d3e21e607c9b4e4c1d9cc08d38aca37b91544fbfd5a9b7aca3485215ef41fbef

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MBSetup.exe
Size

2.4MB
MD5

e8a9e2ba85ba4a91c714e25f97227bb6
SHA1

175bbcda38deb982ebc12ae4589445ff98eb1851
SHA256

d3e21e607c9b4e4c1d9cc08d38aca37b91544fbfd5a9b7aca3485215ef41fbef
SHA512

c240b644fe77972982924d7347fa6f874fafdc97938dc20988d7d20edc8051059f7ca102bfddb2d5d7ebd69c6664d9ee793f1f26ba8c15eddc0e43e1b7015f58
SSDEEP

49152:ViT6ISa9C/5BirX0wxZN2DxiIq2d4BW3y3LP:VpISa0u/WRq2

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\mbamswissarmy.sys	MBAMService.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe
File created	C:\Windows\system32\drivers\mbae64.sys	MBAMInstallerService.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETEEE4.tmp	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\SETEEE4.tmp	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF742.tmp	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\SETF742.tmp	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamChameleon.sys	MBAMService.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMChameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	MBAMService.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBAMService.exe

Executes dropped EXE 4 IoCs

pid	Process
2052	MBAMInstallerService.exe
1456	MBAMService.exe
3812	MBAMService.exe
1704	mbamtray.exe

Loads dropped DLL 61 IoCs

pid	Process
2052	MBAMInstallerService.exe
2052	MBAMInstallerService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
2052	MBAMInstallerService.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbshlext.dll"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ThreadingModel = "Apartment"	MBAMService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	MBAMService.exe
File opened (read-only)	\??\T:	MBAMService.exe
File opened (read-only)	\??\B:	MBAMInstallerService.exe
File opened (read-only)	\??\O:	MBAMInstallerService.exe
File opened (read-only)	\??\Y:	MBAMInstallerService.exe
File opened (read-only)	\??\Z:	MBAMInstallerService.exe
File opened (read-only)	\??\G:	MBAMService.exe
File opened (read-only)	\??\Q:	MBAMService.exe
File opened (read-only)	\??\V:	MBAMService.exe
File opened (read-only)	\??\Z:	MBAMService.exe
File opened (read-only)	\??\G:	MBAMInstallerService.exe
File opened (read-only)	\??\H:	MBAMInstallerService.exe
File opened (read-only)	\??\T:	MBAMInstallerService.exe
File opened (read-only)	\??\P:	MBAMService.exe
File opened (read-only)	\??\M:	MBAMInstallerService.exe
File opened (read-only)	\??\S:	MBAMService.exe
File opened (read-only)	\??\K:	MBAMService.exe
File opened (read-only)	\??\M:	MBAMService.exe
File opened (read-only)	\??\Y:	MBAMService.exe
File opened (read-only)	\??\A:	MBAMInstallerService.exe
File opened (read-only)	\??\N:	MBAMInstallerService.exe
File opened (read-only)	\??\V:	MBAMInstallerService.exe
File opened (read-only)	\??\F:	MBAMService.exe
File opened (read-only)	\??\O:	MBAMService.exe
File opened (read-only)	\??\I:	MBAMInstallerService.exe
File opened (read-only)	\??\J:	MBAMInstallerService.exe
File opened (read-only)	\??\Q:	MBAMInstallerService.exe
File opened (read-only)	\??\R:	MBAMInstallerService.exe
File opened (read-only)	\??\J:	MBAMService.exe
File opened (read-only)	\??\L:	MBAMService.exe
File opened (read-only)	\??\R:	MBAMService.exe
File opened (read-only)	\??\W:	MBAMService.exe
File opened (read-only)	\??\E:	MBAMInstallerService.exe
File opened (read-only)	\??\K:	MBAMInstallerService.exe
File opened (read-only)	\??\P:	MBAMInstallerService.exe
File opened (read-only)	\??\X:	MBAMInstallerService.exe
File opened (read-only)	\??\A:	MBAMService.exe
File opened (read-only)	\??\N:	MBAMService.exe
File opened (read-only)	\??\U:	MBAMService.exe
File opened (read-only)	\??\L:	MBAMInstallerService.exe
File opened (read-only)	\??\S:	MBAMInstallerService.exe
File opened (read-only)	\??\U:	MBAMInstallerService.exe
File opened (read-only)	\??\W:	MBAMInstallerService.exe
File opened (read-only)	\??\B:	MBAMService.exe
File opened (read-only)	\??\H:	MBAMService.exe
File opened (read-only)	\??\X:	MBAMService.exe
File opened (read-only)	\??\F:	MBAMInstallerService.exe
File opened (read-only)	\??\E:	MBAMService.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\HandleStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\[email protected]	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\Frame.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\SwipeView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Tumbler.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-crt-time-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\RangeSlider.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\ComboBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Menu.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\ProgressBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\critical.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\Private\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\ApplicationWindow.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQml\qmlplugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\ToolButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Tumbler.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\WidgetMessageDialog.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\XmlListModel\qmlxmllistmodelplugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbae.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\GroupBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\SplitView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\LicenseControllerImpl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5Svg.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-crt-math-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-crt-process-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\TreeViewStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\Switch.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Slider.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\Tumbler.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\sample.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\styles\qwindowsvistastyle.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\TextFieldStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5Network.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbamelam.cat	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-rtlsupport-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\FastGlow.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\CircularTickmarkLabelStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\ItemDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\SwitchDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\ProgressBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_sv.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\HandleStyleHelper.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\TextArea.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\StackView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\ApplicationWindow.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\ig.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5Gui.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-libraryloader-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\ToolButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\RectangularGlow.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\resources\qtwebengine_resources_100p.pak	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_no.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-synch-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-util-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\ScrollView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\CircularButtonStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Switch.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\ScrollBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\CheckBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\ArwSdkShim.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\ItemDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\BusyIndicatorStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\ToggleButtonStyle.qml	MBAMInstallerService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MBAMService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4864	timeout.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MBAMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MBAMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\System32\SessEnv.dll,-101 = "Remote Desktop"	certutil.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%systemroot%\system32\wsdapi.dll,-200 = "Trusted Devices"	certutil.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY	MBAMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\System32\CertCA.dll,-304 = "Endorsement Key Trusted Root Certification Authorities"	certutil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\System32\CertCA.dll,-305 = "Endorsement Key Intermediate Certification Authorities"	certutil.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\AppxPackaging.dll,-1001 = "Trusted Packaged App Installation Authorities"	certutil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{503084FD-0743-46C7-833F-D0057E8AC505}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FB81F893-5D01-4DFD-98E1-3A6CB9C3E63E}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{834906DC-FA0F-4F61-BC62-24B0BEB3769C}\ = "_IRTPControllerEvents"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{698A4513-65F0-46A3-9633-220A6E4D1D07}\TypeLib\ = "{2446F405-83F0-460F-B837-F04540BB330C}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\VersionIndependentProgID\ = "MB.LogController"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A0A45F1-CFB6-49A7-BBC4-8776F94857A8}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6ED2B0A1-984E-4A35-9B04-E0EBAFB2842A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A153977-1A37-4EF7-9226-9E128FA51AE1}\ = "ITelemetryControllerV5"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D57ACF19-30E3-4B7E-BCDD-6EEB8E57AF27}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{767D2042-D2F6-4BAA-B30E-00E0CD4015BD}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E03FDF96-969E-4700-844D-7F754F1657EF}\ = "IRTPControllerEventsV7"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\Version	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{571FB9A8-E53B-4740-B125-082207566E5F}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B471ACFB-E67A-4BE9-A328-F6A906DDDEAA}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8891F9E-90C4-4B3D-B87B-92DEA9221EBB}\ = "ITelemetryControllerV8"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B860FC17-5606-4F3A-8AE5-E1C139D8BDE3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A10434E2-CAA7-48C4-9770-E9F215C51ECC}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1D8E799-D5A2-45B4-9524-067144A201E4}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDCB7916-7DE8-44C8-BAF6-F1BBB3268456}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CleanController.1	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{571FB9A8-E53B-4740-B125-082207566E5F}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66328184-6592-46BE-B950-4FDA4417DF2E}\ = "_ICloudControllerEvents"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F81B1882-A388-42E5-9351-05C858E52DDC}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FFBD938D-3ABA-4895-97EF-5A0BDF7AC07D}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{02143C0F-1656-4B2E-95E7-EA8178A29E2E}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B2CCE9B-6446-450F-9C9D-542CD9FA6677}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1D8E799-D5A2-45B4-9524-067144A201E4}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F641DDA1-271F-47C7-90C2-4327665959DF}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8640989C-20B4-41BE-BFE1-218EF5B076A6}\TypeLib\ = "{EEC295FA-EC51-4055-BC47-022FC0FC122F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8891F9E-90C4-4B3D-B87B-92DEA9221EBB}\TypeLib\ = "{226C1698-A075-4315-BB5D-9C164A96ACE7}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1E6E99C-9728-4244-9570-215B400D226D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E03FDF96-969E-4700-844D-7F754F1657EF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F14F58B-B908-4644-830F-5ACF8542D27F}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1BA0B73-14BD-4C9D-98CA-99355BD4EB24}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BCAC7E-75E7-4971-B3F3-B197A510F495}\1.0\0	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44AC1571-055F-4CC8-B7D8-EA022C4CC112}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{956AEAEB-8EA2-4BE1-AAD0-3BE4C986A1CC}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9442AA1-AEB8-4FB4-B998-BFBC37BA8A99}\ = "ISPControllerEvents"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61DF8ACF-EC61-4D69-A543-20EA450E1A84}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D488C7C-023D-4561-B377-DD9FB7124326}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A173904-D20F-4872-93D5-CBC1336AE0D6}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B34A461-332D-479F-B8C4-7D168D650EBD}\TypeLib\ = "{2446F405-83F0-460F-B837-F04540BB330C}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0468FE5A-FFDA-4F57-83F5-79116160E9B8}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08927360-710B-483B-BEEC-17E51FF84AF9}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1F1EB48-7803-4D84-B07F-255FE87083F4}\ = "IMWACControllerV3"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A574BA8-3535-41F9-AB73-FA93F8A7DC3B}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{473BC184-760C-4255-A118-E8064C4EC595}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{616E9BE3-358B-4C06-8AAB-0ACF8D089931}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BADF77CD-ECCE-4B36-88FF-6A2804FFE307}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F275D775-3A22-4C5A-B9AD-6FE8008304D0}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB473CB-B8B5-44A7-A3E0-D83AF05350DF}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA6C70E7-6A6D-4F4A-99BF-C8B375CB7E0C}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9185897A-76F4-4083-A02C-5FFC2A51F6D4}\ = "ICleanControllerV10"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A2D4A69C-14CA-4825-9376-5B4215AF5C5E}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\Version\ = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A0A45F1-CFB6-49A7-BBC4-8776F94857A8}\ = "IScanParametersV7"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{473BC184-760C-4255-A118-E8064C4EC595}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31BF2366-C6DB-49F1-96A5-8026B9DF4152}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D10B0F61-43AA-40F4-9C6C-57D29CA8544E}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C4652FC-FA35-4394-A133-F68409776465}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8640989C-20B4-41BE-BFE1-218EF5B076A6}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.VPNController\ = "VPNController Class"	MBAMService.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1704	mbamtray.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2052	MBAMInstallerService.exe
2052	MBAMInstallerService.exe
2052	MBAMInstallerService.exe
2052	MBAMInstallerService.exe
2052	MBAMInstallerService.exe
2052	MBAMInstallerService.exe
2052	MBAMInstallerService.exe
2052	MBAMInstallerService.exe
2052	MBAMInstallerService.exe
2052	MBAMInstallerService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe
3812	MBAMService.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1456	MBAMService.exe
Token: SeIncBasePriorityPrivilege	1456	MBAMService.exe
Token: 33	3812	MBAMService.exe
Token: SeIncBasePriorityPrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeTakeOwnershipPrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe
Token: SeRestorePrivilege	3812	MBAMService.exe
Token: SeBackupPrivilege	3812	MBAMService.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1796	firefox.exe
1796	firefox.exe
1796	firefox.exe
1796	firefox.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1704	mbamtray.exe
1796	firefox.exe
1796	firefox.exe
1796	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1796	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2656	2052	MBAMInstallerService.exe	100
PID 2052 wrote to memory of 2656	2052	MBAMInstallerService.exe	100
PID 2052 wrote to memory of 3888	2052	MBAMInstallerService.exe	102
PID 2052 wrote to memory of 3888	2052	MBAMInstallerService.exe	102
PID 2052 wrote to memory of 2924	2052	MBAMInstallerService.exe	104
PID 2052 wrote to memory of 2924	2052	MBAMInstallerService.exe	104
PID 2052 wrote to memory of 2876	2052	MBAMInstallerService.exe	106
PID 2052 wrote to memory of 2876	2052	MBAMInstallerService.exe	106
PID 2052 wrote to memory of 1456	2052	MBAMInstallerService.exe	108
PID 2052 wrote to memory of 1456	2052	MBAMInstallerService.exe	108
PID 3812 wrote to memory of 1704	3812	MBAMService.exe	113
PID 3812 wrote to memory of 1704	3812	MBAMService.exe	113
PID 1512 wrote to memory of 1492	1512	MBSetup.exe	114
PID 1512 wrote to memory of 1492	1512	MBSetup.exe	114
PID 1512 wrote to memory of 1492	1512	MBSetup.exe	114
PID 1492 wrote to memory of 4864	1492	cmd.exe	116
PID 1492 wrote to memory of 4864	1492	cmd.exe	116
PID 1492 wrote to memory of 4864	1492	cmd.exe	116
PID 1492 wrote to memory of 3568	1492	cmd.exe	117
PID 1492 wrote to memory of 3568	1492	cmd.exe	117
PID 3568 wrote to memory of 1796	3568	firefox.exe	118
PID 3568 wrote to memory of 1796	3568	firefox.exe	118
PID 3568 wrote to memory of 1796	3568	firefox.exe	118
PID 3568 wrote to memory of 1796	3568	firefox.exe	118
PID 3568 wrote to memory of 1796	3568	firefox.exe	118
PID 3568 wrote to memory of 1796	3568	firefox.exe	118
PID 3568 wrote to memory of 1796	3568	firefox.exe	118
PID 3568 wrote to memory of 1796	3568	firefox.exe	118
PID 3568 wrote to memory of 1796	3568	firefox.exe	118
PID 3568 wrote to memory of 1796	3568	firefox.exe	118
PID 3568 wrote to memory of 1796	3568	firefox.exe	118
PID 1796 wrote to memory of 2784	1796	firefox.exe	119
PID 1796 wrote to memory of 2784	1796	firefox.exe	119
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120
PID 1796 wrote to memory of 4776	1796	firefox.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MBSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MBSetup.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /t 1 & "C:\Program Files\Mozilla Firefox\firefox.exe" -install -extension "C:\Users\Admin\AppData\Local\Temp\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -install -extension "C:\Users\Admin\AppData\Local\Temp\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -install -extension C:\Users\Admin\AppData\Local\Temp\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi
      4⤵
      Checks processor information in registry
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1796
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.0.103518714\1347602893" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f97a4b46-6afb-46d8-9f16-451a3d766410} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 1780 1b9c1816858 gpu
        5⤵
        
        PID:2784
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.1.266972403\1718101825" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fe00935-897a-4240-b2a3-27f859067e06} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 2348 1b9b4871658 socket
        5⤵
        
        PID:4776
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.2.1350460231\2078806346" -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3224 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42e9c3ba-8fbe-426f-9d63-1e5c7d18f87b} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 3240 1b9c433f458 tab
        5⤵
        
        PID:4408
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.3.1039365827\824362109" -childID 2 -isForBrowser -prefsHandle 2912 -prefMapHandle 2776 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d825bdb3-14cc-4e82-b4f9-6a3af6a94a57} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 3512 1b9b48e4e58 tab
        5⤵
        
        PID:1652
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.6.708341780\1755855840" -childID 5 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26658 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d048a7c2-4969-4b2e-9326-e163d59cff0d} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 5060 1b9c5c6e458 tab
        5⤵
        
        PID:1972
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.5.544452167\662146081" -childID 4 -isForBrowser -prefsHandle 4884 -prefMapHandle 4888 -prefsLen 26658 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96fa8a20-4677-4d4c-8819-70d3a41c7b13} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 4876 1b9c5c6de58 tab
        5⤵
        
        PID:4676
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.4.1638304542\1096357982" -childID 3 -isForBrowser -prefsHandle 4452 -prefMapHandle 4608 -prefsLen 26658 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a72422be-637b-4ff8-9756-e4e8552c7608} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 4584 1b9c5c6f058 tab
        5⤵
        
        PID:2816

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\system32\certutil.exe
  "C:\Windows\system32\certutil.exe" -f -addstore root "C:\Windows\TEMP\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\servicepkg\starfieldrootcag2_new.crt"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2656
- C:\Windows\system32\certutil.exe
  "C:\Windows\system32\certutil.exe" -f -addstore root "C:\Windows\TEMP\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\servicepkg\msrootca2020.crt"
  2⤵
  PID:3888
- C:\Windows\system32\certutil.exe
  "C:\Windows\system32\certutil.exe" -f -addstore root "C:\Windows\TEMP\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\servicepkg\SectigoRootCA.crt"
  2⤵
  PID:2924
- C:\Windows\system32\certutil.exe
  "C:\Windows\system32\certutil.exe" -f -addstore root "C:\Windows\TEMP\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\servicepkg\starfieldClass2CA.crt"
  2⤵
  PID:2876
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Registers COM server for autorun
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1456

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\7z.dll

Filesize
1.7MB

MD5
461faf68ccc02b0223fd273b630f21fe

SHA1
363b8beaa74f0f454c2d544ace9e71a84bc2b4cf

SHA256
cb07f3f461e9c267831b1ab93af6dfda1bb51d72e42d73d00d26594f09326be1

SHA512
4b671f48e45fdedf50c7f7bb6c8d82a3b98f7502006eb002aaf8ff31f25f9ff1257c7bcc12caf622e43d4ec665b19d978ae3e3762f76def0bc71485ebdb8426f

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Actions.dll

Filesize
5.0MB

MD5
1eff53d95ecaf6bbfffe80d866d8e1dd

SHA1
d7ef7d7c77fd04b2c0eb8c16bb3cd08057f6742f

SHA256
6dd748f7ca56125cbe158fa3612f08e7312ef58ad5375e6b7ab5532cc16ca0ac

SHA512
c59b8e6f0b238a247e64b9c7bb42213dadac1dada63542830a6292361174c935c0c662b2d1aed3fb6100cc4993297b1eaf25e328f2b4613458c4ffca63b9f02d

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ActionsShim.dll

Filesize
2.5MB

MD5
e7a4bb8fa34bc5ae8b84bf15442da99c

SHA1
26e6d20876f01faa32a7a846c12dd35c695d55b6

SHA256
9ed946c62c7801779822a83d9126257f6426af381a42ce29d5a3c49c774fc141

SHA512
10b007f132cdaa7ea2e75281cd7767b59fd61335d28bc55b778e05479ac993e3578ba1370fe1ce6bf35d271ca970346d5f8cd13637f59fb1fa01c8a6345727b1

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\BrowserSDKDLL.dll

Filesize
5.8MB

MD5
1ed53171d00f440f29a12f9beb84dac4

SHA1
4d9a1e3579b0999f1ab2fa818b588411e9ee920c

SHA256
e659e687a872050f9e65d78992d16bd9b393cf3f8e8c94e0e15fb42b7065327e

SHA512
17161cfc672d1b996b8af4ebac17f9a8a3807f38c9a23e2e5b4dadcd9a21c3a64faec9bf59147022a9df88b80f89300f1b537091289bd7a42806bd206a317e6e

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CleanControllerImpl.dll

Filesize
6.9MB

MD5
ef3e4c2c617164e495bbc0ec13890ca9

SHA1
f384c1892e00720ccb97a921d556654d730f1d3e

SHA256
7fa7d2d0618f46d50d36401f76d0314c72096ebd003d365d8df2b488bf02103b

SHA512
54f56aedaccf3bade0ec4601a86d23b8110702562be0a2fe2ce18aed09793eb0e7290215b3267e3e2c57dac850f446b10fd3a5e3c81e11508f1a70224366a51f

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CloudControllerImpl.dll

Filesize
4.8MB

MD5
3cad89a85ae704b4e264a03dcbf1de8f

SHA1
aacc5111236b95b9044f3228c961345ead3ee5c2

SHA256
1f56f70c09fb6b6c92795dedbcfa0626ec29383d53166ef0f179e86a46b33b56

SHA512
4efbb0b81392378cd143e1526d94b39434306e7354dbd6326bceb37cc3919f2b84d4ec08b378a35b44a2f93b660623f9112a36f4fb745f34327f9fda8f0e84d2

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\LicenseControllerImpl.dll

Filesize
4.4MB

MD5
b7a9a7b44b82e954c1b77e7b7f71ee66

SHA1
02f3eabef778d5641eea89d318268e79949da7c6

SHA256
ba97bf9a2a0c454dbd965ef7b6c12f582d49391d5297fe2ef4a94bb13d2d472e

SHA512
524dee007193cc13ee81e9734564e8a121715f7ecb27d113eb7d8265b7562ab60237aa64c556a819239ee9b4abdc8523a57ca666bdd48de82eca79efba771bc5

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMCore.dll

Filesize
6.3MB

MD5
888b794737cd78e918486cd2a4116c65

SHA1
335aa063439ee8c2242591dd4cfe6c9bc28531fe

SHA256
2194ea4af98e6ba23e14ac60860a6c727f4694a9d904025288997ad05f0859bc

SHA512
f6a15dc86a89adcbf9ea6b96eb7d5671a2077696ef4cacf88c36d7c73c5f28d96f4a257ae8672981a24907e0583bb15c01dfe09ee1ac5837ffa693d5668dbbeb

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMShim.dll

Filesize
3.0MB

MD5
f44b6c80c46c4cf3071b5f5b916e1271

SHA1
839f2238ecbbfa80ebf9c1f77eafc78204b58761

SHA256
732523df43358729d5e85cceb557d69016dcdd3e2238d903c33c5327c3131fae

SHA512
99be164ae96bc4f93dc896d5df445ad1c2f023f10605a8c9857d7ebedfc5b070f50cd33b401d61003e601a06b8446e6c0b5dbddda4927a2e1352407d3b266942

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll

Filesize
4.1MB

MD5
c447ffc8af4633daf687e0a943061a60

SHA1
2f0a1854d75a82929dcff5308befe3b83439259b

SHA256
c01804c902c5532517fa0ceadc91beed01d5ac67adf062b7ce7eaba8272c40bc

SHA512
e0d650c35a46063d0e3870e1888d95827050e7792391b8c6ba4b5cd0cf2501cf0eb3aeb1c4a9f524467b6efcc4cb44c8816ba91aa09858c3594d8334a3eb2edf

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ScanControllerImpl.dll

Filesize
5.7MB

MD5
a340fa4ce6b8a5e22dfe5348752138c8

SHA1
4cd995cce3194b43a5e2f12f032eb5cad88fc3c5

SHA256
250f17aad7e80a1b33b79b1e95cdae26d6be6f1c27dc9aaba1b6d8f346393b8a

SHA512
bc72a19624042b1a3f6f873ec193c890a12fbb85111b60399e5b3c9584a752c9c38b637fc37b5a7a968dcedaf804b299ee2156726aa7462bc940154d3654feff

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SwissarmyShim.dll

Filesize
2.6MB

MD5
89a38afcfa758e3298609c6c51929593

SHA1
2df1ee30adc92bd995526e41fd9c823354de30b4

SHA256
4795576483af0c136a71dcee87a0ffb54f0869cae6395ac2ff8312bf555e7161

SHA512
cceaed0b9a7517aebd739a377c7bd8987b9ac357be2bf987dbae31d59f2121c5bb9a9bfa2c70a9a54ad65546ef23903176dd6328d93408cb5c991257d59e2717

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\TelemetryControllerImpl.dll

Filesize
5.3MB

MD5
a6b7865089133607d9fe66617abcebea

SHA1
e7d887a75fd48945d3f56b5635bae822ad5c7a1c

SHA256
f1f1958fbd3ecc0b61f1be129025dfc59112c09b146299caca61bd6f552c0355

SHA512
3c0638229b90fd4d4ecfbdac89a467d514824e57f1d40f68c5009051a48cc53a0f2f5712aeb530ed6aa9b855272590563c95738abf768f46bdc332806e6d7792

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\UpdateControllerImpl.dll

Filesize
4.4MB

MD5
d0b204fb32962798ebd9ab0ad336a83c

SHA1
f281b35553afa236a214b910c537ecad0e3bacea

SHA256
627db74adff5407a074e94997cb724434478801607c972ff2afdf10d4928bb98

SHA512
5d3aa0851b7479d3c6d092052fa8271cb335f54ccac526a01c64745c222f906b6a5ece2fb6637e6dee878cf76af3ad89e0eb7e7686a7061c134a9e8e6d0d3eac

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe

Filesize
1.8MB

MD5
f4bcae29120428ab0d1b72acc375d7fe

SHA1
0970f103d74c634a91afd69388ab692f2df4819a

SHA256
f6e63c104b5a3714a035d2272e4663b0d9599c405bb31e7f9e7e108205707d4a

SHA512
078c4a5a15882ad74eaae3539bb787f28a5b3bb18e8b3a33bf44cfaf98d7dae05bf73245193ad2d3075686b6405c25a6cecdad3d6bb36ffa8b3da5812ae675b0

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\pkgvers.dat

Filesize
75B

MD5
41fb6e2500f1c73388454b2a49bac2e3

SHA1
654740636a4a562872417aa1fd8be9b841004861

SHA256
a8dc97bc10cfe317ec6ff9fe4367ef7ff272f054e099d95bd255a04ea914e9e6

SHA512
32fca5719ada6ee6c9dfe6fdf7d0b7992ee268b5646d0196c8c477dcc6dd798fd5f24dbf6fa148cd58e074a0046c9be9b3b2ef4bedd7bb124c5147ae1c7bb2af

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sample.dll

Filesize
528KB

MD5
f712ebc5aa4cc78b7f1a0c8810ce7db4

SHA1
48899721fbcd93b7d5440ce269b7777a62582eab

SHA256
46d6f6dad272240bcdcfc0d5c42f88a2784a5ebf31bb284555cf260b21e8a4d1

SHA512
20ea70c3b4e3cdd3727207b9b13e54332bee15ca18cde5228c7f93982310d77e5f6ebccd1a8251ad4d8cbf9ac6646bf7f5856f1c82d3b3ef2390fa779ec06017

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\version.dat

Filesize
47B

MD5
a26ef860b5878a7400e4ea50db6e2b4d

SHA1
9c2beb835ef24dd9e9bd791500ef4bb35f16a5c5

SHA256
af031cc78b5f25dbafe354b95b23ca60f14aac7825c0bb8bb396b909711d4dcf

SHA512
df646539049f5ad87a3b5a3600ebf727220c7755184d064f7774ee215c72c12a08469374ae386b28d7a7287a76d1bdf5bf78ed17073ca113ad2821a646f8da39

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.nm

Filesize
316KB

MD5
1dafc4de7ca94ea98bfd98e584483ba9

SHA1
c5d2cc9e72e8f7404af5e04366fc6ce039e7d30c

SHA256
0645ad7cb1777ffd2ac8b36f16df5664f2a982f159b658f4fdfe7078f19c9cf2

SHA512
bb8bb10405efee77e2e46a91a0ae2e0a699458dbc7e4416fcb2cdaab0add54553d08b4b2ac50fba6dde55462ebbca5ed02bd3824ed6b15f686e8b1b72ee4eafe

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.sr

Filesize
25.0MB

MD5
c9e1d56bd4fb4a0c5699b02e73aacbef

SHA1
bea23ff5de154440fb406e5aadd0b7c0d23c5d6a

SHA256
b55a0103e868b68507b2b53d94742479278721a47d7c82401ec041933e1cc914

SHA512
d0a8593f3a865937cf04c60ebee126b23b05adb03d091d94ecb4d8f44a1325d1b21f86c0d3683f98c85d12ba3f360de7da4a3a6a7ecca4200dc4940a649830a9

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\cfg.bin

Filesize
639B

MD5
544a36063346eeb1e751030008a9f7e3

SHA1
b5c44a037d16bfd5cfe0e6ba9cb770111b3aac82

SHA256
33a822063dc53b5a693b5920f6a14bf4c9c1905c08b3257b7621c9f0c41d39d6

SHA512
fb86ef1c271d10da364654b244253a4492b8331d69e2a71479671a44f613b88a72822b5a849159b63b7b28c7cbe0c6b7ed35f82cf749a598b23676fae70f279c

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\clean.mbdb

Filesize
10KB

MD5
b08f5c57848e38686fc3ea0214124e8c

SHA1
13b1fb16ac11decdaa6aadf702c29bb176076fe8

SHA256
9f526f72efc6115306277c70bb16f86112c35187e22291c2f23e0cebffc4e9a0

SHA512
b24ebcd09028995bf56ea9f1f8223fc3c4a8b26cb2d49c624b20373cdd439243d5b8663a058780f5a553274b5ecaacc0b817bf3b2b2bc156bb925e2062425597

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbmanifest2.dat

Filesize
924B

MD5
0442a3f16c917d326496b95341cea953

SHA1
55c84ca2db1723565757e373d80f39c1d9a7b0e5

SHA256
5d13840e9d3b0b0a87319ccebc8a522a80362cad89629a731a600d719c6e88ff

SHA512
7c3d3ebcd3710ebe30b4a7535d22aa4b39ffaccf6a6866757d4a43921e1aa03a6ab3be177987cbbcbe6da514fd2eb7aef3dbca6ade93123b7fcb5060210367d7

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dynconfig.dat

Filesize
39KB

MD5
10f23e7c8c791b91c86cd966d67b7bc7

SHA1
3f596093b2bc33f7a2554818f8e41adbbd101961

SHA256
008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

SHA512
2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\exclusions.txt

Filesize
23KB

MD5
aef4eca7ee01bb1a146751c4d0510d2d

SHA1
5cf2273da41147126e5e1eabd3182f19304eea25

SHA256
9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

SHA512
d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\mbdigsig2.dat

Filesize
514B

MD5
9167f2b5ae53627de5512e4ead331cdc

SHA1
2b76c5f12bf096641e9d6c2c95b061b87e7e746e

SHA256
1430c15216fe4cb7461b059b01e04a9d539c6e6de88d98b40d017932781faf47

SHA512
272429b6df67ad273800358c19458eaaf65f34f0bb6ae19f667303f0d93a31005abafaf71ba51927f33107630cb32289891548f59906d35c8df7a88bd64f14b2

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\prot.mbdb

Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rdefs.mbdb

Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rules.mbdb

Filesize
21.7MB

MD5
f73eeea88febe13d789520e87483c292

SHA1
b2ff4540f9337c1ab8f379117fc7692fcc081b48

SHA256
7dfb153f20937862b76eee4437f2ac618427da906d1f7bd0d6fec57eceac043c

SHA512
4e71487b15a4984cad2dd559100532475787cd8a1a4686fa212a2ec20a801fbd2ebab65c08c6451fe6c34bf1cb726829d747afd266d87f74c844d9b55bc74016

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\scan.mbdb

Filesize
1.4MB

MD5
3e2599322e6c4b24689ad33a1ea0875e

SHA1
0cf990c744b3a401961113da95782bce39be53cd

SHA256
bb7a496a689ecde10e537dc5eb1c8f374b52287a763bcc0cb5388adc05085f38

SHA512
573bb53e673d7e403d63f30afd181690be3f47adc77fa882e372a50ec9bbc7c365251f4f5092aacbbc350a195713020ed435ffbf8d8436028e9e8e230345a81d

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\tids.mbdb

Filesize
233KB

MD5
471541d2750183c22b806f20c78b3b4c

SHA1
879698ec92809b1846955ac46bb40bdbd705a091

SHA256
8d8339a1e58886e580c28c516a697f526efd5ec0b92c588f1638112d9c5b119d

SHA512
11933a0ef1fbbb0c4d6b0ffdb84c652bf96ef5079941d51a0736f7055ff5b608f1101c57147f3b9662aec7391b183a77a2499254a2d7826631c49bcf7bda3f85

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\wprot2.mbdb

Filesize
38.9MB

MD5
bfc5a5f64dd1c2af0ad9cd1057a5e127

SHA1
e965a7f52df192eba3463be57b6097486042e4c6

SHA256
fc3eceb8d034cbad69f29d2a5dbb322c795754c3f518c7a7b78b6a8c33559c2b

SHA512
3bd3e7c77540b59c036dbc3e6b4f2b806ea5ea4199a5dbfdeb7899f31869217c9d7051ab16f389729a8e18d1a21e8ce97a4328fb8768cbd6ddb491d0ad96bb83

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\7z.dll

Filesize
1.7MB

MD5
461faf68ccc02b0223fd273b630f21fe

SHA1
363b8beaa74f0f454c2d544ace9e71a84bc2b4cf

SHA256
cb07f3f461e9c267831b1ab93af6dfda1bb51d72e42d73d00d26594f09326be1

SHA512
4b671f48e45fdedf50c7f7bb6c8d82a3b98f7502006eb002aaf8ff31f25f9ff1257c7bcc12caf622e43d4ec665b19d978ae3e3762f76def0bc71485ebdb8426f

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Actions.dll

Filesize
5.0MB

MD5
1eff53d95ecaf6bbfffe80d866d8e1dd

SHA1
d7ef7d7c77fd04b2c0eb8c16bb3cd08057f6742f

SHA256
6dd748f7ca56125cbe158fa3612f08e7312ef58ad5375e6b7ab5532cc16ca0ac

SHA512
c59b8e6f0b238a247e64b9c7bb42213dadac1dada63542830a6292361174c935c0c662b2d1aed3fb6100cc4993297b1eaf25e328f2b4613458c4ffca63b9f02d

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ActionsShim.dll

Filesize
2.5MB

MD5
e7a4bb8fa34bc5ae8b84bf15442da99c

SHA1
26e6d20876f01faa32a7a846c12dd35c695d55b6

SHA256
9ed946c62c7801779822a83d9126257f6426af381a42ce29d5a3c49c774fc141

SHA512
10b007f132cdaa7ea2e75281cd7767b59fd61335d28bc55b778e05479ac993e3578ba1370fe1ce6bf35d271ca970346d5f8cd13637f59fb1fa01c8a6345727b1

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\CleanControllerImpl.dll

Filesize
6.9MB

MD5
ef3e4c2c617164e495bbc0ec13890ca9

SHA1
f384c1892e00720ccb97a921d556654d730f1d3e

SHA256
7fa7d2d0618f46d50d36401f76d0314c72096ebd003d365d8df2b488bf02103b

SHA512
54f56aedaccf3bade0ec4601a86d23b8110702562be0a2fe2ce18aed09793eb0e7290215b3267e3e2c57dac850f446b10fd3a5e3c81e11508f1a70224366a51f

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\CloudControllerImpl.dll

Filesize
4.8MB

MD5
3cad89a85ae704b4e264a03dcbf1de8f

SHA1
aacc5111236b95b9044f3228c961345ead3ee5c2

SHA256
1f56f70c09fb6b6c92795dedbcfa0626ec29383d53166ef0f179e86a46b33b56

SHA512
4efbb0b81392378cd143e1526d94b39434306e7354dbd6326bceb37cc3919f2b84d4ec08b378a35b44a2f93b660623f9112a36f4fb745f34327f9fda8f0e84d2

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\CloudControllerImpl.dll

Filesize
4.8MB

MD5
3cad89a85ae704b4e264a03dcbf1de8f

SHA1
aacc5111236b95b9044f3228c961345ead3ee5c2

SHA256
1f56f70c09fb6b6c92795dedbcfa0626ec29383d53166ef0f179e86a46b33b56

SHA512
4efbb0b81392378cd143e1526d94b39434306e7354dbd6326bceb37cc3919f2b84d4ec08b378a35b44a2f93b660623f9112a36f4fb745f34327f9fda8f0e84d2

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\LicenseControllerImpl.dll

Filesize
4.4MB

MD5
b7a9a7b44b82e954c1b77e7b7f71ee66

SHA1
02f3eabef778d5641eea89d318268e79949da7c6

SHA256
ba97bf9a2a0c454dbd965ef7b6c12f582d49391d5297fe2ef4a94bb13d2d472e

SHA512
524dee007193cc13ee81e9734564e8a121715f7ecb27d113eb7d8265b7562ab60237aa64c556a819239ee9b4abdc8523a57ca666bdd48de82eca79efba771bc5

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe

Filesize
8.7MB

MD5
3c7b30585f27d8b078be165406bb651e

SHA1
26918e1e29b380ad833198658f939b057e33db7d

SHA256
1c340f49c4449d5eda5c425b893368f21f7d85901053c1d1b61f791020502ecb

SHA512
8825e70dabb6d99d11a1727ec831d428a509bdfaf0283367cd29cd6c560021bf65dd8cb9b54eb71e9bca22d8681fb155adde443e272646bdc28994b7990db07c

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe

Filesize
8.7MB

MD5
3c7b30585f27d8b078be165406bb651e

SHA1
26918e1e29b380ad833198658f939b057e33db7d

SHA256
1c340f49c4449d5eda5c425b893368f21f7d85901053c1d1b61f791020502ecb

SHA512
8825e70dabb6d99d11a1727ec831d428a509bdfaf0283367cd29cd6c560021bf65dd8cb9b54eb71e9bca22d8681fb155adde443e272646bdc28994b7990db07c

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

Filesize
8.7MB

MD5
acd4e9792488adc9627075238bcf3843

SHA1
54f49eba565197460b564af8ddfacad91df960ff

SHA256
84864e2ce732b2007492cdba8fd83d25f2a6314414e97f67e7bab9cb66ce3833

SHA512
8a0d680d532621da8e174ddc6142a89cf81b5af7d8a4325cffbcd61f473d3006dd419d0f740454610be818c53858ea7a30c22102465522130b5ba9b15c7a13a0

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

Filesize
8.7MB

MD5
acd4e9792488adc9627075238bcf3843

SHA1
54f49eba565197460b564af8ddfacad91df960ff

SHA256
84864e2ce732b2007492cdba8fd83d25f2a6314414e97f67e7bab9cb66ce3833

SHA512
8a0d680d532621da8e174ddc6142a89cf81b5af7d8a4325cffbcd61f473d3006dd419d0f740454610be818c53858ea7a30c22102465522130b5ba9b15c7a13a0

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

Filesize
8.7MB

MD5
acd4e9792488adc9627075238bcf3843

SHA1
54f49eba565197460b564af8ddfacad91df960ff

SHA256
84864e2ce732b2007492cdba8fd83d25f2a6314414e97f67e7bab9cb66ce3833

SHA512
8a0d680d532621da8e174ddc6142a89cf81b5af7d8a4325cffbcd61f473d3006dd419d0f740454610be818c53858ea7a30c22102465522130b5ba9b15c7a13a0

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMShim.dll

Filesize
3.0MB

MD5
f44b6c80c46c4cf3071b5f5b916e1271

SHA1
839f2238ecbbfa80ebf9c1f77eafc78204b58761

SHA256
732523df43358729d5e85cceb557d69016dcdd3e2238d903c33c5327c3131fae

SHA512
99be164ae96bc4f93dc896d5df445ad1c2f023f10605a8c9857d7ebedfc5b070f50cd33b401d61003e601a06b8446e6c0b5dbddda4927a2e1352407d3b266942

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MbamElam.cat

Filesize
10KB

MD5
60608328775d6acf03eaab38407e5b7c

SHA1
9f63644893517286753f63ad6d01bc8bfacf79b1

SHA256
3ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59

SHA512
9f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MbamElam.inf

Filesize
2KB

MD5
c481ad4dd1d91860335787aa61177932

SHA1
81633414c5bf5832a8584fb0740bc09596b9b66d

SHA256
793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3

SHA512
d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MbamElam.sys

Filesize
20KB

MD5
9e77c51e14fa9a323ee1635dc74ecc07

SHA1
a78bde0bd73260ce7af9cdc441af9db54d1637c2

SHA256
b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0

SHA512
a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\PoliciesControllerImpl.dll

Filesize
4.1MB

MD5
c447ffc8af4633daf687e0a943061a60

SHA1
2f0a1854d75a82929dcff5308befe3b83439259b

SHA256
c01804c902c5532517fa0ceadc91beed01d5ac67adf062b7ce7eaba8272c40bc

SHA512
e0d650c35a46063d0e3870e1888d95827050e7792391b8c6ba4b5cd0cf2501cf0eb3aeb1c4a9f524467b6efcc4cb44c8816ba91aa09858c3594d8334a3eb2edf

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ScanControllerImpl.dll

Filesize
5.7MB

MD5
a340fa4ce6b8a5e22dfe5348752138c8

SHA1
4cd995cce3194b43a5e2f12f032eb5cad88fc3c5

SHA256
250f17aad7e80a1b33b79b1e95cdae26d6be6f1c27dc9aaba1b6d8f346393b8a

SHA512
bc72a19624042b1a3f6f873ec193c890a12fbb85111b60399e5b3c9584a752c9c38b637fc37b5a7a968dcedaf804b299ee2156726aa7462bc940154d3654feff

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
593B

MD5
6cbf1f9199b1705b34c75c9c33ff14f0

SHA1
3efa02e69bc2a83e9085c26774b32229547d2852

SHA256
bf14350d89d6a9434850867c265ba2acddc40761a6c1c4ee943cb42e7bf5a585

SHA512
995afc2ac2a8b4313b602b010571f30075491086a13df1f4c0b619b2b9803022b8e694510b15ae503d3b1669cc6db32b0fea2420d1381e498b0c988f7ea9e4cf

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
593B

MD5
6cbf1f9199b1705b34c75c9c33ff14f0

SHA1
3efa02e69bc2a83e9085c26774b32229547d2852

SHA256
bf14350d89d6a9434850867c265ba2acddc40761a6c1c4ee943cb42e7bf5a585

SHA512
995afc2ac2a8b4313b602b010571f30075491086a13df1f4c0b619b2b9803022b8e694510b15ae503d3b1669cc6db32b0fea2420d1381e498b0c988f7ea9e4cf

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
655B

MD5
fbe49ff12c15759bf13451dea485331f

SHA1
85222d82031b952976feb5ce3d5910308187560c

SHA256
760059ba0f706e58657330d6881e3a101b56f67b3b5a281617599a3613f6206f

SHA512
25d53555bbfa999e5e30b28a238cfbf7330f4dc6c69891a8aeb156dd9c071b463a3762b738169c0d3e75cb5dffbf6530ab98f8effe1a9397f3213302fe43707f

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\TelemetryControllerImpl.dll

Filesize
5.3MB

MD5
a6b7865089133607d9fe66617abcebea

SHA1
e7d887a75fd48945d3f56b5635bae822ad5c7a1c

SHA256
f1f1958fbd3ecc0b61f1be129025dfc59112c09b146299caca61bd6f552c0355

SHA512
3c0638229b90fd4d4ecfbdac89a467d514824e57f1d40f68c5009051a48cc53a0f2f5712aeb530ed6aa9b855272590563c95738abf768f46bdc332806e6d7792

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\UpdateControllerImpl.dll

Filesize
4.4MB

MD5
d0b204fb32962798ebd9ab0ad336a83c

SHA1
f281b35553afa236a214b910c537ecad0e3bacea

SHA256
627db74adff5407a074e94997cb724434478801607c972ff2afdf10d4928bb98

SHA512
5d3aa0851b7479d3c6d092052fa8271cb335f54ccac526a01c64745c222f906b6a5ece2fb6637e6dee878cf76af3ad89e0eb7e7686a7061c134a9e8e6d0d3eac

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.dat

Filesize
8B

MD5
c72425e92fb1804d6f0dec0a59ef783b

SHA1
294f71997179899cb5dae2ab7cbf62d435e2826e

SHA256
808e8f5cdcbe8b277c027aa029c25131809202230b579b716ba17c8d6778df55

SHA512
e1125b1c6314de927c6a1b8211c968f5eacce52f4cd4f93730bc7b05fd0c3daeb4016168e4b54063305cc26d9c02ae06b0cc1bdb6269b1f631d221e1346d5885

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mb4uns.exe

Filesize
3.8MB

MD5
b9d4462ef148f15b28f87040d294b6ac

SHA1
a11426b9b2054562973bab331cf3de32d4965fde

SHA256
c7d2a91dc0230c4b2f7833490e9299e3d1ec8a80379dcc6f90582f51415f96b3

SHA512
67064c8b60d050126053ec3ec108b270dc2e673aededd720a4c18463f7c185195d39db113dd8097543b7f259c8c23832f4d5780bd56c1bd94c266e7357c4ba51

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe

Filesize
22.1MB

MD5
f55ee10564dfde096fed148b36fa87e8

SHA1
d3e9b68880ec9d7d74f4ee5dd7445c16ae712bc1

SHA256
8ca62ef10d6cb40defa4a379b1202351e1034b9451d7c53b554d5c24315f4efc

SHA512
3f961ce85818f75fd9cef3223801b35a85e6b414d0f649e24edba26229887d2523e760f59f0a6f164156104cc416b087906afe4d3ada4c0c4b6570e6451e1270

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe

Filesize
8.0MB

MD5
d71e580c70548588faca4e4421b7fce9

SHA1
924bacd7de250be62178dd14f1e391b919a489fc

SHA256
08812c249960a9b3d88c3e29586422e8bd940dfce2279560cc2340fce594cdcb

SHA512
42d5318c1380e4c6b1330def1377a074c308127aed25f277037062e25c54d82c5f6396d781278f5174b7bb8b33a840210a86aad3b7df44e2d807f62b837d45e6

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll

Filesize
2.7MB

MD5
b7e5071b317550d93258f7e1e13e7b6f

SHA1
2d08d78a5c29cf724bc523530d1a9014642bbc60

SHA256
467de01d7cee7ec54166b80658ff22f9feebdb1c24eaf1629cf40e4124508064

SHA512
9c35293c95c1a9141740ac99315605964aa37c4a42d3a11cae9e5649ff1427a9480d3d5e7f763212cf13db3511c5ea3c84e68f95f0067fe6339a9d3fb7b27c54

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll

Filesize
2.7MB

MD5
b7e5071b317550d93258f7e1e13e7b6f

SHA1
2d08d78a5c29cf724bc523530d1a9014642bbc60

SHA256
467de01d7cee7ec54166b80658ff22f9feebdb1c24eaf1629cf40e4124508064

SHA512
9c35293c95c1a9141740ac99315605964aa37c4a42d3a11cae9e5649ff1427a9480d3d5e7f763212cf13db3511c5ea3c84e68f95f0067fe6339a9d3fb7b27c54

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll

Filesize
114KB

MD5
16663d125398773a90d0a53333b7cf5e

SHA1
f92928ae3c9292588547ceaca1cb1d372bfd7936

SHA256
38e6811b47262101759aa51a631263d9e3eee5d211164318a751e078afec4cbc

SHA512
091764b8ad80aa31eea0bbd91ee505ebdea2654bc8aeaa3081a061d0d37ab13d27dd203075fd0de10c6687591aa0e36139a38af846c4e34e6aa67ab81dc277df

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll

Filesize
114KB

MD5
16663d125398773a90d0a53333b7cf5e

SHA1
f92928ae3c9292588547ceaca1cb1d372bfd7936

SHA256
38e6811b47262101759aa51a631263d9e3eee5d211164318a751e078afec4cbc

SHA512
091764b8ad80aa31eea0bbd91ee505ebdea2654bc8aeaa3081a061d0d37ab13d27dd203075fd0de10c6687591aa0e36139a38af846c4e34e6aa67ab81dc277df

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.sys

Filesize
233KB

MD5
1dc6d344ee9b6b024ba23278891db9a5

SHA1
519b792d11daa2bf9d127f69cdd603a236576e04

SHA256
823e1c7321e177b006c1f3fd1ec8b99607a12d2c3c321f3a6cbbcf7030b6c240

SHA512
fb96c4ede03c3aa729d2ea5a72c5f14029f6d69a79b6e0d5449e371bf3acdbbd1cb2079e8bbac3a3140a257c71018bc7a2a31a45ad5c8b65382e67cc3431ab6a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.sys

Filesize
217KB

MD5
6a21162e1c8a9f65787b14bc439eb077

SHA1
1bf68b253edd6cae098144e24e09b4e22178784f

SHA256
8b7990e1c676f53918e41f6b18b20179d77e598352d9243b05e2ea22b2d9e4fe

SHA512
a0dafe66479b9e68ebf04a7e2fa7c7cc352fb075356b7eccebee7af527393711e3cb36c7ff6466a5e28b17d1d003c1c49ef176b448f5de36a7c8177c9c8808c4

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat

Filesize
10B

MD5
998cdb4aaab329f32b7f47e12e39f3ea

SHA1
120b5294f287c1012209dd530e3779531b037b6c

SHA256
79a1be670d35f1bcd3e21d744943b594100648a1dada89f134ba16e3a76f6981

SHA512
a095900684807d8bc770fb4f93f6ef1d7c96fccf038726429e416c749147c53bd0e195bd2655ab83298a6f2a0e6d6baa0c1d9580123d93cba10c576e06f54333

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\uipkgver.dat

Filesize
6B

MD5
9e94f26e0bdd478d4c04984bbee7af09

SHA1
2faa997e896c76833739c181ac8a9d43a06d490d

SHA256
98bfb5c401b5ddc4bd6b666ffec4037e780478a8ace9afad84567a4d6530b787

SHA512
185082a8b6b3868afe36593bfd5eaae910efc9acbe2bbf214da08f58debd6c536184b67def9062e337fcd6133c1c62c2999b16b76c6a9c232d5e751d0813fd6f

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\version.dat

Filesize
47B

MD5
a26ef860b5878a7400e4ea50db6e2b4d

SHA1
9c2beb835ef24dd9e9bd791500ef4bb35f16a5c5

SHA256
af031cc78b5f25dbafe354b95b23ca60f14aac7825c0bb8bb396b909711d4dcf

SHA512
df646539049f5ad87a3b5a3600ebf727220c7755184d064f7774ee215c72c12a08469374ae386b28d7a7287a76d1bdf5bf78ed17073ca113ad2821a646f8da39

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
1KB

MD5
5574f5de75ea1ea1fd5f61b320c48c28

SHA1
c4a19e70bd4bca7ad35c352016d5d7ec860ea995

SHA256
8768dc0a203b103ec7262224452f891d0b23fbc154c44d0f4145c080c7996c28

SHA512
eaf23911461a5af09c40de6a05c40f50a0b2ca29ecf34e053b78307cf3cef459d0d2cb46a425d448ca789167059c156ab19a39cd37ac5b54824e8fe59359c1af

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
47KB

MD5
bc9a1a41811bab3d01486635bcc4548c

SHA1
403f4019616bb4a06c4eeeba2858fd7a556dc1c4

SHA256
517b7169e994075e7c2a715aee3832aa7a63b1432e996e2d853d23db32acf9fc

SHA512
0b84cf39219e2bc4d0405890854ea1cf49665faae340f0b38334493c98e636ed49ecccc2c8adff585634058d7d56a7c1db82db7c45ee62fb48f49025df0914cc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
64KB

MD5
b2b2bb278b691ce1c06f509b80ff279d

SHA1
47edb8574baa339ea8e35f1bba0f0cee753bb207

SHA256
2ca66770b2847c41f33b8e3123a68673b1893f476bc8b8bc043ac7cf6489c04e

SHA512
50f125103bd84c61fe075ec1180fdb25bfb365ad8d63e87eea06e1ceaf82a3fe8ae0e91be1e1b04bf7d4392552503b5e6df9ef2771075e6c9f44fbea1d0e3a46

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
64KB

MD5
a94729fd8a322d324a453ca732bb9d03

SHA1
8b04488904ca04596a22245552df6db20c75b5ca

SHA256
af0faa07d7bdac3954d9cf222d0bf3c06be5ae4a63fa7a0373fadc6e23ad6193

SHA512
96f69b7e72d84057ad1df8fc62b999270678683a107ce885578b716e2372e20678c0b9689d5a665975292728c75580bac166f2f4f0621972898f5e984d8592b6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json

Filesize
607B

MD5
fa778165891efa02c5498b15aeef5343

SHA1
1e0cb8facdcf47e84575b9356eb4d2970168fe1e

SHA256
d5e69b3dbe91132f688dd5ea284762b0f3870a928582998b642a91bca3ad5af6

SHA512
d53ae4de3564450dbf43a68ce0018f2002e5bc68422c60e0243b4765c28a257c9036b0d54c64d800b8bc9220201e7ede18a418d8da0241ef70bac86ad7af8913

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json

Filesize
808B

MD5
7f37bab64eec344057c60d8a4728f501

SHA1
5fa28dd5828ff3a8517d864bcf3de59742102136

SHA256
7afa69f9602c9cb005c4f3faa3a07d296f7b183c88315283b4ddc331dc846d00

SHA512
e39f6dc6e274b63089e08133f70b91fc97408894d9cb85b42a83c905a7aabf8bb46fafc6b11814166f63aac80fc1d868a7b55c27f2e96c8c39e50711ef098a2e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
543B

MD5
0bed0f6f26ab2c0e6aeb0413ea2124f9

SHA1
6f9eda0ad2359dfa2db38870791a174b8262b222

SHA256
55676a373d85ec4e520019db210cb7253733fd6b707161b5f566c88249a166e6

SHA512
c23ecf47486dc925b4ca791c2e117ef6597807ad80fa5ce0292779a23ca7d3394d6cd68387e6f1a40b2b436d4916e9db06f0f97afe64419c2e295e929307d877

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
9KB

MD5
fb19cab7a79c769eb13a9514b7b34ad3

SHA1
9db09f91286149dc607c5851b5b529e070eb593f

SHA256
eb1b0cb0c61403255060985d2ca1e2c8a65905571d59b1faff8914362edf673c

SHA512
5510fe4cf6ebed4404245ff8592085175a8d391ee68ce0bdac4392cfc94de539f89c7f7d9d40aa001b3ab8f9629d9041cd5e56c76651a1180bcfc170726329ae

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
10KB

MD5
74ca74b7ea007de1884e3f50483903f3

SHA1
5b799b243d4379991205ad674d0c9689b5ac2437

SHA256
2ff9f9d39236159baf3a1ce3d9faf046600423df9f4cc269bf30815254ae4c45

SHA512
96e46cdb8d90430b919b710bb307a1b622a3b470c71cda0d286a549b806e605ca948e28759626ba952b6a26e8399ec3b0ac12b4b073fc8d3799f66163b5a272c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
10KB

MD5
8a55f90b3a7fa588df101244ffd23c22

SHA1
2b5405f14378091b95916113fbb604da2b8e61b4

SHA256
eeb2a2151a31a21137a951f49bcce3d368f4102ed3111e5f73e88941d7872803

SHA512
a0100478de9220692d5f09166389ace9acd815e0cf33be3adfacb8d057b65ac7339c9d28b26092f3e96c3f8e46049e0784fd00c7be85c8e243387552432eaebf

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
10KB

MD5
ce7a3a36b30ce1c4652ff6f07eb1fa20

SHA1
25c1d878f1c9edd5874ceea2fe76089f16bdcfc0

SHA256
d017e7b60ecc17093ff16ad2cd770beb49ed7aae76b6a79640b52372b730ee7e

SHA512
c346542a14b88410fb4b4d938c30d384f5d793a3bc284504328d56bc9f5bddb721e04b36b8420762f02f58f03d3e74679f5a17dd08c3feb3ca235ce19fc8b0a2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
753B

MD5
85eafccdaf36d07a0da991ebdcfb50a2

SHA1
4f2af6e6dce0ac83eaa5eed7288e992669dc7558

SHA256
c73571b7238ea0a379828017deb13bf9e0fb06bd7f747afd688180022b32c6f7

SHA512
0f65883f34e74d392a195ab00fcf1bf4d5474aa82c5ed946b6cbc08327559f723a9732ded42fcfde35752f2511d69c86b594b8d3b7c837188cd4fd0ce28ed131

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
1KB

MD5
706dc439c627eca1e2806c2ffec690a1

SHA1
40735df492d8ee280733f982f09114e702521a9a

SHA256
6e143a7fd8133c6ce2dcdc1e54dc5df5739d030be51fa3f558271d390e66eb10

SHA512
b97ad95d6e300d0c5e97fd8eddf35edce56dabbc1012792bc346a82c5db0ae2f945bc6d863a760d8fb440d99a7124058ae322ddf73067c3a8130cf2daafe92f6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

Filesize
1KB

MD5
e6cdd912a69f5da7d06d179b645e142c

SHA1
51a04b04cd78fedce1a51a601e3e463834188965

SHA256
b3f87aa355cbef29ad16eef89f86cb5f1e56b2f00806b8cd347997a5819e74fe

SHA512
8bcb939c78a81a6c2d47213f0f40522793b3f0a9dae87ab5b5485fbe03795df878d79966f6ac156c999987849b8b4782c04b747caa805cf5c2aaad46f7a5a5fb

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

Filesize
2KB

MD5
4d77df5aeab284b81af0682c92f82363

SHA1
aec722264e7f71285ed568ae4d996cce0f95f517

SHA256
32f851c6f0be81ee7e4218b8d9fa76c3211f4ea3ae793bab075f1efc777e7fe0

SHA512
89c46600dc512e89f73507431ee3ad055c58ae093e10d49bb1e9b338e18bdd08a2dcb71519046fa4ec4a5f84a12592eff010dcb5e1dea30cea128ce501aa0929

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json

Filesize
811B

MD5
f9dd1be743bdf2ed9fdceb973269f51f

SHA1
fb636ede31d1b300d7518e1b0036aafe3d011a08

SHA256
96fd743c527c04d42d1ce23c488174f65452d0f18d23a31ec341eb58aacec51f

SHA512
86436d61a582eb32ca1eec8b858fdc6997f8229cecc4c7029ee9bb29466dfd06e8bac7b5a649992086e944ee06a7e2172d1d9f3787ed607ad86cd7a12d26352d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json

Filesize
814B

MD5
5956da9c1deb07c2175b03fd5f410b69

SHA1
2cd883aaa53d8bf8c1a7818c5bab21866c56be58

SHA256
009ee570085edcf38e4e9db9b54d8e85a8383f4ba1f1fdf9e9bc188256eed36f

SHA512
fffc2627f50d6d934fc1ba5d62a573416a39bec3712f3666a30d8460ee7697f9b8310c2b6b91c227d35a38f8ffb419aa7ae412db4a71d6da77b81f71b49a1ab1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

Filesize
1KB

MD5
042faf2b0f3c03348a69b56c5408ea94

SHA1
02b5fe5da87a126110ce373f29c7a99cae5de75d

SHA256
324f2e7e56677bcf3d372413c3c3cf20877c7cf7c695e5669d1973d186e547be

SHA512
efe91a4c82adf560e341ca9b231ae2b44675504f4dbb4a28fcf538a9de635c896879dd8b9ba93368359a3156c801a289e43248ee34488c5524e56e68e5122d6b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
2KB

MD5
b6c7738c176e4aba409a3bd1faf25d2c

SHA1
cbacf7224597a6db885d01a46bfcf76f7363b5e7

SHA256
99269a30fccb9363424ac9e582574227a19780e6591073c7108e34cbf8c2a9ca

SHA512
c58f6dec295a53f0ce9b23ad47196957ede2a83f9d8b2c846c5a37f1ba3c3dd605d515725639624fe5459e9e84e1ea47e6e334f04f87d84f61d8eb41a0596eb6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
4KB

MD5
8e0afbe3f2f099b165c6d9a150823ede

SHA1
fb688993cddb0a298bbce60481c96297cda9f0ad

SHA256
7be6c0c12202fbc92e2a19735d031ef4301d83e4541dc8afa1a013d416b9c94d

SHA512
a4e3b2de65f292ceeb862b3e04abdc6a5a79287057a626cffad906d3c379a59426f57c8d4a4de854da914dedc0bd4c2467b49a48260af41c2a2f1a152c66fc09

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json

Filesize
10KB

MD5
c96fad3e48fbfdd3407c63d197250413

SHA1
48245720d9786fd3fa7325ec887baee24549052f

SHA256
83228098c78e5ee6172fe57f51c8b12acacf30cef1743482e3be3d507501aa1f

SHA512
3065624d34666f701d8cc3240fda19d1a5d1f7adcd2204285f73e5fc7cf02d3943349a3f4a77fdfb7f5be071532f6be277b8e18191465dfb7547397eacf961c1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
2a6e8898c1b3b5d6f3dfd9833660c6bd

SHA1
334e039e17f77db95457a1dbfe68b4e3a1f26389

SHA256
3de8b319b1220efebbf6cfa391571f7279658a68c1e9379615e5f6f9d1c3b73a

SHA512
6ddd687be3d80484f88ed386e50f32d6a37e9c4b41c13516ac676195f0bcc1f639288f1da03edd6279985c80d1b6644b5f8c77a213b9963ec1304bf48cf802c5

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
e65c5ee59faa4013c17feb712dadd3fc

SHA1
0f50dc0f7cc93996345e4b7576950c021be8eaaf

SHA256
0b9d12769cf2b2d866762cfa977c7e6f0952cdc823772b20b642f6a1b45a5f40

SHA512
c8d02d02aa697096f37708957f5f5d529da1d09955b8a8915b5c7c46d1f9bb5c1dc9cb0fcef40820843f8398f80396cca8847b79cfa0860cfbff7bbe7f6559cd

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
ad131a32d32ab477793a064a3b38f766

SHA1
060734c838d746b0ed61f2ca1bebe22f18637c10

SHA256
b90c033439d5a59463cd29c9e7c1b2253f0c6e5cff3f508fd477e33750551b88

SHA512
0e47d57524b0d4e1a139d592098e9b32e411e0bd22298ac67ab5bfe0b4c25f76a1aaff3012a106bc4a68c9e33c84ddfb2ffbae1b49cfb1cea05b08b39ab723e3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json.bak

Filesize
1KB

MD5
538d4f7ee095526783b3d206089a59a2

SHA1
f8778cf4cd370df02212f1e110b8dcf5e6ca455b

SHA256
23012875371466479cf7370c461b6a9a9cea5770d153f755c81da4bca69d294e

SHA512
7436d66d41565e4c258f789a198c51df6857c520caf49ba196390705cfd8cdb9c6885f17a549bdfe159380c4621336b2b144495071f7fad4bd400d053e99cad1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
e12fdf95d63e258caf38b6787229525a

SHA1
7284a312ef6899cb48b57c029f4066f53e55afa9

SHA256
a911c05d7bbbff401f06712e97e45d42429cc9a6a9f8b83fc585c554b579f8b8

SHA512
81f76e6387fa90f0d45cbb1bbb8db20785661848c891e910aa4699378c15775f02447794925fe92835d0b26196f3144e93be5912b5d82bd85cca8ce8b2d36847

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
0f7d7e42801ea5cf8ad92be674ef82fb

SHA1
6eeaa6ec7a2fb6762e91696286a6c2881bb699c6

SHA256
cdb00a2b4b09d13a86f562470d46b233c994214432abc97a4f060538fa972990

SHA512
3e9cbd501cbce5915f26c047a0a7b02ad9efe35eada872ce850e7488c1ed21c447bb24008fd7766be634ff599064915c0a12cc4f050f032eb120610cb33ed6a9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
883deefb7199c9f5e39d6cc65135f54a

SHA1
53e139896be21c5d76a0d9d182f3600da3739021

SHA256
dc0063345dbd29cf3fa21819fa019bbe458d1d018f2a7766323bbbcb70e5c9f9

SHA512
7c490da2bd0df22b7cf626174511feea61bae91fa452556558f4c2cac4c878088970873f6a57ea49ab66094fd7efea18b35d17cdabe50b937681f79529afcff2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak

Filesize
1KB

MD5
2c016e3cae7862bc37291a2539649f51

SHA1
7c336feb59abedf4f12884472b383dc6781729f6

SHA256
451c0de033f9d7b588d0ea68e0f839dd9aed8ca4abe04c4ae7760ae0f42d0ee7

SHA512
c8f0562f1febff8b9cfa1e93dc5100785c26441ca3d24ee9da1260f9d658674dc8d981534bca42a888c049973d1ba64c47b67fca8dc6b839af9d28fd767486d4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak

Filesize
1KB

MD5
062cc11242817739457631bdefae78d8

SHA1
3fa37e7bfed15d674a12116c7e873af633fc0c3a

SHA256
acfe7a11f238e744b6dc7d98dfe583c47e2f7fc7ce05c9a1814d0dba68a1dbe6

SHA512
a9660f026bee6ddec1a0ded7bb1453ba94a753d5817d5dd2b9a1f134f04334c2becb21955742d01582093150eb44d3434edc0bfac4e2e63fbdaf2756b5c03603

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak

Filesize
1KB

MD5
3c7f5b0e06cdc1c320b7b9a7e60264c4

SHA1
4d742ac75934548f3322ea6d309df1f7d9c97a9e

SHA256
8e5e0d118cb2ab07b0f1c3b39bea0f1d0760ed6b703f990ebb85e6186e379475

SHA512
6f84d19bcabd0581e6010c900cd604c1155746d73071ec9a5d55d1fba3bb7fa775fb50e279fcf2571582be3f6115b4797e245f405905df9a3e89e395bc695e57

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Actions.dll

Filesize
5.0MB

MD5
1eff53d95ecaf6bbfffe80d866d8e1dd

SHA1
d7ef7d7c77fd04b2c0eb8c16bb3cd08057f6742f

SHA256
6dd748f7ca56125cbe158fa3612f08e7312ef58ad5375e6b7ab5532cc16ca0ac

SHA512
c59b8e6f0b238a247e64b9c7bb42213dadac1dada63542830a6292361174c935c0c662b2d1aed3fb6100cc4993297b1eaf25e328f2b4613458c4ffca63b9f02d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\BrowserSDKDLL.dll

Filesize
5.8MB

MD5
1ed53171d00f440f29a12f9beb84dac4

SHA1
4d9a1e3579b0999f1ab2fa818b588411e9ee920c

SHA256
e659e687a872050f9e65d78992d16bd9b393cf3f8e8c94e0e15fb42b7065327e

SHA512
17161cfc672d1b996b8af4ebac17f9a8a3807f38c9a23e2e5b4dadcd9a21c3a64faec9bf59147022a9df88b80f89300f1b537091289bd7a42806bd206a317e6e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.nm

Filesize
316KB

MD5
1dafc4de7ca94ea98bfd98e584483ba9

SHA1
c5d2cc9e72e8f7404af5e04366fc6ce039e7d30c

SHA256
0645ad7cb1777ffd2ac8b36f16df5664f2a982f159b658f4fdfe7078f19c9cf2

SHA512
bb8bb10405efee77e2e46a91a0ae2e0a699458dbc7e4416fcb2cdaab0add54553d08b4b2ac50fba6dde55462ebbca5ed02bd3824ed6b15f686e8b1b72ee4eafe

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.sr

Filesize
25.0MB

MD5
c9e1d56bd4fb4a0c5699b02e73aacbef

SHA1
bea23ff5de154440fb406e5aadd0b7c0d23c5d6a

SHA256
b55a0103e868b68507b2b53d94742479278721a47d7c82401ec041933e1cc914

SHA512
d0a8593f3a865937cf04c60ebee126b23b05adb03d091d94ecb4d8f44a1325d1b21f86c0d3683f98c85d12ba3f360de7da4a3a6a7ecca4200dc4940a649830a9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\MBAMCore.dll

Filesize
6.3MB

MD5
888b794737cd78e918486cd2a4116c65

SHA1
335aa063439ee8c2242591dd4cfe6c9bc28531fe

SHA256
2194ea4af98e6ba23e14ac60860a6c727f4694a9d904025288997ad05f0859bc

SHA512
f6a15dc86a89adcbf9ea6b96eb7d5671a2077696ef4cacf88c36d7c73c5f28d96f4a257ae8672981a24907e0583bb15c01dfe09ee1ac5837ffa693d5668dbbeb

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\cfg.bin

Filesize
639B

MD5
544a36063346eeb1e751030008a9f7e3

SHA1
b5c44a037d16bfd5cfe0e6ba9cb770111b3aac82

SHA256
33a822063dc53b5a693b5920f6a14bf4c9c1905c08b3257b7621c9f0c41d39d6

SHA512
fb86ef1c271d10da364654b244253a4492b8331d69e2a71479671a44f613b88a72822b5a849159b63b7b28c7cbe0c6b7ed35f82cf749a598b23676fae70f279c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\clean.mbdb

Filesize
10KB

MD5
b08f5c57848e38686fc3ea0214124e8c

SHA1
13b1fb16ac11decdaa6aadf702c29bb176076fe8

SHA256
9f526f72efc6115306277c70bb16f86112c35187e22291c2f23e0cebffc4e9a0

SHA512
b24ebcd09028995bf56ea9f1f8223fc3c4a8b26cb2d49c624b20373cdd439243d5b8663a058780f5a553274b5ecaacc0b817bf3b2b2bc156bb925e2062425597

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dbmanifest2.dat

Filesize
924B

MD5
0442a3f16c917d326496b95341cea953

SHA1
55c84ca2db1723565757e373d80f39c1d9a7b0e5

SHA256
5d13840e9d3b0b0a87319ccebc8a522a80362cad89629a731a600d719c6e88ff

SHA512
7c3d3ebcd3710ebe30b4a7535d22aa4b39ffaccf6a6866757d4a43921e1aa03a6ab3be177987cbbcbe6da514fd2eb7aef3dbca6ade93123b7fcb5060210367d7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dynconfig.dat

Filesize
39KB

MD5
10f23e7c8c791b91c86cd966d67b7bc7

SHA1
3f596093b2bc33f7a2554818f8e41adbbd101961

SHA256
008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

SHA512
2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\exclusions.txt

Filesize
23KB

MD5
aef4eca7ee01bb1a146751c4d0510d2d

SHA1
5cf2273da41147126e5e1eabd3182f19304eea25

SHA256
9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

SHA512
d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\ig.exe

Filesize
1.8MB

MD5
f4bcae29120428ab0d1b72acc375d7fe

SHA1
0970f103d74c634a91afd69388ab692f2df4819a

SHA256
f6e63c104b5a3714a035d2272e4663b0d9599c405bb31e7f9e7e108205707d4a

SHA512
078c4a5a15882ad74eaae3539bb787f28a5b3bb18e8b3a33bf44cfaf98d7dae05bf73245193ad2d3075686b6405c25a6cecdad3d6bb36ffa8b3da5812ae675b0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\mbdigsig2.dat

Filesize
514B

MD5
9167f2b5ae53627de5512e4ead331cdc

SHA1
2b76c5f12bf096641e9d6c2c95b061b87e7e746e

SHA256
1430c15216fe4cb7461b059b01e04a9d539c6e6de88d98b40d017932781faf47

SHA512
272429b6df67ad273800358c19458eaaf65f34f0bb6ae19f667303f0d93a31005abafaf71ba51927f33107630cb32289891548f59906d35c8df7a88bd64f14b2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\prot.mbdb

Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rdefs.mbdb

Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rules.mbdb

Filesize
21.7MB

MD5
f73eeea88febe13d789520e87483c292

SHA1
b2ff4540f9337c1ab8f379117fc7692fcc081b48

SHA256
7dfb153f20937862b76eee4437f2ac618427da906d1f7bd0d6fec57eceac043c

SHA512
4e71487b15a4984cad2dd559100532475787cd8a1a4686fa212a2ec20a801fbd2ebab65c08c6451fe6c34bf1cb726829d747afd266d87f74c844d9b55bc74016

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dll

Filesize
528KB

MD5
f712ebc5aa4cc78b7f1a0c8810ce7db4

SHA1
48899721fbcd93b7d5440ce269b7777a62582eab

SHA256
46d6f6dad272240bcdcfc0d5c42f88a2784a5ebf31bb284555cf260b21e8a4d1

SHA512
20ea70c3b4e3cdd3727207b9b13e54332bee15ca18cde5228c7f93982310d77e5f6ebccd1a8251ad4d8cbf9ac6646bf7f5856f1c82d3b3ef2390fa779ec06017

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\scan.mbdb

Filesize
1.4MB

MD5
3e2599322e6c4b24689ad33a1ea0875e

SHA1
0cf990c744b3a401961113da95782bce39be53cd

SHA256
bb7a496a689ecde10e537dc5eb1c8f374b52287a763bcc0cb5388adc05085f38

SHA512
573bb53e673d7e403d63f30afd181690be3f47adc77fa882e372a50ec9bbc7c365251f4f5092aacbbc350a195713020ed435ffbf8d8436028e9e8e230345a81d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\tids.mbdb

Filesize
233KB

MD5
471541d2750183c22b806f20c78b3b4c

SHA1
879698ec92809b1846955ac46bb40bdbd705a091

SHA256
8d8339a1e58886e580c28c516a697f526efd5ec0b92c588f1638112d9c5b119d

SHA512
11933a0ef1fbbb0c4d6b0ffdb84c652bf96ef5079941d51a0736f7055ff5b608f1101c57147f3b9662aec7391b183a77a2499254a2d7826631c49bcf7bda3f85

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\wprot2.mbdb

Filesize
38.9MB

MD5
bfc5a5f64dd1c2af0ad9cd1057a5e127

SHA1
e965a7f52df192eba3463be57b6097486042e4c6

SHA256
fc3eceb8d034cbad69f29d2a5dbb322c795754c3f518c7a7b78b6a8c33559c2b

SHA512
3bd3e7c77540b59c036dbc3e6b4f2b806ea5ea4199a5dbfdeb7899f31869217c9d7051ab16f389729a8e18d1a21e8ce97a4328fb8768cbd6ddb491d0ad96bb83

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\pkgvers.dat

Filesize
75B

MD5
41fb6e2500f1c73388454b2a49bac2e3

SHA1
654740636a4a562872417aa1fd8be9b841004861

SHA256
a8dc97bc10cfe317ec6ff9fe4367ef7ff272f054e099d95bd255a04ea914e9e6

SHA512
32fca5719ada6ee6c9dfe6fdf7d0b7992ee268b5646d0196c8c477dcc6dd798fd5f24dbf6fa148cd58e074a0046c9be9b3b2ef4bedd7bb124c5147ae1c7bb2af

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
152KB

MD5
5fc7459e0bc4f6a3f8481f6234e186b6

SHA1
4a4735df45f12641288806df6c1872a6737a703d

SHA256
657e013592b2fb9832c79b401e0256b4a079effa4dc0e4d9bd2420c3e47b84c1

SHA512
1ddeb76d9f1804aff8990921ba1e03c0e4081772916acf7173484b0a5bb1e3ea144c6bd43ace694ec0d0060651d08dd7f0b228d00a2bc97948cf46d523b3b4b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
09e477f991ca592d480ef490e862375c

SHA1
133649d5f59b9b96b324744bc0debfcdbf166021

SHA256
cf5bb4968ff4a3ffcc0972960743c1e362520f5b0f73b463af044abb459013b1

SHA512
98bd3aecb5731be85907aa8a524e485baa7d10d78d437da4223ea09b995b4b13a8557a8ad92bec18cfba3fa7f906279837ae9abd3cdd28c5da1b7adfa5cf15ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
714a4d8124235f19e165c355e99c9f9b

SHA1
0af97edf2620739bd3f04325bf31b083f1ad09fb

SHA256
949ae81d7d2c737bdf251d883eb34adfca42151937841b00e955bf6c9ac5b97e

SHA512
d1fb1afb1371c25b7790018d6ef6a2ba70102ab9871e1d6e8cac0b32f37f3923047dc03f37230058f79e88f6f3c4fc4d8266252752e6c973921d210763076bc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
5c34fe895afff10657329eb1e31527aa

SHA1
56ef290ae4fbff15379ce9581cdc718d47dce9ff

SHA256
f8ebaf1e4f917591821a9f3df964321eac1adb064fbc43ee16b786cacf7898cd

SHA512
8b4b8434a2c243df54fb1522580f0fefc16f569c6f73cac0c930d0eaec3cf1227122069498a31fcf1ea3d60a97acb4859022c7be92639b4268f54ea885757e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
1147b02feabd02b1521db8e9a99ca794

SHA1
92f13e302fc75896491b227250535e40a8c2a6d6

SHA256
c8ffec3dab522e02b14aec937b4cf98dcb8bf2e25b17fba89dcce2c41d9479fb

SHA512
a3eece792be436ddee7ce070ac3f937b61f623858d89edcca25af46ed6eb6288167430fc2432e476df344dd35d870010143041b03a3272da11be0988b496a796

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs.js

Filesize
6KB

MD5
feb8a52858c8167a58f36caa1b37f116

SHA1
7ae7f9d2721ae3c579f9e18e4fea679e8c848158

SHA256
adbc4c7b5e775c3d401ae811d5be5a69b844f5937e3d0a416d374dd5a7ec227a

SHA512
109d42ec5b9744b3561d29a9cabdcf2ffb81233935fa5c2d80c39f27b92ae55366c3c51ae3d26cc1a8936635662acbd11af89e54efac374aceaa279f13e7dc16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
9474bb1868b4160b8c8f9cbc2a2e99ec

SHA1
1821852760f6508f94fb1a8d7d01325a8a8378bc

SHA256
a28709f35548fcb39fb7e34e4ec052cce1f2714ee2672a8b2ed30326862e6101

SHA512
d47433857d00915c3486d1c9cfa77a19da752ff23256811fe6bcba62cf62c2609a9f8cbbfc45f412d50f2a5bcb62802313b204bf6b39328d95c4a7fc4a261dbd

Download Submit
C:\Windows\TEMP\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\servicepkg\SectigoRootCA.crt

Filesize
1KB

MD5
b821ee78c10eda973c40a382fa5ca457

SHA1
f40c413c6d17c4c4195d30a9a1454d186710727c

SHA256
028fd01ccc988386d6718eda921f6131044a61c06e0f84574d4911918e4659f3

SHA512
ea4b9b5e8d7ea4e9c137fc21b36112c01905aad771ad09c408ab94d7eb7d0458a60f3730b5a5af6cbfe8d6167c28132483b68900e7c8db55a4430e7bbd56d61f

Download Submit
C:\Windows\TEMP\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\servicepkg\msrootca2020.crt

Filesize
2KB

MD5
77ac2a1ae404c2e29334c4d0ce29ac0e

SHA1
c8eecd58d3b43a2ddec5054ef9eacdf0c2940e62

SHA256
626727d3f4fb4c4ef816648217966d5eb2a028afe03c801788b1834a456b48e8

SHA512
40bf30c83db166803798fdfbdcbc04d6d01bce7ec569d2f24089bf1b6d81f8694876d43c29ce78359d1101d40386044a0b9f11aedabb3a6348eb1a7da6762fd9

Download Submit
C:\Windows\TEMP\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\servicepkg\starfieldClass2CA.crt

Filesize
1KB

MD5
7fe5fafc33ce6e6f97e73bc5071bc3ce

SHA1
9ea40194cd3610f746f9fadee86d8e57e7905d2e

SHA256
64e8c4bf59964857adcd42001e719c1764a7f060d52b170982504e07bd26246b

SHA512
4578f75aa7bd65e5932c9d851299f1ec71bcc6c3e70361a9df76053532f246e026de1cbfdfdc8ac285bc5c9eb32fcc39cdcd405995734f3d3256c61cfbaeca09

Download Submit
C:\Windows\TEMP\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\servicepkg\starfieldrootcag2_new.crt

Filesize
993B

MD5
d63981c6527e9669fcfcca66ed05f296

SHA1
b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e

SHA256
2ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f5

SHA512
5fada52ff721f4f7f14f5a70500531fa7b131d1203eabb29b5c85a39d67cf358287d9d5b9104c8517b9757dba58df9527d07dc9a82f704b8961f8473cdd92ae7

Download Submit
C:\Windows\Temp\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\7z.dll

Filesize
1.6MB

MD5
ab8f0c1a37c0df5c8924aab509db42c9

SHA1
53dba959124e6d740829bda2360e851bcb85cce8

SHA256
6e223b275b84d948cc5ae1f161f0bfff2adb34de04634c84d7dbe9305a4998d5

SHA512
ff8a26e8fd5a08c74e5ba93a564e0d3cd932754e7f06993a365bfad06670497889e69ec45bfba1378040b72f82d468e79682beba2439937bb29d2a41da940d4a

Download Submit
C:\Windows\Temp\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\7z.dll

Filesize
1.6MB

MD5
ab8f0c1a37c0df5c8924aab509db42c9

SHA1
53dba959124e6d740829bda2360e851bcb85cce8

SHA256
6e223b275b84d948cc5ae1f161f0bfff2adb34de04634c84d7dbe9305a4998d5

SHA512
ff8a26e8fd5a08c74e5ba93a564e0d3cd932754e7f06993a365bfad06670497889e69ec45bfba1378040b72f82d468e79682beba2439937bb29d2a41da940d4a

Download Submit
C:\Windows\Temp\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\ctlrpkg\mbae64.sys

Filesize
154KB

MD5
95515708f41a7e283d6725506f56f6f2

SHA1
9afc20a19db3d2a75b6915d8d9af602c5218735e

SHA256
321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6

SHA512
d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08

Download Submit
C:\Windows\Temp\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\servicepkg\MBAMService.exe

Filesize
8.7MB

MD5
acd4e9792488adc9627075238bcf3843

SHA1
54f49eba565197460b564af8ddfacad91df960ff

SHA256
84864e2ce732b2007492cdba8fd83d25f2a6314414e97f67e7bab9cb66ce3833

SHA512
8a0d680d532621da8e174ddc6142a89cf81b5af7d8a4325cffbcd61f473d3006dd419d0f740454610be818c53858ea7a30c22102465522130b5ba9b15c7a13a0

Download Submit
C:\Windows\Temp\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\servicepkg\mbamelam.cat

Filesize
10KB

MD5
60608328775d6acf03eaab38407e5b7c

SHA1
9f63644893517286753f63ad6d01bc8bfacf79b1

SHA256
3ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59

SHA512
9f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7

Download Submit
C:\Windows\Temp\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\servicepkg\mbamelam.inf

Filesize
2KB

MD5
c481ad4dd1d91860335787aa61177932

SHA1
81633414c5bf5832a8584fb0740bc09596b9b66d

SHA256
793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3

SHA512
d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830

Download Submit
C:\Windows\Temp\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\servicepkg\mbamelam.sys

Filesize
20KB

MD5
9e77c51e14fa9a323ee1635dc74ecc07

SHA1
a78bde0bd73260ce7af9cdc441af9db54d1637c2

SHA256
b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0

SHA512
a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186

Download Submit
C:\Windows\Temp\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\servicepkg\mbshlext.dll

Filesize
2.7MB

MD5
b7e5071b317550d93258f7e1e13e7b6f

SHA1
2d08d78a5c29cf724bc523530d1a9014642bbc60

SHA256
467de01d7cee7ec54166b80658ff22f9feebdb1c24eaf1629cf40e4124508064

SHA512
9c35293c95c1a9141740ac99315605964aa37c4a42d3a11cae9e5649ff1427a9480d3d5e7f763212cf13db3511c5ea3c84e68f95f0067fe6339a9d3fb7b27c54

Download Submit
C:\Windows\Temp\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\uipkg\QtQuick\Controls.2\HorizontalHeaderView.qml

Filesize
1KB

MD5
d8c9674c0e9bddbd8aa59a9d343cf462

SHA1
490aa022ac31ddce86d5b62f913b23fbb0de27c2

SHA256
1ef333b5fb4d8075973f312ef787237240b9f49f3f9185fb21202883f900e7d7

SHA512
0b86ec673133f6400c38b79f9ba4f7b37ce5afdab1a2e34acbf75019e2590cc26b26d323ddc1567c91375053c9c8593be0615389db8eb1a8d1eb084ad4200b82

Download Submit
C:\Windows\Temp\MBInstallTemp7e8b5c69cad811ed881e72edbb006969\uipkg\QtQuick\Controls.2\Imagine\VerticalHeaderView.qml

Filesize
1KB

MD5
829769b2741d92df3c5d837eee64f297

SHA1
f61c91436ca3420c4e9b94833839fd9c14024b69

SHA256
489c02f8716e7a1de61834b3d8bbb61bce91ca4a33a6b62342b4c851d93e51e0

SHA512
4061c271db37523b9dea9a9973226d91337e1809d4e7767e57ac938d35d77a302363ed92ab4be18c35ba589f528194ad71c93a8507449bf74dd035acf7cdb521

Download Submit
memory/1704-4208-0x000001633AA90000-0x000001633AED0000-memory.dmp

Filesize
4.2MB

Download
memory/1704-4204-0x00007FFD73470000-0x00007FFD739DB000-memory.dmp

Filesize
5.4MB

Download
memory/1704-4203-0x00007FFD7A9E0000-0x00007FFD7ADFE000-memory.dmp

Filesize
4.1MB

Download
memory/1704-4210-0x000001633AED0000-0x000001633B0D0000-memory.dmp

Filesize
2.0MB

Download
memory/1704-4207-0x0000016338520000-0x0000016338530000-memory.dmp

Filesize
64KB

Download
memory/3812-4205-0x000001FF9BD00000-0x000001FF9C1B0000-memory.dmp

Filesize
4.7MB

Download
memory/3812-3364-0x000001FF9BD00000-0x000001FF9C1B0000-memory.dmp

Filesize
4.7MB

Download
memory/3812-4206-0x000001FF9C610000-0x000001FF9CBD0000-memory.dmp

Filesize
5.8MB

Download
memory/3812-3239-0x000001FF9BD00000-0x000001FF9C1B0000-memory.dmp

Filesize
4.7MB

Download
memory/3812-3365-0x000001FF9C610000-0x000001FF9CBD0000-memory.dmp

Filesize
5.8MB

Download