hxxp://google[.]com

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMChameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	MBAMService.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup-FA66A20B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup-FA66A20B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBAMService.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\International\Geo\Nation	MBSetup-FA66A20B.exe

Executes dropped EXE 6 IoCs

pid	Process
2220	MBSetup-FA66A20B.exe
744	MBAMInstallerService.exe
4628	MBAMService.exe
2604	MBAMService.exe
3580	mbamtray.exe
5208	mbam.exe

Loads dropped DLL 64 IoCs

pid	Process
744	MBAMInstallerService.exe
744	MBAMInstallerService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
744	MBAMInstallerService.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe
5208	mbam.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ThreadingModel = "Apartment"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbshlext.dll"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LOCALSERVER32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\H:	MBAMService.exe
File opened (read-only)	\??\F:	MBAMInstallerService.exe
File opened (read-only)	\??\L:	MBAMInstallerService.exe
File opened (read-only)	\??\R:	MBAMInstallerService.exe
File opened (read-only)	\??\Q:	MBAMInstallerService.exe
File opened (read-only)	\??\T:	MBAMInstallerService.exe
File opened (read-only)	\??\X:	MBAMInstallerService.exe
File opened (read-only)	\??\A:	MBAMService.exe
File opened (read-only)	\??\G:	MBAMService.exe
File opened (read-only)	\??\Z:	MBAMService.exe
File opened (read-only)	\??\K:	MBAMInstallerService.exe
File opened (read-only)	\??\O:	MBAMInstallerService.exe
File opened (read-only)	\??\S:	MBAMInstallerService.exe
File opened (read-only)	\??\U:	MBAMInstallerService.exe
File opened (read-only)	\??\W:	MBAMInstallerService.exe
File opened (read-only)	\??\F:	MBAMService.exe
File opened (read-only)	\??\Y:	MBAMService.exe
File opened (read-only)	\??\B:	MBAMInstallerService.exe
File opened (read-only)	\??\J:	MBAMInstallerService.exe
File opened (read-only)	\??\Z:	MBAMInstallerService.exe
File opened (read-only)	\??\Q:	MBAMService.exe
File opened (read-only)	\??\X:	MBAMService.exe
File opened (read-only)	\??\H:	MBAMInstallerService.exe
File opened (read-only)	\??\M:	MBAMInstallerService.exe
File opened (read-only)	\??\J:	MBAMService.exe
File opened (read-only)	\??\M:	MBAMService.exe
File opened (read-only)	\??\O:	MBAMService.exe
File opened (read-only)	\??\P:	MBAMService.exe
File opened (read-only)	\??\E:	MBAMInstallerService.exe
File opened (read-only)	\??\P:	MBAMInstallerService.exe
File opened (read-only)	\??\Y:	MBAMInstallerService.exe
File opened (read-only)	\??\B:	MBAMService.exe
File opened (read-only)	\??\I:	MBAMService.exe
File opened (read-only)	\??\R:	MBAMService.exe
File opened (read-only)	\??\V:	MBAMService.exe
File opened (read-only)	\??\K:	MBAMService.exe
File opened (read-only)	\??\T:	MBAMService.exe
File opened (read-only)	\??\U:	MBAMService.exe
File opened (read-only)	\??\G:	MBAMInstallerService.exe
File opened (read-only)	\??\N:	MBAMService.exe
File opened (read-only)	\??\N:	MBAMInstallerService.exe
File opened (read-only)	\??\A:	MBAMInstallerService.exe
File opened (read-only)	\??\I:	MBAMInstallerService.exe
File opened (read-only)	\??\V:	MBAMInstallerService.exe
File opened (read-only)	\??\E:	MBAMService.exe
File opened (read-only)	\??\L:	MBAMService.exe
File opened (read-only)	\??\S:	MBAMService.exe
File opened (read-only)	\??\W:	MBAMService.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\38D10539991D1B84467F968981C3969D_C92678066E2B4B4986BC7641EEC08637	MBAMService.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_C92678066E2B4B4986BC7641EEC08637	MBAMService.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\leftanglearrow.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\MenuBarItem.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Label.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\TabBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\VerticalHeaderView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\TrayPlugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\CircularGaugeStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\DelayButtonStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\CheckBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\RangeSlider.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Extras\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-util-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\BusyIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\CircularTickmarkLabelStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\Frame.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\SliderGroove.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Pane.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\DelayButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_fr.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\AbstractButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Container.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\RadioButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\RadioDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\RadioButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\PrivateWidgets\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-crt-private-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\GaugeStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\SwipeView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\DelayButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\ToolTip.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\MenuBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-file-l2-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\CalendarHeaderModel.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\SplitView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\SwipeDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\DefaultDialogWrapper.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-crt-math-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\editbox.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Button.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\HorizontalHeaderView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\Page.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-crt-time-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\ComboBoxStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\knob.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\RangeSlider.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\SliderHandle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\BrowserSDKDLLShim.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\version.dat	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtCharts\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\FocusFrame.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Frame.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\SplitView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\RoundButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbam.firefox.manifest.json	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\MwacSdkShim.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\JumpListLink.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\AbstractCheckable.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\check.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\ScrollViewStyle.qml	MBAMInstallerService.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\ELAMBKUP\MbamElam.sys	MBAMService.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	MBAMService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MBAMService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MBAMService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMInstallerService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MBAMService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MBAMService.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133248195321988967"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MBAMService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	certutil.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\System32\CertCA.dll,-305 = "Endorsement Key Intermediate Certification Authorities"	certutil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36F3C7D7-BCB1-4359-AB71-0CB816FE3D38}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\ProgID\ = "MB.UpdateController.1"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E3D4AC2-A9AE-478A-91EE-79C35D3CA8C7}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE77988C-B530-4686-8294-F7AB429DFD0C}\TypeLib\ = "{F5BCAC7E-75E7-4971-B3F3-B197A510F495}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7DD05E6E-FF07-4CD3-A7BA-200BEC812A5C}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B471ACFB-E67A-4BE9-A328-F6A906DDDEAA}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B3DFEA6-6514-42CF-A091-C4DFFD9C2158}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E96FEF0-48F7-4ECB-B010-501044575477}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\malwarebytes\shell\open	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0067A5-A8F1-46BF-AA32-F418656FDE6F}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{562B1FA7-13DE-40A1-8839-AB2C5FA3129C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5186B66-AE3D-4EC4-B9F5-67EC478625BE}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AB5C774-8EB7-4C1B-9BBB-5AC3E2C291DD}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}\1.0	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2D1C2BC-3427-478E-A903-ADFBCF5711CD}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7DAEEB9-30B6-4AC4-BB74-7763C950D8EC}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAD7766B-F8F3-4944-AFE6-5D667E535709}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3B24818-1CC9-4825-96A9-1DB596E079C8}\ = "_ILogControllerEvents"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6655E528-3168-47A4-BF82-A71E9E6AB5F7}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E46A48DF-07CC-4C7F-89BB-145CF0DFC60A}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DCF0F42-EF8F-4450-BA68-42B61F594B2F}\ = "ITelemetryControllerEvents"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5250E5C8-A09C-4F87-A0DA-A46A62A0EACF}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD6673C7-8E52-46EE-80B8-58F3FB6AA036}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD6673C7-8E52-46EE-80B8-58F3FB6AA036}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\Programmable	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{778103CC-4FA4-42AC-8981-D6F11ACC6B7F}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59E42E77-5F19-4602-A559-3FFA9EE51202}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.MBAMServiceController.1\CLSID	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF7DFB76-BA49-4191-8B62-0AC3571C56D7}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F798C4B-4059-46F9-A0FE-F6B1664ADE96}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B59F38D8-23CF-4D7F-BAE8-939738B3001B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DA5636E-CD8F-4F2D-9351-4270985E1EB3}\ = "_IScannerEventsV3"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BCAC7E-75E7-4971-B3F3-B197A510F495}\1.0\FLAGS\ = "0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A173904-D20F-4872-93D5-CBC1336AE0D6}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C510D99-F27D-457F-9469-CFC179DBE0C7}\ = "IAEControllerV7"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9669A3D-81E8-46F6-A51E-815A0863D612}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CloudController	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.ScanController.1\ = "ScanController Class"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.UpdateController.1\CLSID\ = "{376BE474-56D4-4177-BB4E-5610156F36C8}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AEBAD20-B80A-427D-B7D5-D2983291132E}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0EB1521-C843-47D5-88D2-5449A2F5F40B}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C367B540-CEF4-4271-8395-0C28F0FDADDA}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E777BB2-8526-437A-BBE2-42647DE2EC86}\ = "IScanParametersV5"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA6C70E7-6A6D-4F4A-99BF-C8B375CB7E0C}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E149FEF9-F1DC-4894-8A8E-AA53F6807EFD}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FB81F893-5D01-4DFD-98E1-3A6CB9C3E63E}\ = "IMWACControllerV12"	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC5390D0-3831-4D42-BD1D-8151A5A1742C}\ = "IScanControllerEvents"	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A173904-D20F-4872-93D5-CBC1336AE0D6}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\Version\ = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BFC6C7E6-8475-4F9B-AC56-AD22BECF91C4}\ = "IMBAMServiceControllerEventsV2"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68E3012A-E3EC-4D66-9132-4E412F487165}\ = "IScanControllerV9"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{02143C0F-1656-4B2E-95E7-EA8178A29E2E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DAE713-FD88-4ADB-9406-04CB574D543C}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72F290D5-789C-4D8A-9EBE-63ECEA150373}\TypeLib\ = "{226C1698-A075-4315-BB5D-9C164A96ACE7}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{32DF4C97-FE35-41AA-B18F-583AA53723A3}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2D4A69C-14CA-4825-9376-5B4215AF5C5E}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F967173-2B83-4B7F-A633-074B06FD0C64}\ = "IScanControllerEventsV7"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E423AF9-25D2-451E-8D81-08D44F63D83F}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC60FEE4-E373-4962-B548-BA2E06119D54}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44AC1571-055F-4CC8-B7D8-EA022C4CC112}\ProxyStubClsid32	MBAMService.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa20f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MBAMService.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3580	mbamtray.exe
5208	mbam.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
744	MBAMInstallerService.exe
744	MBAMInstallerService.exe
744	MBAMInstallerService.exe
744	MBAMInstallerService.exe
744	MBAMInstallerService.exe
744	MBAMInstallerService.exe
744	MBAMInstallerService.exe
744	MBAMInstallerService.exe
744	MBAMInstallerService.exe
744	MBAMInstallerService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2220	MBSetup-FA66A20B.exe
2220	MBSetup-FA66A20B.exe
2220	MBSetup-FA66A20B.exe
2220	MBSetup-FA66A20B.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
5116	chrome.exe
5116	chrome.exe
2604	MBAMService.exe
2604	MBAMService.exe
5208	mbam.exe
5208	mbam.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
5208	mbam.exe
5208	mbam.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
5208	mbam.exe
5208	mbam.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe
2604	MBAMService.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5208	mbam.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
628	Process not Found
628	Process not Found
628	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4588	MicrosoftEdgeCP.exe
4588	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
2460	chrome.exe
2460	chrome.exe
5208	mbam.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
2460	chrome.exe
2460	chrome.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe
3580	mbamtray.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4024	MicrosoftEdge.exe
4588	MicrosoftEdgeCP.exe
4588	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2488	2460	chrome.exe	66
PID 2460 wrote to memory of 2488	2460	chrome.exe	66
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4584	2460	chrome.exe	68
PID 2460 wrote to memory of 4584	2460	chrome.exe	68
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70
PID 2460 wrote to memory of 3060	2460	chrome.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://google.com
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa03d49758,0x7ffa03d49768,0x7ffa03d49778
    3⤵
    PID:2488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:8
    3⤵
    PID:4584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:2
    3⤵
    PID:4080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:8
    3⤵
    PID:3060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2728 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:1
    3⤵
    PID:2692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2720 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:1
    3⤵
    PID:2632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:1
    3⤵
    PID:1204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:8
    3⤵
    PID:4320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:8
    3⤵
    PID:5036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3268 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:1
    3⤵
    PID:2680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5192 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:1
    3⤵
    PID:2224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5544 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:8
    3⤵
    PID:5016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5524 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:8
    3⤵
    PID:4836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:8
    3⤵
    PID:2572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6008 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:1
    3⤵
    PID:4012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5864 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:1
    3⤵
    PID:2108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:8
    3⤵
    PID:212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6104 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:8
    3⤵
    PID:1676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6024 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:8
    3⤵
    PID:800
- - C:\Users\Admin\Downloads\MBSetup-FA66A20B.exe
    "C:\Users\Admin\Downloads\MBSetup-FA66A20B.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2444 --field-trial-handle=1788,i,6706434761009360967,1772310872975272129,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5116
- C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:5208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3136

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:744
- C:\Windows\system32\certutil.exe
  "C:\Windows\system32\certutil.exe" -f -addstore root "C:\Windows\TEMP\MBInstallTemp6ef99615d07a11ed99f1feff0dc94917\servicepkg\starfieldrootcag2_new.crt"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4492
- C:\Windows\system32\certutil.exe
  "C:\Windows\system32\certutil.exe" -f -addstore root "C:\Windows\TEMP\MBInstallTemp6ef99615d07a11ed99f1feff0dc94917\servicepkg\msrootca2020.crt"
  2⤵
  PID:3348
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Registers COM server for autorun
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  PID:4628

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2604
- C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3580
- C:\Users\Admin\AppData\LocalLow\IGDump\twnphluilamgxysensfjugoihmolhrlw\ig.exe
  ig.exe secure
  2⤵
  PID:5540

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4024

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2252

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:4852

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408
1⤵
PID:5748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery