092000-memory.dmp

Filesize
584KB

Download
memory/3460-264-0x00000000071C0000-0x00000000072D4000-memory.dmp

Filesize
1.1MB

Download
memory/3460-265-0x00000000070C0000-0x00000000070C8000-memory.dmp

Filesize
32KB

Download
memory/3460-251-0x0000000000DF0000-0x0000000000F60000-memory.dmp

Filesize
1.4MB

Download
memory/3460-267-0x00000000070E0000-0x00000000070EE000-memory.dmp

Filesize
56KB

Download
memory/3460-255-0x0000000005E80000-0x0000000005EC6000-memory.dmp

Filesize
280KB

Download
memory/3460-269-0x000000000D070000-0x000000000D080000-memory.dmp

Filesize
64KB

Download
memory/3460-270-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3460-271-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3460-254-0x0000000005940000-0x000000000596A000-memory.dmp

Filesize
168KB

Download
memory/3460-299-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/3460-338-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3460-250-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/3460-253-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3460-252-0x0000000005840000-0x000000000584E000-memory.dmp

Filesize
56KB

Download
memory/3460-399-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3460-400-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download