7c0b9bceed390f7f28135431c09ac51469ee8e2b8095fb36a37315d811d9ba9c

Analysis

max time kernel
55s
max time network
101s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
16-01-2024 22:18

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MBSetup (1).exe
Size

2.5MB
MD5

1e885823577394ea61ea89438ffe2954
SHA1

e53e96f7374790bdad8a614949b398b055c3a27b
SHA256

7c0b9bceed390f7f28135431c09ac51469ee8e2b8095fb36a37315d811d9ba9c
SHA512

73f600833dad0047b6444110d722dc95237b38bb486abc7fc8e4f59b69e2154c885fb46d65f488d5139a0b6e76ebde33ea72711c7f58436650ef992fb8995627
SSDEEP

49152:Lw3ye9SPQ1sjDAVj+JeRanStQyfvE0Z3R0nxiIq2ddAsuysSiSF:4yeoCVj+c6KtQRq2ADSiSF

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

Processes:

MBAMService.exeMBSetup (1).exeMBAMInstallerService.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup (1).exe
File created	C:\Windows\system32\drivers\mbae64.sys	MBAMInstallerService.exe
File created	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBSetup (1).exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup (1).exe

Drops file in System32 directory 1 IoCs

Processes:

MBAMService.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt MBAMService.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe

Drops file in Program Files directory 64 IoCs

Processes:

MBAMInstallerService.exe

description	ioc	process
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\TextFieldStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\PageIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\TabView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\DialogButtonBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-crt-heap-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\folderlistmodel\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\StatusBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\editbox.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\StatusBarStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick.2\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\libEGL.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\JumpListDestination.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\TextArea.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Drawer.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_pl.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\MBAMShim.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\Control.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\ScrollViewStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\GroupBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\CloudControllerImpl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\arwlib.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\BrowserSDKDLL.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\StackView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\MenuBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\Pane.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\malwarebytes_assistant.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\AbstractCheckable.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\BusyIndicatorStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\GroupBoxStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\TextField.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Action.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\ToolTip.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\TextInputWithHandles.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\StatusBarStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\WidgetFontDialog.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\MenuItem.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\BusyIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\SelfProtectionShim.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\EditMenu_base.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\SliderStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\Dial.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\RangeSlider.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\ToolTip.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\Private\dialogsprivateplugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mb4uns.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5Svg.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\TextHandle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\CircularGaugeStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\CheckBoxStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\Label.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Extras\ToggleButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\GroupBoxStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\SwipeDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\CursorDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Page.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\MenuSeparator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-file-l1-2-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\folderlistmodel\qmldir	MBAMInstallerService.exe

Executes dropped EXE 2 IoCs

Processes:

MBAMInstallerService.exeMBAMService.exe

pid process

2072 MBAMInstallerService.exe
2560 MBAMService.exe
Loads dropped DLL 2 IoCs

Processes:

MBAMInstallerService.exe

pid process

2072 MBAMInstallerService.exe
2072 MBAMInstallerService.exe

pid	process
2072	MBAMInstallerService.exe
2560	MBAMService.exe

pid	process
2072	MBAMInstallerService.exe
2072	MBAMInstallerService.exe

Registers COM server for autorun 1 TTPs 61 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

MBAMService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MBAMInstallerService.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMInstallerService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MBAMInstallerService.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe

Modifies registry class 64 IoCs

Processes:

MBAMService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0101B90-FD0B-40CF-90E4-33650F09A80F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82AA83E1-EC24-4908-90E5-FAA212B30200}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5083B4CA-BBA6-43DD-B36E-DEA787CA0CAD}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A10434E2-CAA7-48C4-9770-E9F215C51ECC}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08927360-710B-483B-BEEC-17E51FF84AF9}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA226B90-F6FF-4618-8AE6-1114E82CB162}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44AC1571-055F-4CC8-B7D8-EA022C4CC112}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19184D37-6938-4F54-BAFD-3240F0FA75E6}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C30B7D9-82A1-4068-8A5B-F4C7D5EF75A3}\ = "IScanControllerEventsV14"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA6C70E7-6A6D-4F4A-99BF-C8B375CB7E0C}\ = "ILinker"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01222402-A8AB-4183-8843-8ADBF0B11869}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDF63EDA-B622-44E2-8053-8877E33BB49A}\ = "IMWACControllerV19"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2650A9C4-A53C-4BEF-B766-7405B4D5562B}\TypeLib\ = "{A23C190D-C714-42C7-BDBB-F4E1DE65AF27}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B2CCE9B-6446-450F-9C9D-542CD9FA6677}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7BCC13C-47B9-4DC0-8FC6-B2A489EF60EF}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3968E6D-3FD5-4707-A5A8-4E8C3C042062}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2E404A3-4E3F-4094-AE06-5E38D39B79AE}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AB5C774-8EB7-4C1B-9BBB-5AC3E2C291DD}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\AppID = "{1F7896AD-8886-42CD-8ABD-7A1315A3A5F2}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A30501F-26D0-4C5F-818A-9F7DFC5F8ABC}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0EB1521-C843-47D5-88D2-5449A2F5F40B}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABC1D1AF-23ED-4483-BDA4-90BCC21DFBDB}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0B14402F-4F35-443E-A34E-0F511098C644}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4163399F-AB08-4E5E-BE28-6B9440393AD3}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1861D707-8D71-497D-8145-62D5CBF4222F}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71AC94F2-D545-438F-9156-C231B7D94A56}\TypeLib\ = "{332AFEBA-9341-4CEC-8EA6-DB155A99DF63}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19B9825A-26E8-468B-BD9F-3034509098F0}\ = "IMWACControllerEventsV11"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C85F3EB8-B099-4598-89C3-E33BAC2CE53D}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.MBAMServiceController\CurVer	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F77B440A-6CBC-4AFD-AA22-444552960E50}\ = "IScanController"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE77988C-B530-4686-8294-F7AB429DFD0C}\ = "ICloudControllerV5"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5186B66-AE3D-4EC4-B9F5-67EC478625BE}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2DFD7E94-47E6-483A-B4FD-DC586A52CE5D}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F641DDA1-271F-47C7-90C2-4327665959DF}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCF0F42-EF8F-4450-BA68-42B61F594B2F}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E0F1EE6-E7CA-4BEE-8C08-0959842DA615}\ = "IMBAMServiceControllerV7"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE6A4256-97CD-4DBB-9D4A-3054B0BB0F8B}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{115D004C-CC20-4945-BCC8-FE5043DD42D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E3F0FEC-3E40-4137-8C7D-090AFA9B6C5E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DFD7E94-47E6-483A-B4FD-DC586A52CE5D}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3D482C3-B037-469B-9C35-2EF7F81C5BED}\ = "IRTPControllerV6"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8CB653AC-F9CF-4277-BFB1-C0ED1C650F56}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34544A67-823A-484D-8E18-371AFEAEC02E}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71B13605-3569-4F4A-B971-08FF179A3A60}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{115D004C-CC20-4945-BCC8-FE5043DD42D0}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99E6F3FE-333C-462C-8C39-BC27DCA4A80E}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76AD4430-9C5C-4FC2-A15F-4E16ACD735AC}\ = "IRTPControllerEventsV4"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1097B101-1FF8-4DD8-A6C1-6C39FB2EA5D6}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6696D5DD-4143-482C-ABF4-3B215CF3DBFC}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F22E03D6-F159-40A0-9476-16F3377B58C9}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B2CCE9B-6446-450F-9C9D-542CD9FA6677}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8307A4A5-A025-438B-B23B-8EE38A453D54}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19184D37-6938-4F54-BAFD-3240F0FA75E6}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDA4F172-98EF-4DF6-89AB-852D1B0EC2D4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA5CFCA-E804-4A2F-8B93-F5431D233D54}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BADF77CD-ECCE-4B36-88FF-6A2804FFE307}\ = "_IScanControllerEventsV11"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B42C782-9650-4EFF-9618-91118DF96061}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90A62FAD-6FA9-4454-8CEE-7EDF67437226}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA09B8D-A536-4429-8331-49808442D24B}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{115D004C-CC20-4945-BCC8-FE5043DD42D0}\ = "IScanControllerV7"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{02143C0F-1656-4B2E-95E7-EA8178A29E2E}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CFA1689-38D3-4AE9-B1E8-B039EB7AD988}\TypeLib\ = "{F5BCAC7E-75E7-4971-B3F3-B197A510F495}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61964EBA-D9C0-4834-B01C-A6133F432BB1}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe

Modifies system certificate store 2 TTPs 20 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

MBAMInstallerService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C	MBAMInstallerService.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

MBSetup (1).exeMBAMInstallerService.exe

pid	process
760	MBSetup (1).exe
760	MBSetup (1).exe
2072	MBAMInstallerService.exe
2072	MBAMInstallerService.exe
2072	MBAMInstallerService.exe
2072	MBAMInstallerService.exe
2072	MBAMInstallerService.exe
2072	MBAMInstallerService.exe
2072	MBAMInstallerService.exe
2072	MBAMInstallerService.exe
2072	MBAMInstallerService.exe
2072	MBAMInstallerService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MBAMService.exe

description pid process

Token: 33 2560 MBAMService.exe
Token: SeIncBasePriorityPrivilege 2560 MBAMService.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

MBSetup (1).exe

pid process

760 MBSetup (1).exe

description	pid	process
Token: 33	2560	MBAMService.exe
Token: SeIncBasePriorityPrivilege	2560	MBAMService.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

MBAMInstallerService.exe

description	pid	process	target process
PID 2072 wrote to memory of 2560	2072	MBAMInstallerService.exe	MBAMService.exe
PID 2072 wrote to memory of 2560	2072	MBAMInstallerService.exe	MBAMService.exe

C:\Users\Admin\AppData\Local\Temp\MBSetup (1).exe
"C:\Users\Admin\AppData\Local\Temp\MBSetup (1).exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:760

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2072

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
PID:3648

C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
2⤵
PID:3204

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
1⤵
PID:4156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004C0
1⤵
PID:2828

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a22855 /state1:0x41c64e6d
1⤵
PID:5128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\7z.dll
Filesize
335KB

MD5
aad2bd7122137fc440fba5c7ea30e17b

SHA1
e6f3817008b901a97d20db6e93ef24287a5bfc7a

SHA256
1ce67d1cfa510fe831adb76845727245136ae64ea773775d9815eeea7272f873

SHA512
eb1338727cd54877073eb304441d46f8c3b57122055f108c798d16a83f71971b26a6aed64c5ebb052806693d3daf48fe48dc12debe2c4a144a4487060cef4efe

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Actions.dll
Filesize
824KB

MD5
4d652e264151ac39f76209e449abb292

SHA1
3b3304745288083573c044d71743b41f78e8937a

SHA256
16e30956186bde29c74f5caffc76bbc958f41e234b8b7a5876611a7feea84391

SHA512
38b63d8dee3f72e83d8af8ae95fd4d220c56848e89b822b19f46c2c9bcc80951322cdd0f7343efe0af1dc42beb8b1c7e319b9b4fb82e3925fac7ee3ffc6219b8

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ActionsShim.dll
Filesize
467KB

MD5
f755ab8176d6df85471e69389f8d7f2a

SHA1
973b0dc0b805a5d28cb97ffd65399feab844fa36

SHA256
7bfe1608d432eeffc64623c7f261eb56a94444b79604b4366118e04f418391f7

SHA512
b0dcb1d84fd758433d06ae199960f4731b6902d13de0184a19b2460c6e20c591ea3a46c4460c9fcd60e0641aea1e9cbc5501c69a561980be75f03f6bb9c8ec23

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\BrowserSDKDLL.dll
Filesize
467KB

MD5
b0fd2bb69d3e4abef62b3d9c4f5a5895

SHA1
3fd36dd9870aa5f97740590f5d71237812811eda

SHA256
ef281fac2e183a1f38bdcde7699789440981f54199d58d8debc5101dd43a0ace

SHA512
e2a2bcc2c8f948bccdc74341e0861ddf2e3351594d61948833d9dc6f3012769f1886a3b66fa3bc55f54c515524190d31f56057d12d7f0ad097b3c06d67732aff

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CleanControllerImpl.dll
Filesize
870KB

MD5
819f095e25751231ab76271e3705c839

SHA1
2dcd3b1dcb515cf3337a175fb760a4512fe9782e

SHA256
974dcd8a5f4876cc9f4403e6b51add0ad7a0b5391b9fba9267a5bb4da6249a2e

SHA512
c0ae1dcf4e738482e8c38caa1e27237db0e8539b7c0ad272777e4a68d6889c9d6cdeda625b894b7bacb979837fc27165edcd9b223df3bb5de9c1d6611b70d693

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CloudControllerImpl.dll
Filesize
465KB

MD5
d8e59141f1b351023fcc4f76ae9502ae

SHA1
7ae75fdd82169c923942eff49a896c5423aeb351

SHA256
60bffa339d90ee86d788e1918978c0d151984576e62d704a1f0258fb0d69c88e

SHA512
20d73f6c9a32a0e4fea862596362c0dff513c2fb1e7cfead3bbefc81582c806b0a3e42519faea853b5f958b3118903d2209384ad8fa3dc44e57cc35ea54aac86

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\LicenseControllerImpl.dll
Filesize
2.6MB

MD5
f306adb3ebdd2782f515d43d847adba9

SHA1
45d2f1f5e4eb86cd420df250bdab319096cab635

SHA256
ec0d1b517ec05c4e296517219fcafcf05b455c5d6c2ef70865899fd0559eff55

SHA512
834e81d4e3771d870f544e2d9efb165862dadbed0b8c0632614ed40dea520ecaa6afd340d0263dafa6556fb08029bced042ebf0e00353b945338fa86ce54c947

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMCore.dll
Filesize
1.3MB

MD5
1986b643e262b76ec0345661f0402327

SHA1
f9fd776b4ae05bd0382616c64dc98621cc6fd41e

SHA256
24b79d75f51d9f14a425e9987e5eec67a68e3cf0130a37ef74809eefb4af1e93

SHA512
1056017f3869d496b7e407cce819f5c8b6ae2d9e52e0276bf4041ebd8ba946b2236497781f5ff4226a8cf763da71b9ff5c66ee6d6bad34dff0cafd84c0d0fbdb

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMShim.dll
Filesize
64KB

MD5
3037e31d7a8b9b7419f227a12e19f91f

SHA1
d8584864c7c612f19378a3effc8fd17fa224a302

SHA256
5bb2760e7a675ab9fbbbf207eb8d71f91d591dd205ab00f3de9556aa8092e286

SHA512
1f1e3d11c4ca0f88f965edb1f677cc14475e95dae98945f1349be0254fe60c46c784c58e4aff57bded3cbdb49beac46fbf5b4b0b5fec419ba7ebc905094e8a04

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
Filesize
813KB

MD5
f12e7fbbfce02e26c258f4fccfe8c916

SHA1
7be8be3fe5d12b2a6631d20b7a364c3efb68f196

SHA256
9a86d1ef12aad30f2cea6c124121de4b4be32247b25ddb806549525b518f7f62

SHA512
3ce1febd7bfdcef34b775eedd1bbc5c7e0b1d0eb6dd3338507641a5436c4fe4825dd6efbc17e797e37dd66a7be26bc389252fcc39cdafe41f74652aafb240c3c

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ScanControllerImpl.dll
Filesize
288KB

MD5
65bf5d41b734a6ade63d13eb0a32eb4b

SHA1
7527ecbe71b0239893be6d7fddce54233f71f639

SHA256
d722e55b73e8ad32ac8438861685fe213b8a4331e5df8a410b66a681b19f862b

SHA512
4721b1fa3478ea1f7e245ea4130451756737ba9a2678d8176e29dceaec3333de2a20ec0f4d6ac5091fa69ebbab7def9fe0d2e43848dbc1849b7ec245bdb455f0

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Swissarmy.dll
Filesize
401KB

MD5
8db5679b5ecc2b316f006755f1ba8800

SHA1
a2e96a5dd6704c6a52ed2aef0a1c27787757e6ae

SHA256
d7019403c5bd9e736c9270a027c266048767dec596e610634d8c8f904cba3752

SHA512
6460e819e80f092ae8e4ffae29efd36031195b7a793ea7e1f8283ee2c1d8b27066463ffa8a112456f7e66224a9c3630a3b283d4214d158057a5e9d9200326ed5

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SwissarmyShim.dll
Filesize
653KB

MD5
469bf0451df8321b2fd5e537f6fb5224

SHA1
c150c4c7c51457ac32b183dc9588e6d771d93370

SHA256
731fcbbb9475038efb742e978da4942b8b743e433249873512023b1c4c80a42a

SHA512
904429d325bf5a68994eab69ea824e5452bf6304b4bd163037147a694b47496d447fa4e540b01cd67efe0b10654af2ea8786192c2830be57dbb2755e745f932b

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\TelemetryControllerImpl.dll
Filesize
845KB

MD5
870f667d96335b15d444aa73477109ef

SHA1
7d01aa14e3da1fe34c368fa7c35a40abe9b49657

SHA256
abac493d069388e4df9aa1ab103695fbadab6e0f5e4a9900dca9a69416609cfa

SHA512
fb3be8ee9b683467a0c3901dc9b876ada88d3bc04eaa321205bc9e0917a95b7828900bedc753752617c3c1fbaf42ef5236e8b3f5923a0cf02eef86a2d3e329e4

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\UpdateControllerImpl.dll
Filesize
2.1MB

MD5
6ea5b2750149e6af1ebc980d1c9de27e

SHA1
b7eb2bbc45415801e16da8f88fb73e7d0b280ff6

SHA256
96f1e29367910b135ee17a7e75d97d6e8c6e8809504d2fb33a0cc338b634c3af

SHA512
8d9021ee5d2dd12f758299438dac5cd28052ec0639160c071d69780f33caec5885885c05128636da42ec854d0f7e5129945c4a6b1aa069d24d19b1009c931666

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
Filesize
780KB

MD5
64c33dd9162e15847f01e0f9713c0603

SHA1
5b8de8326e27abd0bfb96a7e87de7679b9abc026

SHA256
a08c9fc3a79506b7a7a5f65ea4c87ded930fc47b8dfd047b764e6edead2f1779

SHA512
0835916e1a41e157232d72255414d3e8ea88fb86c8aa5ac496f2178a59668502be2e99d4d35ccac01371aa317777c7ecab32d11080bc188addaef45af9f8670e

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\pkgvers.dat
Filesize
74B

MD5
06c4b6a669d23864c284ae03481bb816

SHA1
daa6ef50625576907dd1fbeb52823278d41512c8

SHA256
c7871ef2ae5feab275dfa1fe7a10138240bb7404af93a8bbbfaad6a31a18c806

SHA512
fd58c75969b3ab37b44da71b6ad79e59e47da7a7c9fe2dd29681aa845696a5834dc330e282495396e38e1e9bb9e8f5da5690d27e11c55a599877d9dfb737e345

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.sr
Filesize
1.0MB

MD5
3828469019f49a678f3efed46aeeb4c8

SHA1
be81a094fc9db4a2fd1bf00214540b70499e4ef6

SHA256
83b0b85a6938a95c904e494cfcd973cff6cc923c7bc613cee4e888b2e154a12a

SHA512
412785e141f1f922b14259739784ed664aa4437b553aa55f0a147d72f5d41ce1cb8d3517b548fa791b59747b2ac1d5c9be9310074fc294c9a463381c5298dc3c

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\clean.mbdb
Filesize
10KB

MD5
76048661997370418a7cada36893ac17

SHA1
d7ef6a1c21f3e36bfb95aeaac213bfe0dcc4f2c9

SHA256
fa80405b455abd60803d3c6fa94781a1bc4b5a8bc249a69923053af59d5fd10e

SHA512
aa5d85d27f551ead938d47d4cbba68ffd52c60d130347f247816e8576457632e8df668bed3174dde582423fcfcc2c78c54e4ebc51899ee2247da1a577385aa2b

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbmanifest2.dat
Filesize
924B

MD5
fae650fe3326e178ba93ebbecee76516

SHA1
7fdace66eb57dbfe97559f90471db1bd0b46c026

SHA256
1437d78c8c60abec6b85dea89c88c053dc9e0081b69a14d094911ff67a36b69c

SHA512
e21819022e02e6d91435a886d0b45ad77778e8ef04a3e583818ed13c6dda42f1808045c2180c15f8e3bf9289d42b5ab875aba5451685b87e131c3e73b9027312

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\mbdigsig2.dat
Filesize
514B

MD5
5b3427da3b2f1b966f9057e20a12f38e

SHA1
b8e92893b2a82df703f0c5019df797aeb40b3685

SHA256
d28ca84a5c3a3c4c1de91767c699d6e83bd5088cec70df1195c8e38bf9d45c04

SHA512
9b6e83dfb776178517307ecf5c65a482a07419910c3e1a8c4e61814ca5323500858e65a8c7b84ec263186d4e9c8918de9ba6682c831a6f6be8853851b8881589

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\prot.mbdb
Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rdefs.mbdb
Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rules.mbdb
Filesize
2.1MB

MD5
7f5b144b2c018ef9d5462c48ce12ed02

SHA1
6ae3a4b07fb26f48b4a723fb22bf3cd8117f87be

SHA256
acc29912247bd903e80f13353af73523a0cc8552b483406655389ed25c80335d

SHA512
b943aba585a461dd11d4a6c1a19ce7c57d419706f20e0d70c38c3375fc5fabcf208158335242d36afd29f3c27f7b509213372bc39e415645b0f8b5d9f25146e7

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\scan.mbdb
Filesize
997KB

MD5
c83a8e8795721f2bccc4dab90941d88e

SHA1
a4b2f1a3048489d1f12ebd3f608a8dd07f8b3bb1

SHA256
d47e8acd4c6f01f905ac096c110a1d579aa68242ee346deddba05106774a7c40

SHA512
2ae00562deee402a6129daa51e61ce7791d81da5ef6bdfe5bd66dbf7671352c377f5c0a638df4d8cee8d5ec56264dc3ce356a455e0d9999ce4512af02ee1c57a

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\tids.mbdb
Filesize
177KB

MD5
732b8aa706a4d4b408131b0c087e7ee5

SHA1
8793cbd65b5ca8e1f99a82987c316e5858fb0976

SHA256
8c646dbd758ad30b92bac206bd19f72a97a864665e4d5c83b43778cf5a2679a2

SHA512
7b9b0a459a7f703b946fb4bdbf185c941c90c84b005310a225d38f86c82a84a81bf20b7d4a43d85865e2793cef0e9898729d93f607890d4083bb641f32d11d14

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\wprot2.mbdb
Filesize
1.4MB

MD5
45b775e7c0c6a853cda49ba58c8a236c

SHA1
31f8ce8d26ffc8abc62d192aa1eb51f56b9b6317

SHA256
3ad6dda0ed9d05994a0c0f628e62ec0ea87a2d9cee1b8e988151f3dd9637ad5c

SHA512
3372c9302936b227ff5b4aae8c9a53286e3260b17804193b8282bbf137afe825676fd9eda523923e3d2dfc3e1beff41d27c438de53214ac6fc8ba0474eb6a48f

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\7z.dll
Filesize
175KB

MD5
fdc7364396615fbab7fe13fb6e9a4f57

SHA1
f915a44a26e3ee9460113a1a0e9a53d3d97288aa

SHA256
8ec89047a781c41990fa9f39ec7ecf14382eaa86b0fc21b2826c4be28ee5fba2

SHA512
34fc7a498774a5ec2b4b7470e1cc4859e23644ed8c31e052ed238ca1f289a38e665b1c8312b255320cf40baf4f40fd312877ba88d822a26d662b2764b1698c88

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Actions.dll
Filesize
682KB

MD5
67c34cf7f6d30038a7f03487b16fe2fa

SHA1
11385f52411d4632c339065162801901726b4203

SHA256
1dce0f8f2ef1d25fbeeb12238e2c7ada5ecd8e9e0520047565b3f5ea46a8283d

SHA512
31e9c8c269c53d193ef7c1fec6437212e72a55a52b883bf0ea6fd213ce4b5769bc58c19984b9809723779240ffc829eba7c1631eb4a57670d0f15b4083b8bbce

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Actions.dll
Filesize
366KB

MD5
c0dc186ee1c2d78f9f07a13b9e00a668

SHA1
2ca8bba7423fe23282bd6ef66bd3178e7833b670

SHA256
6f76e0757e62a9cfd4f7b22ba510042e285d2b99de45c475f5bd58f36eefcdb2

SHA512
2c4a4bd1dfd9b31ce174539f26ba97d1dc80dac4709ee9cf1df8b6d6afd134948e0ec33963ac99e8f6ee64f5243cd2c68d917f2f886275ca59c80ccec1804977

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ActionsShim.dll
Filesize
483KB

MD5
57ea3b2211d9519511253d71ca48e553

SHA1
497e7959efe05804ca686ae33576c09dcb5ec739

SHA256
66254c9097683cd7e0f1e00fe5caced02f392e5cc4ad2d1c8305ab3202a01d89

SHA512
43d1642b8f61654d3f6f7e0e779ad764aa3ad729410b9100f44e53dc21d321437fee2927ff4653206474d54b350c705a393451ba29a06202b8127555a9610b95

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\CleanControllerImpl.dll
Filesize
382KB

MD5
9ae705c8ff3ccf530733aa7dd2fdfa8f

SHA1
9be7a8c441bb3279a0203b8862bb4152269b47b6

SHA256
adfa1fc29887951646bce1ed23d99c35e38f08f0ccf6e96afd551664d19b8df1

SHA512
e7abda8ffcd1ba2fb047a933285c870519ad83c6f16a1d09db34410b45890accf3420880f968e872160df155e37015da8b52d0433506bb87184d235376a077eb

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\CloudControllerImpl.dll
Filesize
957KB

MD5
9c1ece8627cebfb3372b4cc4e68d9bc8

SHA1
e9a9fac891512d1d91dc9f8e16409fd657eb599d

SHA256
33e203f9bc9aba5ac8eab76e2a03cda435c1303ffe7b60f8078116cb4e6ebe44

SHA512
864d8e28b14f5a6ba52e784100f19fb76835a05d26b1cee979802097fb583c55695b38affff0d94c984acedcbd10ad5fa8d4f905a031a35870307ef599bd5d7d

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\LicenseControllerImpl.dll
Filesize
2.9MB

MD5
76737d5d5454e75c7eda5f48b2104a2d

SHA1
75ac801c1edf43919deacf0725045c5e91df679e

SHA256
96c0b5a8706a65bbf8592fb6fd20ad9498542cb41433703ff6cec46153d2b892

SHA512
a1b5d831effa98890fcbd9b7d9cba3c61748d748e1584595beba42c6e3fbc58c47995af7a8c479cff08808fedbb25268ccdbe3fbadce4f12b246ccef52159879

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
Filesize
880KB

MD5
93e793ac13a2355907bb2fec0663307a

SHA1
f702e112618175e8e474a6fc7daf0dd275fcfd46

SHA256
e69a4fabb8632bc00cfa51d72cc37def075bb9e40fa43e80212a01170231cf49

SHA512
27282cb7832e8e49679a42c9d9baf492fbac32f85713fa3c5216084bc3e34b037e6481daed4f7c1630464ef711ab33607f4aa12af41372cec65718b071fbe3fb

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
Filesize
8.8MB

MD5
17335e02247b13ab0d0ed5be8180a4da

SHA1
e8392ba7536bbe531e91c520ba37ce49ba48c203

SHA256
055549f2b36f55fb00307f42c8d877ae7b5979c162d6da86fe2f35c21983d39b

SHA512
d76ce8e032f1a8b899dce88a14d36fd2c5f0719fbe2d1940260c12d2b969953239f576b286119a76fc9212d0e33724e800d11692224bf2e4522c575feaf8a91c

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
Filesize
3.7MB

MD5
1800449605ae60b52493bdc80f67cecb

SHA1
dab705aba74e34d97e9629694450558d414a5f16

SHA256
316e2a1672538f05699c12dd8b02dc1f2990d6feb0e3442ff335ce0416e33c8e

SHA512
415793b396d9339ba91d06edc6d83f5c34f1783dce58224399051722d692e8ca48d20fad77d924befee345a1d82660d916cfea4c820935d67bca1c0dc10a0a18

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
Filesize
5.5MB

MD5
4bee69db4112e5b138f9c32ceda68a9c

SHA1
088476370ba026cd5754b6ce7dc308065234da3f

SHA256
c9cacca9fb0cd42a04130cd18a4e812fdb9512a0a5c89631fa5443052d9232d3

SHA512
c5ed1f532df4f6373a45b320a0d59c7d954246da010a6c584cafe3a35ed212a7956a62cb0453ded96c0249937fac10fa5b22455b192860e34022a47d8e8ea913

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
Filesize
1.2MB

MD5
1eaa963cff2d96f00fc416d0d5fb11e3

SHA1
9a52fdb0ed020fc5ea6bec85c6b7004fb2801cf1

SHA256
5050bd5fb050863f0a5bd38f086b590eaba99e84025230cddd2912e1612be385

SHA512
4c0e69f0165c6edbf58aecb1ca7c02ebeda97b2d3bfc874b99b3895cf937ae72b6a665fa12b68c5646d7ea9e5e3b55994a418efc08fc4744e67b01b0a7d18b25

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMShim.dll
Filesize
453KB

MD5
90c8ed74bfd562aade7ed9293bc34368

SHA1
91a1341f1a8aee73c2c70aebfd0b175e6135ba83

SHA256
b6ff252d74738e51808d7460bbd76d47b07c5c17985d2aeb429d599968825162

SHA512
7d8fc14346728f276b54b4132772d7321025e4ac883cf3e71dd08dd23484c23a8746e3bd3e2491fbdb2f15249c03474a5ed3310cbfd824b57cd6096e130ba037

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\PoliciesControllerImpl.dll
Filesize
459KB

MD5
5ad2dca0431a15004645a58937b46f5b

SHA1
721d48fd943a6f9d8d3c4fcc3e4fff1ee833e61c

SHA256
af50651ffb69550dfa2bd34d490ed697404aae3d83b62160ead405a0259bac57

SHA512
576e4fc03ab93f28ec29adf4fb6ade28d9e21c75d0608782f0d43be77fbd355287dd205627a62f99f6f4ac3daa998eca10f7c32577b9a0bcd6fa0e23026c7ebe

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ScanControllerImpl.dll
Filesize
54KB

MD5
9f9b216ea16a3c6c649b8d320e26af6b

SHA1
316ff9dcbba76a3e28f37bc74d77905bb0c4ce9a

SHA256
86e2f8a1d712ae823d51a4ab797bbb5883b856922156ff09116ce44e62e834bf

SHA512
0af94f27c1ee1fa011971cb2ed36ab6799fbb11c3e4b92c89d890fe0b4fe28c552f54aadc2f92f43bdc11835aa108302415c173df4d53482ae59df863990b3d8

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json
Filesize
592B

MD5
19f473f8caa527d0ca9868b256f5174c

SHA1
15aba70b172716bd73e4517cb8916d17fa527898

SHA256
4e44afa216b795af1127e91f1447c2c20cf08d5f5717cda0804ff3bf7114b73c

SHA512
e989aebebece055b70160376d56efc7ad669e111e1abc4fd48f3bd9a2ce118173005c18e46f3a6fc2db248589582dc3e85e8043668315af7baa15e8a879bfd18

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json
Filesize
654B

MD5
64f6a7402f2a71581c1f66ac2999ceb2

SHA1
eb959c9c38c7b9603da698b4fbaccbd962beb6a6

SHA256
f15a074e0359bc618957d09666fc96523925094e99e2c2f5b4dc74928430639b

SHA512
e2a3efba3e547bdc60e91256c4155fc11d9490c358ac4c282d24afa0d9206131ad83d43a506b9a3583812d6941d1e13f216d7bfcf093ff9ea2159d3ba0f44e1d

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Swissarmy.dll
Filesize
415KB

MD5
5ea2754f11edea01dd9c27351fe3ae51

SHA1
64ae6f10ac031ded9a155f8d6817850524ce5dba

SHA256
c39389f9d12cc9f4f6ef19d3b7b1ca5f49b613dd61f641c79b4365f8c4cca258

SHA512
b7ddb95b2ea6e20a9383741f728d64904e371efc2d5dcae6e2fce09932c1d3c5a6339b89f6fe646e63b5419f3686679e6ac1691c33a21debdb4da591b7e8b8b2

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\SwissarmyShim.dll
Filesize
339KB

MD5
2e827adfcb92840917576764605fbd85

SHA1
ae7fe0ea0d829331460f9548a78181628af2c9b7

SHA256
464f69b501d5706c89f8a80878be2941b5f158c4b3e208aae3b6dd97c746b077

SHA512
3abeb4de7ee6f6bdce1d1075581d04f134dd6bcc03a5d9b4c7d288974ed9cc0e2f84a0bdc3a046471a68460f1c012a448d9df67e5a78c156c30f95cf7d773c77

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\TelemetryControllerImpl.dll
Filesize
1022KB

MD5
d810f9a9858221a0bc05e10790069215

SHA1
3ef0fbc63e7f107ebf27385632c1b52fe443195f

SHA256
cbd2e6eaee4e7e6393a4508b408c7e845c56d42885e19624937a10bde718dc98

SHA512
37b35ef3aa8b6926b7f2059c1afdad1d3382ab80d283f6cb9510f3de84994bbb1d31e693bd46a091b2a71b6d81a0226867be4934d2a2e1e88de60c7607e4d139

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\UpdateControllerImpl.dll
Filesize
2.2MB

MD5
aa2db1513dacca2486d527d4d88c69e3

SHA1
6f11aedaa5ef102cfade87c381c600b877043cc8

SHA256
c3a8a3495166e710de0f355ea0a474cd9a39b68c5e5a8ad37aa9cdf488a0b52d

SHA512
fdb5c79c4000271a7dbdd55a28986c0b22faa1199a19c93586121a28117ae03acccb13724cb85a4f6d38a57a172255692bbd807019a00b5c004a558e937e6455

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.dat
Filesize
8B

MD5
bdcf0c6215e107670112af05c22c7b37

SHA1
e6cb8f72c2dd147eeb704cca67b5d93c6374d9a2

SHA256
ecc6741b9d906863ab55594475e97d1acad054c632504acd17178b0ea91fa76b

SHA512
4d72e1adfe1ebf478a751e810e8fe381305bf8305a7915678b68ed3d229245ccedc89b06f4c1cf4f6df4922628b3e4ab6a4517c8f0b5aaaec2374f52d162de6e

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mb4uns.exe
Filesize
521KB

MD5
c73cf5933052fa81871f80d217a7a04d

SHA1
03b133638b2265a21243a56d9896254fb32e8f73

SHA256
adde6757edb5ee0574ab28967a137da1ca6238f1d822a558ff97e6fd814ba713

SHA512
eb02949ff73d6dc9a995c716c1ff46234694485f54222ddb9bb6d1aabba2107d6924a826597709444e23d476ff980a9452965367bed8be36ba1ad1484b840ca0

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Filesize
677KB

MD5
5ed7fda84e2ec0fd155b41be1e55cf24

SHA1
e3a98c316aaa8da30abb5e98012c3d340956a1ac

SHA256
bdde5d42f5c5789abde4ff522ada1d778ee74dc4483f703bb63bae495f126bb8

SHA512
f012ab29a263810cd0c7c322787a112f215786447e3977e0e02ca225d6d4ff87607927f6be5e20cc15adb08a5a87bae2fd615135c4d371c6b5e5e590df0a4516

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
Filesize
251KB

MD5
2d77105c2778fab31b174dbe5a20d775

SHA1
0de316bac67599fdc521bc5d4fd0723c73f3c3f6

SHA256
cac65883eead45371e152fa7917d8fa0d5e0577b6445361b9e58e0ed214ebe44

SHA512
34c62d509e8b871bdc530b87af9e89b3fd9752a947fe8139097b3aa3bb852c5b9b4cd8437e6169e0bcf1086c427001ecbc0f253c0694e919226feecd0983ddbb

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll
Filesize
126KB

MD5
e0782eec00a2092c3b9a0791b091b156

SHA1
c49f78a12f39d4e1e40d465401d709becbd1842c

SHA256
34c5bbb4cf3ce6caafbb80d85970698f2b99d920d501cba67ed8f2531b212a62

SHA512
7fbcf260195a108d4e24de1ab0e24c158de9413e3e20d004d7c279bd450df52b80e9b5a51f4f6790a270d18be51283f16bb4102defa3b18905770b3fa783418c

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll
Filesize
72KB

MD5
4efb7c0a6b145737b6ec0836d5249bb0

SHA1
d66dd7bed6f010ab32baae9acbf44ad2bb5b1226

SHA256
5b2a3d4e4ea675f1c0a85e4914dc199b77b9c84ac8dd940a0a17cb68cb06ac47

SHA512
a76f0de0c390253eb30ba842336a152f9c12a829af88b3be083e8eb88ed8e8e1f1a4a70423839c655ce56268813b9d7600b790a7faf03f4ab4945212c738fa2b

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll
Filesize
114KB

MD5
16663d125398773a90d0a53333b7cf5e

SHA1
f92928ae3c9292588547ceaca1cb1d372bfd7936

SHA256
38e6811b47262101759aa51a631263d9e3eee5d211164318a751e078afec4cbc

SHA512
091764b8ad80aa31eea0bbd91ee505ebdea2654bc8aeaa3081a061d0d37ab13d27dd203075fd0de10c6687591aa0e36139a38af846c4e34e6aa67ab81dc277df

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat
Filesize
9B

MD5
f726542aded84023a13eb78929733a4c

SHA1
a6e6cc94faa58f8f9de95d6fcdd6a7ef8a86565c

SHA256
ca8a93db9b23da70acf8913f25b52c74ba3cb9a705de99e8cffeec3053c97316

SHA512
a0c11b133436d6f186c7ad44e307b7c7190b7c685c9e750e4d8eeb90e1c5efb9a6397ff575c998cf3d334a670b331b1ac5e30d6524e6c051e9a3fa5ddd367673

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\uipkgver.dat
Filesize
6B

MD5
74c6677020fc6b6c867aab117078bf5f

SHA1
8c46db37dc0b39eb963d4144539c8b591e122400

SHA256
cdbb9bc874d71e154c71b68b1fe959913d286036dac11e226e5620c919ba9708

SHA512
3f9db8d9bb25322f8d8e750750bf92dbe6ac63d686eced65cddfcd61178cf0e947118a491058414d4d2cbb4892e39815565669aee0dfdda23aece72d278292d0

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\version.dat
Filesize
47B

MD5
01e54f23700f1253fa0e7d87114595d8

SHA1
3c96ec53a570831afcb44b4132d503e2b779025a

SHA256
680ace2b46a1b526d214a29a377caa0268b1be0783c0b3b5f84b3dbdde2f266f

SHA512
c857b5493709a86685fbb59a72bd9f5512738b50f54db5e07d25cf8fe85300a2eeb8f270ae4fe53cafb527bbfc6e01fe7230972259d499e64aa7a22303647732

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
1KB

MD5
52d231207b0ffdd7aa87206ee14df452

SHA1
ce1492ff036e9b79d9293432daa187c1e3e5c8b0

SHA256
bbe6e187091bf48e649e6e43d6ff2ecc31cf216009fa24087fe964666822111d

SHA512
836f06de5357f6d8bae7047b8d06e3edf5519f997a5f4618d0c4092e13e48dd49e4d2fc567f5c054da3ff53ade90342f7a9625790937e6e6c256b29bcd74bd7e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
47KB

MD5
3708f4614f2fc34f095d9331bf458352

SHA1
565234d9f896c06034e0970e84d235410917a2b0

SHA256
d776000a84836ba5eca42f5b1c3f3aee41efa42d9927bb9cd552add01849ef28

SHA512
8b8d1f5e154cf7a828d4573ddd9e1aa1570c088b647818fc44f7fd5bae9974b59d4c86d056fe370e4c42c817b028dba8772f6cccbf2b772249d024c86230ca90

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
66KB

MD5
cdd419e384f77656c4928baadb6e748d

SHA1
124fce859f9b506a90f40415b12149a68d9633db

SHA256
fdaf002f91b4292acd6a25468dc82e1f2b84c1f4134db2cf44ed5f20a32b71b5

SHA512
1abeeac9c9336d5571c5a4d82ecb65ac136d476d9f968517e3c50532417982c78f1137b7291e2bc77ffe26f20307dee26a6ed4784e2e4419e5c5ce7f3870af0d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
66KB

MD5
f547b97e085b87678ba9f7838503abbc

SHA1
66b545182975fc2d3a30769c518e0bc169306569

SHA256
20e01207d0006a3dda0e8cdd0e4e257d3e5a6dc83c50248e9855fcc21cd82db8

SHA512
830d681f106de482ea66801e513b04d93c25cd8b4c4da12efdf225fa28f1fd30f96e01fb7ab9bcf8fa16f568922e30dac5ca8a56540184d86116b14177f022e4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json
Filesize
607B

MD5
8799a2dc753a9b16779623a8bd408dd8

SHA1
5c8746e4ed112d4e963f87b4424fab8b5576cde7

SHA256
9f4515d577882e4974a58e0249a0f307e725cf135a9f9ad7d3138b1359426f82

SHA512
a4010c9e8746ab64bfb29f79489c9900cc88519534982b3233e69c2b191d1d6a7b9ec4c890f591d00c8aa1cf88c88275475b339bd0143c821696f9022f0e7477

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json
Filesize
847B

MD5
6b8958878961f1caaf43d868c63c5fef

SHA1
c35ec072d97db62c230df87dc712872a24dfe0b5

SHA256
a41bfb55030bd487287855d5c3ea2918b6bd6132852778483c9c2fdb8f416165

SHA512
55ec6177bf6fd244e51c12968cdd4b4f0c28add019ded7f5114aa8fad45d8d2c4015e684081a241c8e227ff4a8ad0474cff3b6e23da13b9fb4f16255e4226a23

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json
Filesize
846B

MD5
21f08f1e42bbae9a3cffc68511ffe603

SHA1
d9abc708baad4304b4fe04de2ffb99ce71ee2ebd

SHA256
33a38cdd0eeefd6450061f867172b1bc26361ec989fd732505b8f0a811cb9a46

SHA512
65380ae25f86d4523ad9e36ccacf58c487ff9b641c09fc372fdbbd602204efdd57b5aca6f6cd2ede40235a13d1aff6d87f04a2f345e313a6809a203a8235369c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
825B

MD5
a7fa5a56f3e2e9280f58a941d2395e22

SHA1
508cea4be35a8157d0d9cd203a1555aa667dc9b4

SHA256
556e4b47f30bf5e4b41182ca1c3f8719a7eb9ceb68d14c1b9562b928fe7aa705

SHA512
7785b478bd023adc87f180c92cf4286c190a376b3470aee5d50334abca4e2131896863b87cf2216e036e7dc5b5a8c6b371af3afd9eb68a67aae168b7898f9a6b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
15KB

MD5
a0f2c9d59e8aaa92162bb8ca73299846

SHA1
dc1b9e443ba1e71bc7b30a602b1be3794d46ceb8

SHA256
3ea287a41026a985f32457a76ed4724a4253d5de1647aa13cd2cc76c11110734

SHA512
9b66d2594e7c274c12e17f2b6856536c13773f372b64d150aa8d50f33cb9721f415023caee1aac294808b2a467546404b9911b7f1bb972d6658ef232f8b40e80

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
15KB

MD5
232abb47e1d0955b0bc39fcd3c0ef67f

SHA1
537b30e3b8dd34d55150926ac10b20a6cbceb4e0

SHA256
c36785ed6db4504de7871b7c3b75a9e524e2924d91d6a99f4d748132976c9fa4

SHA512
7723b4351176a13921ae05964d9ec03ac7bdcaf1c77ae60c7d9e7e732de6434f22c5e04a72605dd92c3dea944e28576f02f3481ed42ba8aea64c0f0f9a8dcb9c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
15KB

MD5
b89cb29671d230ec9b53bc7aa7874e7b

SHA1
d43f8e688636d481dc14da41d3f984c2037b9e52

SHA256
c858d866f2d214a81c628fe470adba00eb4b3cabe6618fb2c3ceb11fb23d2383

SHA512
8f1d5536823839ed9f277f2dc592a61f79076625f0de568d3d8666d97d0630e24b2e7c547482b9ecd6793c8151d381496be76c4399c12bbf14793b2a980db7ed

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json
Filesize
1KB

MD5
829ac20b04639e8b42d6083eadeb5874

SHA1
5b4de254062e344227226d8b227190ca0640962e

SHA256
4be3dfb2d9d38981f2a987f74a5265bb9ecc583fdfa6c283f5044606f0dbde71

SHA512
5233f08a73d22502f53500927c0ee52316f130cb7a05b0eb1cfb686d21cc16f0c2d5cdabcc0f1cffa87df486fb780e0661fa89684660fbfee2f0e08a0e7134f6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json
Filesize
8KB

MD5
e4a7ecf6e39b01149c23fa70e750083c

SHA1
e6e123961c220f8230f78f5829911f17e1d2ce31

SHA256
1140eaae23b2751c946ffc56c36a629bcad4164cd22f522cc26bbe57382b409e

SHA512
bc6f9b4f73ec1796882886d134b711c5272537e7c1505235f12b0bb0a813f79590e66d29f87d4b42204cc2da3a5dfaa80f8fcedff6bf41d1e32b71d2822dd16e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json
Filesize
10KB

MD5
b0ebaba4864b406843b618c41513c21f

SHA1
5e47c271f1988145e9346d8f918a2faa94c05e10

SHA256
a288dd50c325f2dc9a234b62c1458838b98be771445027a2349cf89d3191a70d

SHA512
fd3e06b9c463f0505744ae68465dd5785f0ba8fb4412ea1c072d0d6d262d5c1f7401b6565624188fbeae18bbf705adb2185576fdda40c62bac19d25cc70a72fa

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json
Filesize
1KB

MD5
5042f88be73c0fa65eed10a110fa3c85

SHA1
965b3787261e116df99cc3296cea5fff90a062bd

SHA256
4e61944539c123a8845c7d4b18b4e93b20e190e286f98bce343bbbe52a232828

SHA512
d6d6c5f73dd6727488d80fde3e7cfc0359eb47198e3d04af664071779fc3dad484ce1e5d406b189d0a497a7fe78e09730defb87afe2dd18be70909b33c604856

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json
Filesize
2KB

MD5
1020fbd8f2644b56b5ad18164825bb4f

SHA1
8fc25d2f0f6106dc3d527e8a9b863de13e7d9a1d

SHA256
e8a8369cb420f689af2d5d2d6395c931289bd98ef38154039af2b9c58da6ae17

SHA512
5e203e67a2b368b3a9e26f091996509a3fa3f8334eec3b5b0d44d16d918bda54f758b0f9d4df10923fa6697de9bd2c665d85a780baa7607ec682ab08983f8025

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json
Filesize
903B

MD5
ac6fc8136c6cb68eedaf6eaa1734bf0b

SHA1
3c2292df12485b959a10e7c4dbd5451348212913

SHA256
0e5c3d56a70e454ff2e717ee49c1f039d16b267d31b9f01fa7e328b564d949a2

SHA512
04aba5dac8e90e92d6afc002a99ab0f0bdf968cc576311c876668cae46479641341b26de0e451bc2569d41b46eda9fc6cc3077a6e7e4e6ac21889104aa751481

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json
Filesize
1KB

MD5
25f262143fd40edf01a53b50ac309c2c

SHA1
a9f6a995fa7168a967d857d6f84e6cabeeeb4dd4

SHA256
0d23dedc03dc4ed9590e6f1048a6280d77905697ba5fed9142618bda6ecb2624

SHA512
43d59e6803b81c4bcb427a144dea510a78c675482179e7556ee962ce181c6b310f944ef23f4f04cc74476f822e42eea0e996449a4c24be0ae50791685e4f5137

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
2KB

MD5
bdf8ac4538471d649f077bc6cce3010d

SHA1
867f4e3f30451fb30415d099749d10c2f438c9d7

SHA256
d8df2d315410f7b842feffb565a182ba1482ef88810e6fbe134f48272dad967b

SHA512
290c49d0b466bdf1f43304e604f87fdf9af4fc5cf2f717543316372322478b970c1b45cf1ce2396d8ef397e494bc6514e77e5964dd7c5935870d136a2f394f91

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
4KB

MD5
ed0d2a5f70966e7e3434b037e96b3f74

SHA1
1d2218acb17a911eed48f6d792b52fe0c4ce21d9

SHA256
91815bf8bdc52901b4d7910638e9fc74c0f374f0a11e7a5afffc6c7fb0e3cd43

SHA512
c4eac4ac4a248c42b8d2e496e5f7770696c790690516114e898e0fdc68eedc39279284a7502c348698d58d865cabeb3c4590ac4046bf713b34dd36d789959c6b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json
Filesize
11KB

MD5
be49dba7759088bdc4ecdeacfadff906

SHA1
d7df8b41d1de2e9b8d8f5422fcfc7586bdf64d5c

SHA256
6a979eefbbd235752ec2c7e460e17527fa566e0f43d3928493e4100143c5152e

SHA512
3d6dd90f597f94958552aa965aee88436dd89edef8c96f00338d953027b625ebdae22e2ec4ce24b751560d6d19bf9542220dc13563b43d815619b96515796433

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
6bf62d7a1d1383df211c5d0faf096c51

SHA1
8968136c28f46fe3575c4e87d31b23a4f6ea474c

SHA256
7f4b3ad2010998a98e62a61e5295cf46e975c7c465616c4758efaf91f85f1e52

SHA512
07068dc1dfd9178501528e27b162a2b6d059cc4d2a1aba22edcadc373bc45fc7564cc54229d3f458901afea5def28e4aa8d0ecddad90184da4200cf2e3f9bb2e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
ea72bfe87131f7ec8048c9d76a64b774

SHA1
4b4eaa535de404f09758332d7baeb774dc5c380f

SHA256
b191ee589e8ec41479079073a1128df62e90bb81640fc28bded0850c32263c36

SHA512
eb733da8e008a4463ef4c9150297936b39d1d9dc511227edf3c9e25b23447dbff375e4b3711c1d8f01193526dd3d5030e68da961b90d5df772224f055a0d507a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
eeb8469e2eb0e96f42507b452fc03851

SHA1
085a1a030b3de6e693bd254e2a67ca9aa3acd03d

SHA256
78d712430f94a1710e49299664574c69bf241e4d1552f2c7965ba65f171abbbf

SHA512
1a73bfd666c08c9b4bc5072a61c9af82ccd8f9b33002b7c887c610aeef2582348d9d9a82e82b5f768449b6056b79725ca2b927ba9ff2e7710a3abf44a948c6c3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
742da6143a6108f60d424de347d90cc0

SHA1
0001a8b83dbe928212fe5b8ea7a034be15dc526b

SHA256
e8404e039fd38f57fe85bf22df0027cb4d34a12ebce2a2138879fe3d03ae24e5

SHA512
7e542af54a548f135a53b5b1505607c4aac4c2a27e6dfef0c7a302ff4d54b2ad3a859f95cdfe8049d45a862a28b0e2c6c4554e08cc55820324463437975fb17f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
55bb379111e3e9c5234acea783436dcf

SHA1
fa3b9ac86c45d331f8e23be5550881301d7bb679

SHA256
decdfb3478f20b639b10e55562088b804c7e8c94a380761c28cc0cf133493310

SHA512
66a95d094dd030ffc1d528b76e57a61e7b4f2892b3f7de381b5dabfca11f8f542cfbcbf9a69d20f142366d5d4f056dc63b262d4983f0857ca094d36f4764ed54

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
f26da7fa4d880e99514f8d084015cbd8

SHA1
b1bcce67d402f0ac8288ce8530ebc76837a8ea9f

SHA256
18f6f8ae732da4fdbe82741c3b6b4b5cd0bd445a5c4394f4226ab9d9c5acedf4

SHA512
fccb4102fb84af75d2b780f096ed53c1798ba3d47326e20adc54bcd0e4e1c4605227d872c25b3db4372d96809a1f1ddcee1ee01dc2d5a8310257a629a157550f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
a557cf6081b34d2c39295a67f684d967

SHA1
f825bec5d691bcbfea965de3e348ef3ff51e002f

SHA256
41dcda70e600acb1b6f63f3b4203078881d7bad53b06bdb41687af99ef80e0b4

SHA512
8f25197ca4d9d8e2877e9b6f92f17b2967498c4c773353e0f9b60828626f20d00e87b41932336f8757041912e5073f6231da961700fcb48c43f99894603cf881

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak
Filesize
1KB

MD5
6c13c74af63cf544f2d329d92051c43c

SHA1
194e7ddd067fa001bb00374fc7701eacaf6cedff

SHA256
72d5caa5f4cbd0aeb5d22b8e9ad13b0b96d40a9bcbec0dacf6086d1230f7b7af

SHA512
87d3c0f74b292e3cefe951f9400f6b67971caf6bf28f892056593e32ecf9aef245130b47a9aab7f169ad6b6d963f9c5557390d3c28414354c4772032757de17f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak
Filesize
1KB

MD5
1c72a138ea2f2dda516362ca430529bc

SHA1
f3b2651955b8aa92185099fd972c5031b88a72ee

SHA256
b7d958411a82499dc4395934a51767b1b4d12488d0408eae23b42aa204916d36

SHA512
1acb719bb1384dc309b23584dda7becc3891bf3d46406c4c8f8b130145b5b309f74490063cf2fae62e4e753048dd3ade7fec8d81bfc7ef34da2dccdfdc5883f8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Actions.dll
Filesize
934KB

MD5
dbb66f444064f069fa714bd9e6e3bf7f

SHA1
860d08d9ea5dfb31d479ac7cb8010e9649a5c7a1

SHA256
a9e2825f71e6190f5e2a9d87486ad5350cae60395e15de212a868a34fc9e7a24

SHA512
c006e52c525e0536b7b6bc213eee82f0864ff5adba7a6dfc949bebd6999980fc34bd0f1f951fbe9803f73358b45471a4709108c4ce1035504df1f69b5b91ccd1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\BrowserSDKDLL.dll
Filesize
1.0MB

MD5
2ffdb98cb400a12b885a38e8669c6ab7

SHA1
868b7c0ab808e2ecf29c393e24ad5e2e2170464b

SHA256
19150ccbcea859da8883a2f658cfa0aa21053b53f4dd0082f18a840e6da4cf67

SHA512
288311167e4633fdf76140e5afc8c40bb751aba99974e783176af8db2b9d512d3093536ba4aabaeed6c4ac91b2db57fca836aadac05b9e40ecf8afe72ca28bc6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.nm
Filesize
337KB

MD5
8338e4326e3d5cddcbe4189e118f3899

SHA1
671bd14ac1add8a5cf4156313991af4b6c5ced34

SHA256
9583482864c5f4ff4b24857b2c89808f2ad82c3a4c9d7bbeda4ef1e79020444d

SHA512
5e58637a0dfa00a08691b04f89de60561359b0635e70b6ef3943507a9479622f2dd3271dfa30543bffca6ff904d03fd4669d48cde75dd5494758a2768f7860e3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.sr
Filesize
1.0MB

MD5
35d940e0944e48056baab6b305579485

SHA1
d576cb8ff8d576291ac62ce9649d1b5ab7b3d34c

SHA256
d56c633be1c00bcd01a57f2b93a7b7af021fddc90b6811b2172ed2fbaad9bfc3

SHA512
b8ab35f2f85a7db851b4ba869319a5c301a69cef50b6cfe5254d98729583a5b45770b24f50928293a6a6942f1668dc8b218766f45d852aa3648265ea093fd271

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\cfg.bin
Filesize
1KB

MD5
86e218784196fe0b6472cd0f20a85069

SHA1
8a5404e5b49624a5a6c289b299f98c4b72720968

SHA256
9aa9ffbaf7126a0b23ddacfaf7f576c85b5a3c3a7d57eac636e73af8842c0902

SHA512
1db35f7d6414fb6ceb486c0361ad394dd4f75d73925b17ffedb07d20b2cc264da33a1e9ff2306dc87ddba81099d5dd2c06b0e399de912d6bfa464c62c9ad777f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dynconfig.dat
Filesize
39KB

MD5
10f23e7c8c791b91c86cd966d67b7bc7

SHA1
3f596093b2bc33f7a2554818f8e41adbbd101961

SHA256
008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

SHA512
2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\exclusions.txt
Filesize
23KB

MD5
aef4eca7ee01bb1a146751c4d0510d2d

SHA1
5cf2273da41147126e5e1eabd3182f19304eea25

SHA256
9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

SHA512
d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\ig.exe
Filesize
812KB

MD5
36b7c5c9edfb990b0c45f3d8a220b94d

SHA1
d4f307f678e27ab5b13345aae0adb142e8df857e

SHA256
71d2518b9f9c3d6d1211df4d199933996e18088e1daa9fa9c3559661462ac9b4

SHA512
eb97d0353e8df81043acaa122cea8dca4f50b983de072e68bce91fe3ea01fc421780033a33b12bf8ef648383319f8e9aefbbe87824d60872e79a375e319b25cd

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rules.mbdb
Filesize
1.2MB

MD5
2b6aece7e3730da8865874b29a205b26

SHA1
21784256870ce8263d4743b767915d32b6535317

SHA256
b27ce123babe21faca3c38dd3b938f83849e835fc46ad3d20654aede6cc4e5ca

SHA512
52e1b2215246fb631d477b96609c9d7d727413798c71909855d1618c0d25be9fd505d952a3aee07bfd2e7345c87a95deef295bf42511866e1e0bbfb918033e47

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dll
Filesize
529KB

MD5
37e9fb570154468c7c8a676358454896

SHA1
402a452bf54c8848017aaa0db2226525132b7bb0

SHA256
dd26f9c6bbf80594b8f607be97420c9d75fbab4f3b06e7fb9e2dcec30bb0fd75

SHA512
f28913a24c8d0f76633f015bee7c9791dc0a10ddd903c997f7f69f6d5fb3b3987e01268b839da0014c30005658f40a448810d58329b068d6d4e8c29091180caf

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\scan.mbdb
Filesize
859KB

MD5
f40a2f22d2bc94005dcf0ac685fb55dc

SHA1
7048a32ccc5ccdcebc7ede0344f8ad28698cb52b

SHA256
43eba41c610fe320e88b6a2116257ca8105b6552ee8d1073847b35a31b13b533

SHA512
b715d3b9867cb7342ac61add6091c19af2b80e72d7a4d4ee365da44093574a5453f9a029e3c352b7bff40d24fd263aac9787e1089dcff8d93da4ee96f1812e46

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\wprot2.mbdb
Filesize
1023KB

MD5
56a5f180b6e587cd55b46645c10bc2e0

SHA1
d93283f934a0374c968e5fa5fa2c9ab51511a144

SHA256
11a38210437617d26b0bf18f1727447a8e518f7e049443c5db65eb80be5b0804

SHA512
fa197ae16bb8005bf8e7b195e0f4472c49f3f5b26af006ffe67d118b351280b4a71028cb307301915526b496d53abeacc417392f3ea9d92132c8d130b3f4648c

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt
Filesize
2KB

MD5
12bd2e4c8b33ba6c09162a2d9f0e4175

SHA1
858901265eb5ffa1a6aac4839dfcb3ae2b9f2771

SHA256
924c5cb54f3aba89a8259ea2833386e56246bd3fb656aef0bf7626b13d5728d2

SHA512
c57ac1a66507ab863b33ae89060e68ff66fbe1da68eaffc0b1831a9e73a3799a998726a9002cd1f8618d9134e46347cf985ac0c771b5bb2c09c4583e1a61c37c

Download Submit
C:\Windows\System32\drivers\mbamswissarmy.sys
Filesize
233KB

MD5
4b2cc2d3ebf42659ea5e6e63584e1b76

SHA1
0042da8151f2e10a31ecceb60795eb428316e820

SHA256
3db4366ccb9d94062388000926c060e2524c7d3ee4b6b7c7cf06f909f747fc6c

SHA512
804d64d346b3dbb1ce3095a5d0fa7acc5da0bf832c458e557dac486559fe53144f15f08c444fea84a01471fd5981e68801a809b143c56b5b63e3e16de9db0d98

Download Submit
C:\Windows\Temp\MBInstallTemp4cc2919ab4bd11eebb69d62139be032b\7z.dll
Filesize
1.6MB

MD5
ab8f0c1a37c0df5c8924aab509db42c9

SHA1
53dba959124e6d740829bda2360e851bcb85cce8

SHA256
6e223b275b84d948cc5ae1f161f0bfff2adb34de04634c84d7dbe9305a4998d5

SHA512
ff8a26e8fd5a08c74e5ba93a564e0d3cd932754e7f06993a365bfad06670497889e69ec45bfba1378040b72f82d468e79682beba2439937bb29d2a41da940d4a

Download Submit
C:\Windows\Temp\MBInstallTemp4cc2919ab4bd11eebb69d62139be032b\ctlrpkg\mbae64.sys
Filesize
154KB

MD5
95515708f41a7e283d6725506f56f6f2

SHA1
9afc20a19db3d2a75b6915d8d9af602c5218735e

SHA256
321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6

SHA512
d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08

Download Submit
C:\Windows\Temp\MBInstallTemp4cc2919ab4bd11eebb69d62139be032b\dbclspkg\MBAMCoreV5.dll
Filesize
6.7MB

MD5
d7aa4188a5f44b98274c3f3ac29e6cd0

SHA1
6d6f54ff1ca9532ac75790bb9b16cc29fdc6215e

SHA256
bb9cf3a83c7a76592f0b412cf0c11a96faf3584fc7e3f5e46662670759ccbb5b

SHA512
2e65fa315bb6b06f291f812a90f8a045a567702e9b250fdde324524aaeba39b24eb1df7ec9065cf35d59912972b7ba6f2be64b7a15a8436874722bc3673000bb

Download Submit
C:\Windows\Temp\MBInstallTemp4cc2919ab4bd11eebb69d62139be032b\servicepkg\MBAMService.exe
Filesize
9.0MB

MD5
732197b86b24b54d0c38ba4fc8cafd25

SHA1
a1431cba5eb0ec353586457bc39fd1af87801313

SHA256
dc803f356dc58973bae6b3e549fede269582426c8b9fcc3e69c06798ea8119ac

SHA512
6993d1eaaaa09a94982c54a6e5d1698fe251fcd8970c0f37b0cf8a9228758114427af2d9ec731e50c2a3490369568ecc0b5baf4dd4c572b05216be42a8fa6fd6

Download Submit
C:\Windows\Temp\MBInstallTemp4cc2919ab4bd11eebb69d62139be032b\servicepkg\mbamelam.cat
Filesize
10KB

MD5
60608328775d6acf03eaab38407e5b7c

SHA1
9f63644893517286753f63ad6d01bc8bfacf79b1

SHA256
3ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59

SHA512
9f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7

Download Submit
C:\Windows\Temp\MBInstallTemp4cc2919ab4bd11eebb69d62139be032b\servicepkg\mbamelam.inf
Filesize
2KB

MD5
c481ad4dd1d91860335787aa61177932

SHA1
81633414c5bf5832a8584fb0740bc09596b9b66d

SHA256
793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3

SHA512
d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830

Download Submit
C:\Windows\Temp\MBInstallTemp4cc2919ab4bd11eebb69d62139be032b\servicepkg\mbamelam.sys
Filesize
20KB

MD5
9e77c51e14fa9a323ee1635dc74ecc07

SHA1
a78bde0bd73260ce7af9cdc441af9db54d1637c2

SHA256
b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0

SHA512
a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186

Download Submit
C:\Windows\Temp\MBInstallTemp4cc2919ab4bd11eebb69d62139be032b\servicepkg\mbshlext.dll
Filesize
1.3MB

MD5
d77863b36edcfa3c6114857240d43771

SHA1
4f60a49ad678806736663a0204fa1d2ed72b3456

SHA256
cc52942b054ea13419b631104c153cd5863c0bf1aff2cbc3f3ac5fb7ee8674d9

SHA512
118d9bbffdab336618ed7a76825323981d1698a25cf2b92dba857186bf9162fd596aa0675d969490df311ae2f45c5705450219b0a83a29aa70105adb9bb616a0

Download Submit
C:\Windows\Temp\MBInstallTemp4cc2919ab4bd11eebb69d62139be032b\uipkg\QtQuick\Controls.2\HorizontalHeaderView.qml
Filesize
1KB

MD5
d8c9674c0e9bddbd8aa59a9d343cf462

SHA1
490aa022ac31ddce86d5b62f913b23fbb0de27c2

SHA256
1ef333b5fb4d8075973f312ef787237240b9f49f3f9185fb21202883f900e7d7

SHA512
0b86ec673133f6400c38b79f9ba4f7b37ce5afdab1a2e34acbf75019e2590cc26b26d323ddc1567c91375053c9c8593be0615389db8eb1a8d1eb084ad4200b82

Download Submit
C:\Windows\Temp\MBInstallTemp4cc2919ab4bd11eebb69d62139be032b\uipkg\QtQuick\Controls.2\Imagine\VerticalHeaderView.qml
Filesize
1KB

MD5
829769b2741d92df3c5d837eee64f297

SHA1
f61c91436ca3420c4e9b94833839fd9c14024b69

SHA256
489c02f8716e7a1de61834b3d8bbb61bce91ca4a33a6b62342b4c851d93e51e0

SHA512
4061c271db37523b9dea9a9973226d91337e1809d4e7767e57ac938d35d77a302363ed92ab4be18c35ba589f528194ad71c93a8507449bf74dd035acf7cdb521

Download Submit
memory/3204-4038-0x0000024D39BB0000-0x0000024D39BC0000-memory.dmp

Filesize
64KB

Download
memory/3204-4039-0x0000024D3C050000-0x0000024D3C490000-memory.dmp

Filesize
4.2MB

Download
memory/3204-4041-0x0000024D3C490000-0x0000024D3C690000-memory.dmp

Filesize
2.0MB

Download
memory/3204-4037-0x00007FFCE9360000-0x00007FFCE977E000-memory.dmp

Filesize
4.1MB

Download
memory/3204-4036-0x00007FFCE8DF0000-0x00007FFCE935B000-memory.dmp

Filesize
5.4MB

Download
memory/3648-3151-0x0000025723B00000-0x0000025723FE3000-memory.dmp

Filesize
4.9MB

Download
memory/3648-4034-0x0000025723B00000-0x0000025723FE3000-memory.dmp

Filesize
4.9MB

Download
memory/3648-4205-0x0000025723B00000-0x0000025723FE3000-memory.dmp

Filesize
4.9MB

Download
memory/4156-4599-0x000001DF19CD0000-0x000001DF19CD1000-memory.dmp

Filesize
4KB

Download
memory/4156-4607-0x000001DF10D60000-0x000001DF10D70000-memory.dmp

Filesize
64KB

Download
memory/4156-4595-0x000001DF19CD0000-0x000001DF19CD1000-memory.dmp

Filesize
4KB

Download
memory/4156-4110-0x00007FF71A560000-0x00007FF71BC24000-memory.dmp

Filesize
22.8MB

Download
memory/4156-4606-0x000001DF19A60000-0x000001DF19A61000-memory.dmp

Filesize
4KB

Download
memory/4156-4593-0x000001DF19CD0000-0x000001DF19CD1000-memory.dmp

Filesize
4KB

Download
memory/4156-4597-0x000001DF19CD0000-0x000001DF19CD1000-memory.dmp

Filesize
4KB

Download
memory/4156-4596-0x000001DF19CD0000-0x000001DF19CD1000-memory.dmp

Filesize
4KB

Download
memory/4156-4594-0x000001DF19CD0000-0x000001DF19CD1000-memory.dmp

Filesize
4KB

Download
memory/4156-4113-0x000001DF10D60000-0x000001DF10D70000-memory.dmp

Filesize
64KB

Download
memory/4156-4605-0x000001DF19A60000-0x000001DF19A61000-memory.dmp

Filesize
4KB

Download
memory/4156-4604-0x000001DF19A60000-0x000001DF19A61000-memory.dmp

Filesize
4KB

Download
memory/4156-4603-0x000001DF19A60000-0x000001DF19A61000-memory.dmp

Filesize
4KB

Download
memory/4156-4602-0x000001DF19A60000-0x000001DF19A61000-memory.dmp

Filesize
4KB

Download
memory/4156-4600-0x000001DF19CD0000-0x000001DF19CD1000-memory.dmp

Filesize
4KB

Download
memory/4156-4112-0x00007FFCE8DF0000-0x00007FFCE935B000-memory.dmp

Filesize
5.4MB

Download
memory/4156-4598-0x000001DF19CD0000-0x000001DF19CD1000-memory.dmp

Filesize
4KB

Download
memory/4156-4111-0x00007FFCE9360000-0x00007FFCE977E000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads