d3e21e607c9b4e4c1d9cc08d38aca37b91544fbfd5a9b7aca3485215ef41fbef

Analysis

max time kernel
177s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2023 01:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MBSetup.exe
Size

2.4MB
MD5

e8a9e2ba85ba4a91c714e25f97227bb6
SHA1

175bbcda38deb982ebc12ae4589445ff98eb1851
SHA256

d3e21e607c9b4e4c1d9cc08d38aca37b91544fbfd5a9b7aca3485215ef41fbef
SHA512

c240b644fe77972982924d7347fa6f874fafdc97938dc20988d7d20edc8051059f7ca102bfddb2d5d7ebd69c6664d9ee793f1f26ba8c15eddc0e43e1b7015f58
SSDEEP

49152:ViT6ISa9C/5BirX0wxZN2DxiIq2d4BW3y3LP:VpISa0u/WRq2

Score

10^/10

discovery persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

MBSetup.exe

description pid process target process

PID 1224 created 2576 1224 MBSetup.exe Explorer.EXE
Downloads MZ/PE file

description	pid	process	target process
PID 1224 created 2576	1224	MBSetup.exe	Explorer.EXE

Drops file in Drivers directory 10 IoCs

Processes:

MBAMService.exeMBSetup.exeMBAMService.exeMBAMInstallerService.exe

description	ioc	process
File created	C:\Windows\system32\DRIVERS\SET90C3.tmp	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamChameleon.sys	MBAMService.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET89BD.tmp	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET90C3.tmp	MBAMService.exe
File created	C:\Windows\system32\drivers\mbae64.sys	MBAMInstallerService.exe
File created	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\SET89BD.tmp	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\mbamswissarmy.sys	MBAMService.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MBAMService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMChameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	MBAMService.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBAMService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBAMService.exe

Executes dropped EXE 5 IoCs

Processes:

MBAMInstallerService.exeMBAMService.exeMBAMService.exembam.exembamtray.exe

pid process

4400 MBAMInstallerService.exe
3212 MBAMService.exe
3452 MBAMService.exe
3780 mbam.exe
4632 mbamtray.exe

Loads dropped DLL 64 IoCs

Processes:

MBAMInstallerService.exeMBAMService.exembam.exembamtray.exe

pid	process
4400	MBAMInstallerService.exe
4400	MBAMInstallerService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
4400	MBAMInstallerService.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
3780	mbam.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
3780	mbam.exe
4632	mbamtray.exe
3780	mbam.exe
3780	mbam.exe
4632	mbamtray.exe
4632	mbamtray.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

MBAMService.exeMBAMService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbshlext.dll"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ThreadingModel = "Apartment"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MBAMService.exeMBAMInstallerService.exe

description	ioc	process
File opened (read-only)	\??\S:	MBAMService.exe
File opened (read-only)	\??\R:	MBAMInstallerService.exe
File opened (read-only)	\??\W:	MBAMService.exe
File opened (read-only)	\??\Z:	MBAMService.exe
File opened (read-only)	\??\L:	MBAMInstallerService.exe
File opened (read-only)	\??\V:	MBAMInstallerService.exe
File opened (read-only)	\??\J:	MBAMService.exe
File opened (read-only)	\??\Q:	MBAMService.exe
File opened (read-only)	\??\U:	MBAMService.exe
File opened (read-only)	\??\Y:	MBAMService.exe
File opened (read-only)	\??\P:	MBAMInstallerService.exe
File opened (read-only)	\??\Q:	MBAMInstallerService.exe
File opened (read-only)	\??\U:	MBAMInstallerService.exe
File opened (read-only)	\??\Y:	MBAMInstallerService.exe
File opened (read-only)	\??\G:	MBAMService.exe
File opened (read-only)	\??\H:	MBAMService.exe
File opened (read-only)	\??\K:	MBAMService.exe
File opened (read-only)	\??\T:	MBAMService.exe
File opened (read-only)	\??\E:	MBAMInstallerService.exe
File opened (read-only)	\??\G:	MBAMInstallerService.exe
File opened (read-only)	\??\Z:	MBAMInstallerService.exe
File opened (read-only)	\??\E:	MBAMService.exe
File opened (read-only)	\??\I:	MBAMService.exe
File opened (read-only)	\??\R:	MBAMService.exe
File opened (read-only)	\??\F:	MBAMInstallerService.exe
File opened (read-only)	\??\H:	MBAMInstallerService.exe
File opened (read-only)	\??\W:	MBAMInstallerService.exe
File opened (read-only)	\??\L:	MBAMService.exe
File opened (read-only)	\??\A:	MBAMInstallerService.exe
File opened (read-only)	\??\I:	MBAMInstallerService.exe
File opened (read-only)	\??\M:	MBAMInstallerService.exe
File opened (read-only)	\??\S:	MBAMInstallerService.exe
File opened (read-only)	\??\A:	MBAMService.exe
File opened (read-only)	\??\B:	MBAMService.exe
File opened (read-only)	\??\N:	MBAMService.exe
File opened (read-only)	\??\V:	MBAMService.exe
File opened (read-only)	\??\B:	MBAMInstallerService.exe
File opened (read-only)	\??\N:	MBAMInstallerService.exe
File opened (read-only)	\??\T:	MBAMInstallerService.exe
File opened (read-only)	\??\O:	MBAMInstallerService.exe
File opened (read-only)	\??\F:	MBAMService.exe
File opened (read-only)	\??\M:	MBAMService.exe
File opened (read-only)	\??\O:	MBAMService.exe
File opened (read-only)	\??\P:	MBAMService.exe
File opened (read-only)	\??\X:	MBAMService.exe
File opened (read-only)	\??\J:	MBAMInstallerService.exe
File opened (read-only)	\??\K:	MBAMInstallerService.exe
File opened (read-only)	\??\X:	MBAMInstallerService.exe

Drops file in System32 directory 2 IoCs

Processes:

MBAMService.exeMBAMService.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe

Drops file in Program Files directory 64 IoCs

Processes:

MBAMInstallerService.exeMBSetup.exe

description	ioc	process
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\TableViewStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\RadioButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\SpinBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\9017347ca68c11ed81ad5e3721e937b7	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbae-api-na.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-localization-l1-2-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\MenuItemSubControls.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\SwitchStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\VerticalHeaderView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Extras\DelayButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\5a76fbec-ae09-42d6-919f-7c875fcbdbc6	MBSetup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_ro.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\Label.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\GroupBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json.bak	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\PoliciesControllerImpl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\RadioButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\HorizontalHeaderView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\Slider.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5Network.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\SwitchDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\spinner_medium.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\ToolButtonStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\CheckDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\SelfProtectionShim.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5QmlWorkerScript.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-synch-l1-2-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtCharts\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\editbox.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\SwipeView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\TextArea.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\TabButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\Dialog.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\DefaultDialogWrapper.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\copy.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\WidgetColorDialog.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\libEGL.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\TableViewStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\TextAreaStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\PageIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\SwipeDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Switch.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Actions.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-crt-filesystem-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\DelayButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\critical.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\Private\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_fi.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_pl.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\arrow-left.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\SpinBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\qtquickcontrols2universalstyleplugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5Charts.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\slider-groove.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\checkmark.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\ProgressBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Button.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Tumbler.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5Svg.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQml\Models.2\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\arrow-up@2x.png	MBAMInstallerService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBAMService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MBAMService.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

MBAMService.exeMBAMInstallerService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMInstallerService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MBAMInstallerService.exeMBAMService.exeLogonUI.execertutil.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MBAMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\System32\SessEnv.dll,-101 = "Remote Desktop"	certutil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%systemroot%\system32\wsdapi.dll,-200 = "Trusted Devices"	certutil.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\System32\CertCA.dll,-305 = "Endorsement Key Intermediate Certification Authorities"	certutil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\System32\CertCA.dll,-304 = "Endorsement Key Trusted Root Certification Authorities"	certutil.exe

Modifies registry class 64 IoCs

Processes:

MBAMService.exeMBAMService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31A02CB9-6064-4A3B-BCB4-A329528D4648}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{40D6E119-3897-41B3-AC5D-5FE6F088C97B}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{748A86D4-7EDF-41EF-A1EF-9582643B1C9F}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F128CCB-D86F-4998-803A-7CD58474FE2C}\ = "IScannerEvents"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CFA1689-38D3-4AE9-B1E8-B039EB7AD988}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44ACF635-5275-4730-95E5-03E4D192D8C8}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A2D4A69C-14CA-4825-9376-5B4215AF5C5E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\ProgID	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{02143C0F-1656-4B2E-95E7-EA8178A29E2E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FF168C7-A609-4237-A076-E461334BF4EA}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BA2811A-EE5B-44DF-81CD-C75BB11A82D4}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\VersionIndependentProgID	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3498D9E4-6476-4AC0-B53A-75BC9955EF37}\ = "IMBAMServiceControllerV3"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECDAC35E-72BB-4856-97E1-226BA47C62C5}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9704115C-F54E-4D64-8554-0CAF8BF33B1B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237E618C-D739-4C8A-9F72-5CD4EF91CBE5}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{783B187E-360F-419C-B6DA-592892764A01}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A3D482C3-B037-469B-9C35-2EF7F81C5BED}\ = "IRTPControllerV6"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76AD4430-9C5C-4FC2-A15F-4E16ACD735AC}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E03FDF96-969E-4700-844D-7F754F1657EF}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2D1C2BC-3427-478E-A903-ADFBCF5711CD}\TypeLib\ = "{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0070F531-5D6B-4302-ACA0-6920E95D9A31}\ = "_IPoliciesControllerEventsV3"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\Version\ = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{783B187E-360F-419C-B6DA-592892764A01}\1.0\HELPDIR	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31A02CB9-6064-4A3B-BCB4-A329528D4648}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E46A48DF-07CC-4C7F-89BB-145CF0DFC60A}\ = "IMWACControllerV15"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F2D6C4F-0B95-4A53-BA9D-55526737DC34}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A583D5DD-F005-4D17-B564-5B594BB58339}\TypeLib\ = "{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8640989C-20B4-41BE-BFE1-218EF5B076A6}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DAE713-FD88-4ADB-9406-04CB574D543C}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04F8CDB5-1E26-491C-8602-D2ADE2D8E17A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8153C0A7-AC17-452A-9388-358F782478D4}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{309BE0D9-B4CA-4610-B250-26CC9CDE7186}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{59DBD1B8-A7BD-4322-998F-41B0D2516FA0}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71B13605-3569-4F4A-B971-08FF179A3A60}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08932AD2-C415-4DE8-821D-5AF7A5658483}\ = "IScanControllerEventsV3"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83D0C30B-ECF4-40C5-80EC-21BB47F898A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{616E9BE3-358B-4C06-8AAB-0ACF8D089931}\ = "ISPControllerEventsV2"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADCD8BEB-8924-4876-AE14-2438FF14FA17}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8640989C-20B4-41BE-BFE1-218EF5B076A6}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31A02CB9-6064-4A3B-BCB4-A329528D4648}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FEFED84-854E-4029-A986-1D7774D4CF7D}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55E4B8FB-921C-4751-8B2D-AE33BD7D0B74}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08927360-710B-483B-BEEC-17E51FF84AF9}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9669A3D-81E8-46F6-A51E-815A0863D612}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55E4B8FB-921C-4751-8B2D-AE33BD7D0B74}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A10434E2-CAA7-48C4-9770-E9F215C51ECC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E1F91DE-30AF-469B-9A09-FCF176207F0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7BCC13C-47B9-4DC0-8FC6-B2A489EF60EF}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B42C782-9650-4EFF-9618-91118DF96061}\ = "IScanControllerEventsV5"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC60FEE4-E373-4962-B548-BA2E06119D54}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DCF0F42-EF8F-4450-BA68-42B61F594B2F}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD3CFEBD-3B8E-4651-BB7C-537D1F03E59C}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46AEAC9A-C091-4B63-926C-37CFBD9D244F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9AE95CF-6463-415A-94AC-F895D0962D30}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\ProgID	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A66A096-E54B-4F72-8654-ED7715B07B43}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDA4F172-98EF-4DF6-89AB-852D1B0EC2D4}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6724C143-DE69-4A93-80ED-19B75DD2AA99}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{09F245DA-55E7-451E-BDF3-4EE44637DFF1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\TypeLib\ = "{226C1698-A075-4315-BB5D-9C164A96ACE7}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1F1EB48-7803-4D84-B07F-255FE87083F4}	MBAMService.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

mbam.exembamtray.exe

pid process

3780 mbam.exe
4632 mbamtray.exe

pid	process
3780	mbam.exe
4632	mbamtray.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

MBAMInstallerService.exeMBAMService.exembam.exembamtray.exe

pid	process
4400	MBAMInstallerService.exe
4400	MBAMInstallerService.exe
4400	MBAMInstallerService.exe
4400	MBAMInstallerService.exe
4400	MBAMInstallerService.exe
4400	MBAMInstallerService.exe
4400	MBAMInstallerService.exe
4400	MBAMInstallerService.exe
4400	MBAMInstallerService.exe
4400	MBAMInstallerService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3452	MBAMService.exe
3780	mbam.exe
3780	mbam.exe
4632	mbamtray.exe
4632	mbamtray.exe
3780	mbam.exe
3780	mbam.exe
3452	MBAMService.exe
3452	MBAMService.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mbam.exe

pid process

3780 mbam.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
3780	mbam.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

MBAMService.exeMBAMService.exeMBAMInstallerService.exeAUDIODG.EXEmbam.exe

description	pid	process
Token: 33	3212	MBAMService.exe
Token: SeIncBasePriorityPrivilege	3212	MBAMService.exe
Token: 33	3452	MBAMService.exe
Token: SeIncBasePriorityPrivilege	3452	MBAMService.exe
Token: SeBackupPrivilege	3452	MBAMService.exe
Token: SeRestorePrivilege	3452	MBAMService.exe
Token: SeTakeOwnershipPrivilege	3452	MBAMService.exe
Token: SeBackupPrivilege	3452	MBAMService.exe
Token: SeRestorePrivilege	3452	MBAMService.exe
Token: SeTakeOwnershipPrivilege	3452	MBAMService.exe
Token: SeSecurityPrivilege	3452	MBAMService.exe
Token: SeTcbPrivilege	3452	MBAMService.exe
Token: SeSecurityPrivilege	4400	MBAMInstallerService.exe
Token: SeTcbPrivilege	3452	MBAMService.exe
Token: 33	3656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3656	AUDIODG.EXE
Token: SeShutdownPrivilege	3780	mbam.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

mbamtray.exe

pid	process
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe
4632	mbamtray.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

mbamtray.exe

pid process

4632 mbamtray.exe
4632 mbamtray.exe
4632 mbamtray.exe
4632 mbamtray.exe
4632 mbamtray.exe
4632 mbamtray.exe
4632 mbamtray.exe
4632 mbamtray.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4800 LogonUI.exe

pid	process
4800	LogonUI.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

MBAMInstallerService.exeMBSetup.exeMBAMService.exe

description	pid	process	target process
PID 4400 wrote to memory of 2212	4400	MBAMInstallerService.exe	certutil.exe
PID 4400 wrote to memory of 2212	4400	MBAMInstallerService.exe	certutil.exe
PID 4400 wrote to memory of 4128	4400	MBAMInstallerService.exe	certutil.exe
PID 4400 wrote to memory of 4128	4400	MBAMInstallerService.exe	certutil.exe
PID 4400 wrote to memory of 4940	4400	MBAMInstallerService.exe	certutil.exe
PID 4400 wrote to memory of 4940	4400	MBAMInstallerService.exe	certutil.exe
PID 4400 wrote to memory of 3568	4400	MBAMInstallerService.exe	certutil.exe
PID 4400 wrote to memory of 3568	4400	MBAMInstallerService.exe	certutil.exe
PID 4400 wrote to memory of 3212	4400	MBAMInstallerService.exe	MBAMService.exe
PID 4400 wrote to memory of 3212	4400	MBAMInstallerService.exe	MBAMService.exe
PID 1224 wrote to memory of 3780	1224	MBSetup.exe	mbam.exe
PID 1224 wrote to memory of 3780	1224	MBSetup.exe	mbam.exe
PID 3452 wrote to memory of 4632	3452	MBAMService.exe	mbamtray.exe
PID 3452 wrote to memory of 4632	3452	MBAMService.exe	mbamtray.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\MBSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MBSetup.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1224

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -f -addstore root "C:\Windows\TEMP\MBInstallTemp9017347da68c11edb3055e3721e937b7\servicepkg\starfieldrootcag2_new.crt"
2⤵
- Modifies data under HKEY_USERS
PID:2212

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -f -addstore root "C:\Windows\TEMP\MBInstallTemp9017347da68c11edb3055e3721e937b7\servicepkg\msrootca2020.crt"
2⤵
PID:4128

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -f -addstore root "C:\Windows\TEMP\MBInstallTemp9017347da68c11edb3055e3721e937b7\servicepkg\SectigoRootCA.crt"
2⤵
PID:4940

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -f -addstore root "C:\Windows\TEMP\MBInstallTemp9017347da68c11edb3055e3721e937b7\servicepkg\starfieldClass2CA.crt"
2⤵
PID:3568

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452

C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4632

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x304
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39a2055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\7z.dll
Filesize
1.7MB

MD5
461faf68ccc02b0223fd273b630f21fe

SHA1
363b8beaa74f0f454c2d544ace9e71a84bc2b4cf

SHA256
cb07f3f461e9c267831b1ab93af6dfda1bb51d72e42d73d00d26594f09326be1

SHA512
4b671f48e45fdedf50c7f7bb6c8d82a3b98f7502006eb002aaf8ff31f25f9ff1257c7bcc12caf622e43d4ec665b19d978ae3e3762f76def0bc71485ebdb8426f

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Actions.dll
Filesize
5.0MB

MD5
1eff53d95ecaf6bbfffe80d866d8e1dd

SHA1
d7ef7d7c77fd04b2c0eb8c16bb3cd08057f6742f

SHA256
6dd748f7ca56125cbe158fa3612f08e7312ef58ad5375e6b7ab5532cc16ca0ac

SHA512
c59b8e6f0b238a247e64b9c7bb42213dadac1dada63542830a6292361174c935c0c662b2d1aed3fb6100cc4993297b1eaf25e328f2b4613458c4ffca63b9f02d

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ActionsShim.dll
Filesize
2.5MB

MD5
e7a4bb8fa34bc5ae8b84bf15442da99c

SHA1
26e6d20876f01faa32a7a846c12dd35c695d55b6

SHA256
9ed946c62c7801779822a83d9126257f6426af381a42ce29d5a3c49c774fc141

SHA512
10b007f132cdaa7ea2e75281cd7767b59fd61335d28bc55b778e05479ac993e3578ba1370fe1ce6bf35d271ca970346d5f8cd13637f59fb1fa01c8a6345727b1

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\BrowserSDKDLL.dll
Filesize
5.8MB

MD5
1ed53171d00f440f29a12f9beb84dac4

SHA1
4d9a1e3579b0999f1ab2fa818b588411e9ee920c

SHA256
e659e687a872050f9e65d78992d16bd9b393cf3f8e8c94e0e15fb42b7065327e

SHA512
17161cfc672d1b996b8af4ebac17f9a8a3807f38c9a23e2e5b4dadcd9a21c3a64faec9bf59147022a9df88b80f89300f1b537091289bd7a42806bd206a317e6e

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CleanControllerImpl.dll
Filesize
6.8MB

MD5
37419ddab3197022776988eccb0fa8f3

SHA1
da5b25a31ac111af62d33c80e7b45535ffbea1b4

SHA256
515f579285a96aa3afbebe3a3675db000a9448f1028e50cdb974c5171dac3ca0

SHA512
bd38687b6683a346330040908354a2acfbf363a5eb3cb7c98c0689c30ba1204f2f568b824778dcddcff2c5df1253ea591886c775c08c1bbb7fd6cf9f1f47e2ea

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CloudControllerImpl.dll
Filesize
4.7MB

MD5
32912a1d3f24b9bfded56a48b8232c0f

SHA1
681f5826ba422832a8f9a927781e0a900fbd19dc

SHA256
b51b15cc2d2ce58ede93e13b305aacafd02a5aea3447685f3dc68fbccbbe197b

SHA512
327082e7b0df156254986e9f9f02bba8bfc1860cd27be7321d07144e3d5169c56c3a72978276cf3896c3d316cb18779a6e0e3baf3eec30d74c474a91123a965b

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\LicenseControllerImpl.dll
Filesize
4.4MB

MD5
b7a9a7b44b82e954c1b77e7b7f71ee66

SHA1
02f3eabef778d5641eea89d318268e79949da7c6

SHA256
ba97bf9a2a0c454dbd965ef7b6c12f582d49391d5297fe2ef4a94bb13d2d472e

SHA512
524dee007193cc13ee81e9734564e8a121715f7ecb27d113eb7d8265b7562ab60237aa64c556a819239ee9b4abdc8523a57ca666bdd48de82eca79efba771bc5

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMCore.dll
Filesize
6.3MB

MD5
c5cc2ea5caf096998e923d73f342f29c

SHA1
b17329d9db0816212d1b18a3c86fc3d7b1e2adb1

SHA256
dbb4eb4a1959721d923b40cda8fd4129c7ba5f4f75f009b052e282a8b1a975b6

SHA512
52089ffaac5cc48a96427a6c2555e421dc053549f545e308a81e09bb0144eae839c26e450dd0533bdded0c7c319f797ecc1800985a68689065534527c5ddd885

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMShim.dll
Filesize
3.0MB

MD5
384c9b81289cae99f16615b1de7851ae

SHA1
17bfdc22a62bd7cf7074e7d71e304296f1876f67

SHA256
a32b0d8e24258b7220c497697c672c4aab78a372c7c4bd86bcaddd96961e2be7

SHA512
735156432c35ddb792589bab7d4c47f5fa13e69f6124248afa11bb6cc2b42d5755170f0919dde6015c2e15c71c7f9b972134e943be9b799b9bca4225a5cefefd

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
Filesize
4.1MB

MD5
63d7f383b8d3b6658c34856aa6631969

SHA1
df1691d24a81bc7d31cf14e2a3a7047606e89d74

SHA256
a9b7811e2eaf97a46ffe0510a1f35d8611bac04676fa4b65b708f9a0143f4ba3

SHA512
009c199b940aaa42d350ab09df180ab8ebeb2efbf5f0408e610bd1a51b63f6dcb1e8ff4ae5308bf3180901ca616e94fc025d7e63e52d6d5bc3a4101384a8fd10

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ScanControllerImpl.dll
Filesize
5.6MB

MD5
6b21c26f857373671151cc11839ce29e

SHA1
ec0594948c67b1a29a2c273f53a242048091da6a

SHA256
a6369387d1cee9fb95edabfd09a94e8c498cec42dea78cce97d86d9362be1631

SHA512
ebbb7162f3b81999c5881e1f05db693933776748221974a28fbc5b02db480b5bd84718c52e26878334baa1a2f515967033e9d38ae20b32e70a42b9196496061b

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Swissarmy.dll
Filesize
3.9MB

MD5
57bd4edc00bfcc94c98bbd7efbc9a2bf

SHA1
07a75ab8181f095a22bd82c969b80692eddd484b

SHA256
159e18af914578759fd62e1eb27a7321febe89d52e93fd500813fa1f64ecc62b

SHA512
b736bd35eec30e30d70e25306ec51857e6da53068f21a5d2713de617c80f98c899d1e1be1636e873e629dca6d623bb000b4466ef0f1eaa2be1076049f3006776

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SwissarmyShim.dll
Filesize
2.5MB

MD5
8d07eb27aadc92a85f8fbf3231c65f4e

SHA1
fd1334e5a75725d6478512faedeb880bdb5f9aab

SHA256
19d4b7529c8fc22176138cd16baf25eddbd6a31b656c6d59bfd67d39a7444e93

SHA512
f06ac3392f1a61800fd2823fb046af97185b7037fbda3bcb246fb0ba0f8d86222bb5094b6b2571ab5a0a0256643be9f500f5db3d312f7dd4ae3551ddf522c96c

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\TelemetryControllerImpl.dll
Filesize
5.2MB

MD5
8d0d6c623faaf558e86d5317875105bd

SHA1
ce91744941656b1e1b662ec0406f32fd2b3bc6cf

SHA256
8359134bf1fbdea340820de4178064cd2aca48d9c318391b0e0963b8286ba545

SHA512
89d4e29eaf3c75bcf2c5f9910571f577eaf65f1ab57b850134e309c90dfab9cfde40edfc1d345a48622dc1c02945ae3fb9676d37a04b1aa1a3d8411a9f1b22d9

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\UpdateControllerImpl.dll
Filesize
4.3MB

MD5
b31e3425a0eb55028073c84b2d813202

SHA1
920c860b37eff9b3e587572bdcd9d255312b2356

SHA256
6f4f03952df7018cb2c7de49bd601fe35df025009fd86c38a266f2841a9263f6

SHA512
1a61a521cae70c9c36c18ef9ce865ad6c70c725b23ae87474d08829314cc1afaf91a4f8a6b915c4ec60af9ee0b4ff0a15b62ac5bf4bfeef7e5a1cff3d02becc2

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
Filesize
1.8MB

MD5
9aada57a1a7e0742afd440b19c18f3ac

SHA1
9769147e186d630043c2d3c3da8c6dffe12d366e

SHA256
004d6b3c7db948b9df4788fa64b3a29982770d4c1d4ed8579895d101d51d6db5

SHA512
3f8057c3a89a953ea8c46317d3c3e27cf9f5b2d2a70c46f6c7555cd78baf1baea23d5a7d9e4743fbc1f77740f685d69fcbd89685e32dc74b080e472e91d0cda5

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\pkgvers.dat
Filesize
75B

MD5
6515cf6cea1c818b71f9654a8e8fc773

SHA1
c5ad6c86c4def4292fda8572a36603b0fbf7f768

SHA256
0ece73fda4eb9d3d351ebcfce4475bfa73d881a30ae6c5056ce7b1a517d837a5

SHA512
90eda933a7831a753cc402777d2925aab619d693e0bd6a7a600f727a90d2af98524d38a786d22702103edfc1f9fa4d2055821d11d1b0a4828dd11ce5d7f3834a

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sample.dll
Filesize
528KB

MD5
db9782624ece3382ca00cc833f2956ad

SHA1
ff09e856ad99e3152e7eb487ed6f224624cb6a2e

SHA256
a74e61946e35e4bceca9a05d0213cde33762067e10124e3273cf04e2d270eaf2

SHA512
e5b2225e42bb824c55400698bab891ae9e920143a83952a6fd81c6aa57dc4232aaf53339ee08d54d4007da89ea3044225ac735f6fdd4d7e6a14854f9c39b46be

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\version.dat
Filesize
47B

MD5
51f26b200b6a2f6f0839c6c919484931

SHA1
ff6312bbd41e74d9ae390f0559e0c4bb2a481600

SHA256
fa6eeba707197b25936b4177ab36099443958e99d0778f43555d8fc789befa38

SHA512
3777899c39c5402e9c93aa4b9e9a2e9858b07f1f10f1d79cf0a9c05e0d6179382405e0ec311555521911c4b4de2f5f4351b82e7bb34ddd7d4b800f07090c7f1a

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.nm
Filesize
315KB

MD5
9fab87bb260c499ec5145548d3ccef45

SHA1
a2dd911591db9c55d2061f5bf94007fdbea1f4ff

SHA256
e644741a08490566101eb9abe62b3b2f470e6b5feb20c855836bf325a56962b2

SHA512
be749ae6eac7c6ce88bea28d9f79dc81b25f427dcb261cd54ef817fdbfccc796374606fe06bb2612cd4d66647ec3fc7b93b626ebe438bb70aec77cf39883ff15

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.sr
Filesize
20.9MB

MD5
0d40dbacde46c72c307355859b0b08ba

SHA1
03fcc9cdc7dc23761c0cc0733ca0bda4dfdc09ee

SHA256
5b2fbfbd54cf5b6da2dc7eac5d06ea8fd83c27304a2c6ab088f2aed63ba0e1d0

SHA512
363d9d5628c518daf53ec70f9481e75585487637ec4c849e66db1f6d37580337d00cb6c878d6481dfbaaf7a051cf3968123cab6f97f5054fcef69aa51b0af407

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\cfg.bin
Filesize
639B

MD5
a733b0990116f5051bc41b255349ec14

SHA1
a812f04c55a1e46eff96ca45a07dba369c12785c

SHA256
b5cbd60565cc97567dae1b50007508ff1f9dacf60c27e9735c5402ce80186b0c

SHA512
e91c98a90823a28c9acd1f4d67b21395c41abd59b05bf43c284f65777699221fa1abd871ad4808bcf5564e238897d1d13c6a14be47185a694003708a3bbcb677

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\clean.mbdb
Filesize
10KB

MD5
c3daa2a35c35eb667f23121def1f9c95

SHA1
8f0c8edf1f6da336e9a734cc064f885c64a70cb6

SHA256
7936f9211b6d86b8b23a72fc0e3fc21d6f7fccbd5bd2f495eee2f50a44c98dea

SHA512
ea035c2e241f25668592f5396e41425e1e22c8b6efef5475cd2d187f23bbc3d86940e5daec24b2897feff3356441867aaacfc513115ae61154baba5dc0cbbd38

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbmanifest2.dat
Filesize
924B

MD5
00f3db2ed89efa0b48b6a4f0016046c2

SHA1
6c36abf0f2467290bb7830fa065a504e97fbdea2

SHA256
6fd092bed8d2f2150d9dbe16b39df1a5505789281c979e9b59a2a9e514b82c1d

SHA512
5d963183666f47105f769ec06d3803142f9d4df06a772a3c3045b865d539f4ae00740d4eb78d4ed7055d82d333529656a571e1037877a9f62d1b6015a40f3bc9

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dynconfig.dat
Filesize
39KB

MD5
10f23e7c8c791b91c86cd966d67b7bc7

SHA1
3f596093b2bc33f7a2554818f8e41adbbd101961

SHA256
008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

SHA512
2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\exclusions.txt
Filesize
23KB

MD5
aef4eca7ee01bb1a146751c4d0510d2d

SHA1
5cf2273da41147126e5e1eabd3182f19304eea25

SHA256
9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

SHA512
d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\mbdigsig2.dat
Filesize
514B

MD5
e750e58c303f304b69439e2986351391

SHA1
21ae3dde73a3b1e4ec7db63e2e1782c98a99fdb9

SHA256
23bc6d10a7edbf03224d376915bb649a2eacb46989d4730bbc98f189d56d267c

SHA512
aa9d4efc16d683a1e2f8fe1701e9f5c8582b8295600282f8fa43d62f8cf71dc587a7e5ce584e228e173ec1730f4f802f5a33eab5a38ea870ac03bd0065dccf02

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\prot.mbdb
Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rdefs.mbdb
Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rules.mbdb
Filesize
21.4MB

MD5
8539e67041b5dd618ef2dc5d98b1e3a0

SHA1
7ce85a1ba6c72f85171651ac49dbde13d493a2e4

SHA256
74c209c2a7b1a466607c701259416119d09f3432f5fdab98870aa845fa7ea41f

SHA512
e345af1ea1c6782fa7195b86783629876c285eb3f2df033c0f789663df6d402a5cb318ac9ca3dbd2f63d875cf5e8a0ad41ea35efc3936a8a19b4c5821416ad7e

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\scan.mbdb
Filesize
1.4MB

MD5
c1f0e5c2783d4aa018260f3b0e86843e

SHA1
c6f21942235ab9b1f3ae697899e0ae70db27a97c

SHA256
aecce42158f3dd1d42a2f7c6774c967d154aa539174c8b354eb0a7bddc03e0bd

SHA512
542ed61559ed2e41677c3739ccc4deaab89fb19f19ca28bfaf0f15a49ba1d35ef709d26ddca43e0153a39bf0dd8e94f95dd73f44a8be3b1390650b4e7f348b58

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\tids.mbdb
Filesize
235KB

MD5
ab7ee8c778e56321b49f4a53769be96c

SHA1
a21b8b2b11edd5142756e472645f398b619d05c9

SHA256
0cbbfd5481619fafc7e3cd45bb80177af9958dee49c5cd29021f48324b0c6c17

SHA512
ac6d127b61aee840319677b6d273e5d402b9183cbb7a7b4e765b9b7aa1c8359c0b0e32f5c7e0bbbb7e90b49d4d48fef55194b96af80ff3a861b8d02b46f33c15

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\wprot2.mbdb
Filesize
39.1MB

MD5
55503739661b666e5b7009232571957e

SHA1
0a6edfb6134bcf08b04d637f278df57e32cd1c4e

SHA256
84e5ec71c2b4c6b947ed75a21309f4b3e0f5ec9802b375c65c60be5d26f2f588

SHA512
845052ac199f50cf46298191c838b94583f363cec33971fc3b5cf203c28e60379edf160dfb9e92a57d8f1e07d1856c23e8dba8606ca9cd12e0152cee3055abd6

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\7z.dll
Filesize
1.7MB

MD5
461faf68ccc02b0223fd273b630f21fe

SHA1
363b8beaa74f0f454c2d544ace9e71a84bc2b4cf

SHA256
cb07f3f461e9c267831b1ab93af6dfda1bb51d72e42d73d00d26594f09326be1

SHA512
4b671f48e45fdedf50c7f7bb6c8d82a3b98f7502006eb002aaf8ff31f25f9ff1257c7bcc12caf622e43d4ec665b19d978ae3e3762f76def0bc71485ebdb8426f

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ActionsShim.dll
Filesize
2.5MB

MD5
e7a4bb8fa34bc5ae8b84bf15442da99c

SHA1
26e6d20876f01faa32a7a846c12dd35c695d55b6

SHA256
9ed946c62c7801779822a83d9126257f6426af381a42ce29d5a3c49c774fc141

SHA512
10b007f132cdaa7ea2e75281cd7767b59fd61335d28bc55b778e05479ac993e3578ba1370fe1ce6bf35d271ca970346d5f8cd13637f59fb1fa01c8a6345727b1

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\CleanControllerImpl.dll
Filesize
6.8MB

MD5
37419ddab3197022776988eccb0fa8f3

SHA1
da5b25a31ac111af62d33c80e7b45535ffbea1b4

SHA256
515f579285a96aa3afbebe3a3675db000a9448f1028e50cdb974c5171dac3ca0

SHA512
bd38687b6683a346330040908354a2acfbf363a5eb3cb7c98c0689c30ba1204f2f568b824778dcddcff2c5df1253ea591886c775c08c1bbb7fd6cf9f1f47e2ea

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\CloudControllerImpl.dll
Filesize
4.7MB

MD5
32912a1d3f24b9bfded56a48b8232c0f

SHA1
681f5826ba422832a8f9a927781e0a900fbd19dc

SHA256
b51b15cc2d2ce58ede93e13b305aacafd02a5aea3447685f3dc68fbccbbe197b

SHA512
327082e7b0df156254986e9f9f02bba8bfc1860cd27be7321d07144e3d5169c56c3a72978276cf3896c3d316cb18779a6e0e3baf3eec30d74c474a91123a965b

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\LicenseControllerImpl.dll
Filesize
4.4MB

MD5
b7a9a7b44b82e954c1b77e7b7f71ee66

SHA1
02f3eabef778d5641eea89d318268e79949da7c6

SHA256
ba97bf9a2a0c454dbd965ef7b6c12f582d49391d5297fe2ef4a94bb13d2d472e

SHA512
524dee007193cc13ee81e9734564e8a121715f7ecb27d113eb7d8265b7562ab60237aa64c556a819239ee9b4abdc8523a57ca666bdd48de82eca79efba771bc5

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
Filesize
8.6MB

MD5
f72076a37f16ee94d1d743703530f8c5

SHA1
a06165df6ef5eca3f768056f310d6db53fc70748

SHA256
82778f81a4bbbbdebad965e41f4d918a55ad8c1e035627739b1f14cb2b984fab

SHA512
62b838f552ce8a3fe97cd8de2e616eda821624de223efe27a8b901fffc2dfe1deff4b622a2a8ebaffa8395810f01a84b23744754b7cebe7404ea0bd5e399a763

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
Filesize
8.6MB

MD5
f72076a37f16ee94d1d743703530f8c5

SHA1
a06165df6ef5eca3f768056f310d6db53fc70748

SHA256
82778f81a4bbbbdebad965e41f4d918a55ad8c1e035627739b1f14cb2b984fab

SHA512
62b838f552ce8a3fe97cd8de2e616eda821624de223efe27a8b901fffc2dfe1deff4b622a2a8ebaffa8395810f01a84b23744754b7cebe7404ea0bd5e399a763

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
Filesize
8.6MB

MD5
44ad907c4828810a3f8a5261dcaad1f7

SHA1
940399524d50a5bd955e22ed3e0de20394551a9b

SHA256
ba4dab3e08f09ca6d2ad3fd6117f05b1eee7b93224a667e9f6c4350ada90c1f9

SHA512
a6a288e6cb2c898993d3f5b474de4fc0212eb3fb26280be9f5a6f27e0fd74a31244a49648d3867a2aa802182d0f883afd8feca7c13ed90a7edee45bcea19be72

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
Filesize
8.6MB

MD5
44ad907c4828810a3f8a5261dcaad1f7

SHA1
940399524d50a5bd955e22ed3e0de20394551a9b

SHA256
ba4dab3e08f09ca6d2ad3fd6117f05b1eee7b93224a667e9f6c4350ada90c1f9

SHA512
a6a288e6cb2c898993d3f5b474de4fc0212eb3fb26280be9f5a6f27e0fd74a31244a49648d3867a2aa802182d0f883afd8feca7c13ed90a7edee45bcea19be72

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
Filesize
8.6MB

MD5
44ad907c4828810a3f8a5261dcaad1f7

SHA1
940399524d50a5bd955e22ed3e0de20394551a9b

SHA256
ba4dab3e08f09ca6d2ad3fd6117f05b1eee7b93224a667e9f6c4350ada90c1f9

SHA512
a6a288e6cb2c898993d3f5b474de4fc0212eb3fb26280be9f5a6f27e0fd74a31244a49648d3867a2aa802182d0f883afd8feca7c13ed90a7edee45bcea19be72

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMShim.dll
Filesize
3.0MB

MD5
384c9b81289cae99f16615b1de7851ae

SHA1
17bfdc22a62bd7cf7074e7d71e304296f1876f67

SHA256
a32b0d8e24258b7220c497697c672c4aab78a372c7c4bd86bcaddd96961e2be7

SHA512
735156432c35ddb792589bab7d4c47f5fa13e69f6124248afa11bb6cc2b42d5755170f0919dde6015c2e15c71c7f9b972134e943be9b799b9bca4225a5cefefd

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MbamElam.cat
Filesize
10KB

MD5
60608328775d6acf03eaab38407e5b7c

SHA1
9f63644893517286753f63ad6d01bc8bfacf79b1

SHA256
3ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59

SHA512
9f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MbamElam.inf
Filesize
2KB

MD5
c481ad4dd1d91860335787aa61177932

SHA1
81633414c5bf5832a8584fb0740bc09596b9b66d

SHA256
793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3

SHA512
d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MbamElam.sys
Filesize
20KB

MD5
9e77c51e14fa9a323ee1635dc74ecc07

SHA1
a78bde0bd73260ce7af9cdc441af9db54d1637c2

SHA256
b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0

SHA512
a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\PoliciesControllerImpl.dll
Filesize
4.1MB

MD5
63d7f383b8d3b6658c34856aa6631969

SHA1
df1691d24a81bc7d31cf14e2a3a7047606e89d74

SHA256
a9b7811e2eaf97a46ffe0510a1f35d8611bac04676fa4b65b708f9a0143f4ba3

SHA512
009c199b940aaa42d350ab09df180ab8ebeb2efbf5f0408e610bd1a51b63f6dcb1e8ff4ae5308bf3180901ca616e94fc025d7e63e52d6d5bc3a4101384a8fd10

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ScanControllerImpl.dll
Filesize
5.6MB

MD5
6b21c26f857373671151cc11839ce29e

SHA1
ec0594948c67b1a29a2c273f53a242048091da6a

SHA256
a6369387d1cee9fb95edabfd09a94e8c498cec42dea78cce97d86d9362be1631

SHA512
ebbb7162f3b81999c5881e1f05db693933776748221974a28fbc5b02db480b5bd84718c52e26878334baa1a2f515967033e9d38ae20b32e70a42b9196496061b

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json
Filesize
593B

MD5
fbf06336b1cfba4c3729efe231278c35

SHA1
237463f2b38bb81dbd8f6f0e6e4e4f166e9040b2

SHA256
02555029b3d46cba9802543dc9717c748bc8a3475f76925f16af75cbce71077a

SHA512
5873fea3ccaf3ac76a4dcc0c0f1a548ea5a73905029f0dfd9b233c63b23b68068aaf35bfc5114d866b109df6bcb1288ee2ad35b5154268bfff42a84b58c5c0fb

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json.bak
Filesize
593B

MD5
fbf06336b1cfba4c3729efe231278c35

SHA1
237463f2b38bb81dbd8f6f0e6e4e4f166e9040b2

SHA256
02555029b3d46cba9802543dc9717c748bc8a3475f76925f16af75cbce71077a

SHA512
5873fea3ccaf3ac76a4dcc0c0f1a548ea5a73905029f0dfd9b233c63b23b68068aaf35bfc5114d866b109df6bcb1288ee2ad35b5154268bfff42a84b58c5c0fb

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\SwissarmyShim.dll
Filesize
2.5MB

MD5
8d07eb27aadc92a85f8fbf3231c65f4e

SHA1
fd1334e5a75725d6478512faedeb880bdb5f9aab

SHA256
19d4b7529c8fc22176138cd16baf25eddbd6a31b656c6d59bfd67d39a7444e93

SHA512
f06ac3392f1a61800fd2823fb046af97185b7037fbda3bcb246fb0ba0f8d86222bb5094b6b2571ab5a0a0256643be9f500f5db3d312f7dd4ae3551ddf522c96c

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\TelemetryControllerImpl.dll
Filesize
5.2MB

MD5
8d0d6c623faaf558e86d5317875105bd

SHA1
ce91744941656b1e1b662ec0406f32fd2b3bc6cf

SHA256
8359134bf1fbdea340820de4178064cd2aca48d9c318391b0e0963b8286ba545

SHA512
89d4e29eaf3c75bcf2c5f9910571f577eaf65f1ab57b850134e309c90dfab9cfde40edfc1d345a48622dc1c02945ae3fb9676d37a04b1aa1a3d8411a9f1b22d9

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\UpdateControllerImpl.dll
Filesize
4.3MB

MD5
b31e3425a0eb55028073c84b2d813202

SHA1
920c860b37eff9b3e587572bdcd9d255312b2356

SHA256
6f4f03952df7018cb2c7de49bd601fe35df025009fd86c38a266f2841a9263f6

SHA512
1a61a521cae70c9c36c18ef9ce865ad6c70c725b23ae87474d08829314cc1afaf91a4f8a6b915c4ec60af9ee0b4ff0a15b62ac5bf4bfeef7e5a1cff3d02becc2

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll
Filesize
2.7MB

MD5
97d526df9b27a9b98261e7be0341e2ed

SHA1
2f586dbde13113bf1325922770d193859320aadf

SHA256
5c87dd45f19546740013cadc63a8ff83bd6e1c14852359a8b3b6d64be0d1bd15

SHA512
c58be7d22a3da29311b2af0d2e27b3cf72d66d2f548a5e411b6f37fbb582f131cff306262f673a55d37901216c3f150be297a1b916e5d47eb729bf6a2c4b3b87

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll
Filesize
2.7MB

MD5
97d526df9b27a9b98261e7be0341e2ed

SHA1
2f586dbde13113bf1325922770d193859320aadf

SHA256
5c87dd45f19546740013cadc63a8ff83bd6e1c14852359a8b3b6d64be0d1bd15

SHA512
c58be7d22a3da29311b2af0d2e27b3cf72d66d2f548a5e411b6f37fbb582f131cff306262f673a55d37901216c3f150be297a1b916e5d47eb729bf6a2c4b3b87

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll
Filesize
114KB

MD5
16663d125398773a90d0a53333b7cf5e

SHA1
f92928ae3c9292588547ceaca1cb1d372bfd7936

SHA256
38e6811b47262101759aa51a631263d9e3eee5d211164318a751e078afec4cbc

SHA512
091764b8ad80aa31eea0bbd91ee505ebdea2654bc8aeaa3081a061d0d37ab13d27dd203075fd0de10c6687591aa0e36139a38af846c4e34e6aa67ab81dc277df

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll
Filesize
114KB

MD5
16663d125398773a90d0a53333b7cf5e

SHA1
f92928ae3c9292588547ceaca1cb1d372bfd7936

SHA256
38e6811b47262101759aa51a631263d9e3eee5d211164318a751e078afec4cbc

SHA512
091764b8ad80aa31eea0bbd91ee505ebdea2654bc8aeaa3081a061d0d37ab13d27dd203075fd0de10c6687591aa0e36139a38af846c4e34e6aa67ab81dc277df

Download Submit
C:\Windows\TEMP\MBInstallTemp9017347da68c11edb3055e3721e937b7\servicepkg\SectigoRootCA.crt
Filesize
1KB

MD5
b821ee78c10eda973c40a382fa5ca457

SHA1
f40c413c6d17c4c4195d30a9a1454d186710727c

SHA256
028fd01ccc988386d6718eda921f6131044a61c06e0f84574d4911918e4659f3

SHA512
ea4b9b5e8d7ea4e9c137fc21b36112c01905aad771ad09c408ab94d7eb7d0458a60f3730b5a5af6cbfe8d6167c28132483b68900e7c8db55a4430e7bbd56d61f

Download Submit
C:\Windows\TEMP\MBInstallTemp9017347da68c11edb3055e3721e937b7\servicepkg\msrootca2020.crt
Filesize
2KB

MD5
77ac2a1ae404c2e29334c4d0ce29ac0e

SHA1
c8eecd58d3b43a2ddec5054ef9eacdf0c2940e62

SHA256
626727d3f4fb4c4ef816648217966d5eb2a028afe03c801788b1834a456b48e8

SHA512
40bf30c83db166803798fdfbdcbc04d6d01bce7ec569d2f24089bf1b6d81f8694876d43c29ce78359d1101d40386044a0b9f11aedabb3a6348eb1a7da6762fd9

Download Submit
C:\Windows\TEMP\MBInstallTemp9017347da68c11edb3055e3721e937b7\servicepkg\starfieldClass2CA.crt
Filesize
1KB

MD5
7fe5fafc33ce6e6f97e73bc5071bc3ce

SHA1
9ea40194cd3610f746f9fadee86d8e57e7905d2e

SHA256
64e8c4bf59964857adcd42001e719c1764a7f060d52b170982504e07bd26246b

SHA512
4578f75aa7bd65e5932c9d851299f1ec71bcc6c3e70361a9df76053532f246e026de1cbfdfdc8ac285bc5c9eb32fcc39cdcd405995734f3d3256c61cfbaeca09

Download Submit
C:\Windows\TEMP\MBInstallTemp9017347da68c11edb3055e3721e937b7\servicepkg\starfieldrootcag2_new.crt
Filesize
993B

MD5
d63981c6527e9669fcfcca66ed05f296

SHA1
b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e

SHA256
2ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f5

SHA512
5fada52ff721f4f7f14f5a70500531fa7b131d1203eabb29b5c85a39d67cf358287d9d5b9104c8517b9757dba58df9527d07dc9a82f704b8961f8473cdd92ae7

Download Submit
C:\Windows\Temp\MBInstallTemp9017347da68c11edb3055e3721e937b7\7z.dll
Filesize
1.6MB

MD5
ab8f0c1a37c0df5c8924aab509db42c9

SHA1
53dba959124e6d740829bda2360e851bcb85cce8

SHA256
6e223b275b84d948cc5ae1f161f0bfff2adb34de04634c84d7dbe9305a4998d5

SHA512
ff8a26e8fd5a08c74e5ba93a564e0d3cd932754e7f06993a365bfad06670497889e69ec45bfba1378040b72f82d468e79682beba2439937bb29d2a41da940d4a

Download Submit
C:\Windows\Temp\MBInstallTemp9017347da68c11edb3055e3721e937b7\7z.dll
Filesize
1.6MB

MD5
ab8f0c1a37c0df5c8924aab509db42c9

SHA1
53dba959124e6d740829bda2360e851bcb85cce8

SHA256
6e223b275b84d948cc5ae1f161f0bfff2adb34de04634c84d7dbe9305a4998d5

SHA512
ff8a26e8fd5a08c74e5ba93a564e0d3cd932754e7f06993a365bfad06670497889e69ec45bfba1378040b72f82d468e79682beba2439937bb29d2a41da940d4a

Download Submit
memory/2212-135-0x0000000000000000-mapping.dmp

Download
memory/3212-143-0x0000000000000000-mapping.dmp

Download
memory/3568-141-0x0000000000000000-mapping.dmp

Download
memory/3780-208-0x000001B833E50000-0x000001B833E60000-memory.dmp

Filesize
64KB

Download
memory/3780-215-0x000001B833E50000-0x000001B833E60000-memory.dmp

Filesize
64KB

Download
memory/3780-201-0x0000000000000000-mapping.dmp

Download
memory/3780-203-0x00007FF80ABC0000-0x00007FF80AFDE000-memory.dmp

Filesize
4.1MB

Download
memory/3780-204-0x00007FF80A650000-0x00007FF80ABBB000-memory.dmp

Filesize
5.4MB

Download
memory/3780-214-0x000001B833E50000-0x000001B833E60000-memory.dmp

Filesize
64KB

Download
memory/3780-202-0x00007FF63EB90000-0x00007FF6400A9000-memory.dmp

Filesize
21.1MB

Download
memory/4128-137-0x0000000000000000-mapping.dmp

Download
memory/4632-207-0x00007FF80A650000-0x00007FF80ABBB000-memory.dmp

Filesize
5.4MB

Download
memory/4632-206-0x00007FF80ABC0000-0x00007FF80AFDE000-memory.dmp

Filesize
4.1MB

Download
memory/4632-209-0x000002086A970000-0x000002086ADB0000-memory.dmp

Filesize
4.2MB

Download
memory/4632-211-0x000002086ADB0000-0x000002086AFB0000-memory.dmp

Filesize
2.0MB

Download
memory/4632-213-0x00000208683B0000-0x00000208683C0000-memory.dmp

Filesize
64KB

Download
memory/4632-205-0x0000000000000000-mapping.dmp

Download
memory/4940-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads