7c0b9bceed390f7f28135431c09ac51469ee8e2b8095fb36a37315d811d9ba9c

Analysis

max time kernel
97s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
16-01-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MBSetup (1).exe
Size

2.5MB
MD5

1e885823577394ea61ea89438ffe2954
SHA1

e53e96f7374790bdad8a614949b398b055c3a27b
SHA256

7c0b9bceed390f7f28135431c09ac51469ee8e2b8095fb36a37315d811d9ba9c
SHA512

73f600833dad0047b6444110d722dc95237b38bb486abc7fc8e4f59b69e2154c885fb46d65f488d5139a0b6e76ebde33ea72711c7f58436650ef992fb8995627
SSDEEP

49152:Lw3ye9SPQ1sjDAVj+JeRanStQyfvE0Z3R0nxiIq2ddAsuysSiSF:4yeoCVj+c6KtQRq2ADSiSF

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

Processes:

MBAMService.exeMBSetup (1).exeMBAMInstallerService.exe

description	ioc	process
File created	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup (1).exe
File created	C:\Windows\system32\drivers\mbae64.sys	MBAMInstallerService.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBSetup (1).exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup (1).exe

Drops file in System32 directory 1 IoCs

Processes:

MBAMService.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt MBAMService.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe

Drops file in Program Files directory 64 IoCs

Processes:

MBAMInstallerService.exe

description	ioc	process
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\MenuBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\SwitchIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\PrivateWidgets\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\ToolSeparator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_pl.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\HandleStyleHelper.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\DelayButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\Frame.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\slider_handle.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Extras\StatusIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_it.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\ComboBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\ComboBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Tumbler.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\PieMenuStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\BusyIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\warning.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Layouts\qquicklayoutsplugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbae64.sys	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\MwacLib.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5Charts.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\MenuContentScroller.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\resources\qtwebengine_devtools_resources.pak	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-interlocked-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\ScrollViewStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\GroupBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Extras\ToggleButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\SwipeDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_en_US.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\ToolMenuButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\slider-handle.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\ToolButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\settings\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\SwipeView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\SpinBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\ProgressBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_cs.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\FastGlow.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\StatusBarStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\ToolBarStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\MenuBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Layouts\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\ColumnMenuContent.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\qtquickcontrolsplugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\ApplicationWindowStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\ToolSeparator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\TreeViewItemDelegateLoader.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\Dialog.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\Page.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\StackView.js	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\TextFieldStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\DelayButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\qqc2materialstyleplugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\MbamPt.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5XmlPatterns.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-crt-math-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Tumbler.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\PageIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Extras\qtquickextrasplugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\TextField.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\CheckIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\SwitchDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Switch.qml	MBAMInstallerService.exe

Executes dropped EXE 2 IoCs

Processes:

MBAMInstallerService.exeMBAMService.exe

pid process

1108 MBAMInstallerService.exe
2452 MBAMService.exe
Loads dropped DLL 2 IoCs

Processes:

MBAMInstallerService.exe

pid process

1108 MBAMInstallerService.exe
1108 MBAMInstallerService.exe

pid	process
1108	MBAMInstallerService.exe
2452	MBAMService.exe

pid	process
1108	MBAMInstallerService.exe
1108	MBAMInstallerService.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

MBAMService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MBAMInstallerService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMInstallerService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MBAMInstallerService.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe

Modifies registry class 64 IoCs

Processes:

MBAMService.exeMBAMInstallerService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\VersionIndependentProgID	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\Programmable	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CleanController.1	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\VersionIndependentProgID	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\ = "MBAMServiceController Class"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.AEController\CurVer\ = "MB.AEController.1"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\Version\ = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\TypeLib\ = "{A23C190D-C714-42C7-BDBB-F4E1DE65AF27}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\ = "CleanController Class"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\ProgID	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\malwarebytes\shell\open	MBAMInstallerService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.AEController.1\CLSID\ = "{F415899A-1576-4C8B-BC9F-4854781F8A20}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\AppID = "{1F7896AD-8886-42CD-8ABD-7A1315A3A5F2}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.ArwController.1	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\Version	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\ = "ArwController Class"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\Version\ = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CloudController.1\CLSID\ = "{BF474111-9116-45C6-AF53-209E64F1BB53}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CloudController	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\ProgID	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\VersionIndependentProgID	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\Version	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\Version\ = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.MBAMServiceController	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CleanController.1\ = "CleanController Class"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\malwarebytes\DefaultIcon	MBAMInstallerService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\ProgID\ = "MB.MBAMServiceController.1"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CleanController\CurVer	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CloudController\ = "CloudController Class"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.ArwController\ = "ArwController Class"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CleanController\ = "CleanController Class"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.MBAMServiceController.1	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\TypeLib\ = "{783B187E-360F-419C-B6DA-592892764A01}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\ = "AEController Class"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\ProgID\ = "MB.ArwController.1"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.ArwController.1\ = "ArwController Class"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\Version	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.MBAMServiceController.1\ = "MBAMServiceController Class"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\VersionIndependentProgID\ = "MB.AEController"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\ProgID	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.ArwController.1\CLSID\ = "{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CleanController	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CloudController.1	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\Version\ = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.AEController	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.ArwController.1\CLSID	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\Version	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CleanController\CurVer\ = "MB.CleanController.1"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\malwarebytes\shell\open\command	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CloudController.1\CLSID	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.AEController.1\ = "AEController Class"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.AEController\ = "AEController Class"	MBAMService.exe

Modifies system certificate store 2 TTPs 20 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

MBAMInstallerService.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MBAMInstallerService.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

MBSetup (1).exeMBAMInstallerService.exe

pid	process
2476	MBSetup (1).exe
2476	MBSetup (1).exe
1108	MBAMInstallerService.exe
1108	MBAMInstallerService.exe
1108	MBAMInstallerService.exe
1108	MBAMInstallerService.exe
1108	MBAMInstallerService.exe
1108	MBAMInstallerService.exe
1108	MBAMInstallerService.exe
1108	MBAMInstallerService.exe
1108	MBAMInstallerService.exe
1108	MBAMInstallerService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MBAMService.exe

description pid process

Token: 33 2452 MBAMService.exe
Token: SeIncBasePriorityPrivilege 2452 MBAMService.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

MBSetup (1).exe

pid process

2476 MBSetup (1).exe

description	pid	process
Token: 33	2452	MBAMService.exe
Token: SeIncBasePriorityPrivilege	2452	MBAMService.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

MBAMInstallerService.exe

description	pid	process	target process
PID 1108 wrote to memory of 2452	1108	MBAMInstallerService.exe	MBAMService.exe
PID 1108 wrote to memory of 2452	1108	MBAMInstallerService.exe	MBAMService.exe

C:\Users\Admin\AppData\Local\Temp\MBSetup (1).exe
"C:\Users\Admin\AppData\Local\Temp\MBSetup (1).exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2476

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1108

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
PID:3036

C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
2⤵
PID:3836

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
1⤵
PID:4052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D0
1⤵
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\7z.dll
Filesize
204KB

MD5
1173980311efdcf2cabd04544c677e62

SHA1
f227aad9026e1ecb3a05d56e92eafb5b1604fcca

SHA256
8268dc5a6282fc46b12a1f020d4d623d8f0daf76cb26cb88a97ba4af561f0551

SHA512
18b79921d00dd0f797c8f56a179c10c00e5b89fa6e9970f50998ef721660b756d0998ab071af5e92711f37848c07965c6e4aae23053e85d9bb525d1881498051

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Actions.dll
Filesize
156KB

MD5
139ebccf06b8c0d980f663345a9b2cbf

SHA1
5d44825baba48e131c68034489601babd7257e6f

SHA256
42561aa611c28968af461d661bab967ebad2bcc85932cd277c06bbe35b118559

SHA512
70283193106d25389f598e1e7a93b99448df569b6ad511b9231a83825e8457b698aa3720a4f543e3314632c7c673daa98dddfc658f6908da2c408fbd6984c5d9

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ActionsShim.dll
Filesize
149KB

MD5
420fc864dbaf5d19aaec37f7a74c1f18

SHA1
f5094908e86c59cae30f8ca80c7f35f5cf1ce6a6

SHA256
10b6156ce7b5f9a623f105828bb3b7e829f1f40fd7312e7c52e5a98a505ee469

SHA512
59b682ae0c275753c09aca6bb9f1afbf1d770fcadaad0696a89cef1fa8bb1b5bb54ad2ac549dec146d10afd43cd922232575eba0a949f850b9adeb133b34a3a2

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\BrowserSDKDLL.dll
Filesize
117KB

MD5
89dbafaaa88da3482262915f320c1722

SHA1
1e3c774652d98575cd1aaf702fd4fa7cacf03a1d

SHA256
d20bc9dcf7070e2974958d0ba2ddfd0b9f6f8a3ae2ad904d042562542934c0fa

SHA512
73c32b1a906ee9d76a045a6a907af40549cea2b490c60068ef2573ba4fb9aa36566b5b669f5e0369396bd9860e0ac1c590c68b7eed2ed2d8061c67dc55af64fb

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CleanControllerImpl.dll
Filesize
181KB

MD5
4c5993a7308f8a47142fe740b030352a

SHA1
9286f7cf32d7c27f835cdb3ee1e0461c80e43711

SHA256
fc339b089410330bb23a5dcd17f32d7ceb123273691e35c08a5fa611c397f9eb

SHA512
8d7857caf6d877fee53b5c5c396a5cab62d03e14541b1ce0725270707a8baa5ddc1220e3e63f8d71f97d91eb80758eb69984a71c1d9143f2e5f69c98ef7fbc5a

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CloudControllerImpl.dll
Filesize
174KB

MD5
440ed8f441886a4695060415df2349aa

SHA1
e25e724e7b6ea7e93b28468d29ec4f978d3e80ef

SHA256
5c4e089b143f1c2f3ed7998738fca91f78cbf996d1d4d3a442ddb813a2f2f0f3

SHA512
39c088a07d25504d0098045baf3a31790c935463faa4635b7926c3936e967c63702c44f2288433f8ec8e4df6fcff6b813f54cfd7078c4ece37b4281de8d8088f

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\LicenseControllerImpl.dll
Filesize
1.7MB

MD5
8f47d90193a0995da993f0d7cc63a5e9

SHA1
4c4ff8c8d115f7b4a06aecb1035eca9d5f091c59

SHA256
312e7dbd4a02a515bb7d41fd3f9eb6389990c63d997a0777f790fced2da3b311

SHA512
31bf5cd9873317c4ba303a8ae33166975904dc8f0ca7ae68b365ed7397b5cae0c2e1fb6e7439d888cf3e60cdaca4ee584f4c8c95cb675effc647d93ea667dd78

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMCore.dll
Filesize
211KB

MD5
46da110537b0bd18c7381a9be0a526bc

SHA1
28f1afc4c040859abae17b259f490998dd83e3dc

SHA256
0ca33df062992f8d8704d67220b1f3ebe2d8863efc969c618e0e8cfb44122634

SHA512
e9dba1665c3b63e0e08aae4f1f0a4f209c84b6f1183e4fb86a1607fa826bf6e429b705f8fecbbb79698c0c622ebde177778c14f846f1060a71646139e7088c56

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMShim.dll
Filesize
17KB

MD5
b871866ba6a13ea393549ccf56bf8434

SHA1
31add40095ef03a8a12de5e37809649d535d1dbd

SHA256
a49b679b6abae0ccc1b6002e399d0777d82a0022cf8012e02de70fd8e7aba361

SHA512
59bdd4b000238b880f1f2094a9f23256c84328bf3ab9d3acce4b733ddf4b0d64b4dc82338b257cd4b7b7a53ac5189ed4700bd5403271d0b4e67117029145c701

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
Filesize
3.0MB

MD5
6aff5c3b774157836b9aeb1c60a933ab

SHA1
b9f105ddccd7f4237b36b9c505a30bb9afbd876d

SHA256
de6ef7ed90e07cc076911ca99fe76c838a87b9581e1591c7d0deebacc620a4f2

SHA512
6747add254169f42b35e97f12dcab182827f282655679cdc9216377daff5755c53216cd2b83ed55cfc28b5482fd1e71fd13643efe586b315e2bb8f2fc1123537

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ScanControllerImpl.dll
Filesize
92KB

MD5
6c698c08865a1b7c2b534782408469c6

SHA1
d6e251f9a68ad9567efceb8037005b350a29ec07

SHA256
ea9b443e151ce70081db227c49818b83668ef1001db5e4272f06e42a1f851e07

SHA512
2c77dd1eeda0b9716664ef97d78dd13ceecea1426fafbe3c99c2682409f550c48ecb5709978f15c428a37e645232ab451cc2fe2639b666e2f40a0593526d0adb

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Swissarmy.dll
Filesize
150KB

MD5
f73c9f5e64176da76af8bcd1bdab542b

SHA1
ba862f3d2a22f2e9fc7aca1a43c2a0e7d2a141f3

SHA256
4755649f87bc72f6d9b8a46c699f49cd196b89fb52b3971a482bc0a9f954ded7

SHA512
460abf934d0e8ae886e7b58b576fd659d3b8c60d1c29c806973f83accc43b61fa186028d5115a0f56e6b799c8e5e5da393e7e570cb7ae2c6ba494c5e2013f95b

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SwissarmyShim.dll
Filesize
113KB

MD5
094fb78efaba3bf6cc0e180ad9bbe3e2

SHA1
a506d2dfad15edc13f105897f038a5b6dab80675

SHA256
731ad2002de507a0917fac8f4613aa7a88d39c6e086bec9d743602dfaf344a36

SHA512
2a45805eab0cff0b2f69b6877a3c072e4b68d089b584e53c0b9fdd79265d2a019c80f4c9595866f6a9800a7268682dcdc7481e8e845b38d4f9057bf2cb555d09

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\TelemetryControllerImpl.dll
Filesize
265KB

MD5
250bab7f9f1c0c0abe69bcaa288c4b00

SHA1
008c267fe0fb2f398400b146ff69a252645e9298

SHA256
82c91d7b13b59803ba470e80d462be55fa38f91be6ebea40666d147a92db0907

SHA512
6421fd96ba5e8b8950d3ab16555f9260a6087089cf9300066e85a27e4af9199d7a84bd892933e36305611e5b7003d86fb5c60464fbaadf28e99fffcaf4df17fa

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\UpdateControllerImpl.dll
Filesize
23KB

MD5
9bf5783f63a234b0947c1fc92509df34

SHA1
d84d1de8143aa4ed38fcec1ad45ee7e5a588c8a0

SHA256
cd49cefcc9a28f6c5694d14ffb66fd21fc0a573041ed61d4ed3a4b43417952d8

SHA512
336f14f531b3b044704b7a82dcdbe3337f9c7720d97f29be3e50fdfa9cdf8b0f4c774445063b1c3563514a508099f1d415d3c42898a4c61965f924ce74aa652e

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
Filesize
118KB

MD5
303a40825dd46eb1860bf3ae0f5ad323

SHA1
5db014cc0f61aea05f517ca82c366ac504e6a2cb

SHA256
5cf3ecbddfefbdaa0bfbd903f86210f8ce33e1e14e8c19daa2a7214c460794c0

SHA512
c3fc6e4a150d46076a6e902ee0e824f86dbdc9056de865e6ffbb4b4ba86ed77a8afd0d5dfd7e8a5f097d2bec27187aac54b8976e63d8b63bcf97203084979510

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\pkgvers.dat
Filesize
74B

MD5
06c4b6a669d23864c284ae03481bb816

SHA1
daa6ef50625576907dd1fbeb52823278d41512c8

SHA256
c7871ef2ae5feab275dfa1fe7a10138240bb7404af93a8bbbfaad6a31a18c806

SHA512
fd58c75969b3ab37b44da71b6ad79e59e47da7a7c9fe2dd29681aa845696a5834dc330e282495396e38e1e9bb9e8f5da5690d27e11c55a599877d9dfb737e345

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sample.dll
Filesize
358KB

MD5
b93f655b75aec3e9da33bd2090bcf898

SHA1
60ea9632913bd19b65daa8f727a0ea7571d3d28e

SHA256
68e21bff471a00058cb074cf7384e58be6715a305478eaad5ca7d66ea2029a0d

SHA512
0d1df4f7345d90ffe0616a9928ddf9101606844e8d3e9939824995620e73093dc0b61ae74937d464de19f839d5257e32c00f0717560aa668e075708b3ce8693a

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.nm
Filesize
337KB

MD5
8338e4326e3d5cddcbe4189e118f3899

SHA1
671bd14ac1add8a5cf4156313991af4b6c5ced34

SHA256
9583482864c5f4ff4b24857b2c89808f2ad82c3a4c9d7bbeda4ef1e79020444d

SHA512
5e58637a0dfa00a08691b04f89de60561359b0635e70b6ef3943507a9479622f2dd3271dfa30543bffca6ff904d03fd4669d48cde75dd5494758a2768f7860e3

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.sr
Filesize
128KB

MD5
49185bdbc17f9443d389eef05de84dc9

SHA1
d680d3a589cd0e336ad002f9622cb17a6a4c3260

SHA256
83942c60210318a688fdffdc67924ec34d9eb82e2b7779a4107a55b2b02c0248

SHA512
e5c57d8ce4807c3ac54903b1179fa93bcdee7f2a7971608fe9c9c4377323002b3a98237ca695a9f5bb540b2b22d84c7e7430d96f109a8ee0281dc1c3b06ddf92

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\clean.mbdb
Filesize
10KB

MD5
76048661997370418a7cada36893ac17

SHA1
d7ef6a1c21f3e36bfb95aeaac213bfe0dcc4f2c9

SHA256
fa80405b455abd60803d3c6fa94781a1bc4b5a8bc249a69923053af59d5fd10e

SHA512
aa5d85d27f551ead938d47d4cbba68ffd52c60d130347f247816e8576457632e8df668bed3174dde582423fcfcc2c78c54e4ebc51899ee2247da1a577385aa2b

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbmanifest2.dat
Filesize
924B

MD5
fae650fe3326e178ba93ebbecee76516

SHA1
7fdace66eb57dbfe97559f90471db1bd0b46c026

SHA256
1437d78c8c60abec6b85dea89c88c053dc9e0081b69a14d094911ff67a36b69c

SHA512
e21819022e02e6d91435a886d0b45ad77778e8ef04a3e583818ed13c6dda42f1808045c2180c15f8e3bf9289d42b5ab875aba5451685b87e131c3e73b9027312

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dynconfig.dat
Filesize
39KB

MD5
10f23e7c8c791b91c86cd966d67b7bc7

SHA1
3f596093b2bc33f7a2554818f8e41adbbd101961

SHA256
008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

SHA512
2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\exclusions.txt
Filesize
23KB

MD5
aef4eca7ee01bb1a146751c4d0510d2d

SHA1
5cf2273da41147126e5e1eabd3182f19304eea25

SHA256
9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

SHA512
d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\mbdigsig2.dat
Filesize
514B

MD5
5b3427da3b2f1b966f9057e20a12f38e

SHA1
b8e92893b2a82df703f0c5019df797aeb40b3685

SHA256
d28ca84a5c3a3c4c1de91767c699d6e83bd5088cec70df1195c8e38bf9d45c04

SHA512
9b6e83dfb776178517307ecf5c65a482a07419910c3e1a8c4e61814ca5323500858e65a8c7b84ec263186d4e9c8918de9ba6682c831a6f6be8853851b8881589

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\prot.mbdb
Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rdefs.mbdb
Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rules.mbdb
Filesize
325KB

MD5
b25b3a60b27812c0bee1fe79fdce6019

SHA1
13d0ccba0404fc66474a425f9f001077229b0757

SHA256
45ce74b7e37242496a38e6a25c0c12a65b928f2c3106ac8b2b50e859fcc478bf

SHA512
7d90b76134ad8aa2103f22e3612fc6d4599ba8aa651296c508b2309be842a466463c94fff7d67a4fac82ab73bc468dcf078bec113dd0ec4e745b92828836e566

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\scan.mbdb
Filesize
57KB

MD5
eeb4d7c225c5de26f89b9223902d29c6

SHA1
4e023f1943e6f0340847af4a6e26c430e5ac84f3

SHA256
851629c25b14217c3eb6f788131634055c77fa690f99ef16150a9a4c07a439b0

SHA512
273eda1b2ca20955572f23a683eeb7533d2e3db684db69b7e0c042873b0ca756c2ee3c926480037aeab689999ab904a8b0a9690bba1a48e507861f141f2027a3

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\tids.mbdb
Filesize
1KB

MD5
efbc5b7a75db8d4191d91d8eaba09f6e

SHA1
a93f51c48c71584bad1411a5cddf1ad025b68309

SHA256
c10053bc77a84343efb127ca08f3033f1284b3a623557ee40afcfd7fe01859ca

SHA512
9ee9d00ebc0818026ce3403171a5d2423621bb41f5976ef676a8723cd32123a00e50948ae944d8dc24ee618efa0e48b4dd4e844069819e5a24a26723343e1146

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\wprot2.mbdb
Filesize
375KB

MD5
3a04c5f9d7610cbb588a86dc90a78317

SHA1
d50f646d59f1cabbfe2e057e47591764fe1b08e2

SHA256
207726466893257b9d982d5c5af92cf4a8ab36dec7854e97099bca8fa2678d2e

SHA512
35cf85674ec42785d03740791eca52d3887bef357d5620757cc1206634a3c97afce9a7448080f3e5e1f861c7a2122fe199d037fb5956e86e2d8a918b940c7180

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\7z.dll
Filesize
368KB

MD5
2e50089dfc56b5f136acbd111259117e

SHA1
8e5543fc3aa933947c4e9cd53af04b11be5a4dcd

SHA256
ed0b74097a7414fb70f000d01139ff3548150954f5f4aa4dee4f5c0e97a88bde

SHA512
9a108f0ea0d09107648a0286c511f4ae95dec9f4bcf8eb03df1a70c0ea36d86d718fb285e07ae6cedf8bd92d72873ff1d6875494ac24ccee47433ff86911e381

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Actions.dll
Filesize
136KB

MD5
4a682d39961c5be2ffad98488d4c16ab

SHA1
720151970c1c594c056a761aff3ef9b41e9a88de

SHA256
7a70ad522fe802a67690b0397f69ac3691d26e52c6f99864912ae4b895ad90f2

SHA512
7de2a243792ded64a7acdfc77412a5dabd77a6f88ce5fed6cd62d18bd6e26505af2cd6a79f2fae53acbb2703600fb4c6dd43f326d08707633457723cebaedcfd

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ActionsShim.dll
Filesize
89KB

MD5
71610b8e26441366c27e02bc1ad6f0ab

SHA1
11a7fe971de290bc5ecbe249430315b88674ce10

SHA256
db337b1ebe2e3cdad78019d8519851bc36dd4e9d1ecfc2ea6f79bfab922c0233

SHA512
614dc647ccc46a4d731c87c6ecc10fa982958718378b7d18548c35be08e3d7909f3b06534aca6473bf6fa89abe3751c0c17ab99ea9dda9602a6fa25ab4d64656

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\CleanControllerImpl.dll
Filesize
64KB

MD5
3d3c397d49837d57c6e6874086f35007

SHA1
f42eb8c8a410692b9830521d0d270dd9f42ba783

SHA256
9b476e836d4abaa9e7637bef03c64f3f215f56e85a572ddc861951ef33c92dad

SHA512
915e0e5df883a44531be00198935baf3591533a90455b2b342510c43fe029273ac0e7d986280dc2c3713ef0ddc10cb07273637eba450e294bfeb305d39eee1fc

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\CloudControllerImpl.dll
Filesize
485KB

MD5
8e36ea9ec339a9587cea548e65185eba

SHA1
d08872bf2bf7888e03a567b00f94b25dfe2ed094

SHA256
7a83bba9a9bda8a70ce52ab12247889ea946dcb360409365ea21fdc1113cbbf3

SHA512
f5e671f5278176c6998d5c86d42fd0749b791f8ca7d81a0d056285d97977cb65609bff207b350046b9adfa096cb0311e7adb29a57bc935dcf2353d220c80c1d7

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\LicenseControllerImpl.dll
Filesize
1.2MB

MD5
89dad9c2741ccee9602c2bc824b13920

SHA1
c22fecc535f81507eda73ea88e388b400c01242f

SHA256
1f494ef24f1a2bb08534ff056a8f4e6a775e8ed534647f2f098f479b35137d70

SHA512
67029566c01c35b0c83ffad07971db6ba101ad1d6d8407b350f65ac2ef6ac6f83db0f14e174dcd504bd247aea4226c6d1abf7e300dd17864bf1d9a54ae5d9e1b

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
Filesize
33KB

MD5
6127f412926a12ed94fab9b691a19d92

SHA1
eb69aaf336f13c353c98d4f612fe08f1be8be1a2

SHA256
ea9f4881ebe95c90a684a8a09e53215fa1aa7671b65a0a07ffc0c9f1b24cf860

SHA512
8a60c9944b47b4abdf77472f6cb7c0e1bc453b49e8d241ec9bc8b939612f5dd48f334ad538a491100fe2eab478d2ae6f9ddd8fe2ea638c4659d029d6b6cdbf7a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
Filesize
8.8MB

MD5
17335e02247b13ab0d0ed5be8180a4da

SHA1
e8392ba7536bbe531e91c520ba37ce49ba48c203

SHA256
055549f2b36f55fb00307f42c8d877ae7b5979c162d6da86fe2f35c21983d39b

SHA512
d76ce8e032f1a8b899dce88a14d36fd2c5f0719fbe2d1940260c12d2b969953239f576b286119a76fc9212d0e33724e800d11692224bf2e4522c575feaf8a91c

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
Filesize
5.7MB

MD5
139cb928778e1cd484a144c9469c065e

SHA1
d632183219aa81db64e776e89dee1cde2acac9d4

SHA256
c80c5f2ba8b8f80e718cf3bdf5c7acda45980b4babad89b8fa6f7c580a18c293

SHA512
4f2ffa889861c531a7eb5c920ef694fc1fc08a5e309226b38dea30e767b3b13537ec159f570ef377311f72b052d05be5fac732bc5cc1b8f2f8953563f7e3f754

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
Filesize
5.5MB

MD5
28b5d2f51faeb704f55ec26d600613b5

SHA1
b9f0726f759320bf6067b0641d146bd8f5465df8

SHA256
a4c99df9eaf5fc3606ebe87ec8d10b8fcc200fb8673c2893762dea89c2676f94

SHA512
1d15f074e6e8dc25b8b3d71516e81f0887cabb4049ab134fd113387ea411f957937891c7b86ace24a2f1ac2a2b9a942c824f0e90dc263205b28274e9bd530490

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
Filesize
1.8MB

MD5
f12ccd542690e0f410a87522bfdadd92

SHA1
eede2494d8418cc219f425f7670b1ef0b5f004e2

SHA256
5d2bd8a884746e1f0ec6af8fbd1389ab4a0a4624c13cc577732cf0d489d246b2

SHA512
7ca5cda73c5690e5913e1a2f2fe8b582a18fe54993b4520f512980dbff2f9887fdfec7a71f4c60b0cb887c4187b30a2359b1a47110e904d4a9eae87c2c3b3273

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMShim.dll
Filesize
205KB

MD5
34ccc7f79130f9303f1838a1dfa22112

SHA1
7b732b0990f0e3a92cdc07a9d5737bef43ed06cb

SHA256
34bc3e84fc14034b4800de633bfcbddad5f25686d2393f6ce7e10ba6ad817608

SHA512
b06fa0220aa60509938fb56575d89e074e8ae140ecc27e572c20b1552a6782c11994369e6c558042ebfbbeab08af0d1fb92f798873ee008663044b606167048b

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\PoliciesControllerImpl.dll
Filesize
2.1MB

MD5
335398523f0ac93dadabd4410754e556

SHA1
32e4ddf6633e672681d1a37d761b708714491ac4

SHA256
cd3a68723496c1fd23e5e26bcc73f08813b9af0b6fc05cb4a478f432503f1112

SHA512
38e1ba94bf473f019ea702f22a63155a672491bdf24f5b16d223edb4036622aa83356b30d8cc69c3c6658939b3ee00111b349c9cb10b2c09d079bae3d88db7ee

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ScanControllerImpl.dll
Filesize
104KB

MD5
7498a18cafdbdea8dec90b88052ee586

SHA1
64dc3d0be492102cfc3321ab526eb35950e4153d

SHA256
ad01f87b0b96bc234729ddbdef0dc836ced4f1a01e9bb86ca2b133c515967edc

SHA512
aee9ac169210d2881d1fbede047e0d237c23314bb8a0fae02b0f1e6b22304af022309d0cbac0c76626809cc36d8a9f99860e33b5bd4b715aa8dceab19c5f18db

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json
Filesize
592B

MD5
19f473f8caa527d0ca9868b256f5174c

SHA1
15aba70b172716bd73e4517cb8916d17fa527898

SHA256
4e44afa216b795af1127e91f1447c2c20cf08d5f5717cda0804ff3bf7114b73c

SHA512
e989aebebece055b70160376d56efc7ad669e111e1abc4fd48f3bd9a2ce118173005c18e46f3a6fc2db248589582dc3e85e8043668315af7baa15e8a879bfd18

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json
Filesize
654B

MD5
64f6a7402f2a71581c1f66ac2999ceb2

SHA1
eb959c9c38c7b9603da698b4fbaccbd962beb6a6

SHA256
f15a074e0359bc618957d09666fc96523925094e99e2c2f5b4dc74928430639b

SHA512
e2a3efba3e547bdc60e91256c4155fc11d9490c358ac4c282d24afa0d9206131ad83d43a506b9a3583812d6941d1e13f216d7bfcf093ff9ea2159d3ba0f44e1d

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json.bak
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Swissarmy.dll
Filesize
11KB

MD5
11683f5279250cd7723dd673284d327e

SHA1
3713562b90a3a32cabad25b2b440b7eb135029eb

SHA256
56348c736ff64091813fdf42711019720999fdbc4ef6c65c5d3ebea1d7288caa

SHA512
dd181c29fbf404e4bea1af001168b512ab67882015b8a21e3bc514c39a328415154aa287be486d5a0a2b3e0b85177e06436fbeffe6386130c2525a534e071d1b

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Swissarmy.dll
Filesize
142KB

MD5
339f9bdda088f646e2ffb3ed6d46be36

SHA1
309b05e298dd8a4945fdc6e81a524c6ffe559add

SHA256
8df279b2ce07fa373951bf6b22778c6ed217b913b4e0207c0fc948c05b89a60b

SHA512
4d9c310e35a443b9bb9586f35ce0f54217bcd5801522ee78688eb05b9a5be30d23701758a8f00258c184671b7e6a5bdf1f8a73911cd61789c287f10ef67e51f3

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\SwissarmyShim.dll
Filesize
89KB

MD5
c3941b59c90ede9703bef2b717e130b3

SHA1
e7b7dc4e9cbf2ac2a93e5cbdfcb5cfa70c8ffde3

SHA256
751754758e6b794f53d521eac0311421fef2d4552c54e82f00741c7c6e94e784

SHA512
21005eea87a8609167be7cad5dd999d9bf7e49c742c6293a91a39f61c7cf41f5ed99152b56ba6e1e7b8bf153c010ab48d0c39e14c8c4a1f2015f16d5a83369ac

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\TelemetryControllerImpl.dll
Filesize
319KB

MD5
c5ebb30b0dcd89d5031fd6ba1026bf1f

SHA1
0853e5b2463465fb1b7e13bf2556c9885aea14a1

SHA256
66fa78d85cbb22c51033a452c0e631f13c3e24b8dcb39c5cb0901acdf2ec9fa9

SHA512
e38adfede91ccb747b186bcfd13a38b9ca71662033856e4d538e595a63efa10da8550949ff41519bea8929a73c242ec96ce6bcf2570a967e515d64077bf9c003

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\UpdateControllerImpl.dll
Filesize
285KB

MD5
f663c76ffccb33e04cd40d64d05e6a47

SHA1
a46c683f3c0fe0f2a21169303fa3b065b458153a

SHA256
55b1857313fb79cd560c51e01a304817b4af04978047e672ddb9f0bcc6a6080d

SHA512
c1fd2be1bf1459513291285307b2359583700f1da0ab3e88022d0657efc19b5e11f16be3a3de3596cd449fddd7f182015455eceb638618374c8becb98fdd9a8d

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.dat
Filesize
8B

MD5
bdcf0c6215e107670112af05c22c7b37

SHA1
e6cb8f72c2dd147eeb704cca67b5d93c6374d9a2

SHA256
ecc6741b9d906863ab55594475e97d1acad054c632504acd17178b0ea91fa76b

SHA512
4d72e1adfe1ebf478a751e810e8fe381305bf8305a7915678b68ed3d229245ccedc89b06f4c1cf4f6df4922628b3e4ab6a4517c8f0b5aaaec2374f52d162de6e

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mb4uns.exe
Filesize
33KB

MD5
6599246924143afca6a5cc1904f897a0

SHA1
9666596e8b6b29358b5e379a7224b232018c893f

SHA256
d6a464a444f9d09c042e94ae2d7e9ea33ef329f8006fcaedf7870e3ce3a577ee

SHA512
212c898c275e0127b46b751004d29b2393b071efcbb3550ec2469a58667607f75429653e6cbc0d87bc89e7e2483bf9e4a231147503fa7a9e4cf3dcc2b39c76ca

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Filesize
57KB

MD5
3d251d9ebad45aa70e9d5c5deff7277c

SHA1
b52cfc4ebdf4f1a3bc1af494d828d5de3c6a7762

SHA256
862c4176cf758079bc4b3b79de8224bac8216a31950afe11fdc1c8c671f8ed67

SHA512
26ffb07843e9282e4cde8df88c9c3218b8f16d651234a06bd56dd8f6d45eef6d1a5b7de195903204e97a0ee6df03e257b7645d8cc445b0b9d76749b5c6f02d72

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbamelam.cat
Filesize
10KB

MD5
60608328775d6acf03eaab38407e5b7c

SHA1
9f63644893517286753f63ad6d01bc8bfacf79b1

SHA256
3ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59

SHA512
9f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
Filesize
1KB

MD5
c356d1aceffd21a7e4cc2894ab3897d5

SHA1
fd86cddb962fdf14ac5304c62c1dd5a2700e878d

SHA256
13a3b5ce9989b0a62d2efe9e1666957b8709c79a71adcda9083106fbc87ae9a2

SHA512
d440008a574f671a4a3433945f9648112cd2ccecd0534f96f8edef8da08b4ea0dbb385a8ee857c6138a467576e196d00db59682b2cb7487f502b5e1a7232378c

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll
Filesize
1.3MB

MD5
af34b6f8984c4a49287ad8b4c09251d5

SHA1
b895ec63b4a936d4fcf7d189932fdf75b52c5265

SHA256
b29315320d9cab233c29a7b9a020f809c94783ddd1bf0558e68d62237f71306b

SHA512
62b61985d8196c6f37a22deaf3a62df95e5de238c27638f384a077ae532fe4b817133e5ed299fe801ae6e3a2c2848ee0ac19c7488cda0d2e2e81c297dd5c0fa9

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll
Filesize
1.3MB

MD5
8894f500bb20cb74298d4bb53973ab23

SHA1
c2b176d6a8ff7eabdc67729a3aa570dfa7d03b05

SHA256
0826b3fddac3ce91e71e0f18406f735cbb26d173209b05be3b4c7c87505ed97f

SHA512
69b547ba6e9575833dba2dd6160977533e41d6289bc416f9044eb509c00ca50146e94bf12128ae8068691d7bd87114ba3d748bf461d391f1d983652327fb4772

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll
Filesize
114KB

MD5
16663d125398773a90d0a53333b7cf5e

SHA1
f92928ae3c9292588547ceaca1cb1d372bfd7936

SHA256
38e6811b47262101759aa51a631263d9e3eee5d211164318a751e078afec4cbc

SHA512
091764b8ad80aa31eea0bbd91ee505ebdea2654bc8aeaa3081a061d0d37ab13d27dd203075fd0de10c6687591aa0e36139a38af846c4e34e6aa67ab81dc277df

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat
Filesize
9B

MD5
f726542aded84023a13eb78929733a4c

SHA1
a6e6cc94faa58f8f9de95d6fcdd6a7ef8a86565c

SHA256
ca8a93db9b23da70acf8913f25b52c74ba3cb9a705de99e8cffeec3053c97316

SHA512
a0c11b133436d6f186c7ad44e307b7c7190b7c685c9e750e4d8eeb90e1c5efb9a6397ff575c998cf3d334a670b331b1ac5e30d6524e6c051e9a3fa5ddd367673

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\uipkgver.dat
Filesize
6B

MD5
74c6677020fc6b6c867aab117078bf5f

SHA1
8c46db37dc0b39eb963d4144539c8b591e122400

SHA256
cdbb9bc874d71e154c71b68b1fe959913d286036dac11e226e5620c919ba9708

SHA512
3f9db8d9bb25322f8d8e750750bf92dbe6ac63d686eced65cddfcd61178cf0e947118a491058414d4d2cbb4892e39815565669aee0dfdda23aece72d278292d0

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\version.dat
Filesize
47B

MD5
01e54f23700f1253fa0e7d87114595d8

SHA1
3c96ec53a570831afcb44b4132d503e2b779025a

SHA256
680ace2b46a1b526d214a29a377caa0268b1be0783c0b3b5f84b3dbdde2f266f

SHA512
c857b5493709a86685fbb59a72bd9f5512738b50f54db5e07d25cf8fe85300a2eeb8f270ae4fe53cafb527bbfc6e01fe7230972259d499e64aa7a22303647732

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
1KB

MD5
52d231207b0ffdd7aa87206ee14df452

SHA1
ce1492ff036e9b79d9293432daa187c1e3e5c8b0

SHA256
bbe6e187091bf48e649e6e43d6ff2ecc31cf216009fa24087fe964666822111d

SHA512
836f06de5357f6d8bae7047b8d06e3edf5519f997a5f4618d0c4092e13e48dd49e4d2fc567f5c054da3ff53ade90342f7a9625790937e6e6c256b29bcd74bd7e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
47KB

MD5
3708f4614f2fc34f095d9331bf458352

SHA1
565234d9f896c06034e0970e84d235410917a2b0

SHA256
d776000a84836ba5eca42f5b1c3f3aee41efa42d9927bb9cd552add01849ef28

SHA512
8b8d1f5e154cf7a828d4573ddd9e1aa1570c088b647818fc44f7fd5bae9974b59d4c86d056fe370e4c42c817b028dba8772f6cccbf2b772249d024c86230ca90

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
66KB

MD5
cdd419e384f77656c4928baadb6e748d

SHA1
124fce859f9b506a90f40415b12149a68d9633db

SHA256
fdaf002f91b4292acd6a25468dc82e1f2b84c1f4134db2cf44ed5f20a32b71b5

SHA512
1abeeac9c9336d5571c5a4d82ecb65ac136d476d9f968517e3c50532417982c78f1137b7291e2bc77ffe26f20307dee26a6ed4784e2e4419e5c5ce7f3870af0d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
66KB

MD5
f547b97e085b87678ba9f7838503abbc

SHA1
66b545182975fc2d3a30769c518e0bc169306569

SHA256
20e01207d0006a3dda0e8cdd0e4e257d3e5a6dc83c50248e9855fcc21cd82db8

SHA512
830d681f106de482ea66801e513b04d93c25cd8b4c4da12efdf225fa28f1fd30f96e01fb7ab9bcf8fa16f568922e30dac5ca8a56540184d86116b14177f022e4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json
Filesize
607B

MD5
8799a2dc753a9b16779623a8bd408dd8

SHA1
5c8746e4ed112d4e963f87b4424fab8b5576cde7

SHA256
9f4515d577882e4974a58e0249a0f307e725cf135a9f9ad7d3138b1359426f82

SHA512
a4010c9e8746ab64bfb29f79489c9900cc88519534982b3233e69c2b191d1d6a7b9ec4c890f591d00c8aa1cf88c88275475b339bd0143c821696f9022f0e7477

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json
Filesize
847B

MD5
6b8958878961f1caaf43d868c63c5fef

SHA1
c35ec072d97db62c230df87dc712872a24dfe0b5

SHA256
a41bfb55030bd487287855d5c3ea2918b6bd6132852778483c9c2fdb8f416165

SHA512
55ec6177bf6fd244e51c12968cdd4b4f0c28add019ded7f5114aa8fad45d8d2c4015e684081a241c8e227ff4a8ad0474cff3b6e23da13b9fb4f16255e4226a23

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json
Filesize
846B

MD5
21f08f1e42bbae9a3cffc68511ffe603

SHA1
d9abc708baad4304b4fe04de2ffb99ce71ee2ebd

SHA256
33a38cdd0eeefd6450061f867172b1bc26361ec989fd732505b8f0a811cb9a46

SHA512
65380ae25f86d4523ad9e36ccacf58c487ff9b641c09fc372fdbbd602204efdd57b5aca6f6cd2ede40235a13d1aff6d87f04a2f345e313a6809a203a8235369c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
825B

MD5
a7fa5a56f3e2e9280f58a941d2395e22

SHA1
508cea4be35a8157d0d9cd203a1555aa667dc9b4

SHA256
556e4b47f30bf5e4b41182ca1c3f8719a7eb9ceb68d14c1b9562b928fe7aa705

SHA512
7785b478bd023adc87f180c92cf4286c190a376b3470aee5d50334abca4e2131896863b87cf2216e036e7dc5b5a8c6b371af3afd9eb68a67aae168b7898f9a6b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
15KB

MD5
a0f2c9d59e8aaa92162bb8ca73299846

SHA1
dc1b9e443ba1e71bc7b30a602b1be3794d46ceb8

SHA256
3ea287a41026a985f32457a76ed4724a4253d5de1647aa13cd2cc76c11110734

SHA512
9b66d2594e7c274c12e17f2b6856536c13773f372b64d150aa8d50f33cb9721f415023caee1aac294808b2a467546404b9911b7f1bb972d6658ef232f8b40e80

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
1KB

MD5
386458abf756f6b81a2c8037692ff95c

SHA1
326c4bd1d435cc7aa72a2d6da50026869e8c711e

SHA256
8c9efa31d4d226ebc9305c26b2db295148cca872488d56575bf7df881addd6ea

SHA512
bee4cd40bf3f3499b6c7a2a84379806901df50a8bf4d80d240ee2b61cd92498362d2010e9ece99d4ac7bd0bb3120f3632270f11ae41d5a6783518ea9e57ea5a8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
15KB

MD5
4d5b4d7ae6efcf10357194e2639a3f41

SHA1
fda33937b7eb080a262a0bc8e70d854f492d10b2

SHA256
a56363fbc4f4b60bd027a60a3e60162553e771bd1f4287c9497c3e97243393aa

SHA512
a98a0546abec02db94645372de58aa47e6ee432916305ec392bbf4456014478c3b2cb08aa3afbe4ba3f8d9ba8aaffc8faa3aea88b4806f91cfb60d4b4ab55fb1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json
Filesize
10KB

MD5
86ffe5d0761ece2c12a2b0b38a983721

SHA1
b60bb8eb332745b54613c7e139a97c5b9a7f1ec7

SHA256
0fc9dc5f3693e909267bfd941e1d6a373ea20925366325fced0f9b5b667f4c99

SHA512
28bf4c2daa57bcbd25a92a50099dbc37b68996fb9786fb27543fd45aad8830ea33e40060550e4749d8111ddf8fa7ff7f7fc8e24eb026bdd455aa09ccfa27b79e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json
Filesize
1KB

MD5
5042f88be73c0fa65eed10a110fa3c85

SHA1
965b3787261e116df99cc3296cea5fff90a062bd

SHA256
4e61944539c123a8845c7d4b18b4e93b20e190e286f98bce343bbbe52a232828

SHA512
d6d6c5f73dd6727488d80fde3e7cfc0359eb47198e3d04af664071779fc3dad484ce1e5d406b189d0a497a7fe78e09730defb87afe2dd18be70909b33c604856

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json
Filesize
2KB

MD5
1020fbd8f2644b56b5ad18164825bb4f

SHA1
8fc25d2f0f6106dc3d527e8a9b863de13e7d9a1d

SHA256
e8a8369cb420f689af2d5d2d6395c931289bd98ef38154039af2b9c58da6ae17

SHA512
5e203e67a2b368b3a9e26f091996509a3fa3f8334eec3b5b0d44d16d918bda54f758b0f9d4df10923fa6697de9bd2c665d85a780baa7607ec682ab08983f8025

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json
Filesize
903B

MD5
ac6fc8136c6cb68eedaf6eaa1734bf0b

SHA1
3c2292df12485b959a10e7c4dbd5451348212913

SHA256
0e5c3d56a70e454ff2e717ee49c1f039d16b267d31b9f01fa7e328b564d949a2

SHA512
04aba5dac8e90e92d6afc002a99ab0f0bdf968cc576311c876668cae46479641341b26de0e451bc2569d41b46eda9fc6cc3077a6e7e4e6ac21889104aa751481

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json
Filesize
1KB

MD5
25f262143fd40edf01a53b50ac309c2c

SHA1
a9f6a995fa7168a967d857d6f84e6cabeeeb4dd4

SHA256
0d23dedc03dc4ed9590e6f1048a6280d77905697ba5fed9142618bda6ecb2624

SHA512
43d59e6803b81c4bcb427a144dea510a78c675482179e7556ee962ce181c6b310f944ef23f4f04cc74476f822e42eea0e996449a4c24be0ae50791685e4f5137

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
2KB

MD5
bdf8ac4538471d649f077bc6cce3010d

SHA1
867f4e3f30451fb30415d099749d10c2f438c9d7

SHA256
d8df2d315410f7b842feffb565a182ba1482ef88810e6fbe134f48272dad967b

SHA512
290c49d0b466bdf1f43304e604f87fdf9af4fc5cf2f717543316372322478b970c1b45cf1ce2396d8ef397e494bc6514e77e5964dd7c5935870d136a2f394f91

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json
Filesize
11KB

MD5
be49dba7759088bdc4ecdeacfadff906

SHA1
d7df8b41d1de2e9b8d8f5422fcfc7586bdf64d5c

SHA256
6a979eefbbd235752ec2c7e460e17527fa566e0f43d3928493e4100143c5152e

SHA512
3d6dd90f597f94958552aa965aee88436dd89edef8c96f00338d953027b625ebdae22e2ec4ce24b751560d6d19bf9542220dc13563b43d815619b96515796433

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
6bf62d7a1d1383df211c5d0faf096c51

SHA1
8968136c28f46fe3575c4e87d31b23a4f6ea474c

SHA256
7f4b3ad2010998a98e62a61e5295cf46e975c7c465616c4758efaf91f85f1e52

SHA512
07068dc1dfd9178501528e27b162a2b6d059cc4d2a1aba22edcadc373bc45fc7564cc54229d3f458901afea5def28e4aa8d0ecddad90184da4200cf2e3f9bb2e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
635381952403df4c6f6b4d7a46000132

SHA1
8bf4c95cc5dc07154659478f90fff06370e144ca

SHA256
a2b7e06209ef3f6b2d68dac42d1ebd3f3b95939f67df2a69e1f1c75524986b63

SHA512
39cba7b71efd797fcd22b34f677b79ac7b07adf74f63fa117edeae8036361804f107c22bc92a75f1bdbabf2fc511577dfe9fbf74452588fee7269639a94fe027

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
89724d79d8ea909a4866c457f82f65a0

SHA1
765c31fcc7a99efd0f392765af1705c1e6a5b075

SHA256
3ab7e088be52d4faf4abe3054e5bc6697583923b208710918cd79582a0452f31

SHA512
5e73b5b9c8fdf8838b4ae7e73368a29223c8547eb213ec4dbb560f7430e6874767ca71170803db8e59c7593ae005f939dafa051bcc400bc8e490ffa3509a1d6f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json.bak
Filesize
1KB

MD5
d0eb982790af2160abadea4af0c65a33

SHA1
f2ab26e8469ff45403faf641afb0255ffd622434

SHA256
50219dcb31cd87dbadfb56f42c3867b6cf32b0fbb71d8cc43e5c8ae27a279446

SHA512
380263b9e5aa16b278fb67ff41e34226b14ae4cdd6a4d6e642eae57ac7e7df092314f36408f3fae8b2c37294fcf80c5b8f87ba83185510c6da5fc55ed904ce23

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
55bb379111e3e9c5234acea783436dcf

SHA1
fa3b9ac86c45d331f8e23be5550881301d7bb679

SHA256
decdfb3478f20b639b10e55562088b804c7e8c94a380761c28cc0cf133493310

SHA512
66a95d094dd030ffc1d528b76e57a61e7b4f2892b3f7de381b5dabfca11f8f542cfbcbf9a69d20f142366d5d4f056dc63b262d4983f0857ca094d36f4764ed54

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
7421f5979a389501e6986704d7731b5e

SHA1
f41ad615685bded9da027abc998b55d2adcc10f6

SHA256
618943f9f27f9ccdea0758e75cfd1efd4da6d8b6b74c76274b4a8b199b0b89d3

SHA512
401f55f4af34e2f83f7759d0b99e151c43a2e6d77bd75305318e1d75720a327ad0c0a61b4882eb10b41b46a1d0f5e161e13f1221caab123f7ac3e4e76282935f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
610e2892aabeeeae698a2f76d4eac98d

SHA1
7ba63f832066d472517bca894efc4240a1c3becd

SHA256
409e97a3e7027826fe666a97354ee7764548b90ebfd47c9eb400a69d5fc45d47

SHA512
60caa5f44120b78388d6786f5fa47974e44a12b60717d391b2558b786fcf6ccb814e47c30cfb64d6ff110237d549600ed6728c665d1fa549ac9f0c76a3f3b3d5

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
6c13c74af63cf544f2d329d92051c43c

SHA1
194e7ddd067fa001bb00374fc7701eacaf6cedff

SHA256
72d5caa5f4cbd0aeb5d22b8e9ad13b0b96d40a9bcbec0dacf6086d1230f7b7af

SHA512
87d3c0f74b292e3cefe951f9400f6b67971caf6bf28f892056593e32ecf9aef245130b47a9aab7f169ad6b6d963f9c5557390d3c28414354c4772032757de17f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
281635098fa23f9a6bbba7c1d640daf7

SHA1
61985ccfbfb1379231b07d3d5f688e2514d43a34

SHA256
1c220d353deb25664540786bd5acf1bdb1fabeec5b48811b3f27774f89e7d852

SHA512
6962bef0654f5bc00054018bcb7bfdb185abde0f40cd408b568c951d61c391b4d6dbd462939e8d50e0e3a13ed0a53ccd9e88e53d1cef3ea8de7041ad2aed7b32

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
f1ad08836a2058040e4943af26647434

SHA1
7e998f1c6b7a41fb6b08c57263773b3a700e0ce9

SHA256
1949d3b04aa96da352c232ad67abf219e33a6f6175406ea31c4758824d230bca

SHA512
ca7acdf576f4222765389bc079f998539e540eab1378413a0c42ec04e5fd34c31e8c5c2cfa1c6236bf38f2769d303ed2253edd0cce65682d9f825eeb089261e6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
cf1c07ed329f5de1dcf26df5f96f95ce

SHA1
578fa1be6bf99819bc6039fc9c67c577b61dedce

SHA256
2f82d16a95caeb8115043f0c3b3242cf0efa7be03967defab486abbb0379b6dd

SHA512
d211db424efa78165e6efe7eb22c43ecafb447f0433f1745c9e87d04dca54e9372d4538e092a6d5f655b81ce5a99a786388a5ce69eefc1d05bfbf726bf97c3c3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Actions.dll
Filesize
213KB

MD5
03f6184ea5160ee7a207006a0d50d083

SHA1
66fd7a617469326a6a396ed4d53f47b77ec6243d

SHA256
86e21c86b4c8413558950cb9eb8d9145470b41ed679246cdd41449526af012d5

SHA512
5fc625abffb2415ee82de94a06921743b6833b13d9f94ed57d3cb77f8d8734716269de6b68d7116c22ef5b568ce2a6f8e54090b8d7e3016193e62f7f42877ade

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\BrowserSDKDLL.dll
Filesize
200KB

MD5
7466470054cca77d4b58bafaf9fc4dce

SHA1
8b1bddc41edac221001c5fa44704ebd4d18b424c

SHA256
35499cdf14d268d5600534006b5808ba24c513de90d33cf8b8678455b2249a69

SHA512
f757c2a36c758c6dd7e8971c0f5b2f727e0ae1c2e76ec4d6b842bdab7d61df15cefbd1e0d38e4898346b54fc147d6b37302d728eb51808675b40824edebd47c8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.nm
Filesize
161KB

MD5
d58c756848cb9bbf85112bfa0c4309dd

SHA1
3f11f26537384a522d49b4a7fcc0accf377c20df

SHA256
e6b759628478eaade970fcc0baf624290e67f5744062c220be55945a3e6b4434

SHA512
bfa264ee0016e3db43640e1e5d6b75fc21a314a1141b170f2cd5283e3005b4c504524734c607ef27354bc59d60bb3c8a084198a1a00b9a29f5bd41b59c3de011

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.sr
Filesize
225KB

MD5
900e1087fa3c8b16cc92e04c82780699

SHA1
cf8f58ca9cf1f4da164e1693aff9f2d03a025477

SHA256
3babadbd7fe1149393122a54d5932d505dc0a0eb2dd9119459e23cfcc253dcec

SHA512
60a7d3612a5e3f4d8595f0a47a14049d360ebfec0f436b7e9998e0cd40916582c53572f08547add669b4aa7f0a10779cf4458f7f7f93219ebf77da03677792d5

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\cfg.bin
Filesize
1KB

MD5
86e218784196fe0b6472cd0f20a85069

SHA1
8a5404e5b49624a5a6c289b299f98c4b72720968

SHA256
9aa9ffbaf7126a0b23ddacfaf7f576c85b5a3c3a7d57eac636e73af8842c0902

SHA512
1db35f7d6414fb6ceb486c0361ad394dd4f75d73925b17ffedb07d20b2cc264da33a1e9ff2306dc87ddba81099d5dd2c06b0e399de912d6bfa464c62c9ad777f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\ig.exe
Filesize
271KB

MD5
671029ef531b7b6831e2dbde63e66443

SHA1
9b0d7920b8cb7e94686c5fa62082321f0fc1a3c5

SHA256
a03bdc4e723e7cad3e72319e9c15bcaafb742183a5aed5171a4a63210f6fe991

SHA512
8b29324b71dac5d5f2f54a2da160cce0d85912bce3db2c5a3541bcfcdadd8643ce14edb4d41f86db0167cf1cdf624b22edbd3d9bd55071f1ed5155f2b35d1023

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rules.mbdb
Filesize
374KB

MD5
84dc7a81bc24fd520e6b4fe25a81792b

SHA1
84f5d8c25eba02bd1a5129b5cd9e55c63d45fa8d

SHA256
c257a5054a06e209775ab58a6dabeb9568a5a4b7b7f755cc9a488ff3a9321818

SHA512
ee58a050945235f6decbe0c0ba7bd5a802901d7ad44d23eaf7fb16db2d652eacd27ba1d437190763ba4e8ee79bf8db30faebabeb8ebfe10e560be86c031c6b96

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dll
Filesize
461KB

MD5
c5926fde9759558d40d58b129d1ffb2b

SHA1
cf03ec6d831920808bbfa9cc25fb48cf3b4b28b0

SHA256
19a0488bf6e50a84a7394fc4576df84ac00750538de3ba7782197d4a030d7665

SHA512
945c33cc1f4068d6ba237b249f62e2b5096decd4024f169a6828d14797762c0914ce546b3449b04cef69d14c3619fff428b6cbff9237e2efee6a95dba0da9318

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\scan.mbdb
Filesize
224KB

MD5
7794685e757c30de8931a599bc71ff4a

SHA1
26496c97d8b8d552cd2de8bc2e158f930d7eedbe

SHA256
1a88604bb8299b378654720d5e24eea487a68e9e42a3aa4d8cf0b55296c4997d

SHA512
de7807d8fbb274d19cbbea0a461d83185ab0df2dce7beaffac7aa8ac8d92cb3e03cc4d92846c2b15ca8d8251544691ff89965f0bcdbb275a578525af98947fb5

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\tids.mbdb
Filesize
177KB

MD5
732b8aa706a4d4b408131b0c087e7ee5

SHA1
8793cbd65b5ca8e1f99a82987c316e5858fb0976

SHA256
8c646dbd758ad30b92bac206bd19f72a97a864665e4d5c83b43778cf5a2679a2

SHA512
7b9b0a459a7f703b946fb4bdbf185c941c90c84b005310a225d38f86c82a84a81bf20b7d4a43d85865e2793cef0e9898729d93f607890d4083bb641f32d11d14

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\wprot2.mbdb
Filesize
242KB

MD5
654f2e7e83ca87fdcf98a2323c4acf3e

SHA1
a8158b206ab9d77fbda82667e821cf343220821c

SHA256
bedc4529c48e71959fb510726c37b627b44b00a455183fb7df5174f4477992ac

SHA512
4513a084db0779a26c9b31a41119e17c93eb35c79c2d94b28c35e08aae5015adf7c1ec71c52641f430818c630d494a63e912a21f5baf1edf4ed412258ec079db

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt
Filesize
2KB

MD5
b82d4f63edd45de24180e62e2677c05c

SHA1
9cba9f0082dd322f35df40b92293a7c6408674bf

SHA256
2f72d32c72c2a6bcddba3747521f41d817e2c18b6bfde1770f2b4db256c96baf

SHA512
e31ffe1d5fecbe57a091a92f3ea4e8229eedf3b81174355de30693e8cdc3a307d6f4719f68a40c5642c02716ef400649b3e64073dee0b6e676c22f97c39ac475

Download Submit
C:\Windows\System32\drivers\mbamswissarmy.sys
Filesize
145KB

MD5
98a0fb6e58bb04f73f50d69332ac32ff

SHA1
d7997b442388f7a326f85a61af8995aad6114792

SHA256
46bfaca224a2b44352d3c8c5c910f1b8d42d51ed1c96a5d61af84ceaad9bce61

SHA512
5cbb54c0935be8b9fa056a43ca68310b1a2b3b63bd46b2cfc46bae1eefa670693d89fc18014c3f228623f90e268e135c07b76fb5ea95fd1e3448517fc5c726e3

Download Submit
C:\Windows\Temp\MBInstallTemp2cd01e61b4be11ee979ffe39e55555d8\7z.dll
Filesize
1.6MB

MD5
ab8f0c1a37c0df5c8924aab509db42c9

SHA1
53dba959124e6d740829bda2360e851bcb85cce8

SHA256
6e223b275b84d948cc5ae1f161f0bfff2adb34de04634c84d7dbe9305a4998d5

SHA512
ff8a26e8fd5a08c74e5ba93a564e0d3cd932754e7f06993a365bfad06670497889e69ec45bfba1378040b72f82d468e79682beba2439937bb29d2a41da940d4a

Download Submit
C:\Windows\Temp\MBInstallTemp2cd01e61b4be11ee979ffe39e55555d8\ctlrpkg\mbae64.sys
Filesize
154KB

MD5
95515708f41a7e283d6725506f56f6f2

SHA1
9afc20a19db3d2a75b6915d8d9af602c5218735e

SHA256
321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6

SHA512
d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08

Download Submit
C:\Windows\Temp\MBInstallTemp2cd01e61b4be11ee979ffe39e55555d8\dbclspkg\MBAMCoreV5.dll
Filesize
6.7MB

MD5
d7aa4188a5f44b98274c3f3ac29e6cd0

SHA1
6d6f54ff1ca9532ac75790bb9b16cc29fdc6215e

SHA256
bb9cf3a83c7a76592f0b412cf0c11a96faf3584fc7e3f5e46662670759ccbb5b

SHA512
2e65fa315bb6b06f291f812a90f8a045a567702e9b250fdde324524aaeba39b24eb1df7ec9065cf35d59912972b7ba6f2be64b7a15a8436874722bc3673000bb

Download Submit
C:\Windows\Temp\MBInstallTemp2cd01e61b4be11ee979ffe39e55555d8\servicepkg\MBAMService.exe
Filesize
9.0MB

MD5
732197b86b24b54d0c38ba4fc8cafd25

SHA1
a1431cba5eb0ec353586457bc39fd1af87801313

SHA256
dc803f356dc58973bae6b3e549fede269582426c8b9fcc3e69c06798ea8119ac

SHA512
6993d1eaaaa09a94982c54a6e5d1698fe251fcd8970c0f37b0cf8a9228758114427af2d9ec731e50c2a3490369568ecc0b5baf4dd4c572b05216be42a8fa6fd6

Download Submit
C:\Windows\Temp\MBInstallTemp2cd01e61b4be11ee979ffe39e55555d8\servicepkg\mbamelam.inf
Filesize
2KB

MD5
c481ad4dd1d91860335787aa61177932

SHA1
81633414c5bf5832a8584fb0740bc09596b9b66d

SHA256
793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3

SHA512
d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830

Download Submit
C:\Windows\Temp\MBInstallTemp2cd01e61b4be11ee979ffe39e55555d8\servicepkg\mbamelam.sys
Filesize
20KB

MD5
9e77c51e14fa9a323ee1635dc74ecc07

SHA1
a78bde0bd73260ce7af9cdc441af9db54d1637c2

SHA256
b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0

SHA512
a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186

Download Submit
C:\Windows\Temp\MBInstallTemp2cd01e61b4be11ee979ffe39e55555d8\servicepkg\mbshlext.dll
Filesize
2.7MB

MD5
b7e5071b317550d93258f7e1e13e7b6f

SHA1
2d08d78a5c29cf724bc523530d1a9014642bbc60

SHA256
467de01d7cee7ec54166b80658ff22f9feebdb1c24eaf1629cf40e4124508064

SHA512
9c35293c95c1a9141740ac99315605964aa37c4a42d3a11cae9e5649ff1427a9480d3d5e7f763212cf13db3511c5ea3c84e68f95f0067fe6339a9d3fb7b27c54

Download Submit
C:\Windows\Temp\MBInstallTemp2cd01e61b4be11ee979ffe39e55555d8\uipkg\QtQuick\Controls.2\HorizontalHeaderView.qml
Filesize
1KB

MD5
d8c9674c0e9bddbd8aa59a9d343cf462

SHA1
490aa022ac31ddce86d5b62f913b23fbb0de27c2

SHA256
1ef333b5fb4d8075973f312ef787237240b9f49f3f9185fb21202883f900e7d7

SHA512
0b86ec673133f6400c38b79f9ba4f7b37ce5afdab1a2e34acbf75019e2590cc26b26d323ddc1567c91375053c9c8593be0615389db8eb1a8d1eb084ad4200b82

Download Submit
C:\Windows\Temp\MBInstallTemp2cd01e61b4be11ee979ffe39e55555d8\uipkg\QtQuick\Controls.2\Imagine\VerticalHeaderView.qml
Filesize
1KB

MD5
829769b2741d92df3c5d837eee64f297

SHA1
f61c91436ca3420c4e9b94833839fd9c14024b69

SHA256
489c02f8716e7a1de61834b3d8bbb61bce91ca4a33a6b62342b4c851d93e51e0

SHA512
4061c271db37523b9dea9a9973226d91337e1809d4e7767e57ac938d35d77a302363ed92ab4be18c35ba589f528194ad71c93a8507449bf74dd035acf7cdb521

Download Submit
memory/3036-4216-0x000001880EA30000-0x000001880EE20000-memory.dmp

Filesize
3.9MB

Download
memory/3036-3211-0x000001880EA30000-0x000001880EE20000-memory.dmp

Filesize
3.9MB

Download
memory/3036-4077-0x000001880EA30000-0x000001880EE20000-memory.dmp

Filesize
3.9MB

Download
memory/3836-4040-0x000001E6C0000000-0x000001E6C0200000-memory.dmp

Filesize
2.0MB

Download
memory/3836-4035-0x00007FFC5B670000-0x00007FFC5BBDB000-memory.dmp

Filesize
5.4MB

Download
memory/3836-4038-0x000001E6BFBC0000-0x000001E6C0000000-memory.dmp

Filesize
4.2MB

Download
memory/3836-4036-0x00007FFC5BBE0000-0x00007FFC5BFFE000-memory.dmp

Filesize
4.1MB

Download
memory/3836-4037-0x000001E6BF370000-0x000001E6BF380000-memory.dmp

Filesize
64KB

Download
memory/4052-4146-0x00007FFC5BBE0000-0x00007FFC5BFFE000-memory.dmp

Filesize
4.1MB

Download
memory/4052-4147-0x00007FFC5B670000-0x00007FFC5BBDB000-memory.dmp

Filesize
5.4MB

Download
memory/4052-4145-0x00007FF6C5D80000-0x00007FF6C7444000-memory.dmp

Filesize
22.8MB

Download
memory/4052-4148-0x0000022AB8D40000-0x0000022AB8D50000-memory.dmp

Filesize
64KB

Download