bazarbackdoor | 4205b5eddc13a65524ad26863ce048ca67ea2cca3bae20ddcc73d7cce926f8c7

Analysis

max time kernel
956s
max time network
958s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
07-04-2023 20:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Valyse Launcher.exe
Size

9.8MB
MD5

0fd78804897c07936d54739b8e65fb49
SHA1

ef8955ccb92b1d87e8553a01868da740dd1919f0
SHA256

4205b5eddc13a65524ad26863ce048ca67ea2cca3bae20ddcc73d7cce926f8c7
SHA512

1168e7dc5d013c2bde5d9f9394b6c14e47cb0c1e49915f0988632e19123148beb12a39a818d1fe1ab9c4042597c36b169c48acaee39a32e2dc2f0108146cffbc
SSDEEP

196608:Yk9adX+cTGCxPQHirKfwNJeP3//hr98jdu6RubbKtgSebm:Yk9kJT7VpNm598xu64bbKt4

Score

10^/10

bazarbackdoor backdoor discovery persistence spyware stealer

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

MBSetup-01908E66.exe

description pid process target process

PID 1400 created 3176 1400 MBSetup-01908E66.exe Explorer.EXE

description	pid	process	target process
PID 1400 created 3176	1400	MBSetup-01908E66.exe	Explorer.EXE

Bazar/Team9 Backdoor payload 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe	BazarBackdoorVar3

Downloads MZ/PE file

Drops file in Drivers directory 17 IoCs

Processes:

MBSetup-01908E66.exeMBAMService.exeMBAMService.exeMBAMInstallerService.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup-01908E66.exe
File created	C:\Windows\system32\DRIVERS\SET3EB0.tmp	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\SET37E9.tmp	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET3EB0.tmp	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamChameleon.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\SET4C2F.tmp	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\mwac.sys	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET4C7E.tmp	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\mbam.sys	MBAMService.exe
File created	C:\Windows\system32\drivers\mbae64.sys	MBAMInstallerService.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET37E9.tmp	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\mbamswissarmy.sys	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET4C2F.tmp	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\SET4C7E.tmp	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\farflt.sys	MBAMService.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MBAMService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMChameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	MBAMService.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBSetup-01908E66.exeMBAMService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup-01908E66.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup-01908E66.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBAMService.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBSetup-01908E66.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Control Panel\International\Geo\Nation	MBSetup-01908E66.exe

Executes dropped EXE 39 IoCs

Processes:

webview.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeWebview_X86_110.0.1587.63.exesetup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeValyse.exeMBSetup-01908E66.exeMBAMInstallerService.exeMBAMService.exeMBAMService.exembamtray.exeig.exeig-0.exeig-1.exeig-2.exeig-3.exeig-4.exeig-5.exeig-6.exeig-7.exeMB-SupportTool.exembam.exembstub.exembam.exembamtray.exeMBAMWsc.exe

pid	process
4876	webview.exe
388	MicrosoftEdgeUpdate.exe
912	MicrosoftEdgeUpdate.exe
4892	MicrosoftEdgeUpdate.exe
1536	MicrosoftEdgeUpdateComRegisterShell64.exe
3408	MicrosoftEdgeUpdateComRegisterShell64.exe
1016	MicrosoftEdgeUpdateComRegisterShell64.exe
804	MicrosoftEdgeUpdate.exe
1820	MicrosoftEdgeUpdate.exe
824	MicrosoftEdgeUpdate.exe
3904	MicrosoftEdgeUpdate.exe
712	MicrosoftEdgeWebview_X86_110.0.1587.63.exe
1716	setup.exe
1760	MicrosoftEdgeUpdate.exe
1788	MicrosoftEdgeUpdate.exe
4468	MicrosoftEdgeUpdateComRegisterShell64.exe
4948	MicrosoftEdgeUpdateComRegisterShell64.exe
408	MicrosoftEdgeUpdateComRegisterShell64.exe
2196	Valyse.exe
1400	MBSetup-01908E66.exe
4028	MBAMInstallerService.exe
2416	MBAMService.exe
4468	MBAMService.exe
5116	mbamtray.exe
2996	ig.exe
204	ig-0.exe
4188	ig-1.exe
2920	ig-2.exe
4584	ig-3.exe
2080	ig-4.exe
2352	ig-5.exe
2504	ig-6.exe
4800	ig-7.exe
4840	MB-SupportTool.exe
5096	mbam.exe
1976	mbstub.exe
2240	mbam.exe
3764	mbamtray.exe
1976	MBAMWsc.exe

Loads dropped DLL 64 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeValyse.exeMBAMInstallerService.exeMBAMService.exeExplorer.EXE

pid	process
388	MicrosoftEdgeUpdate.exe
1536	MicrosoftEdgeUpdateComRegisterShell64.exe
4892	MicrosoftEdgeUpdate.exe
3408	MicrosoftEdgeUpdateComRegisterShell64.exe
4892	MicrosoftEdgeUpdate.exe
1016	MicrosoftEdgeUpdateComRegisterShell64.exe
4892	MicrosoftEdgeUpdate.exe
824	MicrosoftEdgeUpdate.exe
1820	MicrosoftEdgeUpdate.exe
4468	MicrosoftEdgeUpdateComRegisterShell64.exe
1788	MicrosoftEdgeUpdate.exe
4948	MicrosoftEdgeUpdateComRegisterShell64.exe
1788	MicrosoftEdgeUpdate.exe
408	MicrosoftEdgeUpdateComRegisterShell64.exe
1788	MicrosoftEdgeUpdate.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
4028	MBAMInstallerService.exe
4028	MBAMInstallerService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
3176	Explorer.EXE
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe
4468	MBAMService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

MBAMService.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMBAMService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbshlext.dll"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ThreadingModel = "Apartment"	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MBAMInstallerService.exeMBAMService.exe

description	ioc	process
File opened (read-only)	\??\H:	MBAMInstallerService.exe
File opened (read-only)	\??\I:	MBAMInstallerService.exe
File opened (read-only)	\??\R:	MBAMInstallerService.exe
File opened (read-only)	\??\V:	MBAMInstallerService.exe
File opened (read-only)	\??\W:	MBAMInstallerService.exe
File opened (read-only)	\??\Y:	MBAMInstallerService.exe
File opened (read-only)	\??\F:	MBAMService.exe
File opened (read-only)	\??\R:	MBAMService.exe
File opened (read-only)	\??\U:	MBAMService.exe
File opened (read-only)	\??\X:	MBAMService.exe
File opened (read-only)	\??\Z:	MBAMService.exe
File opened (read-only)	\??\E:	MBAMInstallerService.exe
File opened (read-only)	\??\O:	MBAMInstallerService.exe
File opened (read-only)	\??\Q:	MBAMService.exe
File opened (read-only)	\??\T:	MBAMService.exe
File opened (read-only)	\??\P:	MBAMInstallerService.exe
File opened (read-only)	\??\S:	MBAMInstallerService.exe
File opened (read-only)	\??\X:	MBAMInstallerService.exe
File opened (read-only)	\??\E:	MBAMService.exe
File opened (read-only)	\??\H:	MBAMService.exe
File opened (read-only)	\??\K:	MBAMService.exe
File opened (read-only)	\??\G:	MBAMInstallerService.exe
File opened (read-only)	\??\J:	MBAMInstallerService.exe
File opened (read-only)	\??\L:	MBAMInstallerService.exe
File opened (read-only)	\??\T:	MBAMInstallerService.exe
File opened (read-only)	\??\B:	MBAMService.exe
File opened (read-only)	\??\J:	MBAMService.exe
File opened (read-only)	\??\S:	MBAMService.exe
File opened (read-only)	\??\A:	MBAMInstallerService.exe
File opened (read-only)	\??\K:	MBAMInstallerService.exe
File opened (read-only)	\??\U:	MBAMInstallerService.exe
File opened (read-only)	\??\L:	MBAMService.exe
File opened (read-only)	\??\N:	MBAMService.exe
File opened (read-only)	\??\V:	MBAMService.exe
File opened (read-only)	\??\W:	MBAMService.exe
File opened (read-only)	\??\Y:	MBAMService.exe
File opened (read-only)	\??\M:	MBAMInstallerService.exe
File opened (read-only)	\??\A:	MBAMService.exe
File opened (read-only)	\??\O:	MBAMService.exe
File opened (read-only)	\??\B:	MBAMInstallerService.exe
File opened (read-only)	\??\F:	MBAMInstallerService.exe
File opened (read-only)	\??\N:	MBAMInstallerService.exe
File opened (read-only)	\??\M:	MBAMService.exe
File opened (read-only)	\??\P:	MBAMService.exe
File opened (read-only)	\??\Q:	MBAMInstallerService.exe
File opened (read-only)	\??\Z:	MBAMInstallerService.exe
File opened (read-only)	\??\G:	MBAMService.exe
File opened (read-only)	\??\I:	MBAMService.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\FRSTEnglish.exe	autoit_exe

Checks system information in the registry 2 TTPs 10 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 24 IoCs

Processes:

MicrosoftEdgeUpdate.exeMBAMService.exeMBAMService.exeMicrosoftEdgeUpdate.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_C92678066E2B4B4986BC7641EEC08637	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7	MBAMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\38D10539991D1B84467F968981C3969D_C92678066E2B4B4986BC7641EEC08637	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\117308CCCD9C93758827D7CC85BB135E	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\117308CCCD9C93758827D7CC85BB135E	MBAMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9	MBAMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0E447C3E79584EC91182C66BBD2DB7	MBAMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

MBAMInstallerService.exewebview.exesetup.exeMBAMService.exe

description	ioc	process
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\BasicTableView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\ToolTip.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Slider.qml	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU23B1.tmp\msedgeupdateres_nb.dll	webview.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\110.0.1587.63\msedge.dll	setup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\MWACControllerImpl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-synch-l1-2-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\CircularTickmarkLabelStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\ScrollViewStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\MenuSeparator.qml	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU23B1.tmp\msedgeupdateres_et.dll	webview.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\Locales\fi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\onnxruntime.dll	setup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbcut.dll	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\edge_feedback\mf_trace.wprp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\Locales\en-US.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\110.0.1587.63\Locales\sr.pak	setup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\SliderGroove.qml	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\pwahelper.exe	setup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\CheckDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\Popup.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\Locales\is.pak	setup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\[email protected]	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\StatusBarStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\malwarebytes_assistant.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\Drawer.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\SpinBox.qml	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Swissarmy.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\SecurityProductInformation.ini	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\Trust Protection Lists\Mu\Entities	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\Trust Protection Lists\Mu\Social	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\110.0.1587.63\Trust Protection Lists\Sigma\Analytics	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\110.0.1587.63\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\CloudControllerImpl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\ModalPopupBehavior.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Label.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\PageIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\EdgeWebView.dat	setup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_da.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\StatusIndicatorStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\TableViewStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\ProgressBarStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\CheckIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\ToolSeparator.qml	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU23B1.tmp\EdgeUpdate.dat	webview.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\110.0.1587.63\telclient.dll	setup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\folderlistmodel\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\BasicTableViewStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU23B1.tmp\OfflineManifest.gup	webview.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Frame.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.tmf	MBAMService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\MenuBarItem.qml	MBAMInstallerService.exe
File created	C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-4.exe	MBAMService.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU23B1.tmp\msedgeupdateres_kn.dll	webview.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\Locales\sv.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\110.0.1587.63\Locales\nb.pak	setup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\FastGlow.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\XmlListModel\qmldir	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU23B1.tmp\msedgeupdateres_da.dll	webview.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\Notifications\SoftLandingAssetDark.gif	setup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\SwipeView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\dialogplugin.dll	MBAMInstallerService.exe

Drops file in Windows directory 5 IoCs

Processes:

MBAMService.exeMBAMService.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\ELAMBKUP\MbamElam.sys	MBAMService.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	MBAMService.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2644 2196 WerFault.exe Valyse.exe
2400 3340 WerFault.exe Valyse Launcher.exe

pid	pid_target	process	target process
2644	2196	WerFault.exe	Valyse.exe
2400	3340	WerFault.exe	Valyse Launcher.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBAMService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MBAMService.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4276 tasklist.exe

pid	process
4276	tasklist.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

MBAMInstallerService.exeMBAMService.exebrowser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdge.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MBAMInstallerService.exeMBAMService.execertutil.exeMBAMWsc.exechrome.exeMicrosoftEdgeUpdate.exeLogonUI.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MBAMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%systemroot%\system32\wsdapi.dll,-200 = "Trusted Devices"	certutil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\System32\SessEnv.dll,-101 = "Remote Desktop"	certutil.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MBAMWsc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MBAMInstallerService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	certutil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	MBAMInstallerService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MBAMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MBAMWsc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 64 IoCs

Processes:

MBAMService.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMBAMService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C731375E-3199-4C88-8326-9F81D3224DAD}\1.0\HELPDIR	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{778103CC-4FA4-42AC-8981-D6F11ACC6B7F}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{956AEAEB-8EA2-4BE1-AAD0-3BE4C986A1CC}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B2CCE9B-6446-450F-9C9D-542CD9FA6677}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}\1.0\0\win64\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\\14"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDCB7916-7DE8-44C8-BAF6-F1BBB3268456}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.RTPController.1\CLSID	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6655E528-3168-47A4-BF82-A71E9E6AB5F7}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2650A9C4-A53C-4BEF-B766-7405B4D5562B}	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63A6AB57-4679-4529-B78D-143547B22799}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82AA83E1-EC24-4908-90E5-FAA212B30200}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}\1.0\HELPDIR	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B05F69B-4F9B-4FD3-A491-16153F999E00}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADCD8BEB-8924-4876-AE14-2438FF14FA17}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.CoreMachineClass"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A0A45F1-CFB6-49A7-BBC4-8776F94857A8}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{226C1698-A075-4315-BB5D-9C164A96ACE7}\1.0\0\win64	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8ED8EAAB-1FA5-48D4-ACD4-32645776BA28}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F81B1882-A388-42E5-9351-05C858E52DDC}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc\ = "Microsoft Edge Update Legacy On Demand"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5201562-332D-4385-87E7-2BB41B1694AA}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96C7187E-6EC4-49BD-88C7-04A3A8A97CC5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0468FE5A-FFDA-4F57-83F5-79116160E9B8}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B59F38D8-23CF-4D7F-BAE8-939738B3001B}\ = "IAEControllerV6"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CE94D34-A1E4-4FA8-BEDC-6A32683B85F5}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8640989C-20B4-41BE-BFE1-218EF5B076A6}\TypeLib\ = "{EEC295FA-EC51-4055-BC47-022FC0FC122F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106E3995-72F9-458A-A317-9AFF9E45A1F0}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A0A45F1-CFB6-49A7-BBC4-8776F94857A8}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{748A86D4-7EDF-41EF-A1EF-9582643B1C9F}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90A62FAD-6FA9-4454-8CEE-7EDF67437226}\ = "IScannerEventsV2"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25321640-5EF1-4095-A0DA-30DE19699441}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71AC94F2-D545-438F-9156-C231B7D94A56}\ = "ILicenseControllerV10"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014D0CF7-ACC9-4004-B999-7BDBAAD274B7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6357A98F-CE03-4C67-9410-00907FB21BC7}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99E6F3FE-333C-462C-8C39-BC27DCA4A80E}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A173904-D20F-4872-93D5-CBC1336AE0D6}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CE94D34-A1E4-4FA8-BEDC-6A32683B85F5}\TypeLib\ = "{2446F405-83F0-460F-B837-F04540BB330C}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MBAMExt.MBAMShlExt\ = "MBAMShlExt Class"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3B24818-1CC9-4825-96A9-1DB596E079C8}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18C5830A-FF78-4172-9DFB-E4016D1C1F31}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79CAE9D0-99AA-4FEB-B6B1-1AC1A2D8F874}\ = "IUpdateControllerV5"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C4652FC-FA35-4394-A133-F68409776465}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\VersionIndependentProgID\ = "MB.LicenseController"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F49090F8-7DC6-4CBC-893A-C1B3DCF88D87}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0D8223D-D594-4147-BAD8-1E2B54ED1990}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ = "IGoogleUpdateCore"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\ = "PSFactoryBuffer"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68E3012A-E3EC-4D66-9132-4E412F487165}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C4652FC-FA35-4394-A133-F68409776465}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\ProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdate.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

MBAMService.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf50f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 19000000010000001000000060e2dc65295f1062e558f3fef235ed3c0f000000010000002000000071b437f087f3700ffd4e2fa46f42b6b810d7bf19adfedf951c023edd65b50b05030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e1400000001000000140000007c0c321fa7d9307fc47d68a362a8a1ceab075b272000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 0f000000010000002000000071b437f087f3700ffd4e2fa46f42b6b810d7bf19adfedf951c023edd65b50b05030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa20f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 1400000001000000140000007c0c321fa7d9307fc47d68a362a8a1ceab075b27030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e0f000000010000002000000071b437f087f3700ffd4e2fa46f42b6b810d7bf19adfedf951c023edd65b50b052000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f1140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa20f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf50f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

mbamtray.exembam.exembam.exe

pid process

5116 mbamtray.exe
5096 mbam.exe
2240 mbam.exe

pid	process
5116	mbamtray.exe
5096	mbam.exe
2240	mbam.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeValyse Launcher.exechrome.exeValyse Launcher.exeMicrosoftEdgeUpdate.exeValyse.exe

pid	process
3312	chrome.exe
3312	chrome.exe
5072	Valyse Launcher.exe
3208	chrome.exe
3208	chrome.exe
1588	Valyse Launcher.exe
1588	Valyse Launcher.exe
388	MicrosoftEdgeUpdate.exe
388	MicrosoftEdgeUpdate.exe
388	MicrosoftEdgeUpdate.exe
388	MicrosoftEdgeUpdate.exe
388	MicrosoftEdgeUpdate.exe
388	MicrosoftEdgeUpdate.exe
388	MicrosoftEdgeUpdate.exe
388	MicrosoftEdgeUpdate.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe
2196	Valyse.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

mbamtray.exembam.exe

pid process

5116 mbamtray.exe
5096 mbam.exe
Suspicious behavior: LoadsDriver 7 IoCs

Processes:

pid process

636
636
636
636
636
636
636
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

1780 MicrosoftEdgeCP.exe
1780 MicrosoftEdgeCP.exe

pid	process
5116	mbamtray.exe
5096	mbam.exe

pid	process
636
636
636
636
636
636
636

pid	process
1780	MicrosoftEdgeCP.exe
1780	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeValyse Launcher.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	3312	chrome.exe
Token: SeCreatePagefilePrivilege	3312	chrome.exe
Token: SeShutdownPrivilege	3312	chrome.exe
Token: SeCreatePagefilePrivilege	3312	chrome.exe
Token: SeShutdownPrivilege	3312	chrome.exe
Token: SeCreatePagefilePrivilege	3312	chrome.exe
Token: SeDebugPrivilege	5072	Valyse Launcher.exe
Token: SeShutdownPrivilege	3312	chrome.exe
Token: SeCreatePagefilePrivilege	3312	chrome.exe
Token: SeShutdownPrivilege	3312	chrome.exe
Token: SeCreatePagefilePrivilege	3312	chrome.exe
Token: SeShutdownPrivilege	3312	chrome.exe
Token: SeCreatePagefilePrivilege	3312	chrome.exe
Token: SeShutdownPrivilege	3312	chrome.exe
Token: SeCreatePagefilePrivilege	3312	chrome.exe
Token: SeShutdownPrivilege	3312	chrome.exe
Token: SeCreatePagefilePrivilege	3312	chrome.exe
Token: SeShutdownPrivilege	3312	chrome.exe
Token: SeCreatePagefilePrivilege	3312	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe
Token: SeCreatePagefilePrivilege	3208	chrome.exe
Token: SeShutdownPrivilege	3208	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exechrome.exe

pid	process
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3312	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
3208	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe
920	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeLogonUI.exe

pid process

948 MicrosoftEdge.exe
1780 MicrosoftEdgeCP.exe
1780 MicrosoftEdgeCP.exe
2944 LogonUI.exe

pid	process
948	MicrosoftEdge.exe
1780	MicrosoftEdgeCP.exe
1780	MicrosoftEdgeCP.exe
2944	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3312 wrote to memory of 1020	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 1020	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 4048	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2768	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2768	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe
PID 3312 wrote to memory of 2980	3312	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
PID:3176

C:\Users\Admin\AppData\Local\Temp\Valyse Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Valyse Launcher.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8bce49758,0x7ff8bce49768,0x7ff8bce49778
3⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1732,i,5099182467607092422,2607609778359808592,131072 /prefetch:2
3⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=1732,i,5099182467607092422,2607609778359808592,131072 /prefetch:8
3⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2016 --field-trial-handle=1732,i,5099182467607092422,2607609778359808592,131072 /prefetch:8
3⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1732,i,5099182467607092422,2607609778359808592,131072 /prefetch:1
3⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1732,i,5099182467607092422,2607609778359808592,131072 /prefetch:1
3⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4368 --field-trial-handle=1732,i,5099182467607092422,2607609778359808592,131072 /prefetch:1
3⤵
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1732,i,5099182467607092422,2607609778359808592,131072 /prefetch:8
3⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1732,i,5099182467607092422,2607609778359808592,131072 /prefetch:8
3⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1732,i,5099182467607092422,2607609778359808592,131072 /prefetch:8
3⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1732,i,5099182467607092422,2607609778359808592,131072 /prefetch:8
3⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1732,i,5099182467607092422,2607609778359808592,131072 /prefetch:8
3⤵
PID:652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8bce49758,0x7ff8bce49768,0x7ff8bce49778
3⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:8
3⤵
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:8
3⤵
PID:3184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2856 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:2
3⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3524 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:8
3⤵
PID:604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:8
3⤵
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:8
3⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:8
3⤵
PID:668

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
3⤵
PID:5060

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff7cde77688,0x7ff7cde77698,0x7ff7cde776a8
4⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:8
3⤵
PID:3168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3672 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4548 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:32

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4328 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4468 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4648 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4596 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4372 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:3532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5408 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2876 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5204 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:8
3⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2600 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:8
3⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5484 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:8
3⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=3168 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5768 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:1
3⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:8
3⤵
PID:804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 --field-trial-handle=1872,i,12943256427764597870,8992572555058941688,131072 /prefetch:8
3⤵
PID:980

C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\Valyse Launcher.exe
"C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\Valyse Launcher.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\webview.exe
"C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\webview.exe" /silent /install
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4876

C:\Program Files (x86)\Microsoft\Temp\EU23B1.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EU23B1.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers"
4⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
PID:388

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
5⤵
- Executes dropped EXE
- Modifies registry class
PID:912

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4892

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1536

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3408

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1016

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUEzRThBNDctRUY0OS00NUIzLTkxMzktRDlGRUQxODRGMkZCfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InswMEY0MzU3MS01OTNDLTREQzQtOTc2NC1GNEMxODhGRUI0MEJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTczLjQ1IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3MjQ2NDM0MjMwIiBpbnN0YWxsX3RpbWVfbXM9IjE1MjQiLz48L2FwcD48L3JlcXVlc3Q-
5⤵
- Executes dropped EXE
- Checks system information in the registry
PID:804

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers" /installsource offline /sessionid "{5A3E8A47-EF49-45B3-9139-D9FED184F2FB}" /silent /offlinedir "{A0CE7579-91BB-443D-9D01-99F61F21F758}"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "1820" "896" "872" "892" "0" "0" "0" "0" "0" "0" "0" "0"
6⤵
PID:796

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "388" "544" "1136" "548" "0" "0" "0" "0" "0" "0" "0" "0"
5⤵
PID:4696

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /unregserver
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1788

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe" /unregister
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
PID:4468

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe" /unregister
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4948

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe" /unregister
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:408

C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\bin\Valyse.exe
"C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\bin\Valyse.exe" launcher-type-valyse
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 3188
4⤵
- Program crash
PID:2644

C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\Valyse Launcher.exe
"C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\Valyse Launcher.exe"
2⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 2416
3⤵
- Program crash
PID:2400

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:704

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:4276

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8bce49758,0x7ff8bce49768,0x7ff8bce49778
3⤵
PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:2
3⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:8
3⤵
PID:3324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:8
3⤵
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:1
3⤵
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:1
3⤵
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4272 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:1
3⤵
PID:2428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:8
3⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:8
3⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:8
3⤵
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:8
3⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4528 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:1
3⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3664 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:1
3⤵
PID:3884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4656 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:1
3⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3056 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:8
3⤵
PID:192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5148 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:8
3⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5136 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:8
3⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:8
3⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5204 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:8
3⤵
PID:2932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4648 --field-trial-handle=1804,i,13631234028806449058,16307935786015202385,131072 /prefetch:8
3⤵
PID:3804

C:\Users\Admin\Downloads\MBSetup-01908E66.exe
"C:\Users\Admin\Downloads\MBSetup-01908E66.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
PID:1400

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5096

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:2240

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:704

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:656

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:824

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUEzRThBNDctRUY0OS00NUIzLTkxMzktRDlGRUQxODRGMkZCfSIgaW5zdGFsbHNvdXJjZT0ib2ZmbGluZSIgcmVxdWVzdGlkPSJ7RDZBOTkyNjAtOEQ5Mi00MURGLUE0MUYtMzJGRDc4MTcyNUExfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjQiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbmV4dHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzI1NjQzNDk2MiIvPjwvYXBwPjwvcmVxdWVzdD4
2⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3904

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4272B6E2-761F-4F11-AA79-3669F7CFF097}\MicrosoftEdgeWebview_X86_110.0.1587.63.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4272B6E2-761F-4F11-AA79-3669F7CFF097}\MicrosoftEdgeWebview_X86_110.0.1587.63.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
2⤵
- Executes dropped EXE
PID:712

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4272B6E2-761F-4F11-AA79-3669F7CFF097}\EDGEMITMP_80410.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4272B6E2-761F-4F11-AA79-3669F7CFF097}\EDGEMITMP_80410.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4272B6E2-761F-4F11-AA79-3669F7CFF097}\MicrosoftEdgeWebview_X86_110.0.1587.63.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1716

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "1716" "936" "912" "932" "0" "0" "0" "0" "0" "0" "0" "0"
4⤵
PID:1224

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "712" "688" "644" "640" "0" "0" "0" "0" "0" "0" "0" "0"
3⤵
PID:2424

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUEzRThBNDctRUY0OS00NUIzLTkxMzktRDlGRUQxODRGMkZCfSIgaW5zdGFsbHNvdXJjZT0ib2ZmbGluZSIgcmVxdWVzdGlkPSJ7OUM2NUY2NkQtMEVFNi00MTI3LTgwNDUtRDNCNDgxRTBEMUQ1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjQiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMTAuMC4xNTg3LjYzIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3Mjg1OTY1Mzk3IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzI4NjEyMTQ5NyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjczMDI4NDE0MDkiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3MzIxNDM0NzQ5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjYiIGVycm9yY29kZT0iODciIGV4dHJhY29kZTE9IjEwNzQ3OTA0MDAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjgwNDU4MjE4NDIiIGRvd25sb2FkZWQ9IjEyOTA4Mjg0MCIgdG90YWw9IjEyOTA4Mjg0MCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjEiIGluc3RhbGxfdGltZV9tcz0iNzI0MjMiLz48L2FwcD48L3JlcXVlc3Q-
2⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1760

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4216

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
PID:4028

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -f -addstore root "C:\Windows\TEMP\MBInstallTempd1aee1eed59411edb55076a232a3e020\servicepkg\starfieldrootcag2_new.crt"
2⤵
- Modifies data under HKEY_USERS
PID:5072

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -f -addstore root "C:\Windows\TEMP\MBInstallTempd1aee1eed59411edb55076a232a3e020\servicepkg\msrootca2020.crt"
2⤵
PID:5016

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
PID:2416

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
PID:4468

C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5116

C:\Users\Admin\Downloads\MB-SupportTool.exe
C:\Users\Admin\Downloads\MB-SupportTool.exe ""
3⤵
- Executes dropped EXE
PID:4840

C:\Users\Admin\AppData\Local\Temp\7zSEC83.tmp\mbstub.exe
.\mbstub.exe ""
4⤵
- Executes dropped EXE
PID:1976

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:2996

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-0.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:204

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-1.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:4188

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-2.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:2920

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-3.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:4584

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-4.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:2080

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-5.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:2352

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-6.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:2504

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-7.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:4800

C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
2⤵
- Executes dropped EXE
PID:3764

C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe" /wac 0 /status off true /updatesubstatus none /scansubstatus recommended /settingssubstatus none
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:948

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5088

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:5104

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1480

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e0
1⤵
PID:3408

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af0055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Filesize
201KB

MD5
ae0bd70d0d7e467457b9e39b29f78410

SHA1
b4a549508cbc9f975a191434d4d20ad3c28d5028

SHA256
4d9f16b00bda1db65b68cb486f7ae1bf5b32aedf7fd335e4a8ef2fa087870986

SHA512
cbe2b5ffe647f5318edd9825ea6536d6d14dab66920def0323fb5b4dc03a4f8b6781b9209e5a557ab4d270b3f2b170797e6bd807195c93869367c0a245a3168e

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\Installer\msedge_7z.data
Filesize
3KB

MD5
24e75234ead643239611dcfa2de7f68b

SHA1
45bad7e041ed18ec303e5962daa57fddda7a73b3

SHA256
90af87a7d806ebc25d05730603bb6dbce4aff5d71db5ed613267441ddcba5c1e

SHA512
139ef9c864e4b427d552690f78630c896d08d118690700c7841d188e367214befd13f8adce97015cd740d90539a1217d6aad96d9939cd12ead4247fabb7d8ed6

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1716_1712507170\110.0.1587.63\Installer\setup.exe
Filesize
3.0MB

MD5
005fb6882161a039f6f489456e65c48c

SHA1
8f3dbcc25b1c148cc1817d7572df4843a4ba4948

SHA256
f5184b1efea9b9b6131450d20dab28047993cf2f2da72cc5c1793420e100bcf8

SHA512
479f749d14978274300e82e9f55f286b34c8dc965eb4871cbc90445134d6437e0c2e3d1cee2e3280af01c8f1f973b25130b18c9afdfb5935259e919eb8b98719

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json
Filesize
593B

MD5
74e0d7828d558a74444c9c813f0c4227

SHA1
92991c6e9649ba038ca6573b730f9cba787244aa

SHA256
f7afc890dcf1e59abb49b845b477a8ae0dd02ae83365e3114dca4e0754940b3f

SHA512
8277f457bfe6a1b35ca1aad03785ba0884044f5b67ce6259e95a5b7e82b645255c5979e6e0a01679837d58c150576d9cce63fcc45e9de3af5e9ca94bd9c73bf6

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json
Filesize
655B

MD5
48656777213e628344a9f6e0478a863d

SHA1
154d54e363c69de8e5903c8f00569339f91fefc3

SHA256
3c2d41ca0cd8cfeed15e052723f96af137a5f7d09ff509374ed5b19c089df21e

SHA512
89a38f8dcec3f9c2a427844e147264246bcf5ddf56a37b1a81a53bce922e009044f11ad0a2d235f6bf6784daabd7266e1d1b396ee4cbcccb623f631c6c325059

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.dat
Filesize
8B

MD5
5de6761dfaf6bff8a566a80bad9c0aed

SHA1
7c513bf3de55d4a397b3f41e538fa4988c41820c

SHA256
74f655918435255fc9d1cc9a7be6750df82f5a5dc4d3e422c5fd40e686826d9e

SHA512
87d9a3a5a4d8153273b3504c86a3a54a693ce8f0b23c3ac7719bdc646b516d59aae4f4f25c4d16d7c3860111029f20dcc13be19c44cc8edc6ed05fac7e86a491

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mb4uns.exe
Filesize
3.8MB

MD5
bafe0316a997b14cdfd91ea213c67542

SHA1
5f15257200374c7f3fc7e8858578cf2edd1fc58f

SHA256
08ef4e9363d8117bef551cb3ebc1370c066ecfecd10781b64a6510b7d2d8247b

SHA512
931fa97c40e7a8822dda69af856343effa794e304b3d22f8c5489db1b05440c2d84b9dae37a0d0429987aa4f0dd5b2399fe228b494efd1b8c27c12a4a522abbc

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Filesize
22.3MB

MD5
0eae912523483b77c66ebefaa361fbcd

SHA1
28fc9c46b610ab4b94ee4e6d0c33d5b155fb5175

SHA256
cc3c1308301e3916a9bdc0c00aaaefc5f4e5207b4626364500d30d7d977d3a9f

SHA512
d302b81a4f7bd9a8120e437b9448b36760cde3ec061b971895cb7ebe08ed7c502428302effec80c895237719323bddec585526665fc7cd8e2beafb67d7abfb1e

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
Filesize
8.1MB

MD5
bbc2f701f6397724ec997def851785c0

SHA1
ca16d57b0defe2f4f0bb4d14bea9baab5bc6874c

SHA256
083c0d95f234f624559e19a3be6de5bd304e0d0c43b68a78487cf01240bc08ae

SHA512
d0efe173217fcac12c0b1c366b7742ff8d8eeb4e8689b73562e5b1ec57427b0b94b249efe05d63f8b14684a1a46890c9f89896b01882ab31bb0a601d13b7a49b

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.sys
Filesize
233KB

MD5
1dc6d344ee9b6b024ba23278891db9a5

SHA1
519b792d11daa2bf9d127f69cdd603a236576e04

SHA256
823e1c7321e177b006c1f3fd1ec8b99607a12d2c3c321f3a6cbbcf7030b6c240

SHA512
fb96c4ede03c3aa729d2ea5a72c5f14029f6d69a79b6e0d5449e371bf3acdbbd1cb2079e8bbac3a3140a257c71018bc7a2a31a45ad5c8b65382e67cc3431ab6a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.sys
Filesize
193KB

MD5
b97e91c67832f1ff52fea79bae37372f

SHA1
6b7d1151878730cbfd15bccf19026df88ef84b2f

SHA256
85dd0da0b7340652038c46237c14309bc8c34107353050facf552805f7d7853f

SHA512
d1c012bb4dbb368cd149a49fa52aa5f9ae546956f86901e4990ef46af4b658680830ce3a0b3a52af5dca2deb86d2a5567eb79e968e84e5588dcc8a81b8f452cc

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.sys
Filesize
217KB

MD5
6a21162e1c8a9f65787b14bc439eb077

SHA1
1bf68b253edd6cae098144e24e09b4e22178784f

SHA256
8b7990e1c676f53918e41f6b18b20179d77e598352d9243b05e2ea22b2d9e4fe

SHA512
a0dafe66479b9e68ebf04a7e2fa7c7cc352fb075356b7eccebee7af527393711e3cb36c7ff6466a5e28b17d1d003c1c49ef176b448f5de36a7c8177c9c8808c4

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mwac.sys
Filesize
177KB

MD5
1e12dfd5396809da1c6cc5bcffbea079

SHA1
db1aed7c81a618af1053e8c20a8f06facfc0835c

SHA256
5afffafc7392d7e587228b50862cbf2c435e45e596148fa05ac3c2d0af7721da

SHA512
cbf33ba1c0af4ebe85764a969a8b60fe3e65162f6f8f4eb91790d8aee4c09a7d4e8ee6a438116103fbd966ba2c377ce538801140402711543c402e3a7a375462

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat
Filesize
10B

MD5
69b658fbeec3172c7399a81fca80be51

SHA1
8f7b19f9428f3e53702209715d244f2516b7385d

SHA256
80f5bbe171839f4bc52616af01fe90931f72cba73c0008119e3046281c765b51

SHA512
8f609422356246b8f88f88545fc496ad18829241ce52ad05a764342c9ba7fc39d0bd2f5025d8a1dfc050389c6724d5d7d313c1d230a5074ab1c0173472e2fb09

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\uipkgver.dat
Filesize
6B

MD5
74c6677020fc6b6c867aab117078bf5f

SHA1
8c46db37dc0b39eb963d4144539c8b591e122400

SHA256
cdbb9bc874d71e154c71b68b1fe959913d286036dac11e226e5620c919ba9708

SHA512
3f9db8d9bb25322f8d8e750750bf92dbe6ac63d686eced65cddfcd61178cf0e947118a491058414d4d2cbb4892e39815565669aee0dfdda23aece72d278292d0

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\version.dat
Filesize
47B

MD5
5385ca92012c3143e5f7a14fcd3ce105

SHA1
64af5d603781aa01913bacf401004178371e1764

SHA256
abbea76cc66f9445aeeb1829bd2cc3d9abd5a51d2665b5f9be9645d297e26daf

SHA512
b5fe90faaf18d1b80e04ae98595137ea011bd4800637a7929bb6d6af02a2f6d98ed89f687cfc25fb11071d65aed7320a19609a3a986e0b3728a9c5d08100d0c0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
47KB

MD5
7d4a0a46e15b956a7efc3158290f445c

SHA1
76cf76daacd3024491f83b5218627f59c61ef600

SHA256
ff4fa75ab69f34a004a70a6a10c03690060560db15504f11362956337af3f694

SHA512
60b5da811a489ae16bb51ae2c0c5a9c94316abfa6cf82faea3ced024f381e38dc1be8aa87e272ced65c47c64f867e0dd6de2ffbb40ae1703fffbb24aa0411416

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
64KB

MD5
ead0d61fc889fec9a71d995a30ed5eb1

SHA1
5c144fe8970ed4eea0a7cfb40be156f65ccb4481

SHA256
be68774524e6ccbe35e0f76e1cc88ec34e443dd8c32588fd352e4ee24c9c7087

SHA512
8661316166c7c0129b3b4c70acf302ecbc382db6120ae2cefb15c9519350559fc049f238e8bb4128f031abada23e544ebf0742d9135586e46fe2b3196313c1e7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
64KB

MD5
782e41d63cbb95c4fcbb43384e24d634

SHA1
028075f90a3460d42530af2dde5596c4f65e978a

SHA256
e1c4382277a96f1374cf785a3f62625e2321dfbcac845a6bca8f1d9a0f479e08

SHA512
dfc4568fb10a2f34d9202117782fa10b16db8f0e5e537c85e2307c9cce1b133a4e8da3b81334ef15734aa37531e407783c39859babf742f028efb9d79a8bab3e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
86KB

MD5
6e01daa318bfd658f941b3067e73715c

SHA1
2d34b1b70ce099640488836bd460000233f5c69f

SHA256
cd8decf97f38168237f792844a5c0b87a046979975c699b7a4011557244619e8

SHA512
526bd01ee9fb476148a445b4d96cd6e44ff916509550ca264cba8d77762af9b13c9ddb8e02eee8dfd4c9df0bd2c5d6918a91c5a73f9d530e8a88c09c2e058d20

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json
Filesize
607B

MD5
6d0fb80d79f703a1dae8b8fc63dad3b4

SHA1
553e108e5728f972feb781acc31cec04b69b6a83

SHA256
ede4e5719444ef9716f10d4e82d3315632feed4e7c03de236c18ba0171247f43

SHA512
1a3442ad8b0b89fe98bcc9e6a20a7a2ab33733b99b5bda44bf1dd0b6cf59976a746144c39d7c11aa1b6ec2b3a649da4cb4afd6249a86bc2d8f7c379160563c1c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json
Filesize
608B

MD5
0b491c99e3b60f1ce0617125c783ec98

SHA1
d561fcacf5e6f6b35fb0cca665296035ad2acdfe

SHA256
c57959a5e44a116ad44a7e88700e26052ab6bfdcec5ea359f9ac70c3b3571b2c

SHA512
1654adf897fe6a1ec4c71d1240d5164d868c423c93809e1f285fe75227ab035c8f621e7e774ff781fbe1af14cfd93b08d0675d29746fa0ead475906eea0311d7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json
Filesize
847B

MD5
acb2e9d6ba92e6831b16ba3c773a4c1d

SHA1
1e4805705029153fe55e03309c6c2065bd406abf

SHA256
fdc48f95caae522f715135ca389a7e2129a4a7e7f29ec814736a510866bb805e

SHA512
bd340f360936a6bb0303bffcd583979c63d28d83a0538eedb2e52e6b750988665ae19aba7d0083b9cb098a0b7cefe2c7375c5ff352125ff5091c2b6ed0c80475

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
543B

MD5
dd49aa252e12eba08ac57b41c1613093

SHA1
044777e78ad3df43edc5ee079a37b08299d864e0

SHA256
18402b96921ad3d52d6615514d88dbcd7aa01e1738452a68efc458e97cb02c23

SHA512
07a61809868b12773a4b51ab5d94a6989fd3c03a49882b5bddd4d518a129db61ac5dfc5efdaf23b4c1d835f44a62ff0055669f2d5e47203d8a84b6c3ec488ef5

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
9KB

MD5
da84301ebc4c3c6fd26828a20f7a4ecf

SHA1
0684f36d4d13663273374b92a3f7060bf9edabf6

SHA256
be5b0798c20c1641d0a9dcee8f265dceb0765752e0146ce6650e3d392eb7fc1a

SHA512
9a0cb802288f705b0efa00dc44f6a9953567341daa529db6c33d348accd763d855bfd04bdba46715a69efede5c743084819a4cec439e7c407d27ed94e3d3791d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
10KB

MD5
06449ce64b323b35e9e6c4166fcc8b84

SHA1
cde442980ebe9ab7a70634591bada2d81371d7d2

SHA256
99dac9b20f42597425d73611005a244ffccccc8b21c56dbf83404b9c89e40d12

SHA512
40f8ca009b9cfc6c36f09c4764d72807292bf8f125e1462fddb3e936f4add5248c3f4fa00005d049aaed78045a60af3268ca1844a744b8d0891056af7e946915

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
10KB

MD5
d855c25d2011639d32bfbbfa5cf2697a

SHA1
49ecf21558baea2c2ec25124d3a5eda9952009d5

SHA256
ee82d92449acbedd4bb97b5f708393c04cc4336c96611e158ad2a785d64aacd0

SHA512
056d519b530abacefaa9c682a85810ff867e613060aa1a93c854ee0416bf5cc76c92f025a81283f222831476fb26e272680dc60223453f39bea39688000a8e08

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
10KB

MD5
10fd3b5cd470f2b15872d36bae2b83d6

SHA1
1d305eca19436265e8e23fdbdc7f7779b2ce9191

SHA256
e9e96085b9725c2372eec1e3b9981a8807d464c583412d87b84ef99bfe51ca7c

SHA512
c4c3cc15b010cf152a51eca4c5eeb449bd21b590f01d8ce5448a28c0b39d66c9d873b61601fd35c02ed984460714acfa42449bae87f69463548b7de3a089bfc9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json
Filesize
1KB

MD5
fd7a4c146148ed2666ee1f3bbd433e70

SHA1
e6b90a7701dedf0f4c978467d3f3307f0faac5b2

SHA256
840df8d84d24c22324daf8a4e954703f18b2dcea79ae219308b26d3bd2e4120c

SHA512
293c889021fe05974fca0f373fab2592182139b4a4d3e4326f3092a8e8a48e1daa0123089bb62eec7122c6202a1e5e6bfa5fcf0e0a9b5c21a0c678301ee764d8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json
Filesize
394KB

MD5
6e8e3751bfc7bf938904c95d0b0eace6

SHA1
09d76e99d77ce56862b23cff6a577ee38e9dea75

SHA256
cd2c38734bc06693e7806475b36cc65e473b98a84763aa867348c13436378571

SHA512
dadcaf447cd25d66d084444649f99d4c29567cfff447993f3ce3f0fb8ecd80a06e205766f655f4ae28f4c5754bb0b5ef61a16810be8372c89d3e6750bcff7e42

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json
Filesize
192KB

MD5
a0d72b1f12d8b92efb88848fc4fe9a5c

SHA1
6e6b5e6d41e69caffb45ec79391e5d98634c1413

SHA256
7c3f253884bc30c599d03ea5db4ba5e99720fe9a536e96dbc3a8b08e7584ba11

SHA512
4b00984c2ef6b083e729d154fe2d5fb42f44fa743e745a3f9bad48025868b1e663e7defa3941ea050880162ca99e61eeb9de22010cd073debb666296a3df60d4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json
Filesize
2KB

MD5
bd041837fe341ab59b246dde04ae1d7d

SHA1
0324625d963272fc6505b1d4f0fd365afbafd786

SHA256
fe40293ea3194f51b42fadc574e75ff0edff669e0633e564f265519b8bf71090

SHA512
99ffc78286e6db650d3fcba5b2017ad0374e530d4767ecf28159aa2680f8be8792206af72c10224900246feaaa35464eb9a92886ce00b2bc8101c74fc7247a29

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json
Filesize
2KB

MD5
bd041837fe341ab59b246dde04ae1d7d

SHA1
0324625d963272fc6505b1d4f0fd365afbafd786

SHA256
fe40293ea3194f51b42fadc574e75ff0edff669e0633e564f265519b8bf71090

SHA512
99ffc78286e6db650d3fcba5b2017ad0374e530d4767ecf28159aa2680f8be8792206af72c10224900246feaaa35464eb9a92886ce00b2bc8101c74fc7247a29

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json
Filesize
811B

MD5
befa3e18283e82534a78c22cd5781670

SHA1
0963a7e10f5f70c4922334f84c605eb7a8bfc883

SHA256
265edbb2810c309bb2fdceec323aab17bd243fe9261f0ec0b7024f3b7ddcbe2f

SHA512
1e700fb27e854be428597b01f9123ebf87e0b2ba6077eb93a02b9fa227ef9d68b69553551e3147e60f82ce2e15ad1dabd3b5b13817b2441156fbd448c8b1047c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json
Filesize
814B

MD5
8d51156d6f3bb8fa2b71d8b9b715f551

SHA1
f1377b70ecc7f7d929d2fb67e4a810f4c6d7ca7c

SHA256
ebc07ac35258ead78fb185ef2997ae5f5ed5a68a4a354c6a00373b79be1b3108

SHA512
5973ec7ee71da269310b09c903ae4e7aa91f99645c324070befeba7361b0f732538f282e2a5cbb8d968cadb756b9f677cb1db644bf215f90d890f3fd013c6de0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json
Filesize
1KB

MD5
3c78bbe79a82fcc3ed4ac7a13ffa0a95

SHA1
bf0d3b504921574a64ca5eb0c60e5c380ff3e9e4

SHA256
4480946ad27ffc6f84e3574a8fb2009b25e574ace068761ccc4759b6110f8910

SHA512
8cd1d47ea395e653609891d7dd30f9e8f878d52a968fecc3a165cc8222ce806362362747faf088a2282aa28107840a3242250698ac2ae083454d96b3bf63198c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json
Filesize
1KB

MD5
3185c0207575018dc834f386516eb814

SHA1
3954156a8a9a6c25f7fbcc113ed0b56e8fd700c1

SHA256
6e5620b42afdf840fa843bec214544399b9e2fcf4ca8b1ab5aa9270be3c92e98

SHA512
fff533d24df6ee122e5dac486b362dbed5fd488bcc515aa1af76d4d3fb49e1070399bd7fac11fb5ae40155d3c9abd5fc027443c3128f2ca12843fa9b0040085e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
2KB

MD5
1678630317be5b2d73235aa0031e613b

SHA1
70a81a261a978210a0597be97bc589f7e70b38dc

SHA256
22f7fb53753e8d7726c5b612d689549bfc90f5915b87115bd1a20d9a761901df

SHA512
64f3407e508c7876c00bc17ccc2191da0bb43b4156ba3b50fa28ba907bcbe8ebaf0cef34147f4cb60e892c287f7e267d3a131ab00c7e24c17e9bf8283ea7fbf9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
4KB

MD5
ec3f620ed5f8a5b298f04f2920bc009f

SHA1
c189fe0053f176a6c0cc12aaad843dbc577ed800

SHA256
17dd75d03e718689fc8f7eeb3d86ca7e8789e4be1eb5158db69d50fee2328acf

SHA512
190f4fd6b59955d877b4014952b6758f5000f049826225c77aef386f1f49dfa11e065d80b1d3e09341f8f40fcdb9591f9cc4f68dafb9ac65327c37d427cc1f9a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
9579f192da6310933c2b5c6bcf9537ef

SHA1
6d5ed40e18376e2e67a04e8bab04c9e7d5c034b3

SHA256
5db3e5831729326e9bbb8b28d364030874a534f9b84d5c1489f1ed443e941126

SHA512
d98743aee537c20782a86a213ddf7e13d453d93775e2ae2671a9301279c656ee3631e4d4c1ff50071b2a47fd88ac0479f3a8157aaf607b25ab60217f9d0029fc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
4KB

MD5
1b6bc31b797720ebe61e528dfccf326c

SHA1
09b2ccc85363d0c9022e8bfdb90393a26de8e2f1

SHA256
e7f45b04a4b594b48551a45e43307bcf6ab1e99342added7df91593787341a61

SHA512
9097186ba617a87ff7ee1f95a6e3a40726988ed2f4fab075df05a1b743c869e26abfd531ffa5b0f66414af3edbbdaa50f005358051eb806764e13aaac54306a0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json
Filesize
10KB

MD5
aae4560f94c07673fbc3a757c5f81edc

SHA1
312834234909e306583e65fba8c19bac9cea1220

SHA256
78c1393369cebb6df21265fabc0b36b4938af2cc7c52eb1167d955c303044256

SHA512
01f5cf03d29f51b6be7da1d25f175c24024346f8237b0bad283a1ce04a0f001a7f33e4dfec927fe83b651dc55107c3185bb8cfa9a0370d5cfbdc394319dae901

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
dfb0294e6abf1fd8b7d2d1e4610b92d6

SHA1
c573f327ae471b8823f309617c645fc50fd31aa0

SHA256
58d35d08265a10f944bb7dab2ac49d9197d32e5122c19db4487f28fb51d3bc61

SHA512
82758940c56aced17695b81369e512740b4a1ec67e02412c5fffcc8174ea81bff4210e4a7f55b4f83afbfe641bf101806ae8df24009f90b8dc8314c6d863eeda

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
6e464d0d3d19cf8e805bc70b446242b2

SHA1
bfcc22cf6ecda2740c7552b2380c2af9f8a4418b

SHA256
173039bdc2229b5034e0c712660783648a88df9c644f0f0ff5c743585fe6f28f

SHA512
313408fc86df8d12fd824140787dbcc8044ffcffe928572ec4df5de9ece17fd9021e69a896523f8ed118a7fbad5d823fd0eac2adc1b3998d8cafc2728e492497

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
03671752a03ed3d0c027c16878c3b1f0

SHA1
6cd9faf6af7cc9c6180f6fa01afe525c65fe3281

SHA256
ba3acd5e3ad68f6e59c64322e4a20895a28469430c092f9ed5f16f1bc1487bc6

SHA512
301afb4a15ea78f71a17e0e76b27ea314f9d810efbf39da30dd0c1a57a7ff77a385edff23ed043a34b197e883a7c925fb52e443d805f7a1f4568c53b139a79b1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
03671752a03ed3d0c027c16878c3b1f0

SHA1
6cd9faf6af7cc9c6180f6fa01afe525c65fe3281

SHA256
ba3acd5e3ad68f6e59c64322e4a20895a28469430c092f9ed5f16f1bc1487bc6

SHA512
301afb4a15ea78f71a17e0e76b27ea314f9d810efbf39da30dd0c1a57a7ff77a385edff23ed043a34b197e883a7c925fb52e443d805f7a1f4568c53b139a79b1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
a562ef07b748b1c26071fa252f4acde1

SHA1
9df40814637fc2e277559b0ad37bbf1bb7341701

SHA256
3c779af8e35b17a42d0533c4838378975872b106f24103be106d906d0dfd29fa

SHA512
d1fb73b9cdf54d70af78dd8f5aa62964cf6f98312de507953c8bcd9e063b88f722a77562cbba98f88620c46169ff49076b4dba147430f6f61e21801e66a7fbd4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
d167a8fab659cd40c28972e0f0d91390

SHA1
a53ef1fc8ee031396ce6f3044977bb4b97788997

SHA256
8447841bf94288d36f9f304e31fcca027ceef0fe08c15b067f9c98d138f2f60d

SHA512
4ee008224935d8a3167e45d867205703519eec66bec31878ce4d12a9b30a01471fcb924da7643e974b587fac6bccc4d657569fe1d15f08479c09a1790697749c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
93b4c2b50415207d82ff867d239545a8

SHA1
531985782247dc72b96f17e42d5ec23a8a770df8

SHA256
b2afdc7c63374572484e8a8cc202ade98f55c868c90574090a42da9269b9f695

SHA512
b0890f7995283744519686d67d8a9b51db3644907b7cca4d4ce3fca2b622660af84e5c81594528cf086a92b4f57d8cd275acc63501b15a27405b96f32689ea3c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
f7ed2e6d95d4518052bb07e168c289e6

SHA1
cf3bdd3a8fff395f9eb81263a9b158c69a241057

SHA256
88696f28dd5bb2bbc9a4110e07e572bd307c5fcf994bf4d06a69783969f23061

SHA512
4f68be264c1e997fb5d9254aef01f8085cdbb452d6fd6cd352674c8c404e446b08b45e32319db769456b171dae307af72d142189dbb8826a341e346850f66bfd

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json.bak
Filesize
1KB

MD5
a562ef07b748b1c26071fa252f4acde1

SHA1
9df40814637fc2e277559b0ad37bbf1bb7341701

SHA256
3c779af8e35b17a42d0533c4838378975872b106f24103be106d906d0dfd29fa

SHA512
d1fb73b9cdf54d70af78dd8f5aa62964cf6f98312de507953c8bcd9e063b88f722a77562cbba98f88620c46169ff49076b4dba147430f6f61e21801e66a7fbd4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
5fe665e9d80d7bee54629c9707d4dca7

SHA1
601b4b613b4a5f6af998b9de8fce389ae255eb82

SHA256
23a30722e7d4fed6d451648c7694ee5657731b6c3b1580146a6cdcda2ad3007a

SHA512
ef9de23443e2f823fcb30dee1764d45fd9a8150b7237b0e6e054376ff89b7bea73793fb75ccea8a897139327f9b597b280792066ec3922781b26661292b3e736

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
5aa2306d071776fa3418bcfe901f929e

SHA1
e82c7ae08a860ad31ef747a4a5d39ff7b83812ef

SHA256
924c78f838371c8dd14a531be6b3c27aedbc4539acade49b4f3fa275720c295a

SHA512
b0a74e4e902bf3d5958186f5257740181b7e11ef9afab6e6f44ec69804964818345f4332def9d94815be8196a5e62057b57b8a811f875b253916902a4787030b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
17b6b58fcc3a67b5ab38e2047f3dae88

SHA1
9ec58e07f08268d51cb55cdc9dc4f5cdffdf47b9

SHA256
11b02480fa3a8258433ac7f85f622640a0b1de240b8432a3f0a1fd7606f52f54

SHA512
7169bc41632d476933d71deafdf3b35302378758584e381436e1446150da347a3f7eeb5452c6291f4e7e82a71cfad9acb8c96b884ef6ba8d0f651b4f2ab82b58

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
c5847e00f30ad4ae1cd4544cb306fb4d

SHA1
20a9ba20ed7dabbbe32e0d2656456818909ba3d7

SHA256
93d6b8076b64d25cbb79271a2775e6b7f5f6c2ab5711678b9a751fa236c6b687

SHA512
a7dd42d8539fc901a78eee28718c6cbf579a889d0e7cbfad9f6bff0af42e9451ec168fc8dc1d45298ed2b3e4ece0130abafb322f751d1bb3122fed4a2a5b3143

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
c0ac94dc5b1aeb98ee1d7d02fb6c013d

SHA1
85dd1315214f76ffce82acd72074555135673faf

SHA256
3b3f344a159f68fe6fcc119086b9026fc29974b4eda4cc8237421e0e580d1a88

SHA512
c7b0061e0f9338a4c7656f47ba072d880197d62b4c902ebfc5f1348d6fbfc5acd761539f2e112d278b14ed7a668e103ea81feafd4888bf50d5eac8ef1e11bbff

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak
Filesize
1KB

MD5
f4a105d7b2fdf51f680ab2d639f79396

SHA1
86ba89624e49bdf8970673a7ff23391e551ba709

SHA256
d08d01d8b2fa559d961105f1433960f7908db0d7f53ea8c32d8c96af440417c9

SHA512
bef03c4b5c4708ea6aabcacb797917bcb83ef7f46ad17f5d8fde807adaa6e66fba5035d3500b96922d84b0d64a2471879eb50e3eb59bbce4061cd3713351b5ea

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak
Filesize
1KB

MD5
17b6b58fcc3a67b5ab38e2047f3dae88

SHA1
9ec58e07f08268d51cb55cdc9dc4f5cdffdf47b9

SHA256
11b02480fa3a8258433ac7f85f622640a0b1de240b8432a3f0a1fd7606f52f54

SHA512
7169bc41632d476933d71deafdf3b35302378758584e381436e1446150da347a3f7eeb5452c6291f4e7e82a71cfad9acb8c96b884ef6ba8d0f651b4f2ab82b58

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\telemetry.json
Filesize
387B

MD5
dd63df9fccbff405f31685aa47456d29

SHA1
1e7eb3ed951f9c917e079d4a216b6a517bb8c41f

SHA256
1afbb7c7ce5c9e0a89dc1c7fe689d535be757cc8e31f9e5dccfc7a8cbf75db72

SHA512
3f0bb16081a66e68e707ead74048a232286ce4ec6aa1318104ddb18d5537553a60b0020b793c5f4fc4715ef626ca757173161d77830cceac8447c93c67e03f07

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Actions.dll
Filesize
5.0MB

MD5
1eff53d95ecaf6bbfffe80d866d8e1dd

SHA1
d7ef7d7c77fd04b2c0eb8c16bb3cd08057f6742f

SHA256
6dd748f7ca56125cbe158fa3612f08e7312ef58ad5375e6b7ab5532cc16ca0ac

SHA512
c59b8e6f0b238a247e64b9c7bb42213dadac1dada63542830a6292361174c935c0c662b2d1aed3fb6100cc4993297b1eaf25e328f2b4613458c4ffca63b9f02d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\BrowserSDKDLL.dll
Filesize
5.8MB

MD5
1ed53171d00f440f29a12f9beb84dac4

SHA1
4d9a1e3579b0999f1ab2fa818b588411e9ee920c

SHA256
e659e687a872050f9e65d78992d16bd9b393cf3f8e8c94e0e15fb42b7065327e

SHA512
17161cfc672d1b996b8af4ebac17f9a8a3807f38c9a23e2e5b4dadcd9a21c3a64faec9bf59147022a9df88b80f89300f1b537091289bd7a42806bd206a317e6e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.nm
Filesize
316KB

MD5
d62dc39a1552a098269259aaaea99838

SHA1
f4f52982aad954d0f0f0ba70fdc812cc33098e83

SHA256
6ae0ec8f4f9d518659fe3fbcfef119bb5fb9509b883691d3a14b71b41082ca17

SHA512
f3582c64dea61fc2957e79bc013cc9a0e5320318925b42393b373a8d336800b92af2975e2f39ec8345668b903d8e29e7937f0c47102c491ddfd7813d53637ecf

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.sr
Filesize
11.8MB

MD5
5244beb7c027886f96bc7b98201f0662

SHA1
e5a2592c1bff569b42abad339652518f734c5a71

SHA256
96bf3e3797265c5ab88c69fbeb5d65176768ebd781d9f09c26919350c12208fe

SHA512
100e45487f9054f00efeb47c82529e045d8c43591c785dc83bb76121d8c0858c793f10f642818b0c09ef7ffcac9a51a52093b11b1c6067480d5855eb4c153a55

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\MBAMCore.dll
Filesize
6.3MB

MD5
888b794737cd78e918486cd2a4116c65

SHA1
335aa063439ee8c2242591dd4cfe6c9bc28531fe

SHA256
2194ea4af98e6ba23e14ac60860a6c727f4694a9d904025288997ad05f0859bc

SHA512
f6a15dc86a89adcbf9ea6b96eb7d5671a2077696ef4cacf88c36d7c73c5f28d96f4a257ae8672981a24907e0583bb15c01dfe09ee1ac5837ffa693d5668dbbeb

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\cfg.bin
Filesize
639B

MD5
544a36063346eeb1e751030008a9f7e3

SHA1
b5c44a037d16bfd5cfe0e6ba9cb770111b3aac82

SHA256
33a822063dc53b5a693b5920f6a14bf4c9c1905c08b3257b7621c9f0c41d39d6

SHA512
fb86ef1c271d10da364654b244253a4492b8331d69e2a71479671a44f613b88a72822b5a849159b63b7b28c7cbe0c6b7ed35f82cf749a598b23676fae70f279c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\clean.mbdb
Filesize
10KB

MD5
139463e2c959cb40c3cd45d9fbde3d9b

SHA1
366d67d10d35cc969de0119c43793944810eaf21

SHA256
db2c789d5b6879a3a3ba9bae5a928be8f930ccca617daff4f2d14d148a232808

SHA512
1a37f6bf3cc837a6582cedee5e72ec5af19dd9707015ca1ad12d20da6d5ab26efad8bf79ddecf3eb8e75f0c9b06edc7f9a6a0319e130496c10ef43713e0426b4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dbmanifest2.dat
Filesize
924B

MD5
9a2fc3a52099cccad700275106dae0c4

SHA1
020af5093a5eeff090e6ac6a05a289950966c2e7

SHA256
4c16fd9cad9524a516784a07f38fdfa6f8834c306a3de499005e18ceb0ec509d

SHA512
efdced11e7c934f3e4d1afe7e831f24e73704dc74706ebe012a0342d248e7e2646199f623687360d27a0a394bf08d40cd2e73e3cdc830f82482839c5e8507190

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dynconfig.dat
Filesize
39KB

MD5
10f23e7c8c791b91c86cd966d67b7bc7

SHA1
3f596093b2bc33f7a2554818f8e41adbbd101961

SHA256
008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

SHA512
2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\exclusions.txt
Filesize
23KB

MD5
aef4eca7ee01bb1a146751c4d0510d2d

SHA1
5cf2273da41147126e5e1eabd3182f19304eea25

SHA256
9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

SHA512
d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\ig.exe
Filesize
1.8MB

MD5
f4bcae29120428ab0d1b72acc375d7fe

SHA1
0970f103d74c634a91afd69388ab692f2df4819a

SHA256
f6e63c104b5a3714a035d2272e4663b0d9599c405bb31e7f9e7e108205707d4a

SHA512
078c4a5a15882ad74eaae3539bb787f28a5b3bb18e8b3a33bf44cfaf98d7dae05bf73245193ad2d3075686b6405c25a6cecdad3d6bb36ffa8b3da5812ae675b0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\mbdigsig2.dat
Filesize
514B

MD5
d7838e5b2740cd40e57307adf1f77d22

SHA1
e87d72bcdff1d9673aa4f00e63bf338b009a956c

SHA256
7dc892b100f6bb7b40baf4172990b5255b12293c7e5bbfc7868395ed6c0a823b

SHA512
6aeeeff46085d3c232ae154e41403a5a13ef06e64ec00012ed270db76e949fba0f5c04bc1695759fd760849aff1f5b6f256bc74e07f6a18c5b184d4d96b1eaad

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\prot.mbdb
Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rdefs.mbdb
Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rules.mbdb
Filesize
21.8MB

MD5
e763110867031eed228d752f8a39e938

SHA1
542788d5bfa1fc5783a623f4c84b69ac9490682c

SHA256
4e2e92570d3730e5bd6ce84fb899fa606ff1dfcc4a25b3ac43932232aea0684f

SHA512
7a084759d855a9e1e2bfd45c33b2be258ae75daf0c1f6cf5174d2011685da4be4ea6847ccc22d4cf3e101ca1b15d98fa4ee663620744d67866a66e765caefed9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dll
Filesize
528KB

MD5
f712ebc5aa4cc78b7f1a0c8810ce7db4

SHA1
48899721fbcd93b7d5440ce269b7777a62582eab

SHA256
46d6f6dad272240bcdcfc0d5c42f88a2784a5ebf31bb284555cf260b21e8a4d1

SHA512
20ea70c3b4e3cdd3727207b9b13e54332bee15ca18cde5228c7f93982310d77e5f6ebccd1a8251ad4d8cbf9ac6646bf7f5856f1c82d3b3ef2390fa779ec06017

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\scan.mbdb
Filesize
1.4MB

MD5
8b6c251dc30e650c5db33d757ab8197e

SHA1
714315ce6df0eec6fc84ed9a895ec3b9625536e1

SHA256
5f32c14a77409404e6c2087a6668020b55168d8d1eeb817188844f0224bda01d

SHA512
e24ae7549441523951319159da6b6680b97dfbcfd82f25c24067f1f2e139afa9f0fb0d4a878cb85da47e5fdb6c65ef201a18e99ebb1dc7e610aa4f0f3393fcc3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\tids.mbdb
Filesize
233KB

MD5
3b6a3349c1b7b5b51f2c9b6547565010

SHA1
7e462057e984b67517ea18ab8052dab7754ff761

SHA256
04de4fbb5cfa86903d49ac7235122b5fd302245318aec0cf5df1a365e8f4d9fb

SHA512
bdd6208927d1263365f66823ef30e92ec649fd8e329b2d80ed419606f2f1e2679febd99b67bc893d2e21fe43be1badc8b0d905b3c74692da5fcf75b3af7e0579

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\wprot2.mbdb
Filesize
39.8MB

MD5
61c5c9dd4daceb87084e0638577597fe

SHA1
52111a35039f9677cffda030d6ed4c41d4590d28

SHA256
26a20e0fc8dadd25e8cdc781cb97e9706fa90013be5a9da170e5afa823338474

SHA512
2b8591e10aad7157d338a35fae1c143b06d5f3cd00f61fc0d6ff6100ebe312a435445dc141760008be81960165f0f30afc04eb6d587bd0b4efa92eb93bdf336d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\pkgvers.dat
Filesize
75B

MD5
71ce445101bc5e5eb666305d40e89652

SHA1
f4fc49219230c33d67ef8b658dc3dc7f3328dc24

SHA256
779ae9d4738a735ef443ec7f2e886b917f55819e2db1605deacd06d81c6410c8

SHA512
adb40704618c74a6ea55e742f4d2a65e53f398b153966d4b74a4b71e221747963df4b723a99a42d49ca32371190e7084df32bd77c1952e53faca062c05ca93ae

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
Filesize
15KB

MD5
5d54446ae05ee7c686ad521ee3cb3c80

SHA1
30afbba33fd8ab48b00fdb42a51fa922625cb3b4

SHA256
19e75f3a8464bdb76f3d2a846cca1ba5d4f3795b327f8b44cd25a704fe38478d

SHA512
d22e5a78b8df4599dc3089b1c66b2b0ce462da98505ed2b8d90fecd931d4d668ce14eb23f7f13e86f251e2c672b343a0f12711c9a0cff1b4fac48db8d2cc6762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
fbab354013f22bda4e6b9b30404ff61a

SHA1
b23b36d993d4c87f3969b853e20d354a09c74c94

SHA256
ef46d0cdabc081605ce6dd5e5ffdfd4cf7e1fd0c15e0a6061009e08fbd2dcf05

SHA512
e338985644a5a4af0043c2e8a35e55017e7554559637ccedb663c6b74c75f2203d514adf483ebb5fbbc1b681a0d57fc22d4043f8c173ab1b831dd71216591439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
fbab354013f22bda4e6b9b30404ff61a

SHA1
b23b36d993d4c87f3969b853e20d354a09c74c94

SHA256
ef46d0cdabc081605ce6dd5e5ffdfd4cf7e1fd0c15e0a6061009e08fbd2dcf05

SHA512
e338985644a5a4af0043c2e8a35e55017e7554559637ccedb663c6b74c75f2203d514adf483ebb5fbbc1b681a0d57fc22d4043f8c173ab1b831dd71216591439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\59fd7937-10c0-42d3-bb0f-30c59a0afad9.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
Filesize
44KB

MD5
dd302e381e5d753f600c589aead765de

SHA1
5835afae49420b1a7bf5088b12274be90e0845cc

SHA256
0fecbe5d22d6ab8254453d8c0df230c34d5adef80bce465f61d4b0e93abebfcc

SHA512
91a9485e1cc78c1e932c2892670129a81f5a0cd50e08ec4cbb22f28aef5cf215ac9f0c72f81e54a0ee81ec75f05344cd649f5141f26a1896e6cc16ae1c5d174d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
Filesize
264KB

MD5
71bf265ca9c4e486761fe9f878f50225

SHA1
43502c4d9f43b8c34673da68e8f11b8b825048af

SHA256
bbdc3a1d5aa1073c267e2dc5f411059cac85fccf32cbae6305c469a687054b10

SHA512
edf3407990c1d769221a82b40a5f4932d343c8886d77c89af6e19d0a1d26463192ed11449e10558f7e90836499e7b9532fce0e68ea226a30069c15581e1b8d74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
Filesize
4.0MB

MD5
780e678b8bb963c5d799188af0ad9f7a

SHA1
6a53438d9c5a045502412d160908311f579bd6b7

SHA256
87519cd2e1b65c9b0a46157b3f72b33cfd325a870c3ea917ddff916458e0e339

SHA512
aafe0345300ae95300a8df836200766f3000d1769293b712ff399c3a533f833377d835312344a5d19094db6389bff6850fe7c2683e865cd62e8e385470b24e4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004
Filesize
36KB

MD5
d45c093df950021d9f99f8a62b93db63

SHA1
5e3b8e37d1aeb729c14ddc66f294e6cbc563eee4

SHA256
e0f67ff083376bf76d09287c5a87b412e044d669f79b456570a8a210875541b7

SHA512
182296237f050bfdf1cc8c96b017f6f71cc2af654331aa770ba67d0e7c67d5ba54c66aa8669548be09e559716c8cb3f60c6e1f6c0ef59382d647ce3d80d223b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
Filesize
48KB

MD5
66d514f7a4e15967dd615da85477a4fc

SHA1
c5a54d294d0e31d2af5f0aee49e2b762d343899b

SHA256
862beacad0e0cf5c98ac73d8125cefbad0612fe5cd62afd431879347f8b51a4a

SHA512
ac67c6e691a33997cb6c118ccef1f68418b2b18dcb2c31220cb73692f1c7119865c2fb337b2a7c266426d40f8c0d472413ab7996b8a8444e1b300282b4a49569

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
37KB

MD5
47ae9b25af86702d77c7895ac6f6b57c

SHA1
f56f78729b99247a975620a1103cac3ee9f313a5

SHA256
9bde79a1b0866f68d6baa43f920e971b5feb35a8e0af7ffadc114366f8538224

SHA512
72b5296e3dd1c5b4c42d8c3e4a56693819779167b9f02bc2d5f5a626b519a9cf10bee59846d614c929c42094b65d13039f6024f6cb1c023e740969aaefd060c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
600B

MD5
90ffb877af5ebcf4a45ea4794b96680f

SHA1
780711890e5485bee6bdd51a2461bdfa6ae4ebbd

SHA256
2a041b24dffe2b371b87633e245e6e8927d4863a492256cec6f562f03bb0225f

SHA512
0f6064a2aadd57b35956d604e7ea6878457438e26673ced478bcb51d79ed87fdb25c3883659f912c0cb523e5d47478720729e5ed15b4f8f667d1115b1a65792c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
10aecce6077ebb354ce9dca11f3ec371

SHA1
fde93534b8f12760e52555b00a3c5b5c3f3b44c5

SHA256
b01ff91162a276a22453313fe0d046dc7151f227df642b699bf9e0536cb7584a

SHA512
15b1625578644c0adbd0ea84879fab4637b297cfd5aec1274cad82d11ce5deb708fbf86a63d681d0d755aa7fd3acf72fedae3c9a60f45ffa3c80b2d373696a82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
Filesize
317B

MD5
49e4c2a7008aeee39e9925bfc1303265

SHA1
d024e218c47962b1de20e03629ca4492339f7454

SHA256
ed93a7279f668ac65459f35349d0db3d3e4d18a5806acb31a337e1ae826300c3

SHA512
314ad33fe453593f795667bb6bde88c09e5ab2e955c85abf797c223164c6e05a85d90457fec7bfad20204b61c264fe6680cf496de17a8ed6756305cc7da072dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG
Filesize
330B

MD5
b2c67e594939c775fdf141ef58990bfb

SHA1
af7c6d1e54f27a7fea9de4b4fd0b35d85604706d

SHA256
2b9991c2add7d9a88e4e9904310fec609a66ac178342e11effa33aa42a6efeff

SHA512
3a283766d1a0580befa69514cc9d7b4996241e19f58166120b0fd232e57da14bad60d92285aa6f9476765b1045d394ee53a1b0cbe8c541f8a136bbc6b9804f60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Filesize
332B

MD5
e1c81f66705792e723effef415cb312f

SHA1
be07247c39397128bad08a53ced7d3960ecd481f

SHA256
96e40a0fa4b1318f498dd08e160e6498bccc2a8b96af4a8fec9e502db3b4a232

SHA512
b5a96cda9b4c566a116e8e4b14085f997d1b4f8874bfb64e817ed5e4a90ecc23e5f89832a3537ea6e79ebbf8c6158fe27e4a3510837e13041a3d98ec33c31f68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
bc3e48d1be0d1f3de722657ce039fb22

SHA1
d01ac15a0eee1729771c2066151c63923d71a99c

SHA256
5ba38a98d79e44bc244f719522a739c8c211bd46a85ddb6040c911b64b6747f6

SHA512
dd20e7d0824729d49cdd3aee626557582fdd1c90529866c299fe496f0187843dc617f8f420789290b67478f81fcc85451cacddd030d72ae8213cd042673cd8d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1014B

MD5
f260a2ec529beee554b18d4006b989a6

SHA1
f655b1af7371c66697a31a6a3de12fee1cb3c9a8

SHA256
e79db1816f22aec261af550b75c917c9a8bbfa28dbb05081ae1188f9a10561e5

SHA512
a59f351f836cdf4b1d80b5c9e2863ab56fabfd821218ae88919f583ac6d5b1550088ffc6e66121ddfed8680049b9e813b439c5608fd31a4e4afbf5706cfc9c40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1014B

MD5
f260a2ec529beee554b18d4006b989a6

SHA1
f655b1af7371c66697a31a6a3de12fee1cb3c9a8

SHA256
e79db1816f22aec261af550b75c917c9a8bbfa28dbb05081ae1188f9a10561e5

SHA512
a59f351f836cdf4b1d80b5c9e2863ab56fabfd821218ae88919f583ac6d5b1550088ffc6e66121ddfed8680049b9e813b439c5608fd31a4e4afbf5706cfc9c40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
02fd8896a697a584a64082402e06f425

SHA1
1888dca06f3cb73668a82a77b6b6f3a5eb13d483

SHA256
6000789d192e71f4764cc1da2519fcb5966e528e27e4815719ff422daf9d9f3f

SHA512
8a4bdadaf51da67a5d0f65a27a3fba9cb29b116357d0bad9d87462abf87204811f811c8d7c3fc293b488f68b08783285652301d7496e776ea153a5b30ac140c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
9KB

MD5
6a7e70d205d332d77c5c220c62cf9053

SHA1
eb4d7daf5400a535784bd13c2e23ee737bcf7cf9

SHA256
9b4168f003c039c5affb9f6810b801a95a8c8bf37927f5885888d56c4eafef64

SHA512
71674a03bbd93064fdf9673c0de972722e686cb39cb195c21e8cccd32d5a0e7e89fdeb490360786fae97203acb96fb101afcb1df312fdddcb554dcf17b0f401a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL
Filesize
36KB

MD5
c2cbd4dd9706a9df7d29da1c4fd57239

SHA1
f22348477b62445957084bcb11f2cca6f94e27e0

SHA256
e858b86c5cb90858d0d2eb08b9012ea5fb144246eb070206ceea6cfe8adb2b65

SHA512
cac0966f9d06e9122d1af2e5368ca346630053af3337a24997f6e450f66abf7f5db110fe062ffef13a6d40ff841c5e0a9108d733958d95be62b715f5961a5e21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
b8c8dbdca86a88406afbc2933c96509e

SHA1
c6f147d8eb58dbe38c9e09816ba39dd51cc8c5d2

SHA256
e44d913f1650aa651db55e979de2fa6904b5c368bdfc70a196e785812225ce2d

SHA512
a935a97ed70174dac5ef10908c9584895f48c3e9db1711fc05f960a02c9a62812b485a8346303ba2fe89bb7c224c5efcc9cee46631eb9cd29315ceb0ac466cce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
b8c8dbdca86a88406afbc2933c96509e

SHA1
c6f147d8eb58dbe38c9e09816ba39dd51cc8c5d2

SHA256
e44d913f1650aa651db55e979de2fa6904b5c368bdfc70a196e785812225ce2d

SHA512
a935a97ed70174dac5ef10908c9584895f48c3e9db1711fc05f960a02c9a62812b485a8346303ba2fe89bb7c224c5efcc9cee46631eb9cd29315ceb0ac466cce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
05c0da3fb8d3167e495a784125870207

SHA1
a26b73b873dc10c562f274b031d877480e3c1003

SHA256
e24b9e757fcf0619c1ba31628eda6798d8d781586d9bb41537d71f70d545fd68

SHA512
d523da5995774380772b63dd59737b97038ce407ae56f47f2cb8aa35602cbf9a3b47b240d21cc746533c7aecdc374f1b5ecf4e4cff1cda0d932ebc4fc6044bb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
01435ad7b89241ac31fce39b76a81054

SHA1
acaff9e0e6845038df7e2ec2f89e614c99987174

SHA256
17b30c023ed2f23101a76369714e9f540e416ccc36cb83aa5805e3a7ffcd5244

SHA512
9ddd27ae216a790331bd9cabf0e7d38d5cf71d19b246de332bc2b90c3c76ae013087426dfb59adef94fddea8fb78fea68035529fb1dbfa01480fc295551d4498

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8c7ba96ecda3841938f1b0ead9e49ff9

SHA1
4c9774a9000581acd77ac153241d5d4e68db3846

SHA256
67bf8348eaa664a0f692d09842cad489d4a94035effbc802786c8f6bb296fe31

SHA512
9abeac53c42c85059aa8973250e0f3423944e575625c2b4bf574a1e39c1d4a264d49863336aad3a4a7d7a9d2d159087b15f34ee0269913e918a1ef2b21f2257c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
08ba2660085b21793bc79cb3639a99a8

SHA1
dcf3af4a02848ba95a0b9f8ecd72f5cff52100c0

SHA256
5d7b3fc820b30f9993cdda9b41b429853b1cd49fb5b012ddf0180f75c046176a

SHA512
f483d5e35e2f28ce4d258d840054521baa5d7e24aa06231ac060dc1185ca11b4a8baa4a1f6365eac0c8a19c4709c0c86c145a62ce2ff8fcaf9525887c2c33aed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
a57aa66c039bf86fc7f606af000e66e2

SHA1
f3f35676196bb921e36dcf9f51abdb410b324b7a

SHA256
cadc7d7dd1a4da9ad0a9412d2b5868d188fcb9baf1585e40ded00370f81c3a1e

SHA512
293c2a4c5965283029d703dc162402e66b8c2d76a6da8feac20422aa760f14091556f6beb42f94bbf85e2a75da1d858a3761319191838cd4d8a6bbd1affc26d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
8a98cb632120dbe1808c584c6266c801

SHA1
3a8c258cfcea265a570ffaea75c464eabc9bc391

SHA256
f85b4a4897b2533e7d2c66c3a91629b7a5b6da71eb5234031b0aff620378322e

SHA512
e8d91f0efaf0e7c0efcc0dfa0c171be3d7a662a396d55bb6a41dc92500728db96871d30b1fef02e1665a8bca336741643ab697a94f10b34f0cfd73fdb809b95c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
ad084ab02079b8ee7db6c872379d366c

SHA1
6613fdffb68ae129d7d2fedb4dd9119ec9c912a2

SHA256
d9fd103a4079031711a19f3470dd901099a4b2fd67ffe9e9b90389da90dace67

SHA512
cbf94d8334f5df52af2550ea50035651ce2534fcc00788094d0feebe044384926f9dfb377d15beb92adc9533c8a2ad7161bba7e595a4e6ca61f9cd68d14d16c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
f8628d92170eeade717be59c84c38453

SHA1
d7607c6c32897f8db42861da384e81a394c28337

SHA256
84cc0c8d3ca66d6acb6c221d880061fd2d4b61c7808c34682233907edb489f2f

SHA512
644184130a97b31abb8ea94d2b0a365457580d1103c99b970eb539b13881b48f97d1cd3b1d9dcc595e16f19c1edca8b0c5b43db6b3bebf07310155e0a8b5592c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
a226238e9d90898f1ea50488243b5061

SHA1
53e5ce91b88d99fbd796d3372121116cb99dc9b8

SHA256
f4ae78f9dd7d67f7eb31ffd225d60c02c48a0cadaa782e77f3357c0ad276aa99

SHA512
76dafa6d4739a221752ab36c0c93d1b543d1d8a178ba541b24bb188bb938e9157f672a805de8c1c3b4ba94adc0861710fbb63cde96c586203ce12045b84ae61a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b643a233f0c98154d897a9d3aa3890e6

SHA1
b4de2c3f48d80e7c8b446dcc2dfe8adcd0c592b0

SHA256
14e2233aeab7e0302119614dad6e28210677dacfdd90516199737c297c203ab9

SHA512
72dbeceda04f785d9b92971eb3c16d3a63517b3b04afda72bcdb19333c9caf14889cf645030bd636683263b97fc1cf61d5f1e82d34d83eb11193762a9f1d2f0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
412a2f8dd413bec07c04dda29dfcfca6

SHA1
eafea34d8c7ba4326d7d8ed83ad84322f9c1ce76

SHA256
f4d40d86736bd3fa5069b44c12c2fe8db970985feb92ff3fa602ed06dcbc7646

SHA512
abf056351ef4b5135742e0542a66485d85520f2481cbd93e9dfefebfb7e1843ddb3779cdbb8e06007ae09adbf567e510caf63bc6743622e784ffca1a271124fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1bb9d319c1c3c5c301a9f33704a97206

SHA1
b6caf81e4d1e97e4de3a277d58f0d2f6f55ce392

SHA256
19a5ee9e8f4b8ca1490b393119904c691590798237892ffaa720f68fb658e503

SHA512
1c98777bf0831f5a93e296e07d819bdbdc6eb6f46507d9484eea57b677b20e75c34e7f6c520e4a47b964f0ad1749471005aa721b4a42b385261e42c31564c76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8ae87209eeb1b6af8bc9f9c20696a18e

SHA1
a4f1c77ac8e067caa64322950a36e6606bbd398d

SHA256
f28fb3420c74254b763a6e1f012fb7b471ba2ec988f19e3fe2829fe6933ee8d6

SHA512
9410858b9b3a1437a544a074631a7e484f7f57a6c3b23ddbb32fa766765974beb43ad9c2c7ba499726a7c238a4615cbd9c6f023fb438e2be228a13cf7b019e26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\19b6cf247613cc2a293a024fa2e980aae478e411\dc85922e-08ac-4983-8ead-95a0d03e020e\index-dir\the-real-index
Filesize
72B

MD5
6f098f6a82834120e79e6752698e9017

SHA1
3745b3ea99fe08aa6f26b414c37a26b51ac2935b

SHA256
c684c6635d0afa310d6f10501544ad1650551d6667697a4b89acafc2e7c49d42

SHA512
73fab11d8989e3764d88aec1ecd8db1e2751a3d3c82a1bff7eee2121b497a4cc3c0067cb4d6857861ab776c9226cd08f18334f9b7bb365fe5df9e1f38fb6f8d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\19b6cf247613cc2a293a024fa2e980aae478e411\dc85922e-08ac-4983-8ead-95a0d03e020e\index-dir\the-real-index~RFe587ff9.TMP
Filesize
48B

MD5
73247d1f72ee1666e753a4c403bc888b

SHA1
a08bbf2d294fd1f129079504148b5b11b06e2a62

SHA256
f4144a5af0ec7bb6cb35247b25bd4245055aa3e5a24bb0fa05516796435fafcc

SHA512
d4963f0acfc1f7a9aa5652a08c13c02f254f4309f5a82bdf07962981c9447565951872302ac935a5001fdad648be9daf742bb894bf4baadf4ae90b69c603ad1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\19b6cf247613cc2a293a024fa2e980aae478e411\fe92214b-2070-449a-b8c4-23644ef0a0a4\index-dir\the-real-index
Filesize
504B

MD5
7c1a797658b601a79504d36cd7f88d00

SHA1
10d7b65354467cae388221b32715927c7ee6ed74

SHA256
4ca7a543863541cfae56fee371f9de2b80c6f854e98c896f3b202b2e697eaecf

SHA512
a6a2d8ef570f61081479874d1baabf478408d66974b459a10330081cd446de7f8c029d84c4fd3a9e2dfc0b2f25cfa86b179ec8acb0bfe452057f4ee9113f80c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\19b6cf247613cc2a293a024fa2e980aae478e411\fe92214b-2070-449a-b8c4-23644ef0a0a4\index-dir\the-real-index~RFe588d66.TMP
Filesize
48B

MD5
9b6eb36374396e24538f70e17b42cc72

SHA1
1fe8806128fa346e7bfd9e59c9569c922258cc26

SHA256
04a539697500b75355f27ff1f870c81c280f55ea0e346b4845dac60acb8ec0eb

SHA512
b4cb0643b4b052c3535168619d14ea9881532eefc6b57188ab4f3c512fc41db9e7d15e7d03024eb3b608760d4162a7d813e1521f176732614269240f307d6989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\19b6cf247613cc2a293a024fa2e980aae478e411\index.txt
Filesize
195B

MD5
1963c058c78293d1d51aff0e094eff6a

SHA1
83f89c25562d296e4a0ad8ce3471596829aae386

SHA256
21c6fe370f8e8080ee8bd6decad85d50c7b76d5cc18c31886778b917f280a37a

SHA512
d7305189cd0ac38458cdb15c0253b003592389413379da9332851268f7a13a6eacbf95bf852cdf021dfae5e0a5112ab327a87fb9265847d3bf56b2c7c3b0434d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\19b6cf247613cc2a293a024fa2e980aae478e411\index.txt.tmp
Filesize
199B

MD5
58baf8845c3b8e24be88108c2b5824ed

SHA1
6364126015303301322f3700c3eb68c8c2dd02f3

SHA256
1126d87bc48b113b5c32bdd6c361965db580bc2f8463cd55e0ca9d83162b355f

SHA512
18e1f977db3c1eacaae4983f750b51e036ef5e63e7a87100fa6abb51e4ca0f9ea08a5f19faa364aef6c4d8f7ce3b05c7d0e30b5f14068ec663e5456ded0b0462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\19b6cf247613cc2a293a024fa2e980aae478e411\index.txt~RFe584ef6.TMP
Filesize
110B

MD5
e960cff1df50d7fef76aaa729856cc20

SHA1
2c82ad2a30467ba9ad0e8d52ebceacff17c8e253

SHA256
006c9734a5d6f48b07fdcf70c27ce12a00cdca2fedd14ab03df5f476358f5355

SHA512
a42fa6b15ba9e2adbd6b1f5bbe43624cd5f2d2ea998e7a163704cd9069b16c2195b65aa4409a832fe13704d2b40b5a6d078440b2b47cde5daa4c051740d38262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe583dfe.TMP
Filesize
120B

MD5
69dfccdc35d78a5415f5572350868931

SHA1
4a0a33f1a4a367dae6792de2484bac0c9e912a19

SHA256
317d892ac12d2de7cbcf1e6e8c1842e6e3657ffde1d85edfc72c3e7fe38b3565

SHA512
bcfd9994c1b8cc25aec156af69179331d42ac88cac440bc5feb65c8006e6e8c2cc38f07585bca3045f41c3a7f9ca0e626775a382e71b47c063620084441c8413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
210d46166db30a8d36fab3c1e737299e

SHA1
5587afd3697bf26f94f70f43970d9d84499fccf0

SHA256
c6e8dd431eae72c3793a51feff1774e4e4e4c858d4a1728c7d63aa428f9c7906

SHA512
df8e9cbd1ba14363e53e6d7618ce9d058b755976a141a453286e3eaee8356de77e6c77bbc603321dc1070f7aff194ea6e659c0a6d58043c3b933737e53d9fd8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588d66.TMP
Filesize
48B

MD5
9e66d806db9bfcafb9797dfdfb46fcb6

SHA1
83ba0b3e9bac787600049efdcd146e8a9c5f27ec

SHA256
bc5c51d5ee8c509a784f67979b240433a29eba2ab3251f95ef4a60855ebbdc85

SHA512
a711146e985389b591051369a8640aac46ea1ae4a843148cd7926b6b59e9f3d49bc178d9d4ae6383e1d356b0447c84a0a7bcdbfa706e926696405e86326ba658

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log
Filesize
175B

MD5
6153ae3a389cfba4b2fe34025943ec59

SHA1
c5762dbae34261a19ec867ffea81551757373785

SHA256
93c2b2b9ce1d2a2f28fac5aadc19c713b567df08eaeef4167b6543a1cd094a61

SHA512
f2367664799162966368c4a480df6eb4205522eaae32d861217ba8ed7cfabacbfbb0f7c66433ff6d31ec9638da66e727e04c2239d7c6a0d5fd3356230e09ab6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
Filesize
320B

MD5
43a2355591dccaacde878e7f541143f6

SHA1
8a5083e3f59508a81984c869ab6c8fc00e00be37

SHA256
5c4cca320c3374557d93df5e86ce69d452a873716aeb44b80767fa102e57f970

SHA512
3fcfbb22f6e27ffa5919097cd83c2b11e076be26856bc3c04a96848dbc1031218b3704d6028e223293920df2fc56c4c844364a5632389bef66ea68db403bab47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13325379881978503
Filesize
2KB

MD5
1944f2e7fce03fcc5a01a9732e1aa169

SHA1
ba7b9a9040399c02c2c994e89a3811fd453e3ca5

SHA256
8a13d7eb6a215fd2f8487b59caebc4e43a3bc3f52ccc92964616c94d1f3604ee

SHA512
fac92600d0e0d9bdd02ab0e6b7e207f55e69ebddd38c26e86ba12563f40feb15fdf8a07b95acc8015d60bb8c22881f037d3db10d0e4205b7106a1e814996c607

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
Filesize
345B

MD5
c347ecc1a8408f53f8223db597a51ad1

SHA1
441f02631a3556d8f106dbf053308185b377b859

SHA256
685164d94c64ce29f981183623891be7f987d26fc9418780db43c06de136580b

SHA512
47e3dfc92470284a498e4d7422549a17c7ea97b8a4a0065f6dc58ba6d1994c70f0d8196ff9e9beea390c3796df9c15c5858ff9c49f0793c5ea63f8e3029c2ca7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
Filesize
6KB

MD5
4a9969b9ae1b9da0d1dfa5e03ef6be1d

SHA1
b85ed2c4da702c4ec6e64be72b37f0f5f66ef5af

SHA256
9fbd836ca91956b05503415d067dd79b60757c90d84d88e0c4720b13bebce132

SHA512
f547a07ba13f35960ff55cc8bf1d2884d12b75d6a5a8ef43b86cfc39ddf638cff25eec233e75e78af7d48fef6470d418dd1c2b409476875018811df8c7bceaf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
Filesize
324B

MD5
e9894f596ee72b69cc5146d4af7ae8fa

SHA1
157def47ff8cc32c69b065e3abc620d9ab9c3d0a

SHA256
79367251f5ead3d333e787dc3963b590972ff712474b5835204d06900e7ea95b

SHA512
efed93d19da548acd74180e8b94cc2493e7f39fe60b25bd09ce13c285ce034ec9210cd0eeb5ff25583611f3fe7350b1fede8e18a4afbc0d69b25cfa35fe52669

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c6a3d87c-1665-4d7b-bd1d-aa308d00f56d.tmp
Filesize
5KB

MD5
ad084ab02079b8ee7db6c872379d366c

SHA1
6613fdffb68ae129d7d2fedb4dd9119ec9c912a2

SHA256
d9fd103a4079031711a19f3470dd901099a4b2fd67ffe9e9b90389da90dace67

SHA512
cbf94d8334f5df52af2550ea50035651ce2534fcc00788094d0feebe044384926f9dfb377d15beb92adc9533c8a2ad7161bba7e595a4e6ca61f9cd68d14d16c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log
Filesize
883B

MD5
eab0603b022f3608a597f141fcca7833

SHA1
ad9d35470cf29dba0fe8ddd6c104251ab47620c4

SHA256
867bd360a5537d49743189cb71b0cfb8659d0a6be9e0e89bb162727532ca1c8c

SHA512
8cdad58d2f3eb65ef7658c2c8e55c7da364cccfe0837e2205c9af9a21a3924e3d9c335f606cefdbfb5964cf4c9da1fa55e58c3fd4acf2e9b8495441ee852db7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG
Filesize
317B

MD5
830bee9e48a082d8cf252d0d9be24476

SHA1
2835e1ab816b850ac569b757e5f603379d94952d

SHA256
40a2e617d15be254092bd652c883a9513cf0cbf993ee318a777c733cb0fb8928

SHA512
9720b0be66946783b8572275bfe8bd528a0b353492182bbdc2dbdb56e97598f87f2c97e586d9789dc1398739e319f7e79fb46474a893a080ed9f7c5e59b8ced9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
855B

MD5
f64fbcc19142fa9521157de6e610a300

SHA1
9eb9c61dbac6295b242116c6c08c8dfa37c69218

SHA256
313d6940fc59bf97153e24674b1b751350b50edd248b232468fae02412af3e11

SHA512
8a4d07d35f89ca43fd1d645bd9debb4c26f3bae69592b0910bca9bb0e4b3da53dd6c2a99fde613e3a23519f5b5e59a80d3175a53cf3c5870186985a16bca0c1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG
Filesize
335B

MD5
2aae7c0841460f3070d081289157ca3f

SHA1
948459506fe5e691800f0365891013894580a180

SHA256
d428de15ee271dc0757c5d6f68e257819c5a2ec27ab38bf374476eef57dd7f72

SHA512
2066da0153063c824abc9565c66b59974ca27a4b3cfb4279ba915c9b9e41a5ee26825fd89cb53cd283a69e6f90d47cb02c24e66aeb41af61dbde8eacbc2c0ee2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
200KB

MD5
f7640e14da61b694e2a012e534c16208

SHA1
02ca437b69c94e98f49194383eac91023b79a77f

SHA256
c12d134860d9e7a7d1d7e79e4860121973a0461cd65bebb973337ef2c1f2bc12

SHA512
fea2cfa693b3fb087ee71fd50f9575c23185877af7b1c3351feba8dcb52f702bd5ac211edaf484293d2479279f42d2202f6cbcf1135d4ed82fffc430cff237f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
200KB

MD5
f7640e14da61b694e2a012e534c16208

SHA1
02ca437b69c94e98f49194383eac91023b79a77f

SHA256
c12d134860d9e7a7d1d7e79e4860121973a0461cd65bebb973337ef2c1f2bc12

SHA512
fea2cfa693b3fb087ee71fd50f9575c23185877af7b1c3351feba8dcb52f702bd5ac211edaf484293d2479279f42d2202f6cbcf1135d4ed82fffc430cff237f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
132KB

MD5
a4bfd7a4eff2402086963916186688aa

SHA1
1111aacd1afdaf586c860941043beadb16b99638

SHA256
b620b7753d76a9afe31a4a434b03d09e0b2e4a23c13297468930149ab0eeb192

SHA512
8927cb5434aae7fd1e9e68ade61045be18030de528de4d07ed01b08b20e7416f22120bc94c8a24223fa4f3cd92fc574d339b3cad0ec934d64a01e395002bae59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
132KB

MD5
56bac5969140a8e5bb31e849378569c0

SHA1
a4ce06dd6ba9b5a57b78d142e62388fecb5ac391

SHA256
f85893e788c96bf3bd8d8dd3dbf26cc4bbad2a6a1d64962e8ef895688f0e274b

SHA512
9cea02e7335ab3c9758d920dd9b4f17d80fbafca52c823121cde1c30b9295d8738ac65f368b8c3356e729374b984d2f7212d17c7fe1e20a15e615edf35ab1345

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
132KB

MD5
01c3d5108b2e43fb3dc7b0a49583aa9f

SHA1
fdabc449687d5ccc6af060205e37b191fbfc962d

SHA256
a1696f77e6f43f56c847073aac6a116bc227515b1b1393636871939e579c13fb

SHA512
746eabb89657822a7c0f4013c31dee656f544c366f37bdbec69aa93bd32f9e51be5b493d4c188ec56d396b9a33ff24d94a2d8233f07b66e5364da1aaac646039

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
132KB

MD5
449f5d5c25803f80d9b52c67d5e219f5

SHA1
14f7b5c81fa599431a9afd99d48c6993d79a4110

SHA256
9d46b2ebf600b48051dc05d08cee060132a6d0653b3c9ef4211ac6ff3ce1cd46

SHA512
624f142f9e88218e0f69d08932796306b9ba2941895aef53234d75df23ee9093cc0fc75d3e8101bc2fccbce09d7f0b9f0cca85ff28d3f84162f77b40d02c780d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
132KB

MD5
b9bb707986df7ef2329a6cdc201832b9

SHA1
4a2d9897766e360d34630a3573bfc520d8cee8b9

SHA256
5687e2fba633e7183ef827da1b1ad0ca0db809af8f68e469af8219d0f30a972a

SHA512
fc8495092fad821f20c5e9b2b1be8c4977db1e8fdaebf19a79610d528ca7548bc9c8c20fbe87eb62d652f50c3dc71d59a55ec2be7e786358f8fdfacb05409a19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
113KB

MD5
f82594079218323963e37099a6621c97

SHA1
c1631f59e0545da1faf416893417020f30c5e87a

SHA256
12b0c0a6a8b9b7de547291dde2973118adcd91253fa7d9f5cdc79a5647ed6ce2

SHA512
0388b8b47682cba14aa73613b6a1dfc1f094e0b6b72bfbb0d5bf1c54527b1eba2fc33a81d75e9dc2ef5923e754207d2db81530a9e5798670df2bf53bbfb9f925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
Filesize
4B

MD5
a623ed219fd30f200560e7b8df04c9df

SHA1
666a296735dd0aa84bb3bceabf9739fad532ca21

SHA256
38440b2699f82a2b2823419ebb1aab0f8da6fb36ee344ec9df1e0f449f33a776

SHA512
d5824ee834e049f182ad709c61be48f8e385fd210f69e42551842c40bb61e39edf53cfe9e9659ba938fc50f9c248e1955884e107dcdfe617397b802db98f0aaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\H63C81AS\__bundle[1].js
Filesize
16KB

MD5
0d2154d70c76fc5344f471a8f6eeb327

SHA1
7e691dc7fb01b930ed550d22c74fb11a9bd87d14

SHA256
5526e08d2c2b8b3ed189cdc1c8de9d4596ecac1c8e7d0a70359715c403929d75

SHA512
6cc7078bd68925adfc434f5db24ca13071a90c2381c8545a3f89129cc5e016acd6fb6a0891a0afa9bcaa524a2817ac0b75f4d7ce5ec320ba23d5acf7ccfa1c11

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\TYURQ4C0\favicon-196x196[1].png
Filesize
7KB

MD5
e06f9d74dba1451d6cab5edd1581645b

SHA1
0f1352f4122ca56f7c4e93f207dd88c4758fd86a

SHA256
77e0c50614af96211739874ab95a3e7958a7bb4e956fa8bb431c6e6fd653aac9

SHA512
d5f0a7bb3026bb12be4101e4ecf23f954695af4696c63afcedbfb40dee3bc74327c72a632a6ee0e3e21654867a2c2420d60718f6c54af37cb4662e5313e317e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bkaye1ek.kbc.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
9KB

MD5
7fcc55eee2ad6bec6ea92865fabd18ec

SHA1
5566b545f9cb17dbfc3983f04f62a2e2214dc2de

SHA256
04aa567f4bdbf4df5505b77a334a38625ee6cb9e717788e043583c713f6ba197

SHA512
4ccb0ef83f1864af4d9a474f5c996a95343aa296548289d1746494809f3a425deda1a17713ccc4cdd0fa3606e6d777d170f77b28caa036a8658e9e23d23187e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
10KB

MD5
387f3c345f7125c563860f58169d1b16

SHA1
ff15c879885ccdda99a51d22f86e62d7d03d305d

SHA256
d39fbae191b061ce03b14bcbb9030a85b511bc724a9a8fc16bba5527cd60e1b3

SHA512
b21e80d54868a2ce95aa13e8125ec85e739f55ce6661613e6efa13bc88ac5aefc9fbd25dd092c861454827dd47c729470d995e897b1f3f48e6757e2d784ef87b

Download Submit
C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\bin\Valyse.exe
Filesize
3.2MB

MD5
914a13f7792bcce4fc4c25521b20ea26

SHA1
42346e66275936b249c4a2bf0ac0f04d79a9c1b1

SHA256
d8532a471399c1b6ca15c543c55162f1938be82ceda2044b0f46b47989d668e1

SHA512
7bd9f4b722940a18cc41d1d1afe73f0d74bc1f38e6b708ab9270448591305b0331a450b1ed05baa4c6e83f374c50dabe8d34848c032336ca76cf35b08d86045e

Download Submit
C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\bin\Valyse.exe.WebView2\EBWebView\Default\Code Cache\js\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\bin\Valyse.exe.WebView2\EBWebView\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\bin\Valyse.exe.WebView2\EBWebView\Default\GPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\bin\Valyse.exe.WebView2\EBWebView\ShaderCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\Desktop\ValyseOfficialRelease1.4.1-b.2\bin\Valyse.exe.WebView2\EBWebView\ShaderCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\Downloads\FRSTEnglish.exe
Filesize
2.3MB

MD5
5a07604884b47a9a2c5bedf14cf742fc

SHA1
ad02eb996205e3d88cdb4e3b007492f618897c1b

SHA256
8e07c5c499bdbe215b86153a4d157c6275780115062ce46c7f728caea7ef1bc2

SHA512
a24b76ed5e9593ce8fc0c2066929304adf27e6bbe37dca61a03c82677cc6f56bb2866140c1f62fc0aecc1cfbc249a146eefafa3b65b4fccfe3dd4eb5e52891ab

Download Submit
C:\Users\Admin\Downloads\MBSetup-01908E66.exe
Filesize
2.5MB

MD5
1ed0d8b2214a5d067d5422145689f747

SHA1
e671419cc7957c1118b9bb84251a40c03351f07f

SHA256
06a4bacdae17ad89c8fc93fc4ebf6603ca406e8bcc51f3fd32f700d18436be56

SHA512
e2a686efcb1bcda6b55c5d10654124fc2b27c426a979929a1e9de171794745abc9f0cd9dbd302a4e02d95269c7abee5dd051c1687e8f794da317b3fc4bf665b8

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
181KB

MD5
6ca8a22b6cd94b0f2d3190beb909352e

SHA1
0cc08aa61833c412cfe2489b0c4a0bdfa1673b05

SHA256
0d4081bfb0f3c66526e087c58f35d1ad81f7e4f4220ff7d0fcf55bd03e395e5c

SHA512
61f5ca82df0bf372ca0b741d2c23d38bd6e2a9700ed62ce3779e0820295ef177a7609a5ee4c0a76495b8d5bb3619041302926f15bf4685d2a27dd6d49b7692e5

Download Submit
C:\Windows\Temp\MBInstallTempd1aee1eed59411edb55076a232a3e020\ctlrpkg\mbae64.sys
Filesize
154KB

MD5
95515708f41a7e283d6725506f56f6f2

SHA1
9afc20a19db3d2a75b6915d8d9af602c5218735e

SHA256
321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6

SHA512
d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08

Download Submit
C:\Windows\Temp\MBInstallTempd1aee1eed59411edb55076a232a3e020\servicepkg\MBAMService.exe
Filesize
8.7MB

MD5
df6a796460b0f70a9a42cb1ab98e7ffd

SHA1
657c2c3cdef7325c6331f377fe0227760f6bde1a

SHA256
676f3c56d6e5c8dddd7f01d5d10baad352683a2cb8b9bd4ce526a7629fc8fa43

SHA512
21b399a76845f81ceabc60d2225ddea30296f3ecd52a3668e60a51d9593c9444596b8ec041b53ae8d8f6f18ee54ab23db8678945e832355e9e76a6fbbfcc0b87

Download Submit
C:\Windows\Temp\MBInstallTempd1aee1eed59411edb55076a232a3e020\servicepkg\mbamelam.cat
Filesize
10KB

MD5
60608328775d6acf03eaab38407e5b7c

SHA1
9f63644893517286753f63ad6d01bc8bfacf79b1

SHA256
3ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59

SHA512
9f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7

Download Submit
C:\Windows\Temp\MBInstallTempd1aee1eed59411edb55076a232a3e020\servicepkg\mbamelam.inf
Filesize
2KB

MD5
c481ad4dd1d91860335787aa61177932

SHA1
81633414c5bf5832a8584fb0740bc09596b9b66d

SHA256
793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3

SHA512
d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830

Download Submit
C:\Windows\Temp\MBInstallTempd1aee1eed59411edb55076a232a3e020\servicepkg\mbamelam.sys
Filesize
20KB

MD5
9e77c51e14fa9a323ee1635dc74ecc07

SHA1
a78bde0bd73260ce7af9cdc441af9db54d1637c2

SHA256
b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0

SHA512
a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186

Download Submit
C:\Windows\Temp\MBInstallTempd1aee1eed59411edb55076a232a3e020\servicepkg\mbshlext.dll
Filesize
2.7MB

MD5
b7e5071b317550d93258f7e1e13e7b6f

SHA1
2d08d78a5c29cf724bc523530d1a9014642bbc60

SHA256
467de01d7cee7ec54166b80658ff22f9feebdb1c24eaf1629cf40e4124508064

SHA512
9c35293c95c1a9141740ac99315605964aa37c4a42d3a11cae9e5649ff1427a9480d3d5e7f763212cf13db3511c5ea3c84e68f95f0067fe6339a9d3fb7b27c54

Download Submit
C:\Windows\Temp\MBInstallTempd1aee1eed59411edb55076a232a3e020\uipkg\QtQuick\Controls.2\HorizontalHeaderView.qml
Filesize
1KB

MD5
d8c9674c0e9bddbd8aa59a9d343cf462

SHA1
490aa022ac31ddce86d5b62f913b23fbb0de27c2

SHA256
1ef333b5fb4d8075973f312ef787237240b9f49f3f9185fb21202883f900e7d7

SHA512
0b86ec673133f6400c38b79f9ba4f7b37ce5afdab1a2e34acbf75019e2590cc26b26d323ddc1567c91375053c9c8593be0615389db8eb1a8d1eb084ad4200b82

Download Submit
C:\Windows\Temp\MBInstallTempd1aee1eed59411edb55076a232a3e020\uipkg\QtQuick\Controls.2\Imagine\VerticalHeaderView.qml
Filesize
1KB

MD5
829769b2741d92df3c5d837eee64f297

SHA1
f61c91436ca3420c4e9b94833839fd9c14024b69

SHA256
489c02f8716e7a1de61834b3d8bbb61bce91ca4a33a6b62342b4c851d93e51e0

SHA512
4061c271db37523b9dea9a9973226d91337e1809d4e7767e57ac938d35d77a302363ed92ab4be18c35ba589f528194ad71c93a8507449bf74dd035acf7cdb521

Download Submit
\??\pipe\crashpad_3312_HHSZZCCQFVAFOZVI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_5060_UJHZECTRCCKIQPVU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/948-5997-0x00000169DFE00000-0x00000169DFE01000-memory.dmp

Filesize
4KB

Download
memory/948-5917-0x00000169DF820000-0x00000169DF830000-memory.dmp

Filesize
64KB

Download
memory/948-5964-0x00000169DFD00000-0x00000169DFD10000-memory.dmp

Filesize
64KB

Download
memory/948-5999-0x00000169DFFD0000-0x00000169DFFD2000-memory.dmp

Filesize
8KB

Download
memory/948-6001-0x00000169E4B70000-0x00000169E4B72000-memory.dmp

Filesize
8KB

Download
memory/948-6003-0x00000169E4B90000-0x00000169E4B92000-memory.dmp

Filesize
8KB

Download
memory/948-6213-0x00000169E5CE0000-0x00000169E5CE1000-memory.dmp

Filesize
4KB

Download
memory/948-6215-0x00000169E5CF0000-0x00000169E5CF1000-memory.dmp

Filesize
4KB

Download
memory/1588-794-0x0000000009100000-0x000000000911A000-memory.dmp

Filesize
104KB

Download
memory/1588-766-0x000000000AE80000-0x000000000AE90000-memory.dmp

Filesize
64KB

Download
memory/1588-795-0x0000000008F90000-0x0000000008F98000-memory.dmp

Filesize
32KB

Download
memory/1588-796-0x00000000FF680000-0x00000000FF690000-memory.dmp

Filesize
64KB

Download
memory/1588-792-0x0000000008B70000-0x0000000008C15000-memory.dmp

Filesize
660KB

Download
memory/1588-769-0x000000000EAF0000-0x000000000EB0A000-memory.dmp

Filesize
104KB

Download
memory/1588-770-0x000000000EC10000-0x000000000EC46000-memory.dmp

Filesize
216KB

Download
memory/1588-793-0x00000000FF680000-0x00000000FF690000-memory.dmp

Filesize
64KB

Download
memory/1588-776-0x000000000F9A0000-0x000000000F9BC000-memory.dmp

Filesize
112KB

Download
memory/1588-771-0x0000000010080000-0x00000000106F8000-memory.dmp

Filesize
6.5MB

Download
memory/1588-772-0x000000000FAA0000-0x000000000FB34000-memory.dmp

Filesize
592KB

Download
memory/1588-773-0x000000000EC50000-0x000000000EC72000-memory.dmp

Filesize
136KB

Download
memory/1588-782-0x0000000011450000-0x00000000114C6000-memory.dmp

Filesize
472KB

Download
memory/1588-767-0x000000000AE80000-0x000000000AE90000-memory.dmp

Filesize
64KB

Download
memory/1588-765-0x000000000AE80000-0x000000000AE90000-memory.dmp

Filesize
64KB

Download
memory/1588-791-0x0000000008B40000-0x0000000008B5E000-memory.dmp

Filesize
120KB

Download
memory/1588-774-0x000000000F9F0000-0x000000000FA56000-memory.dmp

Filesize
408KB

Download
memory/1588-775-0x0000000010700000-0x0000000010BFE000-memory.dmp

Filesize
5.0MB

Download
memory/1588-1226-0x00000000023F0000-0x0000000002402000-memory.dmp

Filesize
72KB

Download
memory/1588-777-0x000000000FB90000-0x000000000FBDA000-memory.dmp

Filesize
296KB

Download
memory/1588-778-0x0000000010C00000-0x0000000010F50000-memory.dmp

Filesize
3.3MB

Download
memory/1588-779-0x000000000FFA0000-0x0000000010006000-memory.dmp

Filesize
408KB

Download
memory/1588-780-0x0000000010040000-0x0000000010062000-memory.dmp

Filesize
136KB

Download
memory/1588-781-0x00000000110B0000-0x00000000110FB000-memory.dmp

Filesize
300KB

Download
memory/1588-1981-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/1588-768-0x000000000AE80000-0x000000000AE90000-memory.dmp

Filesize
64KB

Download
memory/2196-2004-0x00000000072D0000-0x00000000072D8000-memory.dmp

Filesize
32KB

Download
memory/2196-1990-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/2196-2002-0x0000000007370000-0x0000000007402000-memory.dmp

Filesize
584KB

Download
memory/2196-1999-0x00000000062A0000-0x00000000062AE000-memory.dmp

Filesize
56KB

Download
memory/2196-1998-0x0000000006990000-0x0000000006EBC000-memory.dmp

Filesize
5.2MB

Download
memory/2196-1997-0x0000000005C40000-0x0000000005C48000-memory.dmp

Filesize
32KB

Download
memory/2196-1996-0x0000000005C10000-0x0000000005C1A000-memory.dmp

Filesize
40KB

Download
memory/2196-1995-0x0000000005E40000-0x0000000005ED2000-memory.dmp

Filesize
584KB

Download
memory/2196-1994-0x0000000005D90000-0x0000000005E40000-memory.dmp

Filesize
704KB

Download
memory/2196-1993-0x0000000005BC0000-0x0000000005BEC000-memory.dmp

Filesize
176KB

Download
memory/2196-1992-0x0000000005B70000-0x0000000005B8A000-memory.dmp

Filesize
104KB

Download
memory/2196-2001-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/2196-1991-0x0000000005B50000-0x0000000005B6A000-memory.dmp

Filesize
104KB

Download
memory/2196-2003-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/2196-2000-0x0000000006EC0000-0x0000000006F26000-memory.dmp

Filesize
408KB

Download
memory/2196-2008-0x0000000005910000-0x000000000591E000-memory.dmp

Filesize
56KB

Download
memory/2196-1986-0x0000000007BE0000-0x000000000807C000-memory.dmp

Filesize
4.6MB

Download
memory/2196-1989-0x000000000E9D0000-0x000000000E9D8000-memory.dmp

Filesize
32KB

Download
memory/2196-1987-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/2196-2005-0x00000000074B0000-0x000000000754C000-memory.dmp

Filesize
624KB

Download
memory/2196-1985-0x0000000000BB0000-0x0000000000EE2000-memory.dmp

Filesize
3.2MB

Download
memory/2196-1988-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/2196-2009-0x0000000005A20000-0x0000000005A2A000-memory.dmp

Filesize
40KB

Download
memory/2196-2010-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/2196-2011-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/2196-2012-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/3340-2014-0x000000000AD40000-0x000000000AD50000-memory.dmp

Filesize
64KB

Download
memory/3340-2015-0x000000000AD40000-0x000000000AD50000-memory.dmp

Filesize
64KB

Download
memory/3340-2016-0x000000000E1B0000-0x000000000E500000-memory.dmp

Filesize
3.3MB

Download
memory/4468-5590-0x000001BEC9F90000-0x000001BECA550000-memory.dmp

Filesize
5.8MB

Download
memory/4468-5891-0x000001BEC9F90000-0x000001BECA550000-memory.dmp

Filesize
5.8MB

Download
memory/4468-6014-0x000001BEC9F90000-0x000001BECA550000-memory.dmp

Filesize
5.8MB

Download
memory/5072-119-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/5072-118-0x0000000000840000-0x0000000001EC0000-memory.dmp

Filesize
22.5MB

Download
memory/5072-122-0x000000000ACA0000-0x000000000ACB0000-memory.dmp

Filesize
64KB

Download
memory/5072-240-0x000000000ACA0000-0x000000000ACB0000-memory.dmp

Filesize
64KB

Download
memory/5072-126-0x0000000006640000-0x000000000664A000-memory.dmp

Filesize
40KB

Download
memory/5072-149-0x000000000ACA0000-0x000000000ACB0000-memory.dmp

Filesize
64KB

Download
memory/5072-133-0x0000000006E00000-0x0000000007428000-memory.dmp

Filesize
6.2MB

Download
memory/5072-148-0x000000000E380000-0x000000000E3B8000-memory.dmp

Filesize
224KB

Download
memory/5072-146-0x0000000006890000-0x0000000006B48000-memory.dmp

Filesize
2.7MB

Download
memory/5072-134-0x0000000006730000-0x0000000006760000-memory.dmp

Filesize
192KB

Download
memory/5104-6202-0x00000291B44C0000-0x00000291B44C2000-memory.dmp

Filesize
8KB

Download
memory/5104-6084-0x00000291B3150000-0x00000291B3152000-memory.dmp

Filesize
8KB

Download
memory/5104-6159-0x00000291B4410000-0x00000291B4412000-memory.dmp

Filesize
8KB

Download
memory/5104-6207-0x00000291B4700000-0x00000291B4702000-memory.dmp

Filesize
8KB

Download
memory/5104-6161-0x00000291B4430000-0x00000291B4432000-memory.dmp

Filesize
8KB

Download
memory/5104-6135-0x00000291B27C0000-0x00000291B27E0000-memory.dmp

Filesize
128KB

Download
memory/5104-6129-0x00000291B3830000-0x00000291B3832000-memory.dmp

Filesize
8KB

Download
memory/5104-6086-0x00000291B3310000-0x00000291B3312000-memory.dmp

Filesize
8KB

Download
memory/5104-6081-0x00000291B3130000-0x00000291B3132000-memory.dmp

Filesize
8KB

Download
memory/5116-5885-0x00007FF8A3D50000-0x00007FF8A42BB000-memory.dmp

Filesize
5.4MB

Download
memory/5116-6263-0x000001F1FAAB0000-0x000001F1FAAB1000-memory.dmp

Filesize
4KB

Download
memory/5116-6265-0x000001F1FAAB0000-0x000001F1FAAB1000-memory.dmp

Filesize
4KB

Download
memory/5116-6264-0x000001F1FAAB0000-0x000001F1FAAB1000-memory.dmp

Filesize
4KB

Download
memory/5116-5886-0x00007FF8A4A90000-0x00007FF8A4EAE000-memory.dmp

Filesize
4.1MB

Download
memory/5116-5887-0x000001F1FB0C0000-0x000001F1FB500000-memory.dmp

Filesize
4.2MB

Download
memory/5116-5889-0x000001F1FB500000-0x000001F1FB700000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads