377ac497bdeb20e13ea84ca1eab709946535b77d4231007a7646509386a4af33

Analysis

max time kernel
880s
max time network
882s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MBSetup (3).exe
Size

2.5MB
MD5

7ce024e6e2248ee891248469894d8a9c
SHA1

13db96c5e8d67b7f1141d22567741cd45d659c1a
SHA256

377ac497bdeb20e13ea84ca1eab709946535b77d4231007a7646509386a4af33
SHA512

ce5b6e7b7da5d3d00ad1df64006c24c291e24cb63e855855375e52e7a18ea7b3d283fababb79046a59533bcd80d8c18f604d9ace64af7e712f18020e5b351eff
SSDEEP

49152:YXrcUh6gxrxD0Xc3StQyfvE0Z3R0nxiIq2ddIAuSF:4rNRxrxA6KtQRq2SSF

Score

10^/10

discovery persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3972 created 3400	3972	MBSetup (3).exe	25

Drops file in Drivers directory 15 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\mbae64.sys	MBAMInstallerService.exe
File created	C:\Windows\system32\DRIVERS\mwac.sys	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET40A0.tmp	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET4EBB.tmp	MBAMService.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup (3).exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\mbamswissarmy.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\MbamChameleon.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\mbam.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\SET4EBB.tmp	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\farflt.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\SET40A0.tmp	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\SET2F79.tmp	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET2F79.tmp	MBAMService.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mbamchameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	MBAMService.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup (3).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup (3).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBAMService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KCFPA1 = "C:\\windows\\system32\\rrokzr.exe"	MBAMService.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	MBAMService.exe
File opened (read-only)	\??\Q:	MBAMService.exe
File opened (read-only)	\??\A:	MBAMInstallerService.exe
File opened (read-only)	\??\W:	MBAMInstallerService.exe
File opened (read-only)	\??\Y:	MBAMInstallerService.exe
File opened (read-only)	\??\L:	MBAMInstallerService.exe
File opened (read-only)	\??\M:	MBAMInstallerService.exe
File opened (read-only)	\??\E:	MBAMService.exe
File opened (read-only)	\??\I:	MBAMService.exe
File opened (read-only)	\??\N:	MBAMService.exe
File opened (read-only)	\??\T:	MBAMService.exe
File opened (read-only)	\??\E:	MBAMInstallerService.exe
File opened (read-only)	\??\G:	MBAMInstallerService.exe
File opened (read-only)	\??\Q:	MBAMInstallerService.exe
File opened (read-only)	\??\Z:	MBAMInstallerService.exe
File opened (read-only)	\??\V:	MBAMInstallerService.exe
File opened (read-only)	\??\K:	MBAMService.exe
File opened (read-only)	\??\L:	MBAMService.exe
File opened (read-only)	\??\M:	MBAMService.exe
File opened (read-only)	\??\K:	MBAMInstallerService.exe
File opened (read-only)	\??\R:	MBAMInstallerService.exe
File opened (read-only)	\??\S:	MBAMInstallerService.exe
File opened (read-only)	\??\S:	MBAMService.exe
File opened (read-only)	\??\A:	MBAMService.exe
File opened (read-only)	\??\J:	MBAMService.exe
File opened (read-only)	\??\X:	MBAMService.exe
File opened (read-only)	\??\B:	MBAMInstallerService.exe
File opened (read-only)	\??\T:	MBAMInstallerService.exe
File opened (read-only)	\??\U:	MBAMInstallerService.exe
File opened (read-only)	\??\X:	MBAMInstallerService.exe
File opened (read-only)	\??\G:	MBAMService.exe
File opened (read-only)	\??\R:	MBAMService.exe
File opened (read-only)	\??\W:	MBAMService.exe
File opened (read-only)	\??\Z:	MBAMService.exe
File opened (read-only)	\??\I:	MBAMInstallerService.exe
File opened (read-only)	\??\P:	MBAMInstallerService.exe
File opened (read-only)	\??\H:	MBAMInstallerService.exe
File opened (read-only)	\??\J:	MBAMInstallerService.exe
File opened (read-only)	\??\B:	MBAMService.exe
File opened (read-only)	\??\O:	MBAMService.exe
File opened (read-only)	\??\P:	MBAMService.exe
File opened (read-only)	\??\U:	MBAMService.exe
File opened (read-only)	\??\V:	MBAMService.exe
File opened (read-only)	\??\Y:	MBAMService.exe
File opened (read-only)	\??\N:	MBAMInstallerService.exe
File opened (read-only)	\??\O:	MBAMInstallerService.exe

Drops file in System32 directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\117308CCCD9C93758827D7CC85BB135E	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\229169D96B9C20761B929D428962A0A2_FC65190A8D1232A1711F16F9F20C5149	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21EA03E12A6F9D076B6BC3318EA9363E_6EF0095DA824AE045AE9FC5B645DF095	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_0A36A03C09DCEEA388C024E3D20B14B7	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\117308CCCD9C93758827D7CC85BB135E	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\229169D96B9C20761B929D428962A0A2_FC65190A8D1232A1711F16F9F20C5149	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77FBC64BA73370EC2F659BAD977FF2AD_9767A5403B067D539A02E2AD0F3C2C4A	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\38D10539991D1B84467F968981C3969D_C92678066E2B4B4986BC7641EEC08637	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2F23D0F5E4D72862517E1CB26A329742_59C6B5742244136A08A70F9396A5A57A	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DB145CFEEC544B1582FED1ADA3370DD	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_C92678066E2B4B4986BC7641EEC08637	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DB145CFEEC544B1582FED1ADA3370DD	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_2E01D413E600DA01958BFB19A6EF6010	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_0D0888CE7AC1F2D5AD77780722B1FE14	MBAMService.exe
File opened for modification	C:\Windows\System32\rrokzr.exe	MBAMService.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5	MBAMService.exe
File created	C:\Windows\System32\rrokzr.exe	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1401C7EC8E96BC79CBFD92F9DF762D_E35D496D1CD0B884BEBCAFED0FE61600	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1401C7EC8E96BC79CBFD92F9DF762D_E35D496D1CD0B884BEBCAFED0FE61600	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_2E01D413E600DA01958BFB19A6EF6010	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_0D0888CE7AC1F2D5AD77780722B1FE14	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21EA03E12A6F9D076B6BC3318EA9363E_6EF0095DA824AE045AE9FC5B645DF095	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_0A36A03C09DCEEA388C024E3D20B14B7	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0E447C3E79584EC91182C66BBD2DB7	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5F26A2159BA21EA573A1C5E3DE2CF211_E3375A509D9058F6A8FFB74D3B4E6F77	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_59C6B5742244136A08A70F9396A5A57A	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5F26A2159BA21EA573A1C5E3DE2CF211_E3375A509D9058F6A8FFB74D3B4E6F77	MBAMService.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77FBC64BA73370EC2F659BAD977FF2AD_9767A5403B067D539A02E2AD0F3C2C4A	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8	MBAMService.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"	MBAMService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\TabView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\JumpListSeparator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\CircularTickmarkLabelStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\RadioDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\RangeSlider.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\TextArea.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\resources\qtwebengine_devtools_resources.pak	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_en_US.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-rtlsupport-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Popup.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Extras\Private\PieMenuIcon.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\CalendarStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\MenuSeparator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\CheckBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\ToolButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\crosshairs.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.tmf	MBAMService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\SpinBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\HandleStyleHelper.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\SwitchDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\VerticalHeaderView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\StackView.qml	MBAMInstallerService.exe
File opened for modification	C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json	MBAMService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-processthreads-l1-1-1.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\StackView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\ButtonStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Extras\Private\CircularButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-file-l1-2-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\knob.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\qjpeg.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\ButtonStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\CircularButtonStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\TreeViewStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\SplitView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5Gui.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-util-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Extras\ToggleButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\XmlListModel\qmlxmllistmodelplugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\BusyIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\plugins.qmltypes	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Dial.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5WebEngineCore.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\SecurityProductInformation.ini	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\ColumnMenuContent.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\SystemPaletteSingleton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\ComboBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\Popup.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\TextField.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\MenuItem.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Label.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\CheckBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Slider.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\BusyIndicator.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\ScrollBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\DialogButtonBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\Slider.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.inf	MBAMService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5QuickControls2.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\CalendarUtils.js	MBAMInstallerService.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\security\logs\scecomp.log	MBAMService.exe

Executes dropped EXE 25 IoCs

pid	Process
4380	MBAMInstallerService.exe
2904	MBAMService.exe
840	MBAMService.exe
2156	mbamtray.exe
3028	mbam.exe
1916	mbupdatrV5.exe
4956	MBAMWsc.exe
4068	ig.exe
4156	ig.exe
4916	ig.exe
916	ig.exe
4524	ig.exe
1212	ig.exe
32	ig.exe
3396	ig.exe
1768	ig.exe
4556	ig.exe
3068	ig.exe
3904	ig.exe
2712	ig.exe
416	ig.exe
1820	ig.exe
6288	rrokzr.exe
7368	rrokzr.exe
6364	rrokzr.exe

Loads dropped DLL 64 IoCs

pid	Process
4380	MBAMInstallerService.exe
4380	MBAMInstallerService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
4380	MBAMInstallerService.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ThreadingModel = "Apartment"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbshlext.dll"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LOCALSERVER32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	MBAMService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MBAMService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MBAMWsc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mbupdatrV5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mbupdatrV5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mbupdatrV5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	mbupdatrV5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MBAMService.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133510956959356107"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MBAMService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ = "IMBAMShlExt"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib\ = "{AFF1A83B-6C83-4342-8E68-1648DE06CB65}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106E3995-72F9-458A-A317-9AFF9E45A1F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{960F2BB5-E954-45C5-97DF-A770D9D8C24B}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE7ABFE9-8F8F-4EDD-86BD-9209FD072126}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D488C7C-023D-4561-B377-DD9FB7124326}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55D0C28B-2BF3-4230-B48D-DB2C2D7BF6F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{97EB7268-0D7B-43F6-9C11-337287F960DF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A0F9375-1809-45ED-AFE0-92852B971139}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D488C7C-023D-4561-B377-DD9FB7124326}\ = "ICleanControllerV6"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1E58D1A-2918-4508-908A-601219B2CCC6}\TypeLib\ = "{A23C190D-C714-42C7-BDBB-F4E1DE65AF27}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89AE2EF4-3346-47C7-9DCF-ED3264527FDE}\ = "IScanParameters"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{02143C0F-1656-4B2E-95E7-EA8178A29E2E}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D7A05281-DB9E-4E02-9680-E4D83CDAA6AB}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F22E03D6-F159-40A0-9476-16F3377B58C9}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{09F245DA-55E7-451E-BDF3-4EE44637DFF1}\ = "IArwControllerEventsV2"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF16D72-5906-4045-86BC-16826F6212FE}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA6C70E7-6A6D-4F4A-99BF-C8B375CB7E0C}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F49090F8-7DC6-4CBC-893A-C1B3DCF88D87}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{983849D5-BFE9-43E9-A9A0-CBAFBC917F39}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A3D482C3-B037-469B-9C35-2EF7F81C5BED}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CB653AC-F9CF-4277-BFB1-C0ED1C650F56}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81541635-736E-4460-81AA-86118F313CD5}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B14402F-4F35-443E-A34E-0F511098C644}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6655E528-3168-47A4-BF82-A71E9E6AB5F7}\ = "IScanParametersV4"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{553B1C62-BE94-4CE0-8041-EB3BC1329D20}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B42C782-9650-4EFF-9618-91118DF96061}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ECDAC35E-72BB-4856-97E1-226BA47C62C5}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8307A4A5-A025-438B-B23B-8EE38A453D54}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{07B91244-8A85-4196-8904-7681CD9C42A6}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.ArwController.1	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.MWACController\ = "MWACController Class"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94E6A9DF-4AAB-48E7-8A94-65CA2481D1F6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9185897A-76F4-4083-A02C-5FFC2A51F6D4}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23416CFE-018D-418E-8CE9-5729D070CCED}\TypeLib\ = "{226C1698-A075-4315-BB5D-9C164A96ACE7}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1E6E99C-9728-4244-9570-215B400D226D}\TypeLib\ = "{226C1698-A075-4315-BB5D-9C164A96ACE7}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\ProgID	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04F8CDB5-1E26-491C-8602-D2ADE2D8E17A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E298372C-5B10-42B4-B44C-7B85EA0722A3}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC6D7FD-62B9-4016-9674-53BAC603E9FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1BDE8B0-F598-4334-9991-ECC7442EEAA6}\ = "ILicenseControllerV9"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76AD4430-9C5C-4FC2-A15F-4E16ACD735AC}\ = "IRTPControllerEventsV4"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\ = "UpdateController Class"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{956AEAEB-8EA2-4BE1-AAD0-3BE4C986A1CC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C510D99-F27D-457F-9469-CFC179DBE0C7}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD67766C-A28D-44F3-A5D0-962965510B2D}\ = "ICloudControllerV4"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E32ABD9A-1CBD-44A5-8A62-55D347D3C4F0}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31BF2366-C6DB-49F1-96A5-8026B9DF4152}\ = "IPoliciesControllerV3"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A3E14F0-01F5-492E-AA97-3D880941D814}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{893E5593-9490-4E90-9F1E-0B786EC41470}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D51C573D-B305-4980-8DFF-076C1878CCFB}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AEBAD20-B80A-427D-B7D5-D2983291132E}\ = "ICustomScanParameters"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{239C7555-993F-4071-9081-D2AE0B590D63}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6ED2B0A1-984E-4A35-9B04-E0EBAFB2842A}\ = "IScanControllerEventsV12"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6357A98F-CE03-4C67-9410-00907FB21BC7}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C842243-BDAD-4A93-B282-93E3FCBC1CA4}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E777BB2-8526-437A-BBE2-42647DE2EC86}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56898B37-6187-4F81-B9C6-8DA97D31F396}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA6C70E7-6A6D-4F4A-99BF-C8B375CB7E0C}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6696D5DD-4143-482C-ABF4-3B215CF3DBFC}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{834906DC-FA0F-4F61-BC62-24B0BEB3769C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CFFF19F6-ECFE-446D-ACAD-8DC525DA2563}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8153C0A7-AC17-452A-9388-358F782478D4}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53260A87-5F77-4449-95F1-77A210A2A6D8}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	MBAMService.exe

Modifies system certificate store 2 TTPs 32 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa20f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	MBAMInstallerService.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2156	mbamtray.exe
3028	mbam.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3972	MBSetup (3).exe
3972	MBSetup (3).exe
4380	MBAMInstallerService.exe
4380	MBAMInstallerService.exe
4380	MBAMInstallerService.exe
4380	MBAMInstallerService.exe
4380	MBAMInstallerService.exe
4380	MBAMInstallerService.exe
4380	MBAMInstallerService.exe
4380	MBAMInstallerService.exe
4380	MBAMInstallerService.exe
4380	MBAMInstallerService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
3028	mbam.exe
840	MBAMService.exe
840	MBAMService.exe
3028	mbam.exe
3028	mbam.exe
840	MBAMService.exe
840	MBAMService.exe
2156	mbamtray.exe
2156	mbamtray.exe
840	MBAMService.exe
840	MBAMService.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
2156	mbamtray.exe
2156	mbamtray.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
840	MBAMService.exe
3028	mbam.exe
3028	mbam.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
3028	mbam.exe
3028	mbam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3028	mbam.exe

Suspicious behavior: LoadsDriver 11 IoCs

pid	Process
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2904	MBAMService.exe
Token: SeIncBasePriorityPrivilege	2904	MBAMService.exe
Token: 33	840	MBAMService.exe
Token: SeIncBasePriorityPrivilege	840	MBAMService.exe
Token: SeTcbPrivilege	840	MBAMService.exe
Token: SeTcbPrivilege	840	MBAMService.exe
Token: SeBackupPrivilege	840	MBAMService.exe
Token: SeRestorePrivilege	840	MBAMService.exe
Token: SeTakeOwnershipPrivilege	840	MBAMService.exe
Token: SeBackupPrivilege	840	MBAMService.exe
Token: SeRestorePrivilege	840	MBAMService.exe
Token: SeTakeOwnershipPrivilege	840	MBAMService.exe
Token: SeSecurityPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe
Token: SeDebugPrivilege	840	MBAMService.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3972	MBSetup (3).exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
3028	mbam.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
3028	mbam.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
2156	mbamtray.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
2156	mbamtray.exe
2156	mbamtray.exe
2156	mbamtray.exe
976	chrome.exe
976	chrome.exe
2156	mbamtray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 2904	4380	MBAMInstallerService.exe	93
PID 4380 wrote to memory of 2904	4380	MBAMInstallerService.exe	93
PID 840 wrote to memory of 2156	840	MBAMService.exe	99
PID 840 wrote to memory of 2156	840	MBAMService.exe	99
PID 3972 wrote to memory of 3028	3972	MBSetup (3).exe	100
PID 3972 wrote to memory of 3028	3972	MBSetup (3).exe	100
PID 840 wrote to memory of 1916	840	MBAMService.exe	103
PID 840 wrote to memory of 1916	840	MBAMService.exe	103
PID 840 wrote to memory of 4068	840	MBAMService.exe	105
PID 840 wrote to memory of 4068	840	MBAMService.exe	105
PID 840 wrote to memory of 4068	840	MBAMService.exe	105
PID 840 wrote to memory of 4156	840	MBAMService.exe	106
PID 840 wrote to memory of 4156	840	MBAMService.exe	106
PID 840 wrote to memory of 4156	840	MBAMService.exe	106
PID 840 wrote to memory of 4916	840	MBAMService.exe	107
PID 840 wrote to memory of 4916	840	MBAMService.exe	107
PID 840 wrote to memory of 4916	840	MBAMService.exe	107
PID 840 wrote to memory of 916	840	MBAMService.exe	108
PID 840 wrote to memory of 916	840	MBAMService.exe	108
PID 840 wrote to memory of 916	840	MBAMService.exe	108
PID 840 wrote to memory of 4524	840	MBAMService.exe	109
PID 840 wrote to memory of 4524	840	MBAMService.exe	109
PID 840 wrote to memory of 4524	840	MBAMService.exe	109
PID 840 wrote to memory of 1212	840	MBAMService.exe	110
PID 840 wrote to memory of 1212	840	MBAMService.exe	110
PID 840 wrote to memory of 1212	840	MBAMService.exe	110
PID 840 wrote to memory of 32	840	MBAMService.exe	111
PID 840 wrote to memory of 32	840	MBAMService.exe	111
PID 840 wrote to memory of 32	840	MBAMService.exe	111
PID 840 wrote to memory of 3396	840	MBAMService.exe	112
PID 840 wrote to memory of 3396	840	MBAMService.exe	112
PID 840 wrote to memory of 3396	840	MBAMService.exe	112
PID 840 wrote to memory of 1768	840	MBAMService.exe	113
PID 840 wrote to memory of 1768	840	MBAMService.exe	113
PID 840 wrote to memory of 1768	840	MBAMService.exe	113
PID 840 wrote to memory of 4556	840	MBAMService.exe	114
PID 840 wrote to memory of 4556	840	MBAMService.exe	114
PID 840 wrote to memory of 4556	840	MBAMService.exe	114
PID 840 wrote to memory of 3068	840	MBAMService.exe	116
PID 840 wrote to memory of 3068	840	MBAMService.exe	116
PID 840 wrote to memory of 3068	840	MBAMService.exe	116
PID 840 wrote to memory of 3904	840	MBAMService.exe	117
PID 840 wrote to memory of 3904	840	MBAMService.exe	117
PID 840 wrote to memory of 3904	840	MBAMService.exe	117
PID 840 wrote to memory of 2712	840	MBAMService.exe	118
PID 840 wrote to memory of 2712	840	MBAMService.exe	118
PID 840 wrote to memory of 2712	840	MBAMService.exe	118
PID 840 wrote to memory of 416	840	MBAMService.exe	119
PID 840 wrote to memory of 416	840	MBAMService.exe	119
PID 840 wrote to memory of 416	840	MBAMService.exe	119
PID 840 wrote to memory of 1820	840	MBAMService.exe	120
PID 840 wrote to memory of 1820	840	MBAMService.exe	120
PID 840 wrote to memory of 1820	840	MBAMService.exe	120
PID 976 wrote to memory of 3000	976	chrome.exe	135
PID 976 wrote to memory of 3000	976	chrome.exe	135
PID 976 wrote to memory of 4340	976	chrome.exe	137
PID 976 wrote to memory of 4340	976	chrome.exe	137
PID 976 wrote to memory of 4340	976	chrome.exe	137
PID 976 wrote to memory of 4340	976	chrome.exe	137
PID 976 wrote to memory of 4340	976	chrome.exe	137
PID 976 wrote to memory of 4340	976	chrome.exe	137
PID 976 wrote to memory of 4340	976	chrome.exe	137
PID 976 wrote to memory of 4340	976	chrome.exe	137
PID 976 wrote to memory of 4340	976	chrome.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3400
- C:\Users\Admin\AppData\Local\Temp\MBSetup (3).exe
  "C:\Users\Admin\AppData\Local\Temp\MBSetup (3).exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3972
- C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3028
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe486c9758,0x7ffe486c9768,0x7ffe486c9778
    3⤵
    PID:3000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:2
    3⤵
    PID:4340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:2780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1416 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:4472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3216 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:2520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3264 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:4888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4676 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:1552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4004 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:1752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4704 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:4412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5188 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:5112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:4748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5256 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:4492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5476 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:3468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5624 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:3604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4976 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4564 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:2596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3244 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:1576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5852 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:3536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5812 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:3428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2640 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:2536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5764 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:3372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5224 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:4936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6128 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:1520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3896 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:2972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4632 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6528 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6656 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=7068 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=7040 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=3336 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=6792 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=7672 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=7988 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=8444 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=9844 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:6116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=9704 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=8404 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=8396 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=8372 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=8356 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=8340 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=8324 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=8308 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=8292 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=8144 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=7796 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7856 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=10216 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:6940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=10376 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:7260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=10756 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:7268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=6364 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:7840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=6356 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:8156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=6360 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:6956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=6472 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:6936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=6768 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:7592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=7236 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:1660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=7220 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:3172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=6244 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:7724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=6232 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:7732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=9844 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=7708 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=8356 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:8028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=10232 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:8044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=11012 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:8036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=7280 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:8120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=9632 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:8116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=7004 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=11160 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=11108 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=11104 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=10196 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:7260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=10452 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=11408 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:7584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=11476 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:7676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=11468 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:7316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=11444 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:7348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=12060 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:8360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=11492 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:8424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --mojo-platform-channel-handle=11740 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:8524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=12432 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:8516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --mojo-platform-channel-handle=11844 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:8776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --mojo-platform-channel-handle=12280 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:8804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --mojo-platform-channel-handle=9988 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:7016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12040 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:8992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5572 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:2
    3⤵
    PID:6096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --mojo-platform-channel-handle=2848 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --mojo-platform-channel-handle=3452 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:9120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5764 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:5280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3388 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:5292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --mojo-platform-channel-handle=3400 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --mojo-platform-channel-handle=10880 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:5224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --mojo-platform-channel-handle=10860 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:1112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --mojo-platform-channel-handle=3440 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:2532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8652 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:8944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3324 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:8
    3⤵
    PID:7240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --mojo-platform-channel-handle=10940 --field-trial-handle=1836,i,9965041924335747417,7587454907556242941,131072 /prefetch:1
    3⤵
    PID:7500
- C:\Windows\System32\rrokzr.exe
  "C:\Windows\System32\rrokzr.exe"
  2⤵
  - Executes dropped EXE
  PID:6288
- C:\Windows\System32\rrokzr.exe
  "C:\Windows\System32\rrokzr.exe"
  2⤵
  - Executes dropped EXE
  PID:7368
- C:\Windows\System32\rrokzr.exe
  "C:\Windows\System32\rrokzr.exe"
  2⤵
  - Executes dropped EXE
  PID:6364

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Executes dropped EXE
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2904

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies WinLogon for persistence
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2156
- C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe
  "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe" "C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\config\UpdateControllerConfig.json" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbclsupdate\staging" /db:dbupdate /su:no
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1916
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe" /wac 0 /status on true /updatesubstatus none /scansubstatus none /settingssubstatus none
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:4956
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:916
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:32
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:416
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:1820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc 0x488
1⤵
PID:1980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:576

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\7z.dll

Filesize
1.7MB

MD5
b9bab3b367c53472908741b774fce358

SHA1
987e358915e7bb78491a65073189642f88d0d823

SHA256
77a4eb913e5bc068fe1479f6da9bd2b31303b6d23c7e353dde2984fa373273f2

SHA512
60b3858901df2ad51db7efde8673fd17c529c09029247d6bfb6565031d53d00b1d554ba558b0440a00c961204b0bb812d0f9ceef16a7fc1934f6b1a5efa91745

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Actions.dll

Filesize
5.0MB

MD5
1eff53d95ecaf6bbfffe80d866d8e1dd

SHA1
d7ef7d7c77fd04b2c0eb8c16bb3cd08057f6742f

SHA256
6dd748f7ca56125cbe158fa3612f08e7312ef58ad5375e6b7ab5532cc16ca0ac

SHA512
c59b8e6f0b238a247e64b9c7bb42213dadac1dada63542830a6292361174c935c0c662b2d1aed3fb6100cc4993297b1eaf25e328f2b4613458c4ffca63b9f02d

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ActionsShim.dll

Filesize
2.5MB

MD5
fbc364eea16a35cc9b0a17e4aca7285f

SHA1
6b64884a9ca80dd7d182887e0343c605883c7bf1

SHA256
116a14d575bf2d7702ca62783ad5a85406c5359e1e1ccfd02f18101c3f660802

SHA512
883b5b83a352f51f5eb80c0f6a50639f03df5c3aa622208f64ebb5fcd19c42c46f19ea5efeb9fd588c9ae0dd7b8c380c7e095c875d75f9077646d9eefa09122d

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\BrowserSDKDLLShim.dll

Filesize
2.5MB

MD5
a331cf17fcc6837f177807b55befe7fc

SHA1
95d3a08e725bbacf6e7e9f4c6f476cb65896ae03

SHA256
2ee2687139da1173149072678204bc8fb42ca0e85dea6cea7a86e7699f8eb395

SHA512
7cf75ff9a2d407f4ea4e093470a650338f364ec8761b3fccda7a1de9219ddbc528e0b729ab5a05284850be8f862d6018222e9678a921db2ae04d86228e891a86

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CleanControllerImpl.dll

Filesize
6.9MB

MD5
d58ef45a426aecc7aa0a0091d5a58058

SHA1
30f29c2d446afc7268fd0327b4c2eee65f0d90d6

SHA256
e526995675b199febcd0a04c4e46d347af81d029daa46a6bda36ca9f2e885c23

SHA512
7ed2fcaeba4aa91b9e936280c591e718f4d3791b2451cd4d199550b888aa7b860c0e71c46e88b76055d852b6553ddb4b52a480bafa6177a2fb730f60c603b9b8

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CloudControllerImpl.dll

Filesize
4.8MB

MD5
9fb95fb4fcce555a7ad192054b7788ab

SHA1
dd94c091b296355d7af143196baa8cc14386ac05

SHA256
e3a44c1f8ac422bdc3866e9d8979db6beb9f40edd8ae37079a5bce89f7833016

SHA512
6f7d3d4c08ff29efe9f581482007ed74ae5dd02ce7d6c1409ecadeea4001f9e076e225cbc0bb60e4a55b7920433d2a14f7a84a2d251593f1b3a4c1df15019cf6

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\LicenseControllerImpl.dll

Filesize
4.4MB

MD5
e0f6252ef47bf828cb349e09f605f155

SHA1
cf004dd3c2b22e1974182f00c833608d39982ac4

SHA256
4a05cf3b69e34700ce32dd8939e1bb01eeb162a130e9c26394ff5b29a251bc43

SHA512
16b59ab825da006ea6af20a6b8d9b7c693135bc81953af8fb76429eaa749849772d15346c030cc57f16fe3cc95d09573ef0c4a91256f23830ac1b57f6d60ac6a

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMShim.dll

Filesize
3.0MB

MD5
1e7d973c8c4f8c6b2a9869a0016cca2e

SHA1
c7ba28281c058473c5fa772690402ff8f6f60978

SHA256
5620e6838aa33e8ea09092d02af4d3d0a721f79730ed40b2d21eb8da600a5a98

SHA512
2a0d890602e20484bff2276607a410928644ae99ed6753cbbad3a090d4759877fce0cc1954e7beb8719a393596e81715692f828fbc6fc9beb18016aca3fc3a89

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll

Filesize
4.0MB

MD5
e3e5f85bd7cfb83e9f935ca401a45285

SHA1
28eeb13762208f6244eeb91110dbb69587eef515

SHA256
fcb39655880750b2030fa2c2e8ddb49236c922f83c56aa12f8c2c825629cc178

SHA512
a611d4f933dc9dfbdaf60178032e744a24eb9d738e98ee61a086df437409fc1dcd33df5ee500b62ffec800da3431c33deb58befaf8d6919e5abc53f9929918e2

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ScanControllerImpl.dll

Filesize
5.7MB

MD5
6cffdefb396314322502d219079828f2

SHA1
3fab6b4e7d1c52dfe82dc29b2a73b9eb08b59f9c

SHA256
03d339ecd3f8b29b306df6948001d8e46bea57953ca6b20236cc7c6ad1e54484

SHA512
771c8efc2ed0c09f3e16e337986be62485fc15296dc62056e07379b48a1334af8e07612ed4b6e6c3012ac54d4e8f940f39fc85fe1f29b8d442bc05b7c2dfe812

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Swissarmy.dll

Filesize
4.0MB

MD5
868e824338f391e80232919cf8b2ddd4

SHA1
aa76ae74108323dd9e97496efd151122100e78d9

SHA256
f1dea5c79df500b0d2fd5284c2f843b899f9505d5083f2c2d41664b752569623

SHA512
cc47cae6133758b032ad344db6057f6191704b535dceaf42a5f8b0910b2c3564179c3567727e7b1356b73a014ea6936f243b76cb136d68eda9ac1716f1d4edde

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SwissarmyShim.dll

Filesize
2.6MB

MD5
84509a63f2a6f22f27dc41f0138e5a7f

SHA1
10474305b2eb85c31b92b2216e98386afcb818b9

SHA256
d5a647395203dd4dd33c0638384a139dd0c3dc15e0b0e3098f70488bda2e1b1a

SHA512
a9cb91ffc7e967980eb2f9776d08b3d7b00840786ee10f862752fea4a3c6abe9b6f0b9456e3b54e5ee8e73d369996ab34cbc86ed17896dedf24bf41759065698

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\TelemetryControllerImpl.dll

Filesize
5.3MB

MD5
c9aea537299f555ae001f4466bddfd65

SHA1
a0a3fb74c0aec94a2faaa33193f7e013866d8457

SHA256
636c6855d43b6e9a9111928753abb193315c3222d952c597d3786f3854f27064

SHA512
4647aa4db4b136ca7f054e89c1ab864d85d4d52405e5eccb157af7ebb140a1516657499fdd7927b83f468fdca1eeed2a80267a1a03084cec412f4ede4b04a5b6

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\UpdateControllerImpl.dll

Filesize
4.4MB

MD5
485f09c36b78e792b23b52e889917139

SHA1
950cc2cc992c7433bdc778da44a9d6337ad063e8

SHA256
cdca10c69b40cb954b6b2e06004d72eda772c26afbe50ebbeb9d73973b4366a7

SHA512
8a05c43d7308272d165bedf0434dadc07bc71b396fb1ae5ec524fac865ae3346a15485d127730daa94d7eb37b4e234b974e0e8f1ab7de8df848c2e0bfe7f8fec

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\pkgvers.dat

Filesize
74B

MD5
b3cc2e6472fde5896b961eb2724054ea

SHA1
dd99b52f9e3f9d2952f860a9bde4e7881ace60e6

SHA256
f4bdf991151d816b6eb92f20aedc82be5e70a4ee1693245029373bd17cdbb2ab

SHA512
cc1661ab0895393c9b374bb01d7e372dcb1d45f129b6b3d9ee19e7d0ce61b2b63dd7dd7d099466933df493f332419708e78f1c0e841380921c0fa88be5e2d6e1

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.nm

Filesize
337KB

MD5
2793ffb90a152420590b256f9b30351b

SHA1
3f4c9b75cb9305aa472c84f1e5c1c1d2a390666d

SHA256
b2c33bfee71af45454809e33d4f6323fca868aac19fa26ff6c226bfe4b571316

SHA512
7788c822da051982995c5d06443db5b823e01661b4deb811cd2c35261e3039d59b9acd13cf51b16ca69341881cf670222c7c3a067320e3e80073583196769487

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.sr

Filesize
19.1MB

MD5
23886e1f06c462f54684e9d7557c8d5f

SHA1
c0614822743e6987d9361e046019f2c31677cb76

SHA256
61da7f6618f8a4973979fe35a05e8053173302c9a2f1c32f08fed15c7f471779

SHA512
2a8a5affeb31ab8c571a41e2d17ec2be62b6faab2cd11aea00b3ea6b6507b22154dd5c2b6cda18c379192aa99c8cbb8cf90c7bf16f1ea99456a846616326ccbf

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\cfg.bin

Filesize
1KB

MD5
86e218784196fe0b6472cd0f20a85069

SHA1
8a5404e5b49624a5a6c289b299f98c4b72720968

SHA256
9aa9ffbaf7126a0b23ddacfaf7f576c85b5a3c3a7d57eac636e73af8842c0902

SHA512
1db35f7d6414fb6ceb486c0361ad394dd4f75d73925b17ffedb07d20b2cc264da33a1e9ff2306dc87ddba81099d5dd2c06b0e399de912d6bfa464c62c9ad777f

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\clean.mbdb

Filesize
10KB

MD5
55fd3242df42ec31c97042223b655313

SHA1
fcfbab458aa40e497e30a703eaf296c22f6675e6

SHA256
717c9b06c2ef03ae82877fcb22189292bf5740ee3ab843d9178a1980ccfa5cc5

SHA512
1f31b6986fe012e9eadc17f642f55f41acd5e3731e125be510f58b6cd985b591773f706684cfd4036127f8232207df091cfd56420805565fb11e52e3d18b49b5

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbmanifest2.dat

Filesize
924B

MD5
7cb4a463f56c46ea988542549ed342f3

SHA1
7024e1a858bbc26c1571a3dbf78fde6dc0cfead6

SHA256
e1c6c70b7f1f3f04609064c367fb026292e7a280a2d671ea10d57726f9c75634

SHA512
dddd0a2eb9907a5f96a3392b190c43eba61341c304e5a26276ee9485681877bfdf6d8b36240927eb20a635641b1356ad68fdc2c3a67c06670599576e6a32e4b0

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dynconfig.dat

Filesize
39KB

MD5
10f23e7c8c791b91c86cd966d67b7bc7

SHA1
3f596093b2bc33f7a2554818f8e41adbbd101961

SHA256
008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

SHA512
2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\exclusions.txt

Filesize
23KB

MD5
aef4eca7ee01bb1a146751c4d0510d2d

SHA1
5cf2273da41147126e5e1eabd3182f19304eea25

SHA256
9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

SHA512
d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\mbdigsig2.dat

Filesize
514B

MD5
5a15a63ce035fa91adc09e4089033358

SHA1
61b9b0ad09e2c3ad8f6cf70b5bbae49d22a327f8

SHA256
50ffa8808f4832e2caeff5ebe23d984c6d181861a8680d9c13c075eeb2e02f40

SHA512
30e62015e2022a5373e9108fb1c8d07be285c01879d6be7a32e19b65143b804cd660902fa734566bec3e9d32febc5495de2a66d104ae2aaf7df00b9bf771076a

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\prot.mbdb

Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rdefs.mbdb

Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rules.mbdb

Filesize
9.6MB

MD5
2d9c2a2d6d0837e66419791e1fdee49a

SHA1
47aa47cbdbb3931cd3dfe06724ede177be0a7a2b

SHA256
4fc1885fb6a14929094c997eb7d850c06a9ffc7d13e300b9f58a68787d78b853

SHA512
eab8fe5034665518c7a16ff2228b95d39c562ada06bb8976114be1ed37a1d7c91d0d8a3e1adcfc215a455b32fa317a2f859063b16b90e68a5c9e8e7a0d3433ea

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\scan.mbdb

Filesize
995KB

MD5
08b56d62a71504776bbcae65debaa307

SHA1
6a02a85e9a7f45a1d780fa6b8eda2d35f600fe31

SHA256
88821b079ae8a892f84d913839a0f3212634043630ef43343db394b10f42e245

SHA512
93c4f00a7e9dd5f279e34f50c59c6c88ff8f372a12d02102463e2cd98e204b3550847bc4613bb9cd561e9cdea2ed22f1abc1932d65548dc3a9526e48ead3e740

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\tids.mbdb

Filesize
177KB

MD5
c075e2ae07d4d4ade2be2df194aa4948

SHA1
714d22b806dc5ba214ba11a7eecab5295b7be732

SHA256
266de809c0ee7da906a688001ad8bfa9d00d15028c81677501d7e35e1fb90cbc

SHA512
96731147a1650c0da7172bee9ba7ff4f3328e79960b44a6450e85d4fa248eb4b0d7e1742e7433efa54c2a64a5aca9cccad7904a8f4830d2a8dab8af042e07cfe

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\wprot2.mbdb

Filesize
47.1MB

MD5
580a2ce3cb8ccbcdf7508fb83641acc0

SHA1
0a17a477be571834d8f12d7d4ee0dd8c880782b8

SHA256
85fb33ad538d6c3549fde5083ad480e87e0c09023afacd367e6c99981d965e84

SHA512
18126763be3ab0a8d8abe5edbefafccdc5caff55acc53058e6a106132ea1ec26b32e329ed4f906bbd7d030a37e1b18044fcc9e713caf34973da8c084fbd5029d

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe

Filesize
8.8MB

MD5
f0c28c2c7ab3d0902cb776af8b8ffc67

SHA1
734a5fa38d72c40fa9a92472e270a0625912d2e3

SHA256
7512300ce0e2e98068f6ccdeed60b93001522a36d9dadf04a85a4c98aad6a823

SHA512
176bc0ebdff56b60998827d791ba9894213ec09e146a1e7398be4946499a367f25955ac0c300e85d1574bb55a6d5cc753375d6679b4933116989e1505f43fc89

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\VerticalHeaderView.qml

Filesize
1KB

MD5
829769b2741d92df3c5d837eee64f297

SHA1
f61c91436ca3420c4e9b94833839fd9c14024b69

SHA256
489c02f8716e7a1de61834b3d8bbb61bce91ca4a33a6b62342b4c851d93e51e0

SHA512
4061c271db37523b9dea9a9973226d91337e1809d4e7767e57ac938d35d77a302363ed92ab4be18c35ba589f528194ad71c93a8507449bf74dd035acf7cdb521

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
592B

MD5
d085ecd061b5455f199e0b3c39f93507

SHA1
cc0a3ed8298cb6d301f18d06556a69cd65b57e57

SHA256
407f1214fbeabffafa2329dfac681ad36c1a9efa8ba4066f974e767f6aad5a3d

SHA512
e0a0899418f1215b0825fc9ec016941c4a4ee138c5e421cdfdeef9375336a4a3610738e365b077d1d99e6cefb9f6e29fc2c303020a91f8e78fc34e9af0c620ca

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
654B

MD5
6d41e9079774c95176de3eda011da909

SHA1
767fd91368d68148e5cebbe1fb008b13cb616287

SHA256
fecc5be689bb630713d722f97cb47659bb134ebaa11219bbcc7eb4f1e94f6afa

SHA512
d562eebda6d418c6b9d6b62b534be2778d7c7abfd4381e3e130739fa4b0ea72b04bfea121cd657906c69310e4d4df067a3b985b18dcc78a37a910b53b989929e

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.dat

Filesize
8B

MD5
1ce34e67180e7f2d233b274457cc1c65

SHA1
451a6c7c2ac52cb903d5325acccb52d29d92fe5b

SHA256
d7f50cd5214d75cad9d919e64c6c6e7e75b1a62066e6f09ac7432105b4c33e3d

SHA512
f969f37de5af5d033798a1824a8d7fcbc71e78d31c00d3995426c7004adf180b970702921c8d05f5a42f65e46223a9e606076c77db47720beb2bf02aeef221dc

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\expapply64.dll

Filesize
365KB

MD5
99c8e47d747b36be8ffcfdd29b80dc3d

SHA1
9b8e87563fee31abf90bded22241f444b947b071

SHA256
0db4dcdf3fbeef2c4d18555f479a28dde3d67ee6f0d27c18925207142b7a38f7

SHA512
f9cf4ec06585c6cde57011884141782bde83adf186f57f75576c8dade1e868d6b886daf8fa15c55ac908ff995c4b6323c3a8266dbd664b807cd67cf788f7074e

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mb4uns.exe

Filesize
3.8MB

MD5
1c1ed125b4ba65d7499504b2c77a8b27

SHA1
4754ee30ac153247c8a0e5a264aa48c0f4c20ece

SHA256
0113b48553f2a67726a4eaf0fff5b5eda2853aadbae32be7a99629b8a6700196

SHA512
a51d3dc077b91b14e5c38083fc1186d5b5504cdbb5439942c39fc4d054aa05ad9bd1d913b7f8bae8d35971ee5f92e1f483cb39b6722a91a0976f96f79e39b512

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe

Filesize
22.9MB

MD5
b40893889ce23e4b4a7c36cf342a902c

SHA1
e12587d17569b8671458676c0d63ee9db6535b38

SHA256
58b49bc00806b5c5ee3f0eca2bc5b70ae5380cc8ea4d55abe9a4f653335e451d

SHA512
af7fbf40d500a1cd116b8079ccbf4ee255ab8bb3108850147008b2cfafda6683e0636f1628073b65c649608d8390137e27efe8c4078fabd58c3a4714db48d41b

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe

Filesize
8.8MB

MD5
9397d8e4cb951f7d452caa6db54f38d4

SHA1
e8de4b824d1fc299c693e469efbe82fe3de89e87

SHA256
066d75c9522fc923f04c70efb02d236cfc9fc7fd695a6affc464d9f8bacab7b1

SHA512
92b97f698057815865d239a3b2ea082469d682203ffab6981f3a296a61e91065b304fc6824a1261ae274409f08ed3a6c4fafb988a2fe8c0e60a5b1b3ae1a81b5

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll

Filesize
114KB

MD5
f782f049b0e8c13b21f8e10e705bd7e5

SHA1
5c11f955e3983c50ea46b5d432c97c9148ac8e9f

SHA256
16c450a310edbea07f578f31368f168ec338011cd117406898593e86ebb83dae

SHA512
eed29c42b14ff26a030f53d61d6dc8e3971e478dc7646b26189f14f16699b6bedc170c4bcc37efe2e8f3048bde37480033b49eaf1a4712b88464f5da0efc18f2

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.cat

Filesize
10KB

MD5
43af9deb38e2dbd69c46b6befdbddd6e

SHA1
eb7a9e4cdd74f0cc5a1ee07292a561123cab2545

SHA256
ca94b3a3b8721870a0b96675649800bd751daadc0391cbf3143e2f7aae6dc676

SHA512
9947529cab455151fc1ce09828ebf195de922b41a303c12f33baf5670729b533cadb28f360301f2a0ad14f3c7315ba90955a0bdcb7828ec1920b349fada2f518

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.inf

Filesize
2KB

MD5
358bb9bf66f2e514310dc22e4e3a4dc5

SHA1
87bfc1398e6756273eee909a0dfb4ef18b38d17c

SHA256
ff51780a5a854b2c18f71ae426cb066a13723ef6155e24f4910137c9e8dfdc17

SHA512
301ec5ec5c0813951843011f2204924240235494999136ea30a557cbf58146fc6043a8866b344fa7deb927d7c83d44e2aaf45adca7d221aba5d36715b9a63e09

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.sys

Filesize
195KB

MD5
d738a028dcfb7d1cf97e9fb11e306db7

SHA1
77f4d6a79e1f2754a2e93095158d0edfb9a6a5eb

SHA256
8f38d2a0a8e306de910bb621cab4276520aed84645de942538d0a9c792dd0074

SHA512
c753a13767c8460823851a144a2a9162168a1099664ba601d0a929d539ee15d78123ffd86cb6225f0d7e6f52f40b2c444705da8bcc1292bb6c9757732b82ad94

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.cat

Filesize
11KB

MD5
1cd8abdaea3bcd30214f01046ecd450d

SHA1
abc8fef03a274dcb9f15c17396e9f0af85a0b0fd

SHA256
cf981ad0b084c330fbfc00f9e559404c6731d407a9f004ce68b50ecd7abe7425

SHA512
a04f2beafbe2311a5eec84f8ecff16db1dda864d420643184b0164aca9958b679205c3ab23bb71095d710f45dc4c3c51ff8b267c36a1ffc768126b48556f5f86

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.inf

Filesize
3KB

MD5
5a9717e1385703e8f06b27aa10a69e87

SHA1
84ee67a9167b5eb6560711b9871de98898ad07a5

SHA256
47b7c516bb57c612de19f0ca865590af95b6e32bf873a0fef9e011b2c5b483d4

SHA512
dd3c7278c2c11ad15a55fae6d19b96dadd92f85b7f0c8ce934298258af00bb5c052a84a98499b8867b0f43704fb307c67d03692ca69dda4d814c6c17dd73df44

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.sys

Filesize
218KB

MD5
262ccb223392f18adb4b4c846905c4da

SHA1
63403407fbe1712a4bfad0a74efabeba297325ca

SHA256
5d2004603e3b392693a1e74926a36a2ab3573c6790b00ddb14564c8affbd4f4f

SHA512
68b2684b9f0a2e5e33b76e43ac4b25b8e7d3dc3d678fc3c90d70ec5ee65ebdd884d838950fb4bc5145ff927e25796d2e6e97ee6bf365ed4f66ac7f7ba8f63b33

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat

Filesize
9B

MD5
f726542aded84023a13eb78929733a4c

SHA1
a6e6cc94faa58f8f9de95d6fcdd6a7ef8a86565c

SHA256
ca8a93db9b23da70acf8913f25b52c74ba3cb9a705de99e8cffeec3053c97316

SHA512
a0c11b133436d6f186c7ad44e307b7c7190b7c685c9e750e4d8eeb90e1c5efb9a6397ff575c998cf3d334a670b331b1ac5e30d6524e6c051e9a3fa5ddd367673

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\uipkgver.dat

Filesize
6B

MD5
74c6677020fc6b6c867aab117078bf5f

SHA1
8c46db37dc0b39eb963d4144539c8b591e122400

SHA256
cdbb9bc874d71e154c71b68b1fe959913d286036dac11e226e5620c919ba9708

SHA512
3f9db8d9bb25322f8d8e750750bf92dbe6ac63d686eced65cddfcd61178cf0e947118a491058414d4d2cbb4892e39815565669aee0dfdda23aece72d278292d0

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\version.dat

Filesize
47B

MD5
a1817ad103de82687d083deb00c58402

SHA1
f222638b927b9ad732d9c92f66ed632b809b3eaf

SHA256
278fbf4184e52b002921e3ee3724e94edfe2e2e02779740e534e376f50edbfdf

SHA512
66fff6bc77d7e5f01724bd47b9e02ab7b65da5c09cd44eac79e5722e52a2deb92b2eafdae8fd698ca7441e6cd4abe27eb4c8e483a83327fb0aba97370691d4b7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\770a6518-bf74-11ee-9ab9-ca152a8dab80.data

Filesize
2KB

MD5
19ed80d9cecd4166e75cecccfc73a6e5

SHA1
614fd679e45752131ff043e66b7253aa9967f715

SHA256
83c04e971ffbaf01d4a57232476b4c8cbf43cbefa45f5eb9675ba05ed07e499f

SHA512
f22c5faf070425e9b035e8d1875a6d0d1b8e3dd4a6a7ee27ece9746ddbe7d286625a521f76b6fe7d24441e651c3e32bbf3b5bd9fccc984bf9a0c63e47cf2d70c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\c1efdc16-bf74-11ee-8cdd-ca152a8dab80.data

Filesize
2KB

MD5
5ef0fbb42a8f9ff4223f4a2bb0223a18

SHA1
af733489013b61dfccafe2af5d4e85f8b6cce2cd

SHA256
ac73a45fd0709d2020983eb95f82826f37bb05be5ffea69c75fc179fbc37bf86

SHA512
437cbae84eb743fbcbeec3105ea90d4ce4d61790b005a198e2cd45d742b93cfae64b09666a008d3ee51d35a977abcea0b24bcd8026594acb8549957892e55c3b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\c4c22ebd-bf74-11ee-a340-ca152a8dab80.data

Filesize
2KB

MD5
170d4730e6b48b1a1d2cdf744a67fdb8

SHA1
327740371806ab76b48e0b579e3dfc08e7685391

SHA256
d2930733ea53f66b2f21225f0131be0ec56132347d52889e08e156b9672c5c64

SHA512
542d76ffc888a94447d2808431292c5940da55e4de07e31602520e5803e17fb59f642ed7853eeccc6b759974d278ecd1c4ce0f3504090822fc96582d2d98ffa3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\71529f96-bf74-11ee-bca4-ca152a8dab80.json

Filesize
15KB

MD5
5abe39989e03ac5e86bc54397f0a7fd3

SHA1
0a940d92a4b281d706aa828d192934e3ed91f684

SHA256
4928a2349fa5945ee6adf2bc7435a124cd51fd3e148163ed83da399451d90cd5

SHA512
d7970dd52f9f55a6420a28283b91c7d8c245b1b140a0c8ce75ba9b60c8e76e731b0dfece296c7c333208b1d2ee0cecfd447d93e7016c7a4ad9517e951647c020

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\71529f96-bf74-11ee-bca4-ca152a8dab80.json

Filesize
15KB

MD5
168bb720932df9a33af38e7e7815187b

SHA1
4ef0b3e6661de4c60d7132af36c93487c53d9f1c

SHA256
bfa96dded8f41417d510f2e1eefe9ed377d730128389fcb23242882ca8b7325f

SHA512
3573fea149d59c0ea52b871d0ddfe1349fe221b10ab96f55a02265558b4de38675ede23f89dc6e99ea4ddcf7aaaba2f0a119e0f4dfe12cdbfa5273457e37e641

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
1KB

MD5
bba5a4113301fb344fbbbb7266e60d92

SHA1
00e87cd79ced171b918a54ea8baa4e8b0c43c93d

SHA256
9fe94d70f0796bec2cb5191459dda0e6d3bc2882c7c9bd68c7c77f561857eff2

SHA512
4973715b309330481b4254a2bfb0e6b79eeaf45c089de4fa95bff558e9edaecfc1f741d86a94d6f500ecda763b3f05e71ecb9a387f3db341dfad11596a3de24f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
47KB

MD5
420f0a3392e5ae4896d87d893d447703

SHA1
459f7ea0f526f154609c010737d161fef33073a0

SHA256
6e334859cfa52d3e24682712e2bca8f4c6b5738fdd3fb6e44790bf320bcc78c8

SHA512
7ceebdaa5e098e89f625ff784238044b2333333c4e06e8765866cd2bce89736cf49615be020283b07b965ae2e7a41c06b90589e64582feeb174cd6222393cb7e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
66KB

MD5
4cfca850a636a141799722e715e58a14

SHA1
80fd3b8bdda82adad3b9f6eb4c37b5d38f9d33a8

SHA256
00dc7a7cfd491bcbe98ff0173e8a8f5d512c2ebeb08847f302f5a63177f75b7e

SHA512
ca9138476388b4cdd2b5ae26ccb556656b5a6523fbb20a0e0668c1e00b4c0432dc08d0fed8aab6917ec650c9bf35851d03619702195107020794900708bab3c4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
66KB

MD5
f5803634ebdd7549d28bbf78067ffacd

SHA1
6a2cef42b687dae5bd7eb8bb5dbd3af317b54077

SHA256
6c0b57a5b03f105bd424084485d142a4739b2c02c0f83e948eddc36db5f21818

SHA512
747af7d33dccde6db7b177c6b6b11af2de671dbbddfcc9d26dd92148986d45c9555cb40ea4b0f638018883877746f38b8d5eb4bc4770d23ce4bc1b1874d5f715

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
89KB

MD5
e91cfd351aa972003317470415181003

SHA1
93c647d670d084a565b6fc9b9aa76c3302a52ae2

SHA256
018f155f5fe07b29e78aba363a39f6136ac0a4191dcc05e3cabd0b802a5a00a5

SHA512
803a312e02116ee950a1d7b489401cb25b9b7ff4322ba05a0a23f550ca93edf693cefd5ac7245ec82bf8d5ac5f323b7bdb0fa43ef8782750ff2076fe60489a82

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json

Filesize
607B

MD5
203873a5b32ec3e0a2105973834ce269

SHA1
c5d67122fd1d6bd24ef7068107cf30ff0aba7d61

SHA256
2fa592c1e309b712e3e6d9cb546da7fc369b51463560a8d5a7da042567020c6e

SHA512
ec9eae363c9162035b5c30b9d0313ec2262d7f0453a5db630aa1c0fa22784ea24ffb713fd87806a8475f31ab937c7f863cb233a571b2bd8a95b0dbd951808cc9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json

Filesize
608B

MD5
addd9ed0f57e20f736a70d3fdee4a42c

SHA1
74cf55d15995eeab859ae5baaec2e4ca002ebc8e

SHA256
2aefd679c57d8493463f83551549edcd6d598cbba81f69078c49c229ff26445e

SHA512
6e866c6e2f8cc12350e659950117141dce583774478612f3fb46aa19ab60111b124b6667f2c270520949a3c384934d634db5ab24cf95d53a9ab520996bef9efa

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json

Filesize
847B

MD5
275f2920774d88baf273e09d0efaa5fd

SHA1
d426afbb7fae08c64da603f55c5c7a164b6954ff

SHA256
72e762181d35bd2418bb6f0149ff12adbd109ca97431cc9205f00507e0d6893c

SHA512
48422496cfdad1b7d595d2aa8ac045f40ea331c292b1cb581349cd7bed1e71c054a8cbe289bbe18d5291aab0a029eae73796cfbf7c32803a73c60b0195160a54

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json

Filesize
846B

MD5
fafbc8b2dcb75fd6f2aae98deeb9c4f3

SHA1
5bfde4843867e0e75cc2d8a656d22182e34b3757

SHA256
2cf8e3c96bfc8376649452316143632399fd65a4e2a3536ad0c8527a1bc2ab70

SHA512
822f27f25a82b6f7fe36b59c876e12ff8b18b89afa4d0a60a0b6830f1d30d9601496bbcc9d3f4621894811bf1dd31787edc1354a8c4c8d0b953669257434fe45

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
825B

MD5
2603f7392dd5a45dd010ec83dc479b1b

SHA1
2c11de846442d673e0178eb80eb6e9b6d86a48f4

SHA256
359ac69a77e43080df22a490a1d48424000de7bc8f7719b05fded7243497fb67

SHA512
126fd0d11ba5710e6fe2a84c4bcf85a0b3c1f1210daac3c53ef93970de68d38ae6da01d733a85a5bd43e352bf7451305797cf998120dc6f12b57c7053e3aa740

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
1KB

MD5
345521bb04132a4fbb8f87851480f112

SHA1
6b1dca3bbce77fa126e8613b1639c57683e966f1

SHA256
847afc4a45e99186610c8468851272aef58a74cb23a6dd9f57fce7ab4725cf3a

SHA512
7475be822119388a7f3dd1560cc6aa7b3ebac5bc27ed60a3fb65d20592e766fde4f9877a575de22be142dca2761c6e76968cba1b6a5808eaf3a55f0523436779

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
2KB

MD5
3be5acc5b8e80a687f61f471b017bbbb

SHA1
d125455c18a612e028a0f56bbecc780f615b882d

SHA256
ed77d1f4f978ec91c01fec9b82fec14428c37c3248cf6cbc7c44e950f5408e43

SHA512
8fadb5a47538e44bd1ca670a20d34289dc170d4f1e0d66263ce50a7e3b205a802fe7e1decd9e790c25e166046771856b9137e0653977524ad37a56551d5b9b44

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
3KB

MD5
c4691ac2177a885142aca785cfbcd942

SHA1
70a2e9a36974222522afc3c04de3e3dcb89c0686

SHA256
75694b407d92a86382affe3d98b7ab4c2484fedfc9e20b4af090d103205de60a

SHA512
e59f6bc6f9672e328c36cbd8798010c60302b1f25ab874cb1aa7f02c56500f1899eaf226e367ff9cc8637b973e48d2ff3da5a43bdab20de6e3c0f96a64a92e72

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
4KB

MD5
e3745152fea32a02091ebf426cbd5b15

SHA1
11b41a57191c073cb088cfb03677f25a6736a5b8

SHA256
dbb938d3ef2bfadf454f064c7f9dd4bd3af6cb885e1c47ec0714cfeb90ea7eb6

SHA512
0eea61b4fbd54526a0500ef45422719dfd22c9c9d81fd0d09bda780eb993790b2b8813ebc86890cc79eb312ecd579d07728bd74986edd7e08a88d9665491ccf0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\IrisData.json

Filesize
107B

MD5
0a0a482d3905bb92597f9ed0209871e7

SHA1
985540a228ea7db5bf9d9d7b362cc13c230e29b3

SHA256
cc84fbfda7b6839fe90b2c8018aff4a8a208f08864e24a4e1004aa6142d80a8a

SHA512
c1fd0bf468ff6b62c15f5358967064c85bd6bbb8a84ddf3cc70961e7462ed3527a2d63da5ab1d351f3143176215808b27758ad1d5688e5df0f53b811bb95bbe1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
15KB

MD5
d16f63e41e8853656750c67bb22caf93

SHA1
8f0fc43247c3fcd5d22eb039feb35fe1f1444500

SHA256
825e358197a2f0638be7bd0308ffcb5966dc63445606f924b0ef91ab3834da54

SHA512
ca43d8d8f794eae5c192cc26b03f13bf928a04daf26b3a0a7735ef93288bf8341e34c40759cee9ebdaf8ef2f2e9ae4a857ab5b4c3c07f866bfe875b21296807f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
15KB

MD5
7430aa6f3747690156d851f8680a644b

SHA1
ee2b3ed91bcc63fddbb7ceb15003c10da49aea2e

SHA256
464bc005d59d0d64ef7dc44ea18780ac3eb52799074f10cd3f2e4476deb538b2

SHA512
e894abfa7b7b363e9266805d1ce73677b9565cbd276de567d3dcbba59d29cd7fa324c974f5091619d81782d76a26a6086906bc41069380c95c32650607ec076b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
15KB

MD5
482aac01082727a708e1de9d3bcd0ad2

SHA1
06e2906196c667ce2e12f0bdfca936c08c615d41

SHA256
cb14f8fc6ac5c1cf7e94f804437f50bdd35f49c5f7a2c140ec374fef411d411d

SHA512
f538ce6f46f3b8339971655e805f49601d7a60babcc47fefc00e550bff7813e07ca4dcc1396e15cf4e9bd0c3d2870dfec9b371d6f7f50d2dde2369350483be7c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
15KB

MD5
c520291d57711c209f19e6266e6ab513

SHA1
b02983984f9ee6c32aedfa192d64f2de8ba35869

SHA256
dffc29526bc69b1f0d72f40ff9c7e24da4e6395bd3a4cb162aa1895a1f397387

SHA512
6cb92efb0af2fd360382cde74abc02f0e9306e6f0ee3704a6b72d8d13e4c7aea217b544939b8d79dd0f310eeb89b09cb61f4c2cc86e1a06b331bbff303196340

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
16KB

MD5
1ae47c61861f104ca56734c6ca46ac1b

SHA1
a9f25cd500f8aa5b68a28d1b47b5cc045d1dc90e

SHA256
ea00fb8856fff7cd669a21f6ba568fe4583500c0f2a032610a21916d7a2cb284

SHA512
8c82abdd1c554ae98e4572fc1756ef12fef5e6f66009ad5530d0fcba3918b460a1a5abb0506d024ecd86f3ce2da765bf736381fd27026c252dda09f661c1cf20

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
2KB

MD5
9b69c862b87e57422273a4d61b11e4fc

SHA1
392ed07eb9357fa544b4fd8265d75ba7467da0e1

SHA256
560d2cb7e939512d30bdbf58456b761fa1d4dbddd9fe6cad31339a9ff26e927c

SHA512
001e191084680858ef09bbcac945dc49625de798761d68897e84a716caa4c4b8562bb8201f2d3ebe7fd88f33bd144d67bb301903c289c496a589c34864b50831

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
10KB

MD5
1640a014ad730daa9821881d33fc4b99

SHA1
215ce93f65172558e2f0e05d8b0659d8850fdbec

SHA256
ef542166dc0e7ce7db8663bcf7a75e5d9d6603efba2f933ae46e14b8f004cab1

SHA512
9e656b3f3c345a8f1c0346f68ff5b11e885af80678f143b9a0b199feb705b19546ee3158517823355d146c01e9c6173a035baf7a76ce76682b4841de8dba6969

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
10KB

MD5
e380812bd78953fbe928440907885497

SHA1
e2be8c737d9b53816111271894b98b85e1262f2f

SHA256
8a3e9a14a68cf1cb3d68bcca0308a11fad06dea4fbe708b8a610461454ccb716

SHA512
2bc0dc0d9bde79985125567322a19a642ba7fdc4a2734601cd6e5be358956945d1c204eba933b9a2678755db8c5fe5fea7aa7d40fb16a267a123fd89f35b1a79

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
10KB

MD5
c1c3e62a885ad0fc15963df0f941ee45

SHA1
5103240d3e8d67ee5d7b1f1c22c24d78b0e146eb

SHA256
e51c94ff50f2f13ef6a149c0e92b7330e3f4cfc56f210e1188ed96f13102c53b

SHA512
7539bc3632e5e9ae7e15f55ac27d2add59e00d0ff1cbdcac1e7072fb680cf3f6f0908a726fdf028ad78c77ea05c6ee8770e18880cf8d995606de83dbeaeca607

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
11KB

MD5
74cf38cbb3209dc9105e468ac2ccc78d

SHA1
f6a7fba7cfe516aa0e58263df57fe14062adc800

SHA256
2ff4aaba5e7db2793a673a4fae9bd38c8aecc551b28c2cca1bd0255ae53b5b2c

SHA512
dd982fcafd32c0bc8a74d245f2017a561acdda85d79a61ee7c227f29801f6d7fe53d936a09d4c4e9b500865662c75d58a0911041713da2dcb04c612ae4916e61

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
11KB

MD5
45b91c33d0fde39bc0e381e48ead4a7a

SHA1
3b6b4254a63a0e5603fbf79c52fc1ce2e77dcdee

SHA256
e7b82e45d4dfe11911765fb83a964cbf490f90f76a6ea9b1bf7154b835a7c0dc

SHA512
6e5ae6ca52aa9e2e90abb8992256dafc99ac00862d73ffb86f03edf80b3537aeb271ac4bf124208a7ef0117da6a728fcffd8c71de385eb3b1ad888e02bc2ae74

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
11KB

MD5
03c3fa52fd81f9ddaed8955ad7496127

SHA1
9af0c98ab56860f192769f3f5248a87b438afcfd

SHA256
4a263be9c61e3f313db0ec4d553214ebc49e8b6d5fdbc5f725d2aa312bd52f25

SHA512
7e033bd00d358dcfd374a68df96548159b8039eff688ff46373f4c1f636b90a76d29b1395d2856f2f18bfe31f6e1a29c32846f711fa879661de9a1dc72999f09

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
11KB

MD5
274b9cc6672fa8b4c53cb1e4ef72a497

SHA1
f9ff34d78284c843992222818a54a82ae770b26e

SHA256
dc57c41438afa79446de325d789c57901ab3436ca424331a81573703b2452353

SHA512
9305eddae1f72181fd6fbfc549f5a57a6fdc94cb4774853d09fd894767a30d329ef9a4216cda3e8535d6c7ab7cbfb55141deb0eeba9aeba5f015d26ee65eba9a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
11KB

MD5
c747d782187f9dd49b6d53f1a34f6da3

SHA1
e22bd5b58702959a0a6faafef0dcc0989ec52d37

SHA256
54948456dce463e86ac951a222b7655ce250aab6fc242607b0c261b8368da1a6

SHA512
81ded7ead9c35da90cce8e68f71522a16a3e1dbb0a0193880dfef37e991e42ed8e2b63c90b3337a31823ca6aff9bf14f63d64142437e9cfc6a02c756e7e47c25

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
11KB

MD5
2cbc45d6ae0aaa70e1786e85fee6c54d

SHA1
600ef3a0578eec4348c45ea6d40aa08d5f3c0602

SHA256
97323b5ec67764d8564419b1b3e7d53a0ca0ce0b14bba4a66424b0edfe593e91

SHA512
1617caff530d4a1843329c9bd188201ec833b24d5174c371a38323d40516ffc5519945e686b50567ded12265cee611fab0d5b01d854cfd8315577ad816c24448

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
11KB

MD5
0e3dd738a1a62f62723c783518c2a7d4

SHA1
1b1e24c3e5c352208b7b8eb543003ef7fe7151c7

SHA256
73138686454b6f97f6720a30ff8cbe10072f2e93cadb05b311d0ca54006ba588

SHA512
a047f09b896fb7824a482602c484655e7d082706f11375f4df98884276d2f2cdfad9509c12700d1f72f24929ad29d5350c023d9a41e3d916dec4199c06b33287

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

Filesize
1KB

MD5
757ea85b89603696551c4ce31ca54f34

SHA1
94bb669ba779c8e323ad93ee6758a1f3e82ab058

SHA256
f6ea1810808009b2d9fad98647e26b03ceeeb16bb1d730e0347e471d2cc1d7ee

SHA512
d65a5df0421e555d4f88b25dab14d9c6813c38482867faf0fddac7b3d4bcc65519a020f4240ca589af4cd9487bf12050757818c43223a163af66c60612f65251

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

Filesize
2KB

MD5
0e162d05db123eb47bbc7f2493e37b19

SHA1
b490cb57791c1e6bb1e942f2acf878b2b4d945d6

SHA256
b635b083e25e5bc70c521fe273d6a70b25cc97934dc775638628195fb7570224

SHA512
f018e402e976bd031c1ed681243682d9c95bb255801607126e47872d09c83ff4c12ce56cf64450e78e0c55b91a025facb0497ad2310b0e24f1631e361561dc0c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json

Filesize
903B

MD5
eb90dbd805d3a47948d68268a46b6ad6

SHA1
9fdd494d3aa387a30f92d40a91465a8654fe9e81

SHA256
f3fa4cefc69fb02a5a2b9e5089d7d399f1d433f7d7d079c75dfffc5894b2d6dc

SHA512
3f7e969e0f331631016030d510a9c7e2ffa129550bdcab0d269b5a3b9257109eea0a8610a0d366be21d985335e09af8a0f90190cc54d6d806804db0ec82cc19f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

Filesize
1KB

MD5
84f8bec6a6bf76213cabe7d7434c2c51

SHA1
6c5264fc85cea5037be09d83502dfed54daaa898

SHA256
4801983045e4f04c8621197034704e01e378ad4501b7fb8de212963ebc91f69d

SHA512
e0e3e1b4d7cce7fa4348ae47b513450a3b3310ba3a7c7500b0620092876697abc3d481db04b37b9610fbdcc9fb9aa21be29491bbe3e13d09d11787be0f4d7210

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

Filesize
1KB

MD5
27bedcf9d60f5cbae79bd3ad2bbc3f29

SHA1
4751b00064f921be7955c2486cf5e372fecfc0a4

SHA256
3aff659a95280b8ad4c410406d7e67c0aefd72acaf7c90a2e7abe4502522f2cb

SHA512
600a9996f7934146d7baf0416ac65c4e6d42bb39b37fb666bdbf96a71289f9a7f440d871ee7a853fa6ffe0ab4728e6cf0c80c72333737aa411c2eac13053c81d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
2KB

MD5
574355b958619d7f213fd6095741a730

SHA1
c9a9be9d745bec8bfad53f13740c320119015c1e

SHA256
759ee21d1f268a61c1a7845ada3e0b3682c651e36a58c76f3720c05a2e59ebb5

SHA512
136b9aa3292a46274ca8093253b100137a8dda23a752e78254c32749f569423e3f4059dc81d5016447413d3636714a441d24379a7533e8ca1f20cf87f540120c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
4KB

MD5
9a691d505627ffc0c8a1be8c1a9bcbc5

SHA1
e9747043dbd91566c0911bce1a769e944140fe0d

SHA256
1e281200410e4bf0bca9a14dfcf389ed1733201c4ec8545a927f8bf89cc7bc29

SHA512
bbbd2af0671c69b47c352ba2528d55bb4df6c3824a39fbe94081e12eac40f529f8995e4e33e47255aa6e9b62eb32222ee8253f1c87949ed50826128c116e1c28

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
74504eef24d7043608f4577043ca7d40

SHA1
b6d27f02f62a0d790baeae345553f8fe33991a8c

SHA256
dc47e37d225751c28d54179f965028c3ea2a4e2b29bf35f4556e043827aa0e3e

SHA512
632b870912eaf3dfea754597b52534700345d0708b0f2ca71460007f098f3f0052c7c0e105d919626fbacdbca1fea4c3133255520c4d3747ade6a24c9616642e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
8d64cde75ed6f007809aeb92e99223e7

SHA1
701b2feb2c3cd58527b1431807819fed8f8dba23

SHA256
eda2d089b3d353048bba0d2a99e72557987c1fffa5b64e5bcd080d4b49101ff8

SHA512
fc86205297f83b66dd67ae4fd16d779f346c657ed9eb7182ca91b45dacd74531f4a1beb10e1ca79b5838f092f43a4035cf669bbcb753b40477fc123bd4685c52

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
83b10a09b57da141f71f578b70f2eb84

SHA1
f0d515c596d402c657f302298aff4aca85c47168

SHA256
c5e75aad71399bf7217adc4f6a6ab319c63b3e6c1c6b88064d9a680efe67cf6e

SHA512
39c3b9b4476b6edc724ce4532e9c58ede9c60b4f99da8d0243c9b72260ce985dfe1a6c27dfd6eb419b92e2f812c899049f31d1c61e710802f9f2e30c2d527aa8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
86c8c8bb6b8fba19e6dd713a562afdee

SHA1
0c4d960c8ae0152bad152e0d8c1751fc994578f0

SHA256
a550f3dad4f59673b68995434c100a161f1a93b41fb8b9c65c3100036fafcf55

SHA512
95498bbe42f8a601d6b2e936390581a3213726ede56d1ad3bfdddda42b64f8793624a62f98367f8880829d890abab6ffcf728795ae912a9d4cfeaa6fc40aff1f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
2da3a3887e25b2d1f7fa975badca0929

SHA1
f5b8b605e19506f8ec7ee2ca395e3e606cbe20eb

SHA256
daa64f525a3569f2f32528ce62b2d93f8419ec0a7451f9ac1e923b35928db772

SHA512
f3a2d84d20a1cfd7eb7e6db56caef9e2ba43af0b9526abe7bccf95bebe2c6ce0a53fad220482aeb0de98954fe1788d5805afec42172bf4565e682d32a2c48b5d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
b05df225a96de6d838940d4965fdac87

SHA1
994e8a87fb25d0ea2d33afd08bbcfb8fbe5e0928

SHA256
d7a0f3b5d89057c02a6107f5868921cbbaefa9540fac61da7fb2f679c678bff2

SHA512
c9efde8d78726889f3d38414701cb5bb67b24304d26c3d1162a64b3ecf8fb0de43cb65c285ca7411028469c8a55ba85737f873b5bbb3207a1c122411265d65dc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json

Filesize
11KB

MD5
165d7ae51d3a6202c6ef952decb8cb35

SHA1
a0214ee8f8490005998c43235b4762f63a919123

SHA256
db2ef7ffdf5ffc4b9575962dea6680e27dc06d336cacc23b5a6527702a2122df

SHA512
e49c677840f766f76734f02acbcd5475729bba2d71360984410ffa0300ca9cec695087a0651d1ea14276283ff8d0165d8036504f061aed738a469acf2045b0cc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json

Filesize
11KB

MD5
239238dfbaffaf55a889ce383517edd7

SHA1
885abd1c1be8a42753478af1f61fe005d33009b1

SHA256
3d3c1d265b3102d5a65dc6a5377ab40d00a0862eb907c04aa5ec97eeba2231f4

SHA512
14d5c01e7738d6e6d7e243e20e89412b84b9b67c3850a3239af840e1e46f8df8082ca7c473f8c7ffc545365690c728aab36af702ffc2719c4696793b4bd8a0c1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
43a37d80d4c17ec87a16b37dc2d1c26c

SHA1
9abf5262393d698bd772e0a1ab71bdd5669200bb

SHA256
6bb9d26d1d94d2e58569d5fe507ba87fa05091716203df0f30d9d728b044ecfb

SHA512
1c7d9bbe847c079307ec1e1e59f25d57a39c2c244ed049f6f9f2757e7571367dd6f03c13c0eae3b05db9860388316d48e4007e3944e38b154cadc3144b8da44c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
a8957fcc8cd1e6f25ad47a217bcbc311

SHA1
5903e1018821eceb9bdd0a127e201093f614d112

SHA256
646017786fcfe407feebf0b1ac1b5d42b1d63d3006598dabf9aea547a1bceeae

SHA512
310f95f42a0f60d8405acb84864682ee8bcf49dbf5cb6adf6a7aba5fb7c061e069cec9266decb76c9617900a0bce3cf5767d6d9aeebdd9302cfbf9304df4dd67

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
a5656130358af8e4617ff932604d5047

SHA1
5b5c9a7a8fb50ed2b17a6e7a71baf52fe2f93d87

SHA256
e733921f5bb2fb192daffe7426e040f51219bde21c861b6ba55c2397c8c2a3ba

SHA512
9ab317d77e985f97b43e97a1d3a73d043008e8bc0f6cfe0a80780d1d21ddd883918c66eece0fee9772475993e5e3902d3b0563bb10f033bba9aecdf58ddcf01f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
1b8a913f8c4008f7a104e14902704288

SHA1
bbe92a3cc5151eb56a9d9e9d99afb42261d45f5b

SHA256
e6f12cbc1b4e161511e6dd1b28d895bbd1442ed22689a38854af9db37a0edc3b

SHA512
11ab04f55efdb384734b469051cec2cca7adac6388b0d522e97c43a1acc8f2f67975cccbb55e03d4c2d4331856b394927c6c48298528ffc1b971d519b555f78b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
56672b5405617d705e1382334d36ad4c

SHA1
1fc58b865587a502f15af471c9188cab51bf6000

SHA256
26c7e3065bd8109965187f559e85f1169d8a088220f8aca0c9ea8a7de0272afa

SHA512
41b0665847ab7dc1b3cbaaf2dc0cf90144d1171f628dff0e1156ae1707a8e21e1baf7e7faf4302c6d704ac25b5cc2c60b44dce50d96ae161b6077ce8a7b89fa8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
dac3965ed59c6ccb29995e0240aaddbd

SHA1
50931d90e7ff0f3cad929a8bc2a717f98f4e4f60

SHA256
7fb464b207d432b1f8b60b77f21cb8b4bc32035d80bbcf45cde885b56bd57519

SHA512
2c7ee2025c8fbeff91abb60ed4bc8804d2ccfe083a6b93444cd1a780222a678ad08e1376f6783fc7e96539fc6a92a1999e5bbd820cd4308d0de49b4b53301264

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
9709f7a6f36e36e95adf057e8b5bbc73

SHA1
15e95a3317395c9492c564e03d97932542a8de0f

SHA256
555526d42f21952484e868b6df2e9ce7dbfe5dc58afc353c9fb9926a677b63c0

SHA512
e8c1adddfb25000648f797906b9a85a21cb21b7621415e34ffc98fd989a00093d04fc9b0d6902b221f1b37db232ed5b1f62efebbfa07850cbda6a1fb0b5f9e02

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
946d6ce625a72a45e525819cbb95c109

SHA1
8bf01bf44dd18924e4c09f313d57bca6127e1d29

SHA256
c676ea27dc98c546784bfe1d878fb19a881e46e899898a9a1d3c126101021bb9

SHA512
233141b72c1c7ae0fd5cf9295c8c6781aa2d4e5f06d16cd29ba1135ddb133d5fe0b6d825e949293b25d6ab29a57c34e99e6296d288c07e3dcd6d62ebe8ca0f32

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
f80fc2e3594af4e861fdfe0f39b96a14

SHA1
7c9207863efc428a9d7b1a2f35b437c05cde391b

SHA256
e9583abc4bce7046adefe92acd215d35ed032d5770e4be56bc04d4d6571b506c

SHA512
94107334a9accafed641ec0654a598ec68249d75d3f7af2df5c2c44501dcf4343f96e6f5bcccec56c423d43a8ec29b4ff657d7427e91a514655cc91d77930b79

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
8555615b36ed46ea68aa6867338a685c

SHA1
06fec6c30ca90fbfb7a7b22967919eade8a2e186

SHA256
278b5e67d4aa55cc37940d9519469fbb32247f9e767c90f8a6733614844cd449

SHA512
5677bc850c696769d9015933e43a57401ef0c9faf7cd645136f51d33bd99c21b6820bc7bd5e950c3163a890a3d69e06a364abed5890a9a92160d6e849a05ece3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json.bak

Filesize
1KB

MD5
65c2c111f2ef0250ff04c4089dcac3a8

SHA1
971a5abd906192bd4f5fb9d198f14b1d5442046b

SHA256
45f83a6998fe31ebb214477e2aed6d73d16d2b14df13d99a14008f221b3a056b

SHA512
6b477a5facc77bfce1000fcd1f6d1f792dd4a32db0e7b8d72d82973f4435510b5090f891399a87088eac5bb6b1468e5fde013f558b728c8d677263f381a673b9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
de1f075ee6db27e6145cc766ca59c0f4

SHA1
073da9e04fdb7b8a4ad9e960285ed18b99facb61

SHA256
8b998f1e6a9309b5e8b1a8c66126fba510a27a3186a3713cef096ce2b234cddd

SHA512
a1daab32c9448c4e0c6f2388907747697b74bd4656d40d95979a8458744567321e0c83f37350c93629c0e5755e953f013a8a909d76498dbdda55be0599b58330

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
688cc0f26b9b2830cdaff1d745847c49

SHA1
577ac6be6df0b566bf3e67524457ca0cf5153fa4

SHA256
9afb7857c008c99b7c16f490aa49cd84ca5d421e7765df31f8ff38e70f75e3ab

SHA512
ccfe8cc72a8a36ebedf343a1fefdd51ba509fa8fbb37c2055e19a13198cc367cf7dc97eed619ea505ecf0d3517f2172f5b846c4f928744dd3cbd1e0afaf05d81

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
493d3918478a8f20a6ae22be5e7a1021

SHA1
4273fc663542f9aa3dbb29e76668bd0e3ca2bc8c

SHA256
e7232c6a19dcde1eb8c4888f2c972da3839e09e95879e7d5cc34375ff1999553

SHA512
e2728a660c7914a4fcf88efaf311da20746325f7fb330ba829459008ff32f6d9de055c7d976a46013819b24c8c86c4a54b6a66bb58f76fb59ae0c0867888e4b9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
e23467c967322bcc03a1915eb7342cdc

SHA1
ab922a1c6e9b0bca288a2f587f9b687158be85e8

SHA256
a8db1324b7f80f482845380f0eb8c012c9c63c1afc17df8bb46373465e7f46b8

SHA512
0825476fa2251158edcc0d89d3e76e939897257749102dc4e35689ef1eb2d1d9fa26dfd078238647077668a7652b96c549f28fa2aebab34366e8ffc8ba1f7061

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
299e47422434614eef8b7f4231b9fca5

SHA1
edb4a2a0b31b062ab634cb194e66024975eb1e07

SHA256
c0303b75addad595a3a4ac3b2762ba00e5fc78ed301080f0758863cfd56f4892

SHA512
ad0f4a26379114a71349434b03201148a8a3141b0f6966fbe1db72a41d88b42c6eab41919dab4a5a8472b2cca3b323ad625fe2cc5ec8a4262e223b0d410bb8a4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
5dfe80c1102a63e0987dec5a7e7cd176

SHA1
cd5210498fd5d1ae2292d813e2b527d8b412b01f

SHA256
6b80f8ed189e23b1b8907db106f4348f03fcc470e6238e433cf0022778ff0b80

SHA512
a535939a7889f3b368ecbf8adf2721b1ff3bebed848489e520e10f3274de4d76d5005af99dbb9bc406b2b44a41564ffe1721bc73243fb6eeed264e7e271844e7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak

Filesize
1KB

MD5
22ae6d70b945b9b55647859d4fa67450

SHA1
4d37f47cff8904400341013902c8635b5bc38748

SHA256
b71cb44996fde2f1dc28e7e6902aec06d766e8a4204659910cdf7a0be31b87dd

SHA512
108b2b9a51e41ea45612fd620c1589c8e3fc30af06e91faf578703ecbc84fd5097a8b9ee7de8ce9c69bd30fd27303fdb981bda4799711447f028b9b9d6ee804b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\DA4.tmp

Filesize
68KB

MD5
54dde63178e5f043852e1c1b5cde0c4b

SHA1
a4b6b1d4e265bd2b2693fbd9e75a2fc35078e9bd

SHA256
f95a10c990529409e7abbc9b9ca64e87728dd75008161537d58117cbc0e80f9d

SHA512
995d33b9a1b4d25cd183925031cffa7a64e0a1bcd3eb65ae9b7e65e87033cd790be48cd927e6fa56e7c5e7e70f524dccc665beddb51c004101e3d4d9d7874b45

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\DCB.tmp

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\DCD.tmp

Filesize
30KB

MD5
d281be80d404478ea08651ab0bf071b5

SHA1
e81dc979d8cf166c961c8e7b26f5667db9557c47

SHA256
5e627fac479f72363075824423d74d0a5d100bb69377f2a8c0942e12099af700

SHA512
fda7c43fb6ee71c7ccbad7ad32c1f00e454ccdee3bbc35de4045abbc8998281cdab9c506fea8417df25ff0ef09471eea49f63b2181e160c62bda804fbfd8c376

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\DDE.tmp

Filesize
83KB

MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\BrowserSDKDLL.dll

Filesize
5.8MB

MD5
1ed53171d00f440f29a12f9beb84dac4

SHA1
4d9a1e3579b0999f1ab2fa818b588411e9ee920c

SHA256
e659e687a872050f9e65d78992d16bd9b393cf3f8e8c94e0e15fb42b7065327e

SHA512
17161cfc672d1b996b8af4ebac17f9a8a3807f38c9a23e2e5b4dadcd9a21c3a64faec9bf59147022a9df88b80f89300f1b537091289bd7a42806bd206a317e6e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\ig.exe

Filesize
1.8MB

MD5
b387dd04a4009a17dad6d7a7ee5dd629

SHA1
954a72942b61de420a96785a93186da528055d2c

SHA256
4c4322833eb878dda3dbd431157c7bee9fb015d957c7987bc844826720be45a9

SHA512
819f24b2830a00734242d4bf90f8a10b0c0bbf11fc0acbc14c53586c51e76f28014be7c3a03eff66a09b9dc6a91dcf81aeb9fd7e7c90f40966f6395c85d8a555

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dll

Filesize
528KB

MD5
f088a77cd4502564d8b7eb80c3e85144

SHA1
5045b3f33c6504a7db7844a93ea68b968fbac7f8

SHA256
db0ff1a6dba77aa30d4a18d2453c88f7a964bc2dc9cb53d4543c2916c18bc4c5

SHA512
5f7cd3a7666ffcc90186c1c0d31885b40d34a7d8d75b93695734a7fecfeffaab387cecda9b0528af45de8a8a9ebe8c2ffeaa31e01f0d16025ad98b9657cb76d2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\version.dat

Filesize
26B

MD5
43adadac955bca9ffb5ba0cd95f1d57f

SHA1
568493df97d0766d62c9a05deb16138d06dd4675

SHA256
e5372992b80724f397ec925b5828957a2eb4f34bb612acda08101bf723cc55b2

SHA512
204d4cd106ea6fc2f335fe89b6f262cb6127918cf030a39b21de32d65979b6202bf77c736fbdfcb6d55a143b282f4bc46603504d7b47c6a00827bd525b5699c4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\SdkDbUpdatrV5.dll

Filesize
2.9MB

MD5
8eabfa07079f51fd528b7510b9a97fdf

SHA1
9a2b1d3d7824df1bad648e3675b7fa945ca418d8

SHA256
c474f651aaf9142b8b73869c9e69b4834c97f497d071a34ea2b269cf1ea1fda7

SHA512
a4b459056c5cffdc93fc21c2c0ffeb905b9bb41a005bceea84b9d3d5c14f28bd6f8fbd5788d4cbc5a36a0e57308afcc753c5c86e2519e10b0b929eb0a859a435

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\mbupdatrV5.exe

Filesize
5.7MB

MD5
694bf0dff0f575747e93866e1927a310

SHA1
344a9fc081eccaf2dfaa25b69313207bbcc91848

SHA256
a0c821aa71b3827e4ea128b062b19b9f61d0513906133e40d213b1fc7dc6757b

SHA512
f0db577b97c9884b107cba652cb588312d787e1cc407910b7445fcca41f990bb179447b6524d536ca54da87cdf5d2b9b4bf14f8c3002042fb6911e22d3e0f254

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A4B782275DC1682E4DC39E697A49B151

Filesize
1KB

MD5
96c25031bc0dc35cfba723731e1b4140

SHA1
27ac9369faf25207bb2627cefaccbe4ef9c319b8

SHA256
973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6

SHA512
42c5b22334cd08c727fdec4aca8df6ec645afa8dd7fc278d26a2c800c81d7cff86fc107e6d7f28f1a8e4faf0216fd4d2a9af22d69714ca9099e457d1b2d5188a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A4B782275DC1682E4DC39E697A49B151

Filesize
262B

MD5
424554e0cfac69ae6856ddd4c4ba0cd1

SHA1
9e15371ead52382e5dd59145476460cacf3fac26

SHA256
f74b13cdcc9bd7a513c6ed81571220d75618a964b0b44d6e51df30978c26ea5f

SHA512
e45c764e30fe9c265eb15fb16b6f5ff8042d93d0eb9f7dde0f8b9e834ed6e553b2bef181444150e9ec7a4e731bc104d6d4901089ce4363b675b14f6c32b4ee7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
58KB

MD5
6c73992e0f0c77305a6cc873d1166661

SHA1
c054fa30f163fcc949ceb5509364789280901df8

SHA256
47e6ede66b9dec2e36fa3a77ae055146811ec9649a5505fb9afc62b257422aec

SHA512
3b907fd296c687b4a92617315b0ac216f591a9ba05bfee7ac6877dc6ff2899aeb01d7e77119297ddd150520d3bdbebff2a3878f394c6bf95f64af166a9f8d32c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
40KB

MD5
1128652e9d55dcfc30d11ce65dbfc490

SHA1
c3dc05f00453708162853a9e6083a1362cc0fc26

SHA256
b189ff1f576a3672b67406791468936b4b5070778957ba3060a7141200231e4e

SHA512
75e611ba64a983b85b314b145a6d776ed8c786f62126539f6da3c1638bf7e566c11daf18d1811b07656de47ff8b50637520cf719a2cacc77a9d27393fc08453b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
481KB

MD5
2b4a2c0d107bc671d4b39568a47aad66

SHA1
779b0775413e557f972fb43d07c4e1a09d2dbf01

SHA256
cccbd316b2e050d41ebf62c8c613d5bfae33cd43104ac3b772c9e10950a3dbd2

SHA512
26d41601eabd090a6f6fb2e99d270f1631e2a4ecbade927705cc1ade3495757b097f0832a8a1f915688fb6072322b10071c93bf81d4304863ed53ec41c71fbd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

Filesize
29KB

MD5
d453eca18d366c4054d2efd57717cf9d

SHA1
c7b0dfc73bb89d8f0a94e2cde0eeba2b5e07d5c4

SHA256
be8f4fac2d40747a0adaecc6f1befe81b254a2b12bf25ce01d7194b374a457fc

SHA512
a6f770c9e4058e8c17f3f72a245f76075441e07507ef05d455108e1768ca2a93f851b92335b33c1de61cf941cf135b0be4698d3d551b54132b2d5c882fd34835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000038

Filesize
64KB

MD5
ecb683be42a398dcf103200629e53d28

SHA1
d0ce039a6bb1b0463b18aa26fd891701bbe67a43

SHA256
a7e042dd66f97ffff332116208ac95f3e5a21f7004dbd04415e5d1d3f1e7eae7

SHA512
da935990fd331c30ec66ebd0d0fb8973d154eac64fe5ae9657f6b8821506b17dbc287cc413fc568063dba6d39b29e9cf50064084d1381a4790d24f91a3d7dd17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000049

Filesize
30KB

MD5
b7838d081d11d52348ba4d72f0f8bcf5

SHA1
856fdb6942cb5ff7e96aa6c748229cf28f9a9f7d

SHA256
b78708700a3b0a8b2ebd9b8052da0841abc71879a6f02a227e1d7530f3f0cdc0

SHA512
0886509b68b0820c181815541e938d31b4a837de10506fd09129ffe5c98053fe012a7c7eeffa3c881f88f14823de177ce2b9c6aec7d298e6970c34f5064340c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
78735509afd2e54b38387a007f934b3f

SHA1
d4b8a42c4bea00f3e511409aed4cf36bf9204d2c

SHA256
513f6443c6975888800248ca208d646b368934387221909b8a8a42d9d2a91cb2

SHA512
10168f75b7b41917556e0919a12a5207e6eed41a152a3a0a60bc312550330312a43a2b3c3e6a8ce14579b270abffd661d5b9998c84b17a16d7e978515e9427e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
93f821e316c179f8edbe7ff57ab97198

SHA1
61ea2ed72ba2b5aea589b86932ab06f4664f53bf

SHA256
c8a8d149c2749d2c8b74868a0d7de568badb0e222cf9a46366e514dcb81f034a

SHA512
8fad0dc1f3bc5958cac31f28a10a453ff7ae78c8c442a2e1437c3df0b753aac46980caaf003a5008980e05cd7cdd0beee0af784335bdd8f5955764f106f36970

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5fd75865f89c71f74c4f48030e79e8bb

SHA1
27dafb4a939f254c44e06cd8a46dc7d88fe614a9

SHA256
18534530c8dd031830fbf359e3f9e6f5fc12b83fb557796450f3c351cbf9b302

SHA512
81eeba2ac003c6086fc49e63203744126d74567b395aab0683afa16353e43da083bcce6c6a4fc05ff64e12898a258c81bc861222388311e7407454d7e5f5afcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
83fc941df570d988f1c825a7e6525f3f

SHA1
71dd8caf5619fb4d74e8bf0ac31b7b7dd85d8561

SHA256
1b9548542298965b14e7cb0b72fa68a07eea0f606a7d4caa7f26f0276ac22eab

SHA512
5702d41733211e2b02d2f548c22a509d8eed33f945b2fa0aa43d38071b9b1cddc9906969320431bd04f55981eef37b8dd5c74c4a65055b8013114533417232d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
a06db35cbef470bf1d459a62f0b28ffc

SHA1
d605e948beeaa7b7ffad668b29d3fa795f5e38d3

SHA256
d98e73880d681dbffd49408390c529b2e2605827aa84b836bad63643f015225a

SHA512
d969a06b27b0115c203f603e8e7a5b2fced666c257b00c48c2e98023f3fe9e6f2e3adeedcaa4dbf119ebda0681a6a2ff494a6546133bd31b8935a3d7a3e31fe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
19KB

MD5
351ff26cfc165f0d43cabac638e5fe17

SHA1
508542c2a50ea1fca7bb79fa28e3e7f10bee8c39

SHA256
a507061b176a85d26511fd264ad96f9d8f22d6925ddd7c8ff50ebc23e4ca6abb

SHA512
7c42403181ac74e980d140550a5f2a13bb98adacf40677817b4a8be2a702bd5f664cc392bba07997095914971326826ccc8e54bb8788849fe53244f2d5a46d27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
16KB

MD5
43949c708c7496b3e622f6df986bfda3

SHA1
7babba9b697211e48a15f53efffb525f75d464a4

SHA256
052cb8ca0e103293dd133ee1a16aa3c5bedf76a2c1f7f4e920e8ca2d39fd0b0c

SHA512
99fc4962b9ffcb5cc552395a0e105d8c04631b7f989e6012aedb4631647ba5aa7412c4ce6ddf7e8589247861f2fe0d4011829eea2a8398bc85330108b63703ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
19KB

MD5
fa2f08c5708ce28010d7094d741f8fd0

SHA1
40c2e3fbcd789a144a43a6e263f69765abddb888

SHA256
e63c2da6f7311bad2836d38ab23efc0b20b53f7e7c0dd1b720dbd72ced32a2ef

SHA512
695897daad26d000cf96f30a01f6c5dbb87b511a8cf204fddafc6487565957382c8aece43f08c641ad3e94d9ab3e024da612312bcf670af7a4d0e7e52612db5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
86087b2df41ddfe14e78ca34e92fc0c7

SHA1
7dd3d8bccaf11a3c6607791dd11ed9016a27e4b0

SHA256
07b69b8270a978b7eec3ebd77154ead70ee0c2556f128ee8112b5383ca311640

SHA512
8e28e530b27919a3c604fcc3858a55429407a1672168dc322213075a4f4e09efb0a78e752ddaeccae43c3c1aca0d434a301ad49beaa6cba83f8d7242c02fb0c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
601c5c445edd21fbc2ab2926ec6d7d96

SHA1
3d5039b7e5110a534a906ea563aaf0be7af78294

SHA256
6d6f0ae99adafb5f521c6ccc009d308363b7f7f64bc934d4d44e067c4bf12002

SHA512
e6bff31f669ff79da4191c61e6a763e2fc002e1cc8d2cb84682ac5b2ffbbafbe34350220203a358cfdce5feb9286edd128933b927fe4428938d3b379c99aa86a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
040cdd55397a68a7e465dcbb782af172

SHA1
cc034f892156b9740c39d5d83543c58f8b06a388

SHA256
9391da350f9384b22660000ace298d82bc585a21c8f90dcd4a367b5789efa362

SHA512
fa7ba572362610541cf2afc136af1d752113905084a6f64963877160894de2431149c2ddd5f52b00d4755ba52f3a61f41327d1036ccf9f296029faf74a1fcdf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dc6a99e2e628f865d8127bab9c595b79

SHA1
88b8275ef0151979c217604ca2a0d34b433aadcc

SHA256
03763fcd16930e7b6e63955b4ad2e36871ec76e70cb21e8b85b69b1abfa3cdd9

SHA512
f1cfe080e91d65b8410cbdc18d175182df8a766ad26a806a65c7f6ce190cd7839fd17b48bde869cb92dbb559139a4754eb52991a7ef17437c807bc20f11ecd05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
e88463fe14c0573e03e87ea5ed2cc49a

SHA1
eea421cf7821712272500e28bc9838f3fa6383b4

SHA256
07d53a675754ddc1d65ef54445265c51aa27497db6a04f78cfa851bd9a4c4be3

SHA512
debf69300f4eeb81bcca4b8b81ef3ab93605319c1706425674e3078e2cd52b88f1d342dc828d5d8dd1edd938eab2f0caba91196e657d392e46250f3e24b188b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
d5c58718b753923803420beb87dbc1b6

SHA1
fcd9238cda97864abc06d9f4d05fb54e8150ac5d

SHA256
961bbba36a47140f87cb37e7d73e33627478c7469fcedcce8c2c1a642e4671df

SHA512
f44d5ce530390d7364cbb4e84a69903953999c2e65b4c0e111b0fd7b93d1de91c78ae779dc90d4df066c09fd5bc485f57c4df64bf73a744d65a0a761feeab179

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
505a545147a85f2c04a904ba03e59ad4

SHA1
e80ae4248bc9d22879cf7c2ffe621d5dc9f7ee21

SHA256
eb5743319f4a259208ae57b47c2fe421e51d99a3df5bb02e94df1183ff29bce6

SHA512
078bf74b8ba6f72d96ace2081b599e7c2cde6706b4acb454adf1984731417d6ebad8ddc0bfa5265f3b38f9ac2f279a49cdd75bb446f2b2278cbd4ad2bf14d3b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
4a360cb1ad313685e128c99da0ba7166

SHA1
f690f9da5b3316419861280dcea1b199b6b5d7e4

SHA256
7c11ec18d4bafdeef564e1798f077989583e44b2fb6c08e4f904c74c4462f53e

SHA512
e1177f2c13cca0f581556053d5cb4f7768f61b8d85976e879367695fc8b5b5b41f91da9ba385841be90f86bd209e97db76b84eb24adde77309dab61accaef3bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f708434ba681176b822d760bf97f4840

SHA1
87880249be32fd8d711cff775dadc8e757fbf463

SHA256
fb73d71cffe7c9e2bdf32038d1427d6bc8d5e887607a03fd6f3e2026540c37c8

SHA512
8c521b5d3d8281a042cee6a979d1ad7aa75c00c82cf5594bb2fa9b3e9cfee996914a4fd6990eca4c3bab14ddea67465a5cdbf8dd3fdf21136c54b286d19d0441

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ec1a5bd090bdefcc35b60c0ddd472e1b

SHA1
22fca5cb1eed74f4fc46548beacf3f229b9703c0

SHA256
e58844162f24a14a2417abf75dcea967fb75611a532dc382f87638d89f653535

SHA512
1e13803b2997fa8b831a643fde36c68a826ec3f16fe347f3b02fbff63741325676301a761cb8a396422dd811cdc468b4828518a2d2866a2b86b6e3101a322719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
748aa051c7471b38884697d2c365bdbf

SHA1
7ba3a783d54bc4ec76db4c0b4bb77c0181fd061d

SHA256
de5b301fa27c0557be89774d7c754c439b73f2d40b09ffeff4dd38b0a468dbca

SHA512
b32115e8a09390e3039a381abc3b905fa9436bf9185531667d35eaf87b9ecb653c1998ff56963312c28181b31111c673068416f0f30230d0bd55d54982fbe7f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
59ae9d236a4c9a62e98c2169f59d0224

SHA1
056ca324a1d4cce48a6711ba27419b23380686f1

SHA256
94bf1a94015fbf2b91bd91b9acfc377e8bf659e9640a62082c85d0ceded1c8cb

SHA512
a6577dc6e2febea5090dd1fcbb8af8dbe609e42c5ee7c925c2cff5cba9d3b3d4f200f7a846e818c49c99bfc7fca4aa04ffa3a60c49382b9f8f8c8a941082ff3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0855a9a55ee3440f71bbb42abb03f374

SHA1
b97455d4f7876add332de3129b96c62681432d68

SHA256
ab5cded90be07a5570487e23e2835b58e185bd9e803ec5bf0f6dee59d62961fb

SHA512
ef3ff90614faf49539d2d92ccd60c75c25479b0fb46d39b7171d2ca1e337798c03790277fb6f883f52386f2bdc82ec2687381bb67becda83fc46bd7a1ce6352d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6221c5c1b70bf48a28b3306405ff66d4

SHA1
e9fd44388e3137ee09bc001eaef80e8bc426f902

SHA256
d537f1aeb89fba6f2803004cd6311dff36f23e7265a32bb6e58b1147355dd16f

SHA512
05aeaecf32b031e607355b1aa0ee2460d79325166b126013a4d38e86d80e6e7ee9fffbd564b18c12c590c14edb313a8ec6895e09a0011f26ef9cc37c9f7699bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b6def5fe84450c23bd0804ef96be2f5a

SHA1
456fef0eb9d4719335ff7a3cba9ef2fc109bbaf4

SHA256
a1a91073eb0fe51c05ef477f445eaaefffaf7a4c4eadab76088e436404f28c1e

SHA512
e35cffaee64465d79ece51e3aa440b34e8bab366126e62b2f00f64eab3d4b0e7aef9511f792e660e0454ec2de4be055f66081671095aaf47be541a07ad4c51f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
cb49616b9cbc4e3a875d23a88d026dd2

SHA1
57619644e720edeb6774cd2aeaf307e17b0928e0

SHA256
9496866aa5b92a0d5ba6507e50e5ff51c66c3360dcd31c62ca29735e5d015be0

SHA512
9d2f926d8a8b045ea7d1acbb8d1f41c557c143064aee58fbed47606502faab72736dabf4426d7961b81a331719e32a1c89c2962577134ba956ce8cbcc63ba895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2bb267aaf7653c9281819fe94d947162

SHA1
8135c3a7820447a8c74c27794389db648dc31e89

SHA256
445bf6ab8d7a8011941ea650f00fbabf32ec736525c217676917a6d80311f147

SHA512
4d315e4150c642fae6446671115d1071cf53e520c8c9987fa5b699d76713bb43c0a00430d119422a3023028287bb362bd9defc177451024455afaf7423f2aa74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe613d27.TMP

Filesize
48B

MD5
b2a1ebbcbf4374bdad7eb1d0e3a7a908

SHA1
cf0df196652319d23ad7bb5724c52fba9539be36

SHA256
06d47c0d68912207f40a19c7202d0a599d210f786b88c9f3ca9f616e9158f84e

SHA512
70732c4842f34d4eaadf83c762bfc058cecd274cebe753647c09fe7a1e4f906e2a7f3b25622f327f9cdb1e0fcf5685fc57772bc62dca3b58b18a16b8053dbbbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
d7c0622c5ea404324f4cc115af186617

SHA1
e470d974e6ed554579f305e0e7d882f3c58a1f1d

SHA256
2400ee22ca7e716dd578c6801fde1b1dc037d552f9a7190433a6ba0e5d7c25eb

SHA512
5b1a8b9cc9be0634fd9bc71724218d88ceb183e23461744160e02bd72675dff7d9449687fa7aba2a01a335406340c4e7817b633632a0bd6f39a3395030a5b586

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
5f89d6d0323b76eeef34e77a53927310

SHA1
199208d9a20def3268f7dee8590be37b00290060

SHA256
d8c023a8a71b508259718c16a0cf9b110055fee3b37bca01768cd129c2153953

SHA512
f11a583f107ee06004e1be50d0f1d73f00e25d9b4a3a6afd849085622e7fe46fe2da448ba7fb15e75872e557c6eadc100c083890bd07ef72bdac3297bd4c671a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
d5a6aad3cf05cc810c5f7071f8c79cab

SHA1
bd90fd17b812b80989b8f44a5533cd13b01a46cf

SHA256
3e127db685a81bd3929f3dff90950b2e1f9316c0ec7519bfe31a5dbfcef8c77d

SHA512
ef07c5f24a179520b3dcd90dccaa72822953b76825c2b8793916a911232647017e268bbc27bb6522b61982f59df5af86cc042abc20743f67220b4a4a15469abb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
b4ed5bf2f70b8626981fff587e4f0ae8

SHA1
91c33d86d98b1d1176e25540c549335cafd2e7d2

SHA256
b84db501830e47de44f8a92d9886db1d67f81687e16ba1abf4a545fe516dd889

SHA512
ad72a97975112d30ea73f6bc18249519a3d0bd76fda8c9c0b7c163cc0d399244f2d6c456568646e8b7a888e00c98f86c5207ac102030863e4e819d67a00c9128

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
ffb10ed36ed90f38f330845931c85c2e

SHA1
789770babc74899e607f272f0e66110e7d12b99c

SHA256
c8b94e50b364b918c5da6397e066c6dd326aee048bee4a17378b166307dcb583

SHA512
141ffe16d0484cfba547b74beb28ecfa2afb367e84a111b151c4c194024a0ca9108cd3fcb93bec85d3c5b454dcebf4d5e9fb32ab4b4c06938e7b61efb08ccd3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
6ecc082b53bafacabf51d2bd247680a4

SHA1
8ca3d2f87cd53fd958c1c4fcc9ca0991ce28d926

SHA256
4ec2671a720a129c97fae8b29e843c8db8b789a52ed92557b49abbd496885a14

SHA512
88b6795078d24ebb2fb2506b29ac4183cdef393b27aec3a8bbff5cd0c715764aeac7445465aef24851d5f53e51a346e8b21f1c7e12f8cb39467bff981c662ed9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
5e43804f0aa9e72f78412329a4819669

SHA1
48b05181153d9b43ece051911b7e992cb135430c

SHA256
6db7e0e1079b5ee21a5c1e72cad2dfaecd82e66cc8978b2849b94f9aada6d216

SHA512
ab2f9cc743758df9075d419075948065eb01de75baa1ba0aa8521bfce984e1bbf8db42c7cf4f5233444f87a88bfbdcd369a4cbede4390431c63055058b443750

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
113KB

MD5
e9098c9fc2bcc642518d7edc47e16aaf

SHA1
221d3dfbc45faa864176d80651c8801155f4b900

SHA256
dca8be17e081f7f5eb51b728d6443588cb36ea9442b7e1960b5604bc1394e2b9

SHA512
9d80767d2573c66e3746525a2efe02461d25e5a0d014ca665a0e91e5a85823c97f1269485fbcf3287e2f4f1050c1ab4541e8215b816acd6e8adba3459d49f7ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe618fac.TMP

Filesize
99KB

MD5
25ff4f40a2ff86927193b3cf5befd5e9

SHA1
49ce9c9328ae5e7076fae05e279dc64753ecee6c

SHA256
95a10b516ef584daf37c71fc1ef3fae7359c4872890a37c37a074c9f21b76368

SHA512
7c4d72d2be3d9823843fa71f0daeee4c3690fdc0e2097a6a77fd5dde0ffcdecacafbc3e1fb1f81098d6f8848acdcbfd5484eac275070746966495cc23e259a6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbam\qt-jl-icons\280ce82d540.ico

Filesize
4KB

MD5
91a74c169917bee7cb2c8ef9dc74ecbe

SHA1
8633b44ae58c4b201078114d925f551b36c549b0

SHA256
1e5eaee00708bb44d5d053ee25da5b273ad855b7f49456268dcdebac5d5d5710

SHA512
d5274c14e4f1aa99d5ead0cafa5f42fad074092944d6f48c3fb0cc6a311f958f97e23fdeba3c5639fae0751f692f9e5f85dd065baf2638291f2ba2a42c4afb72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
15KB

MD5
0a536d42d8a0f31760df22d108bbb1c5

SHA1
06084029109dbf0d550771534a6be20081b49c37

SHA256
0e8cd6d95a0200ef57c7f3f4d327ca532dc958b53c480f6b5fa798ef3f7cb453

SHA512
d31e60f817903721137b5152b9cee842772ff43ce1ef356cd63f812ba9b3dcedf30aa19726f2be8bd39b98d59121bf5189186cea5f3fe4762fd02dab720de580

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
11KB

MD5
9f10d6196f05a19bf7c3330c4226024a

SHA1
ed6fe274dce3991fb630fda1155f028a0dd90872

SHA256
34e9c450cd782d482d372133f008e4a060926db616e36c38dfff1e2c12f5b783

SHA512
75649df86bddbd0d0269c90e4941217a51f2f8845a82211857ab07b33213c20159e996391c3365eff916c7bc8f8aa061810b16b6a3d83911ab5bc518db440edb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a712c324879904b1.customDestinations-ms

Filesize
3KB

MD5
88ecc8984604107ab77459abf1bf39b8

SHA1
428717614e1eae2e8c022f218804d7b5e1886285

SHA256
90a7818c580bd4b778441dc6d848566a35b31864a7ab37d5c73536c945aeec81

SHA512
f51abef781405b9c4a458c3033cac115b8c320f0d5d3bd2da6ebbe49b19530f237cb5274c486251b64d6170b48773fcd283453134eb816cafcebf48e7d0b5573

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a712c324879904b1.customDestinations-ms

Filesize
6KB

MD5
fa165a9e0a05aa3f40755b600dea2eb8

SHA1
4fbee7e710c07b43fe019f264202b5329eb31096

SHA256
4f4da8d82766b121dea34422868a4815d4275fd867e1b6436a824bba2d880207

SHA512
504f09eac6617d8e6567d22266c0b9a59e52d4d83e8995ff6e79c8b57aae7c51d83a7a72930c600702a9e8e9cc9ccf5a009b9dd8567167c3808f4cf3c56c9220

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a712c324879904b1.customDestinations-ms

Filesize
4KB

MD5
f30429a835f91050db3c1a47f6bc45d2

SHA1
4211012bdac7c48f4f90b96093d494d7811a4642

SHA256
e48b7cd2c2447f4d137a52bbe3c08c4666fdde64994cee21491464cd9e996ad8

SHA512
4e28dce2dc266bf5e76eb947e18564a6df5e77e6a763452fa5775cbb1f337c3f74a5fe0399b66cac351b27ca3e00777930523b747e4924c7ef192df876fc7d05

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
148KB

MD5
89e93562dda85284860e27fc75b51456

SHA1
b1e1dbb299e43bc401a78601ce04c5dc563ce731

SHA256
9dbb014945cda22a0ee06324f1dc662acf51c50170931dc63d6a592573facf11

SHA512
00757d04c97f28ec81677c912d8bd8ff033442774d59b57f807ec2db50bfcc2704fbe784de04ebbc1b3f31848ce8ae4619c4065ce9a0528e5dfc33a9c7528d7b

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
149KB

MD5
692bf7f2f3b63e15c6d89675cd4afc22

SHA1
25fc8b1d815f3d0e96b65608cbdf21f0e0dbf710

SHA256
1f0f3449e2c7cd3bc95e5108886d82b02927774f6975dda1b5505f25c2dc05ff

SHA512
bca03d7793f4a249a7b37d8c9355d3c12432aa95110cd790922ac80447f1f1ea25c268e0f7f526705d5adf40ac6ab66025d60802b4367d20a388f61befc7bc58

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21EA03E12A6F9D076B6BC3318EA9363E_6EF0095DA824AE045AE9FC5B645DF095

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Windows\System32\drivers\mbam.sys

Filesize
76KB

MD5
113e213914c40631aedef185984c5629

SHA1
57bf886bfe1e4d765ea43e4c91709a5c4a9a024a

SHA256
d314cea3ba19c49342763fca6b64a33f12d730a8fa531ed9f7e75675035ba004

SHA512
76d7286963f28430d8a9bc3b59adf209b5fceb6a5248b7be54c60fff0b931ba2cf46a779f7e66008baa0853ad6ce55a4b9dd56e33574230d1e2588f7679630b8

Download Submit
C:\Windows\System32\drivers\mbamswissarmy.sys

Filesize
233KB

MD5
4b2cc2d3ebf42659ea5e6e63584e1b76

SHA1
0042da8151f2e10a31ecceb60795eb428316e820

SHA256
3db4366ccb9d94062388000926c060e2524c7d3ee4b6b7c7cf06f909f747fc6c

SHA512
804d64d346b3dbb1ce3095a5d0fa7acc5da0bf832c458e557dac486559fe53144f15f08c444fea84a01471fd5981e68801a809b143c56b5b63e3e16de9db0d98

Download Submit
C:\Windows\Temp\MBInstallTemp355667c3bf7411ee9371ca152a8dab80\7z.dll

Filesize
1.6MB

MD5
ab8f0c1a37c0df5c8924aab509db42c9

SHA1
53dba959124e6d740829bda2360e851bcb85cce8

SHA256
6e223b275b84d948cc5ae1f161f0bfff2adb34de04634c84d7dbe9305a4998d5

SHA512
ff8a26e8fd5a08c74e5ba93a564e0d3cd932754e7f06993a365bfad06670497889e69ec45bfba1378040b72f82d468e79682beba2439937bb29d2a41da940d4a

Download Submit
C:\Windows\Temp\MBInstallTemp355667c3bf7411ee9371ca152a8dab80\ctlrpkg\mbae64.sys

Filesize
154KB

MD5
95515708f41a7e283d6725506f56f6f2

SHA1
9afc20a19db3d2a75b6915d8d9af602c5218735e

SHA256
321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6

SHA512
d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08

Download Submit
C:\Windows\Temp\MBInstallTemp355667c3bf7411ee9371ca152a8dab80\dbclspkg\MBAMCoreV5.dll

Filesize
6.7MB

MD5
6781acf0373940d40b9529e30cd066e0

SHA1
92a5409f61692ccfb2f20eee7b99c30982334604

SHA256
7c1c3c0dbd5fb770a3abd43f65bac4f08eced79b75431e79b88f0b766d278a51

SHA512
14c1cc517282fd9f356949d4a00276534b84a8fbf3bb1fcb7d683aa46c311f12a6299b5c046a498724109b29f64bdd91f53d27baa2418dfc1c14df68f3a8171d

Download Submit
C:\Windows\Temp\MBInstallTemp355667c3bf7411ee9371ca152a8dab80\servicepkg\MBAMService.exe

Filesize
9.0MB

MD5
732197b86b24b54d0c38ba4fc8cafd25

SHA1
a1431cba5eb0ec353586457bc39fd1af87801313

SHA256
dc803f356dc58973bae6b3e549fede269582426c8b9fcc3e69c06798ea8119ac

SHA512
6993d1eaaaa09a94982c54a6e5d1698fe251fcd8970c0f37b0cf8a9228758114427af2d9ec731e50c2a3490369568ecc0b5baf4dd4c572b05216be42a8fa6fd6

Download Submit
C:\Windows\Temp\MBInstallTemp355667c3bf7411ee9371ca152a8dab80\servicepkg\mbamelam.cat

Filesize
10KB

MD5
60608328775d6acf03eaab38407e5b7c

SHA1
9f63644893517286753f63ad6d01bc8bfacf79b1

SHA256
3ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59

SHA512
9f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7

Download Submit
C:\Windows\Temp\MBInstallTemp355667c3bf7411ee9371ca152a8dab80\servicepkg\mbamelam.inf

Filesize
2KB

MD5
c481ad4dd1d91860335787aa61177932

SHA1
81633414c5bf5832a8584fb0740bc09596b9b66d

SHA256
793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3

SHA512
d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830

Download Submit
C:\Windows\Temp\MBInstallTemp355667c3bf7411ee9371ca152a8dab80\servicepkg\mbamelam.sys

Filesize
20KB

MD5
9e77c51e14fa9a323ee1635dc74ecc07

SHA1
a78bde0bd73260ce7af9cdc441af9db54d1637c2

SHA256
b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0

SHA512
a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186

Download Submit
C:\Windows\Temp\MBInstallTemp355667c3bf7411ee9371ca152a8dab80\servicepkg\mbshlext.dll

Filesize
2.7MB

MD5
b7e5071b317550d93258f7e1e13e7b6f

SHA1
2d08d78a5c29cf724bc523530d1a9014642bbc60

SHA256
467de01d7cee7ec54166b80658ff22f9feebdb1c24eaf1629cf40e4124508064

SHA512
9c35293c95c1a9141740ac99315605964aa37c4a42d3a11cae9e5649ff1427a9480d3d5e7f763212cf13db3511c5ea3c84e68f95f0067fe6339a9d3fb7b27c54

Download Submit
C:\Windows\Temp\MBInstallTemp355667c3bf7411ee9371ca152a8dab80\uipkg\QtQuick\Controls.2\HorizontalHeaderView.qml

Filesize
1KB

MD5
d8c9674c0e9bddbd8aa59a9d343cf462

SHA1
490aa022ac31ddce86d5b62f913b23fbb0de27c2

SHA256
1ef333b5fb4d8075973f312ef787237240b9f49f3f9185fb21202883f900e7d7

SHA512
0b86ec673133f6400c38b79f9ba4f7b37ce5afdab1a2e34acbf75019e2590cc26b26d323ddc1567c91375053c9c8593be0615389db8eb1a8d1eb084ad4200b82

Download Submit
memory/840-4169-0x000002370D550000-0x000002370D884000-memory.dmp

Filesize
3.2MB

Download
memory/840-4043-0x000002370D550000-0x000002370D884000-memory.dmp

Filesize
3.2MB

Download
memory/2156-4044-0x0000020F02F40000-0x0000020F02F50000-memory.dmp

Filesize
64KB

Download
memory/2156-4042-0x00007FFE51330000-0x00007FFE5174E000-memory.dmp

Filesize
4.1MB

Download
memory/2156-4041-0x00007FFE50DC0000-0x00007FFE5132B000-memory.dmp

Filesize
5.4MB

Download
memory/2156-4045-0x0000020F03AE0000-0x0000020F03F20000-memory.dmp

Filesize
4.2MB

Download
memory/2156-4047-0x0000020F03F20000-0x0000020F04120000-memory.dmp

Filesize
2.0MB

Download
memory/3028-4629-0x00000280D6190000-0x00000280D6192000-memory.dmp

Filesize
8KB

Download
memory/3028-4612-0x00000280D5940000-0x00000280D5941000-memory.dmp

Filesize
4KB

Download
memory/3028-4633-0x00000280D61B0000-0x00000280D61B1000-memory.dmp

Filesize
4KB

Download
memory/3028-4628-0x00000280D6170000-0x00000280D6171000-memory.dmp

Filesize
4KB

Download
memory/3028-4635-0x00000280D61B0000-0x00000280D61B1000-memory.dmp

Filesize
4KB

Download
memory/3028-4627-0x00000280D6180000-0x00000280D6182000-memory.dmp

Filesize
8KB

Download
memory/3028-4626-0x00000280D6160000-0x00000280D6161000-memory.dmp

Filesize
4KB

Download
memory/3028-4625-0x00000280D6170000-0x00000280D6171000-memory.dmp

Filesize
4KB

Download
memory/3028-4634-0x00000280D61A0000-0x00000280D61A1000-memory.dmp

Filesize
4KB

Download
memory/3028-4636-0x00000280D6190000-0x00000280D6192000-memory.dmp

Filesize
8KB

Download
memory/3028-4624-0x00000280D6160000-0x00000280D6161000-memory.dmp

Filesize
4KB

Download
memory/3028-4637-0x00000280D61B0000-0x00000280D61B1000-memory.dmp

Filesize
4KB

Download
memory/3028-4638-0x00000280D61B0000-0x00000280D61B1000-memory.dmp

Filesize
4KB

Download
memory/3028-4639-0x00000280D6170000-0x00000280D6171000-memory.dmp

Filesize
4KB

Download
memory/3028-4623-0x00000280D6160000-0x00000280D6161000-memory.dmp

Filesize
4KB

Download
memory/3028-4622-0x00000280D6180000-0x00000280D6182000-memory.dmp

Filesize
8KB

Download
memory/3028-4621-0x00000280D6190000-0x00000280D6192000-memory.dmp

Filesize
8KB

Download
memory/3028-4619-0x00000280D6180000-0x00000280D6182000-memory.dmp

Filesize
8KB

Download
memory/3028-4618-0x00000280D6180000-0x00000280D6182000-memory.dmp

Filesize
8KB

Download
memory/3028-4616-0x00000280D6170000-0x00000280D6171000-memory.dmp

Filesize
4KB

Download
memory/3028-4617-0x00000280D6180000-0x00000280D6182000-memory.dmp

Filesize
8KB

Download
memory/3028-4640-0x00000280D6170000-0x00000280D6171000-memory.dmp

Filesize
4KB

Download
memory/3028-4642-0x00000280D61C0000-0x00000280D61C1000-memory.dmp

Filesize
4KB

Download
memory/3028-4614-0x00000280D6160000-0x00000280D6161000-memory.dmp

Filesize
4KB

Download
memory/3028-4613-0x00000280D6160000-0x00000280D6161000-memory.dmp

Filesize
4KB

Download
memory/3028-4631-0x00000280D61A0000-0x00000280D61A1000-memory.dmp

Filesize
4KB

Download
memory/3028-4611-0x00000280D5940000-0x00000280D5941000-memory.dmp

Filesize
4KB

Download
memory/3028-4610-0x00000280D5940000-0x00000280D5941000-memory.dmp

Filesize
4KB

Download
memory/3028-4643-0x00000280D61C0000-0x00000280D61C1000-memory.dmp

Filesize
4KB

Download
memory/3028-4609-0x00000280D5940000-0x00000280D5941000-memory.dmp

Filesize
4KB

Download
memory/3028-4644-0x00000280D6170000-0x00000280D6171000-memory.dmp

Filesize
4KB

Download
memory/3028-4608-0x00000280D5940000-0x00000280D5941000-memory.dmp

Filesize
4KB

Download
memory/3028-4645-0x00000280D61B0000-0x00000280D61B1000-memory.dmp

Filesize
4KB

Download
memory/3028-4606-0x00000280D6160000-0x00000280D6161000-memory.dmp

Filesize
4KB

Download
memory/3028-4605-0x00000280D6160000-0x00000280D6161000-memory.dmp

Filesize
4KB

Download
memory/3028-4604-0x00000280D6160000-0x00000280D6161000-memory.dmp

Filesize
4KB

Download
memory/3028-4647-0x00000280D61C0000-0x00000280D61C1000-memory.dmp

Filesize
4KB

Download
memory/3028-4646-0x00000280D6170000-0x00000280D6171000-memory.dmp

Filesize
4KB

Download
memory/3028-4603-0x00000280D6160000-0x00000280D6161000-memory.dmp

Filesize
4KB

Download
memory/3028-4601-0x00000280D6160000-0x00000280D6161000-memory.dmp

Filesize
4KB

Download
memory/3028-4053-0x00000280CDEB0000-0x00000280CDEC0000-memory.dmp

Filesize
64KB

Download
memory/3028-4050-0x00007FF732310000-0x00007FF7339D4000-memory.dmp

Filesize
22.8MB

Download
memory/3028-4602-0x00000280D6160000-0x00000280D6161000-memory.dmp

Filesize
4KB

Download
memory/3028-4052-0x00007FFE51330000-0x00007FFE5174E000-memory.dmp

Filesize
4.1MB

Download
memory/3028-4051-0x00007FFE50DC0000-0x00007FFE5132B000-memory.dmp

Filesize
5.4MB

Download
memory/3028-8256-0x00000280CDEB0000-0x00000280CDEC0000-memory.dmp

Filesize
64KB

Download
memory/3028-5327-0x00000280CDEB0000-0x00000280CDEC0000-memory.dmp

Filesize
64KB

Download
memory/3028-4600-0x00000280D6160000-0x00000280D6161000-memory.dmp

Filesize
4KB

Download
memory/3028-4599-0x00000280D6160000-0x00000280D6161000-memory.dmp

Filesize
4KB

Download