hxxps://pixeldrain[.]com/u/c5xbAxi3

Analysis

max time kernel
299s
max time network
329s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2023, 06:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://pixeldrain.com/u/c5xbAxi3

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\farflt.sys	mbamservice.exe
File created	C:\Windows\system32\DRIVERS\SET75D2.tmp	mbamservice.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	mb4.exe
File created	C:\Windows\system32\drivers\is-LBC7B.tmp	mb3.tmp
File opened for modification	C:\Windows\system32\DRIVERS\SET6392.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\mbamswissarmy.sys	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET7595.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\mwac.sys	mbamservice.exe
File created	C:\Windows\system32\DRIVERS\SET8207.tmp	mbamservice.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET7594.tmp	mbamservice.exe
File created	C:\Windows\system32\DRIVERS\SET7594.tmp	mbamservice.exe
File created	C:\Windows\system32\DRIVERS\SET7595.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET8207.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\mbam.sys	mbamservice.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\DRIVERS\SET6392.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamChameleon.sys	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET75D2.tmp	mbamservice.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMChameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	mbamservice.exe

Executes dropped EXE 15 IoCs

pid	Process
3812	SetupMBAM.exe
488	mb3.exe
2244	mb3.tmp
4972	mbamservice.exe
4192	mbamservice.exe
3588	mbamtray.exe
1788	mb4.exe
2928	MBAMInstallerService.exe
1492	MBAMWsc.exe
4472	mbstcmd.exe
4944	MBAMWsc.exe
1760	unins000.exe
5112	_iu14D2N.tmp
1960	mbamservice.exe
4268	mbamwsc.exe

Loads dropped DLL 64 IoCs

pid	Process
2244	mb3.tmp
2244	mb3.tmp
2244	mb3.tmp
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
3588	mbamtray.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
2928	MBAMInstallerService.exe
3588	mbamtray.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ThreadingModel = "Apartment"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	mbamservice.exe
File opened (read-only)	\??\M:	mbamservice.exe
File opened (read-only)	\??\B:	mbamservice.exe
File opened (read-only)	\??\G:	mbamservice.exe
File opened (read-only)	\??\H:	mbamservice.exe
File opened (read-only)	\??\O:	mbamservice.exe
File opened (read-only)	\??\P:	mbamservice.exe
File opened (read-only)	\??\S:	mbamservice.exe
File opened (read-only)	\??\T:	mbamservice.exe
File opened (read-only)	\??\Y:	mbamservice.exe
File opened (read-only)	\??\E:	mbamservice.exe
File opened (read-only)	\??\J:	mbamservice.exe
File opened (read-only)	\??\N:	mbamservice.exe
File opened (read-only)	\??\Z:	mbamservice.exe
File opened (read-only)	\??\R:	mbamservice.exe
File opened (read-only)	\??\U:	mbamservice.exe
File opened (read-only)	\??\W:	mbamservice.exe
File opened (read-only)	\??\X:	mbamservice.exe
File opened (read-only)	\??\A:	mbamservice.exe
File opened (read-only)	\??\K:	mbamservice.exe
File opened (read-only)	\??\Q:	mbamservice.exe
File opened (read-only)	\??\L:	mbamservice.exe
File opened (read-only)	\??\V:	mbamservice.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_C2C3D990B393462F0B24251F41DF0EF5	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_C2C3D990B393462F0B24251F41DF0EF5	mbamservice.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\PrivateWidgets\is-JQDL5.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-JT9LE.tmp	mb3.tmp
File created	C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sdk\mbam.sys	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQml\Models.2\is-TA4U8.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Layouts\is-1013L.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-M04GC.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\is-17SP8.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-SMMH0.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-TUL0P.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-T53VV.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\is-CJU2H.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-0NFM2.tmp	mb3.tmp
File created	C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sdk\mbam.inf	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-V60E1.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-NFNL1.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQml\Models.2\is-IVQDF.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-0L0U8.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-V8DUM.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\is-FFTU6.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-L7EQS.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-LLDA6.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-L2O5E.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-OLPAO.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-8DJD6.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-6IP2F.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-7P0VC.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-RF226.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-20929.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-689C3.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\is-U3K1V.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\Private\is-D2O7H.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-C2TSV.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-NOKL3.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\Private\is-4JGOD.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-GIQ7C.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-RF3MG.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-HHQMD.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-4PIKR.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-L8B9Q.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\mwac.sys	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\mwac.inf	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-9U4MI.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-30GIL.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick.2\is-FNBQ1.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-9CVIH.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Window.2\is-CIQFH.tmp	mb3.tmp
File opened for modification	C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-JO2G9.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\is-KS5VQ.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Extras\is-M603J.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick.2\is-6PO6K.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-OJHSD.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-HC0AD.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-C3APD.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\is-3UHHK.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\is-FPV7R.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-7ABMG.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.cat	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.sys	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-5G7DQ.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-O6RHP.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Extras\is-KPT5P.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Layouts\is-VQFUT.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\PrivateWidgets\is-26SO6.tmp	mb3.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\security\logs\scecomp.log	mbamservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
820	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	mb3.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	mb3.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	mb3.tmp

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133357773358990353"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mbamservice.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA09B8D-A536-4429-8331-49808442D24B}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EA9E3C-6507-4725-8F4F-ED4DDDE7A709}\ = "IAEControllerEvents"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9F73DD6-F2A4-40F8-9109-67F6BB8D3704}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2446F405-83F0-460F-B837-F04540BB330C}	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C871BA6-4662-4E17-ABF4-3B2276FC0FF4}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA248A19-F84E-4407-ADD3-8563AFD81269}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1097B101-1FF8-4DD8-A6C1-6C39FB2EA5D6}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B42C782-9650-4EFF-9618-91118DF96061}\ = "IScanControllerEventsV5"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A9108FB-A377-47EC-96E3-3CB8B1FB7272}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAD5232C-6E05-4458-9709-0B4DCB22EA09}\TypeLib\ = "{226C1698-A075-4315-BB5D-9C164A96ACE7}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BCAC7E-75E7-4971-B3F3-B197A510F495}\1.0\FLAGS\ = "0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B05F69B-4F9B-4FD3-A491-16153F999E00}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E3D4AC2-A9AE-478A-91EE-79C35D3CA8C7}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCEFCD43-B934-4168-AE51-6FE07D3D0624}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DC97FF29-5CE2-4897-8175-94672057E02D}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78E69E6F-EC12-4B84-8431-1D68572C7A61}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE35F2CA-6335-49BA-8E86-F6E246CFCEA6}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1691A7E8-B8D1-46D5-BB29-3A4DB2D809C6}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A10434E2-CAA7-48C4-9770-E9F215C51ECC}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17A7CC72-3288-442A-ABE8-F8E049B3BE83}\TypeLib\ = "{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B05F69B-4F9B-4FD3-A491-16153F999E00}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD6673C7-8E52-46EE-80B8-58F3FB6AA036}\ = "IPoliciesControllerEvents"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0D8223D-D594-4147-BAD8-1E2B54ED1990}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EA9E3C-6507-4725-8F4F-ED4DDDE7A709}\TypeLib\ = "{2446F405-83F0-460F-B837-F04540BB330C}"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CloudController.1	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E0987E3-3699-4C92-8E76-CAEDA00FA44C}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F12E228B-821D-4093-B2E0-7F3E169A925A}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC34538A-37CB-44B4-9264-533E9347BB40}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B42C782-9650-4EFF-9618-91118DF96061}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5201562-332D-4385-87E7-2BB41B1694AA}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F2D6C4F-0B95-4A53-BA9D-55526737DC34}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1BA0B73-14BD-4C9D-98CA-99355BD4EB24}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{04F8CDB5-1E26-491C-8602-D2ADE2D8E17A}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD3CFEBD-3B8E-4651-BB7C-537D1F03E59C}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{616E9BE3-358B-4C06-8AAB-0ACF8D089931}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C842243-BDAD-4A93-B282-93E3FCBC1CA4}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1E58D1A-2918-4508-908A-601219B2CCC6}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AEBAD20-B80A-427D-B7D5-D2983291132E}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81541635-736E-4460-81AA-86118F313CD5}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{993A5C11-A9B8-41E9-9088-C5182B1F279A}	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B05F69B-4F9B-4FD3-A491-16153F999E00}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}\1.0\0	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D488C7C-023D-4561-B377-DD9FB7124326}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD6673C7-8E52-46EE-80B8-58F3FB6AA036}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{118F4330-CAF5-4A54-ABB0-DC936669ED2F}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7F95C137-46FC-42FB-A66A-F0482F3C749C}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59E42E77-5F19-4602-A559-3FFA9EE51202}\TypeLib\Version = "1.0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CE18DD5-2BD7-4844-B9AD-DF6A995750A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\malwarebytes\shell	mb3.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71B13605-3569-4F4A-B971-08FF179A3A60}\ = "_IScannerEvents"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237E618C-D739-4C8A-9F72-5CD4EF91CBE5}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{59DBD1B8-A7BD-4322-998F-41B0D2516FA0}\1.0\HELPDIR	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.AEController.1\ = "AEController Class"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\ = "LicenseController Class"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE35F2CA-6335-49BA-8E86-F6E246CFCEA6}\TypeLib\ = "{C731375E-3199-4C88-8326-9F81D3224DAD}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EC225D5-FD37-4F9B-B80F-09FAE36103AE}	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA09B8D-A536-4429-8331-49808442D24B}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A993F934-6341-4D52-AB17-F93184A624E4}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\ProgID	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C710FA9-862A-40CF-9F54-063EF8FC8438}\ = "IRTPControllerEvents"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C731375E-3199-4C88-8326-9F81D3224DAD}\1.0\0\win64	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F275D775-3A22-4C5A-B9AD-6FE8008304D0}\ProxyStubClsid32	mbamservice.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3852	reg.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	mbamservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mbamservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	mbamservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	mbamservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	mbamservice.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3588	mbamtray.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3460	chrome.exe
3460	chrome.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4192	mbamservice.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe
4472	mbstcmd.exe

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3460	chrome.exe
3460	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
2244	mb3.tmp
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe
3588	mbamtray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 1712	3460	chrome.exe	70
PID 3460 wrote to memory of 1712	3460	chrome.exe	70
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 816	3460	chrome.exe	82
PID 3460 wrote to memory of 4132	3460	chrome.exe	83
PID 3460 wrote to memory of 4132	3460	chrome.exe	83
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84
PID 3460 wrote to memory of 4548	3460	chrome.exe	84

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4732	attrib.exe
3040	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pixeldrain.com/u/c5xbAxi3
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff834c79758,0x7ff834c79768,0x7ff834c79778
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:2
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:1
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5556 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:8
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5688 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5832 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5712 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:8
  2⤵
  PID:4176
- C:\Users\Admin\Downloads\SetupMBAM.exe
  "C:\Users\Admin\Downloads\SetupMBAM.exe"
  2⤵
  - Executes dropped EXE
  PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c .\setup.cmd
    3⤵
    - Drops file in Drivers directory
    PID:3096
  - - C:\Windows\system32\fltMC.exe
      fltmc
      4⤵
      PID:3776
  - - C:\Windows\system32\attrib.exe
      attrib -r "C:\Windows\System32\drivers\etc\hosts"
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4732
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:820
  - - C:\Windows\system32\xcopy.exe
      xcopy "C:\Users\Admin\AppData\Local\Temp\7zS4EE527B8\MB2Migration" "C:\ProgramData\MB2Migration" /i /s /y
      4⤵
      PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\7zS4EE527B8\mb3.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS4EE527B8\mb3.exe" /verysilent
      4⤵
      Executes dropped EXE
      PID:488
    - - C:\Users\Admin\AppData\Local\Temp\is-4GPAU.tmp\mb3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4GPAU.tmp\mb3.tmp" /SL5="$100046,75987422,119296,C:\Users\Admin\AppData\Local\Temp\7zS4EE527B8\mb3.exe" /verysilent
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:2244
      - C:\Windows\system32\certutil.exe
        
        "certutil.exe" -f -addStore root "C:\Users\Admin\AppData\Local\Temp\is-BI1EC.tmp\BaltimoreCyberTrustRoot.crt"
        6⤵
        
        PID:3400
      - C:\Windows\system32\certutil.exe
        
        "certutil.exe" -f -addStore root "C:\Users\Admin\AppData\Local\Temp\is-BI1EC.tmp\DigiCertEVRoot.crt"
        6⤵
        
        PID:2052
      - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
        
        "C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe" /service
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\7zS4EE527B8\mb4.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS4EE527B8\mb4.exe" /verysilent /norestart
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      PID:1788
  - - C:\Windows\system32\attrib.exe
      attrib +r "C:\Windows\Temp\MBInstallTemp\migrate\config\LicenseConfig.json"
      4⤵
      Views/modifies file attributes
      PID:3040
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\MBAMInstallerService\Parameters /v SetSPStateCompleted /f
      4⤵
      Modifies registry key
      PID:3852
  - - C:\Windows\system32\shutdown.exe
      shutdown /r /t 0
      4⤵
      PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 --field-trial-handle=1908,i,6160074574802004748,11928511290803771212,131072 /prefetch:8
  2⤵
  PID:1420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4960

C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4192
- C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3588
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe" /wac 1 /status off false /updatesubstatus none /scansubstatus recommended /settingssubstatus none
  2⤵
  - Executes dropped EXE
  PID:1492

C:\Users\Admin\AppData\Local\Temp\MBAMInstallerService.exe
"C:\Users\Admin\AppData\Local\Temp\MBAMInstallerService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928
- C:\Windows\TEMP\MBInstallTemp\mbstcmd.exe
  "C:\Windows\TEMP\MBInstallTemp\mbstcmd.exe" /y /cleanup /quiet /nomb4uninstaller /noreboot
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4472
- - C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
    "C:\Program Files\Malwarebytes\Anti-Malware\\MBAMWsc.exe" /uninstall
    3⤵
    - Executes dropped EXE
    PID:4944
- - C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe
    "C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe" /LOG /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /log="C:\Windows\TEMP\Mbam3x.log"
    3⤵
    - Executes dropped EXE
    PID:1760
  - - C:\Windows\TEMP\_iu14D2N.tmp
      "C:\Windows\TEMP\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe" /FIRSTPHASEWND=$1005C /LOG /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /log="C:\Windows\TEMP\Mbam3x.log"
      4⤵
      Executes dropped EXE
      PID:5112
    - - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
        
        "C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe" /unregserver
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:1960
    - - C:\Program Files\Malwarebytes\Anti-Malware\mbamwsc.exe
        
        "C:\Program Files\Malwarebytes\Anti-Malware\mbamwsc.exe" /uninstall
        5⤵
        Executes dropped EXE
        
        PID:4268
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll"
        5⤵
        
        PID:2256

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b8855 /state1:0x41c64e6d
1⤵
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\7z.dll

Filesize
1.6MB

MD5
7580437d0fb8c1ae60d96dafb6883d30

SHA1
be89b488b258555a8cf971e4d29c40ce92bf881d

SHA256
3dce36d583ba1c741e95df1a265e47f0de581bef77ab48165dd67266be7a42ef

SHA512
e67be84fb4c9bc87c20b72a1169f068b0afdbc9872be2cb0bfcf9eff65b2b246c60c7237350cbb38cefc004a75645f49d30c9acab12efb0e914450886c21e1eb

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Actions.dll

Filesize
4.0MB

MD5
bbf8d1bd3fed70264553c43933c0778f

SHA1
ee482444cd5c8751b1e593f0ee9c4102a6b3e73b

SHA256
541236c5093e7d561049a9aa4aef0f4610d2229ac0f268098d028ac0acd0ebef

SHA512
427d177da0fb71869f604d316d3cf2a49c426d743bc0c48e2f75bf9dc6a574a82a25a1096d26d774c0221da4c9efaa21e2371dea3aaa7226fed0ff6a51dd9d04

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\BrowserSDKDLL.dll

Filesize
3.3MB

MD5
92e9642560b3824d14886b5a07abc0fe

SHA1
ea27777f0ac8c84d8f2acf14f4f3d76beaa3600f

SHA256
ee7bf546ff261caefe63b9291a359681e8167d3eae48529c8b03df83992d5f3f

SHA512
31c17b5019767980f900d7fc85a2a21e39e01ab52425418c2aef877584c26379b0bd0e79fffc155b14efb7187a7f4d1d6c57420ed83c028ab94574b5644f5bf3

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CloudControllerImpl.dll

Filesize
3.3MB

MD5
bdb0adcf1fa2d6ad11ca148925fc6056

SHA1
14348951d1749ac6fa25edb26fbdfc38261ed0ca

SHA256
56e54267ea2594d7b2a7b69d751f6aa70e99b7006dfff2f6ab516c83f5a5a09b

SHA512
017658186f962376de6affc45535f9e156f4a11027a8000ae1ed37b0699d598e3b41a3a29c2031982127adf2a575b3978bc7a2183fca822049efa61214b8d49a

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\LicenseControllerImpl.dll

Filesize
3.3MB

MD5
c091823974c144a4ad60253346be986f

SHA1
6268491af4b35824a25b3a879412aa3894073c90

SHA256
53aad200edbab6e1591c1502afab7e2014aaa98e52c4be6bdfdd5332248d2032

SHA512
02fb68f67eb49c7e76f3772ef830b9981487eda9c87243dd8b6b4406a9bcc2de0253ac63271e7c35dc27102211ffc31ef550d5b6d49734dce762f0c47bd563fa

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMCore.dll

Filesize
4.4MB

MD5
357fc4ccbec4ba925ceec54ba1940de6

SHA1
16ff9d20c00b575c7fe3d19ed47ba2e1c025446b

SHA256
a99c1e7a2408fde154a259894bdce12486ba8aaff9904098c2febf60cf2d0142

SHA512
fe20f82a16001c3919bf8ada707532c7ecc3b0ff01170a8063dac7dbb6dca2f23c18a1fd2894836d1ad9d8cf5efc3f376d1a0536b29b77297709ded9306ab366

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll

Filesize
2.2MB

MD5
9461138ffbdb975a8e125163bf948158

SHA1
8275135bf4ceaf57c5ba8f66dd49d69d992c0c66

SHA256
373cf9d48fbb81f4ff07713428d50a62c7bbc0fc594af3987e0bd655f83ed3a0

SHA512
c0f7978527c24c9d767e58dfb53e346f9d1af1c09674bef723830754125985ae3846da262fad641e8cdc615779a244710fbb8d9e0e36a1205da4392c7782a34a

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\UpdateControllerImpl.dll

Filesize
3.3MB

MD5
441ec847e501ddd547fc10492fd5a287

SHA1
c67e70d2d0ddfb46b4fa0c80856c90feb918dc93

SHA256
3e63054601f976aeda5c2fcdf0d222bacf38f48eb729e51b3392c915b4686e36

SHA512
435241c11918276714079f98c67ebde4834ece5c0ac973594d2f28e9b8d444df1735ceec459a977868ddabb226d5c1e461f2bdd178710761b31bf3018d162356

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbshlext_proto

Filesize
2.1MB

MD5
5265576f992af1de32d79b8570f95922

SHA1
e355fd829c9eb02f56cd60103438164e79643c4f

SHA256
85e2fcb69ee45cb81cfdfcc4ece39caf3fc25a545df30a0f04d6c4c64520db7c

SHA512
fec8316d3fba8470d6d7582f1e494110a6ba4fc30eacaf134f093350361fe789278b13be5ddac23e42b1ae7a1956d0cff8cb702da5e637e0d2621e81d9a16869

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\pkgvers.dat

Filesize
50B

MD5
f92c71ddf5b699d9bf113cc80d5bc826

SHA1
1a8091b51c8328cffe98958c3098e4b9c1228bfc

SHA256
b110e26dcf57e8d3923c7b0e6a660e06a70246a2d0285fb3fd4a775579dda83f

SHA512
463c8f4810ac52b12e8620d748a8a087ef140e5d6ab6a3afdd1baf28beca17a0b6c069003391c66cf0fd2ef75112be1306201915c6a8942404c80e5b99947411

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\version.dat

Filesize
46B

MD5
8fb6a018f79059337fc548f2994bee6a

SHA1
2bfa752f3c9f4d8f952682614490fb1014c14823

SHA256
4e1a6a6dad48a69944d19afd8258c34f2880dea9b2c0a5515e6f64f1336de276

SHA512
2c2d8b835435fcb9f4e97c354165040417b5e7e37db4cccf9247b8ccb8c7be9b6a7c62b7ef7f6327cc049ab91a408439ebea221ab51365482106ebc6aa7bdb19

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\clean.mbdb

Filesize
3KB

MD5
4ab0d936d15fad1bfe1c9843c975a5b5

SHA1
c79b4a6d5ef3544bb9428b4fe1aa26dbddbd7f09

SHA256
5dfdd203c6aa96909fcca1eada34ac9f7fff0adf1db655e13753a84958c95874

SHA512
80829716ed63eff784767a0d316eb890f9065a80a8cfb26dfec34422c70aa02796f730b61b24ae6708e66c76a8cceb972a51ec93dfe423fb9c46b51cad79e6a6

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbmanifest.dat

Filesize
775B

MD5
b3381f9aa89142e99b7cb53b3bb4c75c

SHA1
6af16450d96d258759850b45c22fe343b8b26b09

SHA256
de77da47eea08b013f3a17511cfbf078110ed62c35cf301d9fa916b7297a0b4a

SHA512
806e9f117ec6d60521fb95dc3da3b575aaba9e5d943817a05d5252d771d58578be64b44f98ccc6a88870936c13bbe02a5b683ed936b9f7df32959214e99f7dfc

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbmanifest2.dat

Filesize
775B

MD5
f3880fc3faa78872a9ebe2130344809a

SHA1
5592ab261f4ec22698106124fa49d335bf7179c4

SHA256
63bc73d9a26148537b51234ed4a7a8d03fba2529e78be052617cee6f06b130d6

SHA512
198fd603d3f45baf95f0515a931c41d528d90a77324822649185757cf18eaa0aa223779f7b52a071358c862ef99593d7fb145d47164c22c2319b452174d0969c

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dynconfig.dat

Filesize
22KB

MD5
885d647474d6eab46dd4b5197bbcf6c6

SHA1
5a8bd3b8f17b6501354dd646a6baf0a22cb55695

SHA256
1d7f22839b23f76773fdaed74aecc5bafc09aa24cd8500f3609ab2aa09d05845

SHA512
c876d81e32cdcbe244930b6c6a9fe870bb14f8f9dde47300ce08daa05bdac0f8960facbde7f5f78546f5dd777cc0371984cf8dada79bba33c961ca633ae68f99

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\exclusions.txt

Filesize
10KB

MD5
9a4ac2b44a9ad3ec5cf9534c2acde781

SHA1
a61d029ac93ada329c70633a7fcaeb754a22dded

SHA256
96813f362732ed0516316ae0f3119a6ea6bcefd53c940e59232546600853444f

SHA512
3c0ccc6ed19728f61e9075888427edf9b6bb9d47274b61beb6da9edf52c526848a07d6a559300d5a5696614ffdd9432ff007b1b853e601e4c8f28fc3bd2b51ff

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\mbdigsig.dat

Filesize
514B

MD5
dd15d093dc51c98167f736d69a349add

SHA1
957f340b5f3690bdee750bdbfdd1f1c698ca7be6

SHA256
e54e69d1293b6a7058fc580d749b643cca6aa823d1fc00ae7e245665fc62a7f1

SHA512
467417445c106ebf06620b1c33fadfd578f8cba28465ad09fb5147e914dd3607c420ed79fe6d3be80bc31e45b54bdf8fea17d14767ff984c3eaeb5d9841eba6e

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\mbdigsig2.dat

Filesize
514B

MD5
98b4099b3d487621c580a0d29c722efc

SHA1
0d533cf45a311b6033db4532448d04492b5491c8

SHA256
4eae4a8483bce998f40bf1247185bf5bbcc9a844d3f1ee2262aad0bd7bebd78a

SHA512
0c6997ed4a7580b6f545a0da91fb8bee2af692bb45468235c646f09acb1efc326a1b20652c8471a136386be712be4a45e953c676aed07726d4342231742954b8

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\prot.mbdb

Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rdefs.mbdb

Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rules.mbdb

Filesize
18.6MB

MD5
be363c81439b1875e81cb6cfbd53f6d4

SHA1
b02017e19deffe541ee7613fa5efcee41d864178

SHA256
fe8b403929c13bfc48e91c5b5ae71d1efb3f52397a4832407914b313b81a0b62

SHA512
81ca1e7996c602fc7ed7c790f16557b4b269e0fce723c22167a0f1389d1ab28d8fccb7ebdb81149f1f8a235e5251738819b8dc24d9200c8f4e5ff8e8f2adf624

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\scan.mbdb

Filesize
1.8MB

MD5
dd762b25660bc1301ad50631f9dec302

SHA1
8093cd2bd83572646b8d6a9ac55b6758c6839be8

SHA256
6e62ed7029d73f8625db3309bf3146a3a1a793353faec7d1b70f67e71204e936

SHA512
1b0d5fb2d5cc0fb4b3494fa84502364d6582f054bd47d2ba58e2fd8ea00be6a7b660c80b4eac86b04ec8823d04cb611b0e9b46dc16cf9d0353a5a1a9c233a2b7

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\tids.mbdb

Filesize
198KB

MD5
7ae4464544f8ec6dc2a19d7413fb40a1

SHA1
d6a48e08d9f43388544ced6e6ee0c3387bf358bd

SHA256
bd4acfc46b74046d5fc2a8fe1fc3c88fef43fda04681369347f762e21b7f0065

SHA512
19ef8eabf6b2d7069be05fd33e85d2b0774f67175c2cc033103ff966d15c5aeee815b9457e2acbfa5c188ec4e8bf4f963fa5c831cc054a88a50d0db4759d1041

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\wprot.mbdb

Filesize
9.4MB

MD5
bb2294822ae2c2349907d0b5b7d0bbe7

SHA1
27f10b774ce5a1bf5633a73b2b12e7dc9cf38c88

SHA256
7f9b7a30ad2ed3f40a2285afc1c8526916e7b7a2fcdfd33265e76e6471696333

SHA512
84666ab71397e041a068aeba6ce8deb7d8bd26b8c60d566d3e156ec874cfd7ce95d4a59d7e41a9f0be215d880cda670f4c56e57c1bb53b5bb8288ae4e1b13d0c

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\wprot2.mbdb

Filesize
6.1MB

MD5
b48e5f5448fe8fc971128a8686e17e40

SHA1
c8ba1082c02262c881a842fe16b95c3eeaf82b7f

SHA256
681dbb59a2f88a2c498940534761801c341a5c901f2c41b2f94dd8cb42a4350e

SHA512
9da5e8da866112686f49b61ec29151ff293baa810975f6e49019a742630904cfcd706e4a9825c1fedc182e7252c934c0553772bd554cc07f359860cf94b3de0d

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\7z.dll

Filesize
1.6MB

MD5
7580437d0fb8c1ae60d96dafb6883d30

SHA1
be89b488b258555a8cf971e4d29c40ce92bf881d

SHA256
3dce36d583ba1c741e95df1a265e47f0de581bef77ab48165dd67266be7a42ef

SHA512
e67be84fb4c9bc87c20b72a1169f068b0afdbc9872be2cb0bfcf9eff65b2b246c60c7237350cbb38cefc004a75645f49d30c9acab12efb0e914450886c21e1eb

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\CloudControllerImpl.dll

Filesize
3.3MB

MD5
bdb0adcf1fa2d6ad11ca148925fc6056

SHA1
14348951d1749ac6fa25edb26fbdfc38261ed0ca

SHA256
56e54267ea2594d7b2a7b69d751f6aa70e99b7006dfff2f6ab516c83f5a5a09b

SHA512
017658186f962376de6affc45535f9e156f4a11027a8000ae1ed37b0699d598e3b41a3a29c2031982127adf2a575b3978bc7a2183fca822049efa61214b8d49a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Languages\lang_es.qm

Filesize
239KB

MD5
15cf1cf7b807776cc0b326fb13346dae

SHA1
49729240f86b74067183413aea526e9f9a769642

SHA256
5d4df71edd63c510af04d27aa15aaa009c24e07e53efb0559dc6cc6b67e1c6cd

SHA512
ffe781c632aa839cc66377ae31384bbeb4c4443d1e4875a902a6e1fc9c272ef1b911dfc7a423fb4902dd3033638919934a077639d19314380c5b219b52d102f7

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\LicenseControllerImpl.dll

Filesize
3.3MB

MD5
c091823974c144a4ad60253346be986f

SHA1
6268491af4b35824a25b3a879412aa3894073c90

SHA256
53aad200edbab6e1591c1502afab7e2014aaa98e52c4be6bdfdd5332248d2032

SHA512
02fb68f67eb49c7e76f3772ef830b9981487eda9c87243dd8b6b4406a9bcc2de0253ac63271e7c35dc27102211ffc31ef550d5b6d49734dce762f0c47bd563fa

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

Filesize
6.2MB

MD5
f7265b7490428499f2fe409fa9247866

SHA1
aa7ef4ddfa80551e0e636a3411ea28c5217d92b6

SHA256
43a406c74689b72020e4669b45f19d377a5ff3efe79b03af58c2679d14405e9d

SHA512
0b239376a42ea094d2ae202f0c05504de7f8317c414c3aa6f5e4571b435aee2940075f5d88dc89756cb447b96356ee6c4ad44efadbdc1d80a9992d8d21048164

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

Filesize
6.2MB

MD5
f7265b7490428499f2fe409fa9247866

SHA1
aa7ef4ddfa80551e0e636a3411ea28c5217d92b6

SHA256
43a406c74689b72020e4669b45f19d377a5ff3efe79b03af58c2679d14405e9d

SHA512
0b239376a42ea094d2ae202f0c05504de7f8317c414c3aa6f5e4571b435aee2940075f5d88dc89756cb447b96356ee6c4ad44efadbdc1d80a9992d8d21048164

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\PoliciesControllerImpl.dll

Filesize
2.2MB

MD5
9461138ffbdb975a8e125163bf948158

SHA1
8275135bf4ceaf57c5ba8f66dd49d69d992c0c66

SHA256
373cf9d48fbb81f4ff07713428d50a62c7bbc0fc594af3987e0bd655f83ed3a0

SHA512
c0f7978527c24c9d767e58dfb53e346f9d1af1c09674bef723830754125985ae3846da262fad641e8cdc615779a244710fbb8d9e0e36a1205da4392c7782a34a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
607B

MD5
ff5bb9e59a9bf141440853edc85fa8b6

SHA1
90e99e2a459d56b506228b15598ae5b404e07066

SHA256
d06fc2d895b91d851954a6d3daa074ac9d2f57f4be36c22523ded2ac4d0cd6ad

SHA512
43b3b17be9bad66720b9fbb41fda07534d9a1d43c11a6bb9c37a244132e30ca511f8da79a305209fddb7e94662f6e5ef8203ce77d565758d27707851387c2426

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\UpdateControllerImpl.dll

Filesize
3.3MB

MD5
441ec847e501ddd547fc10492fd5a287

SHA1
c67e70d2d0ddfb46b4fa0c80856c90feb918dc93

SHA256
3e63054601f976aeda5c2fcdf0d222bacf38f48eb729e51b3392c915b4686e36

SHA512
435241c11918276714079f98c67ebde4834ece5c0ac973594d2f28e9b8d444df1735ceec459a977868ddabb226d5c1e461f2bdd178710761b31bf3018d162356

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\is-V60E1.tmp

Filesize
2.5MB

MD5
fad7ff3ad298b98af90ee28e8ac9e8ea

SHA1
8ef1656215747bbeaaabc3ca1a82d4d2de4166d9

SHA256
86f1c7b02c2c1cb100757b18719b1613f9035ae89cf7dd460a39da9f9f163c95

SHA512
812a04bd6e6800ca2f78224356a1035a78b3b4cc5c921c2c1d6a13a8bd5063cae8fd5352e39d2150a6f18790a23a02f4d45079cbfe52f854e006aefb9f167fd3

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe

Filesize
10.8MB

MD5
bc378eebe3b5ad857a0c2a3d6759d1f1

SHA1
accc2aef3f96ba1adfd31ade0dd5716599b8d2e2

SHA256
cb0c0072d1690c5e0a4aae29d13496cd7ecfd48fe618c3ea4b3a65cefb26668a

SHA512
e5941c023524510c66a37bfc55ba6b28f02ca53d4ff6e85016411bfbff0fbd5e3a013fdc77985380f87fe291c526b9db11151ff6e2c0d419a2e37c51d1f9bf75

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe

Filesize
6.2MB

MD5
f7265b7490428499f2fe409fa9247866

SHA1
aa7ef4ddfa80551e0e636a3411ea28c5217d92b6

SHA256
43a406c74689b72020e4669b45f19d377a5ff3efe79b03af58c2679d14405e9d

SHA512
0b239376a42ea094d2ae202f0c05504de7f8317c414c3aa6f5e4571b435aee2940075f5d88dc89756cb447b96356ee6c4ad44efadbdc1d80a9992d8d21048164

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll

Filesize
2.1MB

MD5
5265576f992af1de32d79b8570f95922

SHA1
e355fd829c9eb02f56cd60103438164e79643c4f

SHA256
85e2fcb69ee45cb81cfdfcc4ece39caf3fc25a545df30a0f04d6c4c64520db7c

SHA512
fec8316d3fba8470d6d7582f1e494110a6ba4fc30eacaf134f093350361fe789278b13be5ddac23e42b1ae7a1956d0cff8cb702da5e637e0d2621e81d9a16869

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll

Filesize
2.1MB

MD5
5265576f992af1de32d79b8570f95922

SHA1
e355fd829c9eb02f56cd60103438164e79643c4f

SHA256
85e2fcb69ee45cb81cfdfcc4ece39caf3fc25a545df30a0f04d6c4c64520db7c

SHA512
fec8316d3fba8470d6d7582f1e494110a6ba4fc30eacaf134f093350361fe789278b13be5ddac23e42b1ae7a1956d0cff8cb702da5e637e0d2621e81d9a16869

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.sys

Filesize
247KB

MD5
351bf8f77b0a15a7b5a2ae098c52a387

SHA1
be04e8000a3352f41588aa084c2b1ac7ca5145f2

SHA256
a84330df5c4f0e5d6251d311b5dc78722d7724e87daf5de5a11eb73bb3502e26

SHA512
04d062b5b5f5c3285aa9b3fa921905a0ac13b630eb5bf7fa412eaf432b415c3b33dda4fdfe5e73dbcba4575aa3610cbcfeddc498b8439a90415969a9ae1151b9

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.sys

Filesize
110KB

MD5
30531264292dbc7507aa1ff4123f1f39

SHA1
5f938678984b63695b061c43e7c58d59d7035a9a

SHA256
ad27317bfab1d5c1b332000df51336424b4b80af725392eb4a0fe53dc0695c41

SHA512
344dea38a565a7f9fb8349e2a32226526ef8b546598c63a6465093e53e39512b509c7c3774b646231614b665d474c5b104805a4f1dbda173cbced67e06811bcd

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbam.sys

Filesize
43KB

MD5
0987b4bb03fa1f3c0c7d37347b707d4e

SHA1
282b0c57a2b5a2af3c3393e8ccbeccc05faa9ec4

SHA256
edea667695a680b955f42024ad349a9b795a2365c59312edcc3fe5bf362f59e6

SHA512
0bb44543ee6acd08d22270f9d4ccdcaf35e72867d2a12f888ad7f93d77237e83a5df3f140178f787c1a0ebfd02cdf3006066298862a36da74d8d1d8bf3390a53

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.sys

Filesize
186KB

MD5
0b4a62420642b842df8656dbff663b0c

SHA1
22a89c1d2085a4aa8b1a99f54e2d75fe330067fb

SHA256
acb7961eca32a50fcbd51b194488ddf40e610c2384edfd06235ae427bcb80c96

SHA512
e9ad9be23bbeb1c2fcfc17ce16c48af67f380e72dbb3ba292965e340f2a868402b5812934b56864486cb890af80f5316a2b81cc916da9b01f7135bc02c972bf5

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mwac.sys

Filesize
101KB

MD5
a2814db0a52a490ae674ad06ecbdc4cf

SHA1
88bfe28759135d87377999596286fb5233766d79

SHA256
d3fa7326afbc7a5a94f7a4aec84a51acab89179d7caf0cb5f2af3794e6dba7f5

SHA512
6d3ac4bad74c226063aa2ea951dd72608ac884be0a7d9b5347de2e363811207b5a9ee3e8177ef44d11a6bab6538ae691a4825185784e47aa483c11c17be075de

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe

Filesize
1.1MB

MD5
4fbe9e047364e20b94e885e54d8846db

SHA1
e087573ec32542cd413b98de241f07b6d0a53552

SHA256
011678bfa9d1d8bd25b6131ae5d887326f46bda9b1b82c5795121bfe8b75d53e

SHA512
65870b8b8d1b9b6221701e7af646d26ca14e583663276728f0e962d2a49e3b84b951d248cd9c7f5389c607f9424c2bb9cf8e20780a23a6b659e6f8f1474fcf27

Download Submit
C:\ProgramData\MB2Migration\Configuration\license.conf

Filesize
100B

MD5
a1e5a9e508fc1ffd94da7ff8474cd74b

SHA1
8e24fc7a0d84a58ce19d4d54eea5b2e9a0c6c7b4

SHA256
1b936920211bf35d9bc8cb198ddc582e903a5f5f98a213fbcc50d52e336b5026

SHA512
b2de1aae006ef6f0223dd032ca08714489cf90446c7154de8ae514427017af420abd1b9bf90330f05dcebf83bbde4a57225eda45574dd1be1efb871686e2b881

Download Submit
C:\ProgramData\MB2Migration\exclusions.dat

Filesize
104B

MD5
481e08b086e1663fabd9afa850093696

SHA1
5b283959d8f5d356b25890f89babc22a8cdc7d73

SHA256
8990dd342de96d5849ca93f4bc87a96cec4f33227e440e679668ee11207f3e38

SHA512
e01fb0c54923a11a2956eb5797513c1a6525b9d66b5ef044c646ae957b95e2b16bb19ea1b6214e94f65c30834f8b43d401bbfde1ae50290e06ab73af4375febf

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
9KB

MD5
dd7295d7cf1fa8da2a4677092bcb51c0

SHA1
5f7e4e199ccf3d1f8d31797132b9b42c8d9af349

SHA256
69548246cb6691e0c9818e6526889c4aabc53c45551e182bd380ecb6103277a4

SHA512
f057ee4b4f26cdd8e315b07decaccb6adb593a7b2f473b66224510e1ddd4921342ba91e4c35312dab349cab0e63aeda6b28ec21a6738388ebc5a0c60a62e0525

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
fd82da7c3228a10e3d63ae59b8834b3c

SHA1
ad88e773bec849c161e3e53ddba2b17cf7891083

SHA256
ae30aeac282a33bc01d9edd40ee505072b25a5a3e9e16d1adfc8535aec9a029a

SHA512
e99f7a6f9ba2276e8908c3e7af319b9fd7b50b35f49ddd2f310f726af16d4ceafe53fdc4d4a972b18ea0143c397fdcd660045eb3bfcfc00310127a5ef484841d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
9eae0f5228d518b469bd9e98c17f1f15

SHA1
5247ac29a9e179549492ddac4974e0af153adfdc

SHA256
791baf971de7f25e434f469bdf703fa919ce23e6c62586e593177ef158515092

SHA512
83c9e717c5700cdd78b0bc0f4808020ee218721e44f6120912c8bb5ba59552c6fdd270ec22daed92ba2d56c234d7ced0862e927d949786ad342e0e464c7d164e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log

Filesize
2KB

MD5
ecae2c981e37f1c8608ae140fb969822

SHA1
09d94428095e809c0b85c5deed7715955a8d0b9a

SHA256
c0efc14d2d5ab379a8c23d9ed00a6ad75e976a31193c0f2a426fd00ab87987e3

SHA512
7149de4552a7d0251b05e82a59ad7711f30858c6977c36ad5d5e127454d1cb1172b8b3388cd9f91d48eb12b78f0d7338cad8d1778922d91ac1bc72d0f35b14e9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\prot.mbdb

Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\clean.mbdb

Filesize
3KB

MD5
4ab0d936d15fad1bfe1c9843c975a5b5

SHA1
c79b4a6d5ef3544bb9428b4fe1aa26dbddbd7f09

SHA256
5dfdd203c6aa96909fcca1eada34ac9f7fff0adf1db655e13753a84958c95874

SHA512
80829716ed63eff784767a0d316eb890f9065a80a8cfb26dfec34422c70aa02796f730b61b24ae6708e66c76a8cceb972a51ec93dfe423fb9c46b51cad79e6a6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\dbmanifest.dat

Filesize
775B

MD5
b3381f9aa89142e99b7cb53b3bb4c75c

SHA1
6af16450d96d258759850b45c22fe343b8b26b09

SHA256
de77da47eea08b013f3a17511cfbf078110ed62c35cf301d9fa916b7297a0b4a

SHA512
806e9f117ec6d60521fb95dc3da3b575aaba9e5d943817a05d5252d771d58578be64b44f98ccc6a88870936c13bbe02a5b683ed936b9f7df32959214e99f7dfc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\dbmanifest2.dat

Filesize
775B

MD5
f3880fc3faa78872a9ebe2130344809a

SHA1
5592ab261f4ec22698106124fa49d335bf7179c4

SHA256
63bc73d9a26148537b51234ed4a7a8d03fba2529e78be052617cee6f06b130d6

SHA512
198fd603d3f45baf95f0515a931c41d528d90a77324822649185757cf18eaa0aa223779f7b52a071358c862ef99593d7fb145d47164c22c2319b452174d0969c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\dynconfig.dat

Filesize
22KB

MD5
885d647474d6eab46dd4b5197bbcf6c6

SHA1
5a8bd3b8f17b6501354dd646a6baf0a22cb55695

SHA256
1d7f22839b23f76773fdaed74aecc5bafc09aa24cd8500f3609ab2aa09d05845

SHA512
c876d81e32cdcbe244930b6c6a9fe870bb14f8f9dde47300ce08daa05bdac0f8960facbde7f5f78546f5dd777cc0371984cf8dada79bba33c961ca633ae68f99

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\exclusions.txt

Filesize
10KB

MD5
9a4ac2b44a9ad3ec5cf9534c2acde781

SHA1
a61d029ac93ada329c70633a7fcaeb754a22dded

SHA256
96813f362732ed0516316ae0f3119a6ea6bcefd53c940e59232546600853444f

SHA512
3c0ccc6ed19728f61e9075888427edf9b6bb9d47274b61beb6da9edf52c526848a07d6a559300d5a5696614ffdd9432ff007b1b853e601e4c8f28fc3bd2b51ff

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\mbdigsig.dat

Filesize
514B

MD5
dd15d093dc51c98167f736d69a349add

SHA1
957f340b5f3690bdee750bdbfdd1f1c698ca7be6

SHA256
e54e69d1293b6a7058fc580d749b643cca6aa823d1fc00ae7e245665fc62a7f1

SHA512
467417445c106ebf06620b1c33fadfd578f8cba28465ad09fb5147e914dd3607c420ed79fe6d3be80bc31e45b54bdf8fea17d14767ff984c3eaeb5d9841eba6e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\mbdigsig2.dat

Filesize
514B

MD5
98b4099b3d487621c580a0d29c722efc

SHA1
0d533cf45a311b6033db4532448d04492b5491c8

SHA256
4eae4a8483bce998f40bf1247185bf5bbcc9a844d3f1ee2262aad0bd7bebd78a

SHA512
0c6997ed4a7580b6f545a0da91fb8bee2af692bb45468235c646f09acb1efc326a1b20652c8471a136386be712be4a45e953c676aed07726d4342231742954b8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\rdefs.mbdb

Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\rules.mbdb

Filesize
18.6MB

MD5
be363c81439b1875e81cb6cfbd53f6d4

SHA1
b02017e19deffe541ee7613fa5efcee41d864178

SHA256
fe8b403929c13bfc48e91c5b5ae71d1efb3f52397a4832407914b313b81a0b62

SHA512
81ca1e7996c602fc7ed7c790f16557b4b269e0fce723c22167a0f1389d1ab28d8fccb7ebdb81149f1f8a235e5251738819b8dc24d9200c8f4e5ff8e8f2adf624

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\scan.mbdb

Filesize
1.8MB

MD5
dd762b25660bc1301ad50631f9dec302

SHA1
8093cd2bd83572646b8d6a9ac55b6758c6839be8

SHA256
6e62ed7029d73f8625db3309bf3146a3a1a793353faec7d1b70f67e71204e936

SHA512
1b0d5fb2d5cc0fb4b3494fa84502364d6582f054bd47d2ba58e2fd8ea00be6a7b660c80b4eac86b04ec8823d04cb611b0e9b46dc16cf9d0353a5a1a9c233a2b7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\tids.mbdb

Filesize
198KB

MD5
7ae4464544f8ec6dc2a19d7413fb40a1

SHA1
d6a48e08d9f43388544ced6e6ee0c3387bf358bd

SHA256
bd4acfc46b74046d5fc2a8fe1fc3c88fef43fda04681369347f762e21b7f0065

SHA512
19ef8eabf6b2d7069be05fd33e85d2b0774f67175c2cc033103ff966d15c5aeee815b9457e2acbfa5c188ec4e8bf4f963fa5c831cc054a88a50d0db4759d1041

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\wprot.mbdb

Filesize
9.4MB

MD5
bb2294822ae2c2349907d0b5b7d0bbe7

SHA1
27f10b774ce5a1bf5633a73b2b12e7dc9cf38c88

SHA256
7f9b7a30ad2ed3f40a2285afc1c8526916e7b7a2fcdfd33265e76e6471696333

SHA512
84666ab71397e041a068aeba6ce8deb7d8bd26b8c60d566d3e156ec874cfd7ce95d4a59d7e41a9f0be215d880cda670f4c56e57c1bb53b5bb8288ae4e1b13d0c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\wprot2.mbdb

Filesize
6.1MB

MD5
b48e5f5448fe8fc971128a8686e17e40

SHA1
c8ba1082c02262c881a842fe16b95c3eeaf82b7f

SHA256
681dbb59a2f88a2c498940534761801c341a5c901f2c41b2f94dd8cb42a4350e

SHA512
9da5e8da866112686f49b61ec29151ff293baa810975f6e49019a742630904cfcd706e4a9825c1fedc182e7252c934c0553772bd554cc07f359860cf94b3de0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
acb0dc386cd6cae361bdeb2597a8d689

SHA1
ae6421b0fd26fdd506a53a2d70d358d1aaf518f3

SHA256
34a211d4236981529a946f6b66b7a016e814468d2291f6bfc53054b67d60b744

SHA512
e76a1a60181e22d9747a2f3729a00ddb02c6569b4fee9f020f361152bc086668bda82840e3f6c3715d149fcaad6c1623ec863ae919b9f69b91d0742e5e06141f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
824B

MD5
8ef0d70ff04b471bd7af97471c5d2c3e

SHA1
424badd3dc8056bf3818384bcafed718edc8d031

SHA256
3e41dcf533f3c4a7315b0b49caa04eb0f9a226513634cecb7ea61662f7692d7a

SHA512
e0bd099e8b3ff16e0707f0ab66f5daf23cfc281bad3872423617c276fb0d1ff6840db8ce42e82d7dbd0ac3cb2210dfb8c141c24af413599be17f9d5d6b53e366

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
c375475d4a757c067b334dc962e436dd

SHA1
57d1997d9f47d63d6f1da060933a5d6fd09cafca

SHA256
46ce65ad030cff16d3ebd636e9c3c889844d0e742d8a94b0460cba519f7f395b

SHA512
95a3b60a0a97702816d6b6f29d8a6a479f315e699b0e2cc589113a0e58cf60b5e18ace0e82cbb5a7daaeb38a207c50d1d1d0488c950f405e4dd067e04c03a41d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
adf01f8a575b7aa6ae647fb3685af1d2

SHA1
e34ef0dfde9364bcc1f7dc0a13190690765f1805

SHA256
2c0274e2fadbf211824b37056ef75693241408bd5cca6228374a29b835691bfb

SHA512
2cf04adeafaeebbd70473451837afe1d2cf9fadb32631615afc3e7b50c05f558d2f0c87c66a14e83bda8a3945eb6a53ac0f85c64a1925b53de6d2fb6f9708ecf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
84fc11040e2b62ee28b87d0fa266d5e9

SHA1
130222d4ef7cc54638db5c05662aa6ac0e25d2a8

SHA256
09dbc3382beb05e8be43cf421ca45dc73a87e1d918bbb463e48c85aa40138c78

SHA512
a06a5365d5518f608f25dd76afb3326f5cb5995b388a55d976e15645f5aaa1b6429b1143ba0ea0b9b35cec8d53f4f66a1f1be28d58044786b5464f8946e03306

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
6a23fb0711b080a753e1054b5ac1331c

SHA1
33331f3e41a9a161fdfdd7222eddf6084317d251

SHA256
1c13cf0c8e9ab823601b42769b144d7e2312f2a094bcc3748a721fc5da1f10db

SHA512
f47bde35d84b889873e703c0d5c527bed44e738198af64aaec18db8d0c6502014634e412ad57b5c1b8a9a572b3b09ea1562b13e586f1fbd157ecbc75d493447f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
f20a98568d2c388f12d82d43e953ffba

SHA1
b3c52faaf40c84dff61d95c5f45681ed7546c314

SHA256
67c233eed1bde03c746f373afe1911ac9e56835166a04688dca62497ddbc665c

SHA512
5d95a4f01f1aacc8098c31486215fd52fbfa1646958e38b091695943077e11da9e85acbca0b5648bc9638d57e47669412c1063c34316f1125d1fbff9a3292410

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c770523ebd22286ee637f4b355fec93e

SHA1
fdeeececbf5d8e68575039cf41086a1f02231527

SHA256
ed8272c18c43d7580b6eb4eb3f2de764fb100a317596084e6771337fd943ccff

SHA512
77eaf84ca45f423a7556251e18d21c98919aafd0f1999776b318597c3fa4caec0f68846688e531ce015b4ed259a9195bbf36cd94e6662b4c53d398adc16382bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d9b1963aba2c5f177609613d7c9c06f5

SHA1
53e585bf7c5a6f8fda0877153d4e5edea3a16256

SHA256
63254980c55a889d233d6a2e3414f570ccadebe9370ae524ecd596ebe511c5fb

SHA512
e3091359a081ae6fbe2db59b58da625b14cb73cfb8ff28e354885df1c05dfb85e2238fc5f6491061f37b964b7344d2aa8b907c8cab40d65a723beaa9e0b8b5bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d911b41d58eb8a68b1c91fff0057789e

SHA1
7b4246b3cbfb98e5d99fef7d972832046f56cb1d

SHA256
2a30cf372d347f3abc96ea184ed2ebaf2f10c71ee345b4813594f14c396476b8

SHA512
e9e343fd3b738223f738ef12810e5e8540f9db5269624c25a68bc1efe202e8232e7310537d6f2088eb685fa4e1b79e907c7f96b1f25d9db25053d350e6c54dbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
760687f3f40b52d9f545dd15f206cb3c

SHA1
d346df2bd0b4312adb1253b7be8b3d451e4905e0

SHA256
e915c63a7bb5e31be09fae7e75b14151ab208046d2a7d42a0d51d2c4e61f336e

SHA512
d921ed52cae4792e443cb6f4ab938d11bcafe7f6919e6e7258c3b7bd9e92cbe7942a51a59ca1de8abb49a41301aa6331d5c219a6b70d8dcfab05f75364452ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
b889f60e53eb209ac1ce781810485110

SHA1
14730849f6f53173b05a2960b14333e295d60e85

SHA256
c7b200d69d76a9abe830381defd7933e13e66f7cbe2fb71a2a57731a177f0b1e

SHA512
f12f9d69b0c843b8c029b8a36817311ec7c15b21f3ebfd5811b175f57710b8c0d436f28b0f386f21bc8a2ba4dd81a1979d9d3f96002fbc9b15f415602f57b1ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
1375b024be71297ef5b0a144163b5c50

SHA1
97288f6ef7238deb31083fde06fc4fa72e36d525

SHA256
ebf784ca23b33822c2c0a4167ed3ae447ea83dfc9a676b63d4779d3f1d8a18e5

SHA512
487cdb1784439e8b2e04ff31897df2cc8c683cb2b9dcb25ac9664f0031ad5f5925de5e239fd3aa93c7e404e601ea021201efe68b2a156a5ade0bb94d76fe3a3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
fb7955eec5d22f3a263418f04f43b9d0

SHA1
908d94e1df1374c676d743140f81dd718e85ab11

SHA256
54cacd867137576d806aed78c7e737f62c2ebf354602c3f0bed932c3f50613e7

SHA512
e8c78b26aa0a2b2a0a71a0b4472e7517ff44a4b9c74d5517bfcd390e03cc9a7204567bd7c3f76927f89be139c0b19b90241384d9d3e320622eb9c68fa1494c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584bd9.TMP

Filesize
107KB

MD5
834cf6d868ed94479822200d593cec70

SHA1
8bbd5e1804164399aaca6405211387b6929c63bb

SHA256
2b42911c2491f66db0ffa027d479c8b1593a7c3d144589bc65d93ad4de82c9a3

SHA512
d73af0de38550f4a4da9ea02e8a6878508e059352450d9b3a274c2329ec8faea4fd7d70549b5fb139bb99b981f4a2440e5303f2860b84a56cca99b9a3f90bda0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
e87581bc0c30253c1db4d73960e2925f

SHA1
8fa2a11b190693c5ab735380c7ff631830a5f9ac

SHA256
5b78ee261aec2e40ddfb2ea7bc0bddaac41e9ee7f265bab3485c3a1aad4e5e7a

SHA512
0982690def500801eaf2fa5caf8a65a8e75a46e09e6932815d9f1e5f7052b418f3f1f34d693ba164dd8d16e89e6e6c6113bfccfcf85d385327d21d1e72682369

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4EE527B8\MB2Migration\Configuration\license.conf

Filesize
100B

MD5
a1e5a9e508fc1ffd94da7ff8474cd74b

SHA1
8e24fc7a0d84a58ce19d4d54eea5b2e9a0c6c7b4

SHA256
1b936920211bf35d9bc8cb198ddc582e903a5f5f98a213fbcc50d52e336b5026

SHA512
b2de1aae006ef6f0223dd032ca08714489cf90446c7154de8ae514427017af420abd1b9bf90330f05dcebf83bbde4a57225eda45574dd1be1efb871686e2b881

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4EE527B8\MB2Migration\exclusions.dat

Filesize
104B

MD5
481e08b086e1663fabd9afa850093696

SHA1
5b283959d8f5d356b25890f89babc22a8cdc7d73

SHA256
8990dd342de96d5849ca93f4bc87a96cec4f33227e440e679668ee11207f3e38

SHA512
e01fb0c54923a11a2956eb5797513c1a6525b9d66b5ef044c646ae957b95e2b16bb19ea1b6214e94f65c30834f8b43d401bbfde1ae50290e06ab73af4375febf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4EE527B8\mb3.exe

Filesize
73.0MB

MD5
89335f24851fd6a2ddbc281634e526dd

SHA1
bd1917098b496aa6c9a1ba7aeb4ab07ab18e1748

SHA256
7ba39952be761505d944cd3f2a3a37f51a1ab769743a97711589e7b41e359331

SHA512
40de47393f1a145861d3efb1b36da5d978b76fce231df13fb72661ca8e98d5d407c8eac6e542f4073c39555133158e8fb1c4b34d24f1d2feb2a1e6d5b4461566

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4EE527B8\mb3.exe

Filesize
73.0MB

MD5
89335f24851fd6a2ddbc281634e526dd

SHA1
bd1917098b496aa6c9a1ba7aeb4ab07ab18e1748

SHA256
7ba39952be761505d944cd3f2a3a37f51a1ab769743a97711589e7b41e359331

SHA512
40de47393f1a145861d3efb1b36da5d978b76fce231df13fb72661ca8e98d5d407c8eac6e542f4073c39555133158e8fb1c4b34d24f1d2feb2a1e6d5b4461566

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4EE527B8\setup.cmd

Filesize
1KB

MD5
85c4cea8a46702787238de08969d20da

SHA1
d38dca0d6201fbd2a0b942fed6c44ca8f04e9fbc

SHA256
913eeec472c03e9c253016213daab7a6a7eb50df7952053bebbd8034ee7ec6cb

SHA512
ba8cd2bb18a79537cfcd9775665debcb10f3599ca9b20c4eec9f8244098a6d69ba36d2ca728aba5ed823df3c29d494dc4899c1a57148c10007b6e665ea833be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4GPAU.tmp\mb3.tmp

Filesize
1.1MB

MD5
4fbe9e047364e20b94e885e54d8846db

SHA1
e087573ec32542cd413b98de241f07b6d0a53552

SHA256
011678bfa9d1d8bd25b6131ae5d887326f46bda9b1b82c5795121bfe8b75d53e

SHA512
65870b8b8d1b9b6221701e7af646d26ca14e583663276728f0e962d2a49e3b84b951d248cd9c7f5389c607f9424c2bb9cf8e20780a23a6b659e6f8f1474fcf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4GPAU.tmp\mb3.tmp

Filesize
1.1MB

MD5
4fbe9e047364e20b94e885e54d8846db

SHA1
e087573ec32542cd413b98de241f07b6d0a53552

SHA256
011678bfa9d1d8bd25b6131ae5d887326f46bda9b1b82c5795121bfe8b75d53e

SHA512
65870b8b8d1b9b6221701e7af646d26ca14e583663276728f0e962d2a49e3b84b951d248cd9c7f5389c607f9424c2bb9cf8e20780a23a6b659e6f8f1474fcf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BI1EC.tmp\BaltimoreCyberTrustRoot.crt

Filesize
1KB

MD5
379a301592736712c9a60676c50cf19b

SHA1
c103790503bf8c2ff3f119adee027ebb429b9d21

SHA256
cc7400692bd90e1b5fc44e11c8dd7c788cbb462f52ea3f3decb579e4d51eb268

SHA512
dec25a31f2930eb575a43e654c29f170c261c1c4516767c0e71cc172ad6ad115914fb58d9cd79f681ff3d7c6baa6b7c0d6de99de09d7582c9807ae436f15572f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BI1EC.tmp\DigiCertEVRoot.crt

Filesize
1KB

MD5
d25e0f479b9601edf2c9c2dad7ba2706

SHA1
2f1d0001e47394f4c4deec9645c5f2df99f91a95

SHA256
63ff360aafde5ff959fb9671ec27002f99cbfae4907b410046b6a1b0f51cba9e

SHA512
3ba164dad3cadf1ea9f0c555695e4d39cba47612599f547d0d0d59014577995c0ddbff0ef6a5e436867454da02d500136b54c034c2223586271b26108b2cfb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BI1EC.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BI1EC.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BI1EC.tmp\mb-header100.bmp

Filesize
7KB

MD5
4f8b110e37a818130310f0c34ec90dc5

SHA1
3bef6199fa0ba4c7b98d9c6a6c5a29c52ef9f3b1

SHA256
db72101e43020be81ff304f50cf593497d66073be946502c16bcd64e7b2adcc3

SHA512
d998b6f09e8750f8f99491e2c2dcbb0cec4a65f8154d795ca070eb131a4f88a30116715b67d1904a0b774e77d0b3ffdb994d10de5688e47f1e2901b10202402b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BI1EC.tmp\suhlpr.dll

Filesize
2.5MB

MD5
fad7ff3ad298b98af90ee28e8ac9e8ea

SHA1
8ef1656215747bbeaaabc3ca1a82d4d2de4166d9

SHA256
86f1c7b02c2c1cb100757b18719b1613f9035ae89cf7dd460a39da9f9f163c95

SHA512
812a04bd6e6800ca2f78224356a1035a78b3b4cc5c921c2c1d6a13a8bd5063cae8fd5352e39d2150a6f18790a23a02f4d45079cbfe52f854e006aefb9f167fd3

Download Submit
C:\Users\Admin\Downloads\SetupMBAM.exe

Filesize
261.5MB

MD5
fc6bd17bc268d0664e630a81c58a681b

SHA1
ae37128d013c7eff32c6e3d3f6495f954512e991

SHA256
c2efe64ec9dc3ee747327beb0cac87e3ecc7d26a15e7d223184a3385271af709

SHA512
35cc3b5a30bad39c4a0ae10e1e2bc32dde4a8ab9183882342b45e4ded6a260ca089d7a978961826d25eaecfdcd52e2a69910700f6b426ad735732f65cd185e0b

Download Submit
C:\Users\Admin\Downloads\SetupMBAM.exe

Filesize
261.5MB

MD5
fc6bd17bc268d0664e630a81c58a681b

SHA1
ae37128d013c7eff32c6e3d3f6495f954512e991

SHA256
c2efe64ec9dc3ee747327beb0cac87e3ecc7d26a15e7d223184a3385271af709

SHA512
35cc3b5a30bad39c4a0ae10e1e2bc32dde4a8ab9183882342b45e4ded6a260ca089d7a978961826d25eaecfdcd52e2a69910700f6b426ad735732f65cd185e0b

Download Submit
C:\Users\Admin\Downloads\SetupMBAM.exe

Filesize
261.5MB

MD5
fc6bd17bc268d0664e630a81c58a681b

SHA1
ae37128d013c7eff32c6e3d3f6495f954512e991

SHA256
c2efe64ec9dc3ee747327beb0cac87e3ecc7d26a15e7d223184a3385271af709

SHA512
35cc3b5a30bad39c4a0ae10e1e2bc32dde4a8ab9183882342b45e4ded6a260ca089d7a978961826d25eaecfdcd52e2a69910700f6b426ad735732f65cd185e0b

Download Submit
C:\Windows\Temp\MBInstallTemp\mbst-clean-results.txt

Filesize
325B

MD5
0fe9fe8745d51d6f546781244db85fc4

SHA1
8d5438aeb588ec80baa347273ba3a987a3fd622d

SHA256
ca9b7e4dacb1b4dccd0977a3ef2741982bec86fc38c30a1a3de84fa116419290

SHA512
e534257de504a14e532073eeea237e0fa6ab7fdfce8f176ddaca85ac63d9501212b1086242f2904cbbc1c4fbf0106c47035c5091bf148340f51d2555a2c7eda8

Download Submit
C:\Windows\Temp\MBInstallTemp\mbst-clean-results.txt

Filesize
3KB

MD5
797f5f3d95d665b5d6f1ddee3e7dce76

SHA1
8609e261db37be00201e8a681cbb814de2eaccd1

SHA256
54349abb3f37a4d617ae8db6c443521b61e4168af1921af997028666cd7ad238

SHA512
1791116bb6ea94a60cca86adf5e8007c024cb3cb8333cca4e41d26bc648e47db943e010d37fd6511550a8a5ebdd3eac1e94a1b2876c50558da4c56d8e00e823f

Download Submit
C:\Windows\Temp\MBInstallTemp\mbst-clean-results.txt

Filesize
30KB

MD5
3b07b21a6b35d1f5b99d879b22b07424

SHA1
9bea20b0f24c9ce5d0a7bb545060689e7dced2a4

SHA256
c38b7bde464958ac93739bf646d05c9d397a56f48e1c1da8b4972c85f76a1933

SHA512
999edd674805e46c7f76afe8d1bed8236fd445a77951a727e0f2db577818b6c8790d7b58a9aa43d1ef15bcc231bc19bfd5ccd36f0c28797fcfc7a4697e5d1f89

Download Submit
C:\Windows\Temp\MBInstallTemp\migrate\config\ArwControllerConfig.json

Filesize
243B

MD5
473be8cdf7a4e7e8202b1ed2e65a04df

SHA1
bdcb77b413e587f38b5703d6ca4edc9ab44779f8

SHA256
249952f8d9c15819a8101e94fddf524cbc95df466d50019e8b4d59dcda890965

SHA512
2b70f0d199200f64ec63930b6e0fa4e27e34691cf5fef5f543ba6018b373917afd4efbc328b8a1f2886aef78e6331e51131913315852576872080551660a8f2a

Download Submit
C:\Windows\Temp\is-02LL5.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/488-1135-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/488-429-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/488-405-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1760-2883-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2244-846-0x0000000003E40000-0x0000000003F40000-memory.dmp

Filesize
1024KB

Download
memory/2244-1097-0x0000000003480000-0x0000000003495000-memory.dmp

Filesize
84KB

Download
memory/2244-784-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-1124-0x0000000003E40000-0x0000000003F40000-memory.dmp

Filesize
1024KB

Download
memory/2244-1134-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-421-0x0000000003480000-0x0000000003495000-memory.dmp

Filesize
84KB

Download
memory/2244-448-0x0000000003E40000-0x0000000003F40000-memory.dmp

Filesize
1024KB

Download
memory/2244-411-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2244-785-0x0000000003480000-0x0000000003495000-memory.dmp

Filesize
84KB

Download
memory/2244-778-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2244-891-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-849-0x0000000003E40000-0x0000000003F40000-memory.dmp

Filesize
1024KB

Download
memory/2244-447-0x0000000003E40000-0x0000000003F40000-memory.dmp

Filesize
1024KB

Download
memory/3588-1200-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3588-1217-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3588-1194-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3588-1195-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3588-1196-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3588-1197-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3588-1199-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3588-1198-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3588-1192-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3588-1201-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3588-1202-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3588-1204-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3588-1203-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3588-1205-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3588-1207-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3588-1208-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3588-1209-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3588-1210-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3588-1211-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3588-1212-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3588-1213-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3588-1214-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3588-1216-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3588-1215-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3588-1218-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3588-1193-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3588-1219-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3588-1220-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3588-1222-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3588-1223-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3588-1221-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3588-1224-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3588-1226-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3588-1225-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3588-1227-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3588-1228-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3588-1229-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3588-1230-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3588-1231-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/3588-1232-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/3588-1191-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3588-1189-0x0000000004BA0000-0x0000000004BA2000-memory.dmp

Filesize
8KB

Download
memory/3588-1190-0x0000000004BA0000-0x0000000004BA2000-memory.dmp

Filesize
8KB

Download
memory/3588-1188-0x0000000004BA0000-0x0000000004BA2000-memory.dmp

Filesize
8KB

Download
memory/3588-1187-0x0000000004BA0000-0x0000000004BA2000-memory.dmp

Filesize
8KB

Download
memory/3588-1007-0x0000000002F60000-0x0000000003760000-memory.dmp

Filesize
8.0MB

Download
memory/3588-1186-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3588-1030-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/5112-2894-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/5112-2887-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads