377ac497bdeb20e13ea84ca1eab709946535b77d4231007a7646509386a4af33

Analysis

max time kernel
121s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MBSetup.exe
Size

2.5MB
MD5

7ce024e6e2248ee891248469894d8a9c
SHA1

13db96c5e8d67b7f1141d22567741cd45d659c1a
SHA256

377ac497bdeb20e13ea84ca1eab709946535b77d4231007a7646509386a4af33
SHA512

ce5b6e7b7da5d3d00ad1df64006c24c291e24cb63e855855375e52e7a18ea7b3d283fababb79046a59533bcd80d8c18f604d9ace64af7e712f18020e5b351eff
SSDEEP

49152:YXrcUh6gxrxD0Xc3StQyfvE0Z3R0nxiIq2ddIAuSF:4rNRxrxA6KtQRq2SSF

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe
File created	C:\Windows\system32\drivers\mbae64.sys	MBAMInstallerService.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBAMService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Downloads MZ/PE file

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	MBAMService.exe
File opened (read-only)	\??\O:	MBAMService.exe
File opened (read-only)	\??\R:	MBAMService.exe
File opened (read-only)	\??\V:	MBAMService.exe
File opened (read-only)	\??\A:	MBAMService.exe
File opened (read-only)	\??\K:	MBAMService.exe
File opened (read-only)	\??\U:	MBAMService.exe
File opened (read-only)	\??\Y:	MBAMService.exe
File opened (read-only)	\??\S:	MBAMService.exe
File opened (read-only)	\??\B:	MBAMService.exe
File opened (read-only)	\??\E:	MBAMService.exe
File opened (read-only)	\??\H:	MBAMService.exe
File opened (read-only)	\??\J:	MBAMService.exe
File opened (read-only)	\??\N:	MBAMService.exe
File opened (read-only)	\??\P:	MBAMService.exe
File opened (read-only)	\??\Q:	MBAMService.exe
File opened (read-only)	\??\W:	MBAMService.exe
File opened (read-only)	\??\X:	MBAMService.exe
File opened (read-only)	\??\Z:	MBAMService.exe
File opened (read-only)	\??\G:	MBAMService.exe
File opened (read-only)	\??\I:	MBAMService.exe
File opened (read-only)	\??\M:	MBAMService.exe
File opened (read-only)	\??\T:	MBAMService.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_fr.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\Control.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5Sql.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\CalendarStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\TabButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\qtquickcontrols2plugin.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Window.2\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\languages\lang_en_GB.qm	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\LicenseControllerImpl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt5Charts.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-crt-utility-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\StackViewSlideDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\images\focusframe.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\MenuBarStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\MenuBarItem.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\resources\qtwebengine_resources_200p.pak	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-console-l1-2-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\MenuStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\TextFieldStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\ToolBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\SpinBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\ToolButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\DialogButtonBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\pkgvers.dat	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-processthreads-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\HandleStyleHelper.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\VerticalHeaderView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Popup.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\RangeSlider.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\BusyIndicatorStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\ToggleButtonStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Desktop\ApplicationWindowStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Drawer.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Material\Dialog.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\ProgressBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\ScrollBar.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Switch.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\Dialog.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\ItemDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\MbamPt.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-localization-l1-2-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-crt-math-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\qico.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\folderlistmodel\qmldir	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\SplitView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\warning.png	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\HoverButton.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Private\Style.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\ApplicationWindow.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\MenuItem.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\SwitchDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\api-ms-win-core-file-l2-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\Button.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Imagine\DialogButtonBox.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbae-api-na.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\SliderStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\SwitchDelegate.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\TableViewStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Base\ToolBarStyle.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Fusion\SplitView.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls.2\Universal\MenuBarItem.qml	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\1a5fe917c20611ee9b26d2066d8f1295	MBAMInstallerService.exe

Executes dropped EXE 3 IoCs

pid	Process
4300	MBAMInstallerService.exe
2980	MBAMService.exe
2032	MBAMService.exe

Loads dropped DLL 7 IoCs

pid	Process
4300	MBAMInstallerService.exe
4300	MBAMInstallerService.exe
2032	MBAMService.exe
2032	MBAMService.exe
2032	MBAMService.exe
2032	MBAMService.exe
2032	MBAMService.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LOCALSERVER32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbshlext.dll"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ThreadingModel = "Apartment"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MBAMService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MBAMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes	MBAMInstallerService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1917B432-C1CE-4A96-A08E-A270E00E5B23}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{346CF9BC-3AD5-43BA-B348-EFB88F75360F}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3BD2053F-99D1-4C2B-8B45-635183A8F0BF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{97EB7268-0D7B-43F6-9C11-337287F960DF}\ = "IRTPControllerV12"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8891F9E-90C4-4B3D-B87B-92DEA9221EBB}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C710FA9-862A-40CF-9F54-063EF8FC8438}\ = "IRTPControllerEvents"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB473CB-B8B5-44A7-A3E0-D83AF05350DF}\ = "IUpdateControllerV10"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2446F405-83F0-460F-B837-F04540BB330C}\1.0\HELPDIR\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9669A3D-81E8-46F6-A51E-815A0863D612}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\ = "PoliciesController Class"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56898B37-6187-4F81-B9C6-8DA97D31F396}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1691A7E8-B8D1-46D5-BB29-3A4DB2D809C6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F12E228B-821D-4093-B2E0-7F3E169A925A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4BDE5F8-F8D4-4E50-937F-85E8382A9FEE}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MBAMExt.MBAMShlExt\CurVer	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A0A45F1-CFB6-49A7-BBC4-8776F94857A8}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81541635-736E-4460-81AA-86118F313CD5}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6655E528-3168-47A4-BF82-A71E9E6AB5F7}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A66A096-E54B-4F72-8654-ED7715B07B43}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F798C4B-4059-46F9-A0FE-F6B1664ADE96}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08927360-710B-483B-BEEC-17E51FF84AF9}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}\1.0\0\win64	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97DA9E74-558F-4085-AE41-6A82ED12D02C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAFDF38F-72A8-4791-AACC-72EB8E09E460}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9AE95CF-6463-415A-94AC-F895D0962D30}\TypeLib\ = "{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E32ABD9A-1CBD-44A5-8A62-55D347D3C4F0}\TypeLib\ = "{332AFEBA-9341-4CEC-8EA6-DB155A99DF63}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD3CFEBD-3B8E-4651-BB7C-537D1F03E59C}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{620A01DD-16D2-4A83-B02C-E29BE38B3029}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE35F2CA-6335-49BA-8E86-F6E246CFCEA6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04F8CDB5-1E26-491C-8602-D2ADE2D8E17A}\ = "IMinimalScanParameters"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{503084FD-0743-46C7-833F-D0057E8AC505}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA5CFCA-E804-4A2F-8B93-F5431D233D54}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6357A98F-CE03-4C67-9410-00907FB21BC7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1917B432-C1CE-4A96-A08E-A270E00E5B23}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E777BB2-8526-437A-BBE2-42647DE2EC86}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBA4A79D-9F4E-4E7A-AC00-49ECE23C20B6}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCB473CB-B8B5-44A7-A3E0-D83AF05350DF}\ = "IUpdateControllerV10"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2C9E279-3E50-44F0-8C3B-606A303BA1D1}\TypeLib\ = "{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA6C70E7-6A6D-4F4A-99BF-C8B375CB7E0C}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CFFF19F6-ECFE-446D-ACAD-8DC525DA2563}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FB37514-21FA-4B2C-94DA-1562126E9F5F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E96FEF0-48F7-4ECB-B010-501044575477}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2D1C2BC-3427-478E-A903-ADFBCF5711CD}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7DD05E6E-FF07-4CD3-A7BA-200BEC812A5C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E0F1EE6-E7CA-4BEE-8C08-0959842DA615}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA226B90-F6FF-4618-8AE6-1114E82CB162}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E298372C-5B10-42B4-B44C-7B85EA0722A3}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66328184-6592-46BE-B950-4FDA4417DF2E}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49F6AC60-2104-42C6-8F71-B3916D5AA732}\1.0\0\win64\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\\8"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA248A19-F84E-4407-ADD3-8563AFD81269}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{834906DC-FA0F-4F61-BC62-24B0BEB3769C}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC34538A-37CB-44B4-9264-533E9347BB40}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{239C7555-993F-4071-9081-D2AE0B590D63}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F95C137-46FC-42FB-A66A-F0482F3C749C}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24F9231B-265E-4C66-B10B-D438EF1EB510}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7DD05E6E-FF07-4CD3-A7BA-200BEC812A5C}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{473BC184-760C-4255-A118-E8064C4EC595}\TypeLib\ = "{59DBD1B8-A7BD-4322-998F-41B0D2516FA0}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BCAC7E-75E7-4971-B3F3-B197A510F495}\1.0\HELPDIR	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A7FB145-B72D-466E-A3AC-21599BBE9E8C}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56898B37-6187-4F81-B9C6-8DA97D31F396}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{778103CC-4FA4-42AC-8981-D6F11ACC6B7F}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44ACF635-5275-4730-95E5-03E4D192D8C8}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83D0C30B-ECF4-40C5-80EC-21BB47F898A9}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{090D2E82-C71B-414E-AF6A-6681A92FF2B3}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe

Modifies system certificate store 2 TTPs 18 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMInstallerService.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3328	MBSetup.exe
3328	MBSetup.exe
2324	msedge.exe
2324	msedge.exe
4072	msedge.exe
4072	msedge.exe
3032	identity_helper.exe
3032	identity_helper.exe
2972	msedge.exe
2972	msedge.exe
4300	MBAMInstallerService.exe
4300	MBAMInstallerService.exe
4300	MBAMInstallerService.exe
4300	MBAMInstallerService.exe
4300	MBAMInstallerService.exe
4300	MBAMInstallerService.exe
4300	MBAMInstallerService.exe
4300	MBAMInstallerService.exe
4300	MBAMInstallerService.exe
4300	MBAMInstallerService.exe
2580	mspaint.exe
2580	mspaint.exe
2580	mspaint.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2980	MBAMService.exe
Token: SeIncBasePriorityPrivilege	2980	MBAMService.exe
Token: 33	2032	MBAMService.exe
Token: SeIncBasePriorityPrivilege	2032	MBAMService.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3328	MBSetup.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2580	mspaint.exe
2728	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4464	4072	msedge.exe	96
PID 4072 wrote to memory of 4464	4072	msedge.exe	96
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 1604	4072	msedge.exe	97
PID 4072 wrote to memory of 2324	4072	msedge.exe	98
PID 4072 wrote to memory of 2324	4072	msedge.exe	98
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99
PID 4072 wrote to memory of 2832	4072	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\MBSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MBSetup.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3328

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4300
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Executes dropped EXE
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbffd346f8,0x7ffbffd34708,0x7ffbffd34718
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9104613388230757161,3785339731006364439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:1476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4436

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\TraceUnpublish.jpeg" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:1520

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2728

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2032
- C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
  2⤵
  PID:4460
- C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
  2⤵
  PID:5440

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
1⤵
PID:4420

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x324 0x4e8
1⤵
PID:5616

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ad055 /state1:0x41c64e6d
1⤵
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Actions.dll

Filesize
1.2MB

MD5
4fccc817e371e1bb9f57f0f8cecfda56

SHA1
3c09b0e839029671c6ca95704b65d7d9d981209a

SHA256
da16bfc489dfe690bd5f1a1a9b9f1f33ab561e93808f5087b489d830a562e841

SHA512
37fc41a4f2dd2d04dde147fdedbef488b326583f9555b5607b3f387085ecf5034d4bb1e5cd4037727acbd3923d6e482b3cee3873324b2546efde8e5a5a9363db

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\BrowserSDKDLL.dll

Filesize
1.4MB

MD5
42df01326c3d53492c0f24384c52c02c

SHA1
1b1494cfee79f26e578bb042c340b086d9a8982b

SHA256
65f02cdd4dc1e6a1643a3428a4b7c445169073050f445e3a58114e7e47c22902

SHA512
690ebccd6c577b8177a2769b6bd4ab7b1a1c6e0051140a50405907d87915701fc525a83c9167d658d9eaa0b3a6ed0d466bc4881fc6fe5bff46620ad91dfbd786

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CloudControllerImpl.dll

Filesize
1.4MB

MD5
e928e0a91a8de0f6b29557a842957910

SHA1
3d3ac63ea23ad257aa30c971275f561702cb7969

SHA256
ae9911caa5cbf51191b0a804dc8b3afe705863149a6abf9683d3d23df51d7565

SHA512
16db34cb7396651b4eccd03f36522c8680661be6a459f38423ced2f7480c956f6dd76ae76b4565cd93110f0d851e71e9636dfc11360c7b0a824f93209125d259

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\LicenseControllerImpl.dll

Filesize
3.8MB

MD5
248655363603d54f647c57fcc9ff33ec

SHA1
b5e248fcac17db27ebde5c8ee340592d2770346f

SHA256
fe98e6aeab147b705236263e5864f1d7cf6a486533a7702bfd188c0981998627

SHA512
33324fa6e094479af538d7841ca5ec13f4d18bb3ba9750e53a8a9b4d60e2cb30abf9c11446f3505bac695f697d8310fa514d1457bbc3add5b4e437c43027e5cd

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMCore.dll

Filesize
1.4MB

MD5
c40a6921063dbc9d381be8201ebc3b93

SHA1
63f2c031826fc1872ac9c174db29d6983752f907

SHA256
a5645e76e5cbba1e6f2631de217b4bdd16762435de3277d727b8a2bd276014ff

SHA512
5499921483690c7e2e28ae19e13863b35380a4810d4056c7b8ec245fe524f6cd4003154cc827c563233c7b05a4f665be87bb5d32f6a78a2565fad5e606d38198

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll

Filesize
4.0MB

MD5
48693d44163186403360ed1a01670b90

SHA1
eb655282138908eb7806265af71bf5f135c8745b

SHA256
c0ac13d203bc8da1b2ad8eefc8de1bc6702c2be67ee1155fa5a08d6e90afdb35

SHA512
9d9e2e28814dc379ded4ad0700bbb230a64ac3e08e8eb7f36b789d85e35435acecd36e425bde1ef626ef83cfa1301adca9f22f3fad1dd945c39365e56926c583

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\UpdateControllerImpl.dll

Filesize
4.4MB

MD5
485f09c36b78e792b23b52e889917139

SHA1
950cc2cc992c7433bdc778da44a9d6337ad063e8

SHA256
cdca10c69b40cb954b6b2e06004d72eda772c26afbe50ebbeb9d73973b4366a7

SHA512
8a05c43d7308272d165bedf0434dadc07bc71b396fb1ae5ec524fac865ae3346a15485d127730daa94d7eb37b4e234b974e0e8f1ab7de8df848c2e0bfe7f8fec

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe

Filesize
1.5MB

MD5
8e50d7fb5027836f741c8fe92ddb1ece

SHA1
5fe0bab0c47bbd6706c33c9105872e7f71c6230b

SHA256
e53deed457b55429b774619565ce3e7f6bcc4f74975d2ed0a93ab6349c3955c8

SHA512
6f9b3a0fded6de9b28b859e3949cc10ffe23b6904fc7d1bc7b7a4071dc6a60977205b0d8ab3618bf9752671a02f80615756ffea46e2d55f755037ca11e82a3dd

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\pkgvers.dat

Filesize
74B

MD5
797e67e0b20976363e338af98cdf45ca

SHA1
40bea9ca354ab5fc678cf355bc32705dc966a3a5

SHA256
20e5f550e739a83ecd6a1986cb487ce5fa1b536dd8e70a889794624bc8da26d6

SHA512
3c10e6f5693162c81db17e8ed10f0a50ef7bdb423a129c36ed148af8897393c383c1c8e4ed278c492afc3ddccea0f0c2e9186b4cec07170cdcf90b4cd77d22bd

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.nm

Filesize
277KB

MD5
9029f3e98e6bcefe84dbd6f2ae7f24cf

SHA1
4cc056c93fe197ecbf7e9a80dfd269ef476dcddc

SHA256
cce8a24a864a89156f8d0862c5ff34408149b3bb67c48fe8d7ffa68591490838

SHA512
9aedc980e3a72287b27a7dbce0d3cab9f3d04ae101858d83b8df634fde108bf0c5ec70a4ddac1670d4175f88201bba7aaaf56f73b10c11d2df50caa104a30f0a

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.sr

Filesize
1.7MB

MD5
3c77562569e080d644877430c2be28ca

SHA1
70e71e5c360108ad50a21a2f67564f2a53cb6707

SHA256
eb1a62505f85d4c06554e998442ba211b145e15e3f392f94bd6bb04f2e9e2205

SHA512
af18728d2b469b316cffe61f8d8a1ae50a7db5f797794c34f6e86ddf8385a94751c12e75fccd4caf854ba57d811db95327b17aca5bde22642953def00794acd8

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\cfg.bin

Filesize
1KB

MD5
86e218784196fe0b6472cd0f20a85069

SHA1
8a5404e5b49624a5a6c289b299f98c4b72720968

SHA256
9aa9ffbaf7126a0b23ddacfaf7f576c85b5a3c3a7d57eac636e73af8842c0902

SHA512
1db35f7d6414fb6ceb486c0361ad394dd4f75d73925b17ffedb07d20b2cc264da33a1e9ff2306dc87ddba81099d5dd2c06b0e399de912d6bfa464c62c9ad777f

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\clean.mbdb

Filesize
10KB

MD5
6b61a1438b1d9791ae2ebca27e64b04f

SHA1
d1ab21d7d4962379b545a6a8b264fb39b7b902b6

SHA256
45bbb2390c5b89a7f302d49ff3912f4ce278e8bf0f758bf0e4caa360a4843a73

SHA512
f173571f627136de3c5bad4536af3d7afddf145dfb028d0c2c2e202a94a18b633cbfc65d675297de75e187b48c2f296a424a9944e034f2ac59b904ad2e94eaae

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbmanifest2.dat

Filesize
924B

MD5
989788e689faeb06c4e0e19cb0b5e65b

SHA1
14b1f291cb3c70fd1827dd49db20ff261d511b5f

SHA256
2b36f27c13c66cc33edab9a42db8b64c4e2960e3969f0da0b6184c83cf1c84e4

SHA512
453ac2d5dd4c0364c17a84dbfeee70d25dbe4955baef00cc80acc885cb8f0581a9fb4b9fac772d1da94c6b5fac442535545e8bc9b233c5bef7096f0a4d0fab15

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dynconfig.dat

Filesize
39KB

MD5
10f23e7c8c791b91c86cd966d67b7bc7

SHA1
3f596093b2bc33f7a2554818f8e41adbbd101961

SHA256
008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

SHA512
2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\exclusions.txt

Filesize
23KB

MD5
aef4eca7ee01bb1a146751c4d0510d2d

SHA1
5cf2273da41147126e5e1eabd3182f19304eea25

SHA256
9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

SHA512
d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\mbdigsig2.dat

Filesize
514B

MD5
9d33e3d562e15befeac68bb6ed875f88

SHA1
4dab4dd92019749cbcd180cad7cd7a6f5014b115

SHA256
fd3acff19a737474a38d9a0cca801a0a6280384b0e88418523a7872dd85a8409

SHA512
69cf4ec805aeb2986481efbe68306fe89a8dd9c1e2def5143ae577ffff0d7b39a8a25ad15c99b6245c3a4950ce135ce7607194b9b19a878821f35ba3d21baa42

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\prot.mbdb

Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rdefs.mbdb

Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rules.mbdb

Filesize
9.6MB

MD5
ec177ce2d49024d825bc45b7314f1f61

SHA1
e257571da894a4bc07032090fca709054ca40df7

SHA256
0b9d6eac6da7302c9be12fa37c1d24f7f3166713ecc924ab40304919fa45405e

SHA512
8f3b6059aa7cf88d0afe48a5ea7bf94b05936fe6772b1d863f73accf0fb3e6af729d70e5d7256f3cdca82878a50bd8223dcb19238802523971eb966135fd32b4

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\scan.mbdb

Filesize
994KB

MD5
f586aa454cd389dc5d04b924ac8b3732

SHA1
753c07209994935319004fb0250bd943b16e1bb0

SHA256
de961281a6af85f2a2f0619ac5e3757c642ea1903b8a6d74ab6b091dc46a5b54

SHA512
a1bdd5b53f8e335a099201f6acb94e44577b167599828a48a82ad89398ffa090326476bb08a8ca9e0c87b15b31fe1c447a0d88d22bdb2b6ca0c1835f306d1f7d

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\tids.mbdb

Filesize
177KB

MD5
8f0bebff195193be315c6b5b7173d5f0

SHA1
a36fc4a214c8181065fc4ea79d263f2219e88b8c

SHA256
35b6ea7f0f08909a5f999ba04bdc678b62f370a6027c3234be1c734941f5bda3

SHA512
0295264e5fd5e8e304bb4ce3a9ddca72d369b9c08f5b5bd115be1167003ca1852b8a2c1160b940ad7b6691e74f186598244bead27f1534cb0582d41fcc4d5e9b

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\wprot2.mbdb

Filesize
5.8MB

MD5
2bc3d9040f68637b74b92fdc994f9598

SHA1
420c38e790e1b21c3f4922f14b8ba0eb51e5c213

SHA256
5a9214cf73be3bc76fc54c1621787312b004aa625a5c3c1f50d7e717b5ff1ad2

SHA512
b2bce0d673de7afa2a4ab3c6ff2bb982837ccc316c1592cbc09147f8c10e1a7aa72642b1fe999981765d3c35c31775b1589c5973d0eaf94a42abfc84fdc30578

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\LicenseControllerImpl.dll

Filesize
4.4MB

MD5
e0f6252ef47bf828cb349e09f605f155

SHA1
cf004dd3c2b22e1974182f00c833608d39982ac4

SHA256
4a05cf3b69e34700ce32dd8939e1bb01eeb162a130e9c26394ff5b29a251bc43

SHA512
16b59ab825da006ea6af20a6b8d9b7c693135bc81953af8fb76429eaa749849772d15346c030cc57f16fe3cc95d09573ef0c4a91256f23830ac1b57f6d60ac6a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe

Filesize
64KB

MD5
246dab4f4bf548d8deacf0a3fd57c202

SHA1
d7d573f3c8b26480bbb3080e481ab6c7477fd629

SHA256
2b951b307778ffaa875b6b4e2973df2c653e503042f897d63cb26fa44e266c4c

SHA512
4bf7e0e2dd346c74f74ba5f796af99b8a15a7160f4dc74f42da7913d0369fbe194fc3079b73b270db656019d0e0e533d45b59913c81a1cddf586637363ad35f7

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe

Filesize
4.5MB

MD5
e1fc83d549301cee0a4af21008746c6d

SHA1
e1179acc8f52531094a01dd8852a9e5091161942

SHA256
2885ad5f047f7394987fe6f242243894e52ab6aa54be5a1171f062f956ce9f9e

SHA512
74e6a462cbdec0bd88560dd105c948ce8c7dbcf8947d073f5cc1dc324da17cd89fd3a1d68c19f936969e1c0c157b3f6185fa23d6bdea8a78e526aaba95b63e75

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

Filesize
8.4MB

MD5
f167ee5d10611387ba129526109225ba

SHA1
1eb2f199ee7ba274e923ce4668aa2085d03fdfcf

SHA256
e92fc9289b1df832c432c86b28b2d25b00dd91f9d653a1ef654da438936f0514

SHA512
403acc824041089fc1588ec2fa24ff9304de9e3a54c3e3efedfa4456a00d3533343f813c8d75185553828d72b7cf3d790d20c2587b48583dced1d58ab8835b11

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

Filesize
6.9MB

MD5
d15c75bbee80fafa60d7f856e9f9ad24

SHA1
cd4c13620f70300566367e04a5afb29eb11fa03d

SHA256
a0f8b73cc9f379a7c3060ed9e1d19ec6d7bd611a5a75b28cc38d21a8d6d2776d

SHA512
226c26d252129fe683265302ada3b425cc7cdaf7c6f94a89a04f0438527e3717a07e99eb003707c415eec94e45c6e387ba0fee341674ed6848355120f0b71e10

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

Filesize
4.8MB

MD5
5c582bc0b6bd34fdd4c73dbe9b76107b

SHA1
12229ee74b59e4a34f5b428aba5e91bd453cde51

SHA256
a2051aea36c32e3a0538c698daa88c032e251795a038d6d98abd844b1aa0bbe0

SHA512
a3beb979f30b982958c84c759077711474371459b86a4bd3a3a0b969feb15e7778b3ff09f5887956dcb16482ea95fdce3d0e0c4b64799668cbe0f63e9bfb6151

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\PoliciesControllerImpl.dll

Filesize
4.0MB

MD5
e3e5f85bd7cfb83e9f935ca401a45285

SHA1
28eeb13762208f6244eeb91110dbb69587eef515

SHA256
fcb39655880750b2030fa2c2e8ddb49236c922f83c56aa12f8c2c825629cc178

SHA512
a611d4f933dc9dfbdaf60178032e744a24eb9d738e98ee61a086df437409fc1dcd33df5ee500b62ffec800da3431c33deb58befaf8d6919e5abc53f9929918e2

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
592B

MD5
1e8f990d9945f52dae1544a6ee195f52

SHA1
3fbee5d8a2b518981c4e9b54f89ad1d2522aa887

SHA256
4c037673e4bcc3bcaf1c30a702e0f74b6d8bb71a1b6371f8ff43bd7d1c4b30a3

SHA512
0e263656678be74061489049fe3ac7db47b697b9fbffaae4b0caaa177362de321abf4f98d72343ce62a96fc8e1903884ef1a8fb55da9ec1bc5f53094f7287c33

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
654B

MD5
e13120497f8c88bdd6cf8aba8b9ddede

SHA1
1271c654a5854187389241d0f7f58e5f22ae97be

SHA256
a20c9e51119928a9ddff91f12168a09b9e10bb30633d12328d6daea2349450ca

SHA512
777786188774cc4d45589709c8624a9db26d6dac8e94827cd3844a615ec7990b4c6a19b235729d3ad999c9c33328211196ed6a276ba656344793d63bc468ddcf

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.dat

Filesize
8B

MD5
1ce34e67180e7f2d233b274457cc1c65

SHA1
451a6c7c2ac52cb903d5325acccb52d29d92fe5b

SHA256
d7f50cd5214d75cad9d919e64c6c6e7e75b1a62066e6f09ac7432105b4c33e3d

SHA512
f969f37de5af5d033798a1824a8d7fcbc71e78d31c00d3995426c7004adf180b970702921c8d05f5a42f65e46223a9e606076c77db47720beb2bf02aeef221dc

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mb4uns.exe

Filesize
3.3MB

MD5
bcd218bd2cd4ce836e9ee055fc26593d

SHA1
ec02e5a69b0f25fcb5db4bdc5fdf6973f2791ca8

SHA256
246836590d705096cb6334d5be360699070503a4ddb3937042f7591038d4bfc2

SHA512
d344cb2b0e23fa06090914f6fbd097142b57d24b81cc8b1f4f5e835186b843ecaaa3e96e7b2dc0e5d1ea3e1b4dbb9e00b271253a588496b125ed24a737eb265c

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe

Filesize
2.8MB

MD5
c1abc08f5e8d19aa7eec55da565a70de

SHA1
0a4050000f27d7781500186e3d6809039f7a0074

SHA256
f48fb93acca89aa34dc58ac30c808c9b83265d7199dc8414856d26762673db50

SHA512
bdddb7856bd036b247e7715ec5dea2cc2ba2b839ac150b87132b60b0b59934ec34d621c7b095be2600afd7394d48a8013633b25fb976b46a33a50d301d73032e

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe

Filesize
712KB

MD5
17e2d187cb75dbf18e332776fc90db8a

SHA1
47b4114f8ee955d12d2062de5eb25d8dacd7a5b7

SHA256
a9778bcf8c12a244a67812166da5007f59e6701525befce996760ec7f6567219

SHA512
dd85fe6aa39c1ca2bff3b974546ce802279301a9d2b9278e705d28dcdc89c788ef863e9632533503f258d6f8efd3b7247747e09e9123bf1750eb4048fbce3670

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll

Filesize
114KB

MD5
f782f049b0e8c13b21f8e10e705bd7e5

SHA1
5c11f955e3983c50ea46b5d432c97c9148ac8e9f

SHA256
16c450a310edbea07f578f31368f168ec338011cd117406898593e86ebb83dae

SHA512
eed29c42b14ff26a030f53d61d6dc8e3971e478dc7646b26189f14f16699b6bedc170c4bcc37efe2e8f3048bde37480033b49eaf1a4712b88464f5da0efc18f2

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.cat

Filesize
10KB

MD5
f7c8e0339bd48b6fe8eca81ac3ba5ba5

SHA1
1369bd4dcfa7709d8eed12fa76fdbebd39dd6bcc

SHA256
a9dd01f84a075ea8d0b0968fd7a11720e49f019834f7d4fe80f50dacb12030aa

SHA512
c722510c40fbed32bcda3b5b69c590a9043e4e51f8e804f77f73eb8ea0cac0f4a587ef540f2773981839f04e44f48bbc8b5e8c03ded3f0cf637ed1e3172c8e07

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.inf

Filesize
2KB

MD5
d87c2f68057611e687bdb8cc6ebea5b8

SHA1
27b1311d3b199e4c22772fa1b7ea556805775d37

SHA256
ff93773f55bf4a6a0242adf82276a8c95c0b244b9bc05e515c4e810c81a960e8

SHA512
4aa65b8911d8a2a0f9ef0ee6e934b94db0a9ad4c2ec543b5edcf21486be43f6ab1fda6617ea2cbb85eff230628c9fa8e7649da915d6de695803b28e55bef5819

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.sys

Filesize
233KB

MD5
4b2cc2d3ebf42659ea5e6e63584e1b76

SHA1
0042da8151f2e10a31ecceb60795eb428316e820

SHA256
3db4366ccb9d94062388000926c060e2524c7d3ee4b6b7c7cf06f909f747fc6c

SHA512
804d64d346b3dbb1ce3095a5d0fa7acc5da0bf832c458e557dac486559fe53144f15f08c444fea84a01471fd5981e68801a809b143c56b5b63e3e16de9db0d98

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat

Filesize
9B

MD5
f726542aded84023a13eb78929733a4c

SHA1
a6e6cc94faa58f8f9de95d6fcdd6a7ef8a86565c

SHA256
ca8a93db9b23da70acf8913f25b52c74ba3cb9a705de99e8cffeec3053c97316

SHA512
a0c11b133436d6f186c7ad44e307b7c7190b7c685c9e750e4d8eeb90e1c5efb9a6397ff575c998cf3d334a670b331b1ac5e30d6524e6c051e9a3fa5ddd367673

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\uipkgver.dat

Filesize
6B

MD5
74c6677020fc6b6c867aab117078bf5f

SHA1
8c46db37dc0b39eb963d4144539c8b591e122400

SHA256
cdbb9bc874d71e154c71b68b1fe959913d286036dac11e226e5620c919ba9708

SHA512
3f9db8d9bb25322f8d8e750750bf92dbe6ac63d686eced65cddfcd61178cf0e947118a491058414d4d2cbb4892e39815565669aee0dfdda23aece72d278292d0

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\version.dat

Filesize
47B

MD5
0c1489aeb26a261dc7ba3ce7b451c3f2

SHA1
0fed1b7b803578e4c446e0497633e2a2a9236b13

SHA256
576def457d00924c3309a39b866a5187e146093d7bcd2f3e22089e9ce98c9df2

SHA512
195bbfabcd6bf7d85fb95008d6b937a7fa1816ca3f56cc8bdec4e9ae741d90e5f063356017e699bfe5accbb2d8ea76bb4a20f22aa1aba9d2b02247e1264f7fd8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
1KB

MD5
41703b8edf7138319c05877c4cab5c7f

SHA1
a24f03c6978b8b9733aba72c28d8ced851763904

SHA256
bf0833a5a5686b5834077c952859661decd2a602a2705a5d0fe960bee8f172ed

SHA512
572396f657a910e8614e4b2062cc425374c94b0d11c502947468c78914a890461a1b60d454dd31e5975164c60a0acdf1bf277e0abdd6f28607a28a0f6be652dd

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
47KB

MD5
f17894156c5978b40f699c3c41106c09

SHA1
35acd1b51b3eebee6736912becccaca0387a2129

SHA256
c2e7d4752407bce7b93d8fbf7d3bc18179bc3543469d689326eccdf484957ce0

SHA512
ca1db598f046f9fb90487e91761ce1569fd4d6859c9d5f8d83e7097f94c4232803ad378218af5e289c55206480616c2d3558f1595c46fc3bb3612d800c61a890

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
66KB

MD5
f1c3ad2cbdcac82807d4658ca7aa3c70

SHA1
8de3bb05a67a57d3c8dd10eaa9909e398fd69384

SHA256
b9debacc9f8a944173efdd2c21d8aacbc61aa21690e2b7c543bf830196850149

SHA512
f1bb75b57e1b0524854859035eea7a73fdf84d0e35d67cc1992845f064d552bf178f4722c7ae3013593e1ea77a0bbf207fd6a0d2db19e425acbb9efc3082e3ac

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
66KB

MD5
5c7482dbc857cdb461c8e6aeb36f9a42

SHA1
29cb4279894e62de09a72b7c04368233e370437f

SHA256
ab12c78dda1198fb9827a2837b5251ce0177abc0f084c377db4a1b1499dad823

SHA512
1339e2ba00f520882e7ad5ed3ed3bcc987db838970b0b2cef64765c4cf3e7fa208ed6228b09d5d874b510956ef969f105cbaa90e2f345accc0f7ae2dbef3cf2f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json

Filesize
607B

MD5
fdae77d6f244e3d5837a264c9d8c8f41

SHA1
31dac2c13ba2d2720818602d11ad8e29bdc54a3b

SHA256
23fc7daf271df03653fff5e965d90375abf6d214cba56edd353be6b5d80e417f

SHA512
a929713d76862ae545d8f24d0fdcdcc5b62e87cbf16f45974ee412ce573c8fd64698ef951db7b40d78ce4ee834366a42f5c51dc5763c7633db28e1dfe8fad2f9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json

Filesize
847B

MD5
89f44af66feced4e5f85b1971ea86be9

SHA1
8acabc664b97e0db0519037ae6fb11f562818fc7

SHA256
be84ab5135934044a8ec7b599ad45b1f82c844c50866b48cdef328c9396d5580

SHA512
cffba8899cf3b5741405fcb8d09734d31e19596c742f20ee6a67497b22b591ac32dfeef077f97c0e298f2b85f9966042ad0ab4918d7a29b10dcc641820ba98ab

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json

Filesize
846B

MD5
37b8c2f5f938c7628b1220d892abb01f

SHA1
0b0605d40d3869b42c08adcc382316804505cd2e

SHA256
ef50317f1c6d96dab57934a854d433844d7bf6b6144a4a85f92b3391e2aa0f41

SHA512
a1928af3eb00e87bab7a82560231c516fb71d463f9c8b7bf52a25305253184fa6e4c8c6bd2a93972954ac73c96ba7f82e665c33adf75be206aa7e7faa697e240

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
825B

MD5
816ed0d80a0bce0ffab312fc0333b3ab

SHA1
34bd952a7cad9628165cdddb19306f9cfd4711aa

SHA256
40956e41ef197c7eb075ac8c165cafc21040d70971d05bb5269a62783ad3e093

SHA512
3ec839006bb6c80c7a8b2ec7ce73b9957266f75b42323cfcae728c8a19c3999ac27e6e59a0371bc21b3ffcc3ae4091bf478eab66f79b2b3b45a8bb8232871aac

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
15KB

MD5
f63f885df6d3207177fb9d7b6c46bd14

SHA1
bad2b23d5873ba220caf6d7209b420e960087db6

SHA256
a801f2ee1337254ad63c5aa960b990e52532b41897699dddce78bf08cc41789d

SHA512
be130b76975d93b4fab78fc1198a7b791294d2a8bba9b22c74ea48ff5128e2bda75d3bf171eea8bd0c87f95c1905cad8beb007caf7d1f388a1c558474d60eefc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
15KB

MD5
faf356d52719662c26de34007e6b5598

SHA1
b7a8b889826b7833b890a193699f0415853e4d3b

SHA256
bfa7c9531ab8f5d50f96bec4acccf1e54c846441b01abef452d2b4eaeb536568

SHA512
1e752c16759814602d09e8b8a4140bc88a8f1dca8ee81d397daede2b3d94195a5e8bf8dd22873aaad81c0d901f029028ea3b938b91072551c90896842a147abc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
15KB

MD5
15ee409b6ae72ca292351c4a9677beaa

SHA1
51be142af00e71eb26addb05b8ea6b1bba0ab1a5

SHA256
911484dd009b987f6754cb4ed1b5ff33e6dc5840023a24f6f9da4e147fd9a3cb

SHA512
554e91338e66fa777e72516e091c0ac5b9b1f57cd3376611dd4db3550943343e572b29dcfb8d3f69d3ad14eaefcb37343fac2ec1ced5554a482bf70e94a8e247

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
15KB

MD5
4665fa8e2f264e4c06437ca77bfc4013

SHA1
dcd9ab702fe55529cf6bfe225e930002bf604a39

SHA256
cfcdc35dcd4a1394b976b687444e5e5d2010f0911a571269ddd19820c911943b

SHA512
a4bd3c8cdc931b866bab765c230f201566e34ba3f3e928fc32a0b0a6f61132f00ee71c08fe162428db0acc109a619a378b0bf737e1960bb6fe084f7765a4a0aa

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
1KB

MD5
f3dfb43a9c19180de15c5d6211a2a4c2

SHA1
6fb883bc63b1394926327ca6e93a95005504b3ff

SHA256
5b9d0e83229305f8d2168c86c395b6165ef7c5acc1b747ca3491cc4a22d7973f

SHA512
7824d799869dfc8669b2e1cbb2c312cdfebdfe0585c2286e78e888b55d0ac90f990e261f39c75c99d77ca3d3d3bb37637bb62dfee69d48ac26efa6cea728c1d3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
2KB

MD5
d6db2696cce27d2b8316b3293d8987ad

SHA1
d086cbe22b0042fa0e1cbd16c707426134e59c9e

SHA256
78cd10258ad6621eb3ca4e517fcf9c2a8051e004fa44e11e0d74f0465fb3a705

SHA512
18d16be11d6612619380f34f6aa0fecb4ea94e56fc815cdc3b4a6bec0f8194e34e77b3cc34ef322b522969a6bed27f10cd80cd012da84f83123a0bfda637a020

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json

Filesize
10KB

MD5
5b14448eaa96db3cb501befc970e9045

SHA1
40bfc5a8518a01b5d32787f1a53d9a6f393f3ca2

SHA256
7e89db0c896adaaacb54071919b003f86fadea9233b18c6cd2162b3600bf7d2d

SHA512
44eee0ef32c1b3d13530ccd0f010e85452082f57458ccdfcca5a130f02097042a0bae261d21deaf41d2aad4d915d5b31884255a02cd51ca5821967c6afd1b556

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

Filesize
1KB

MD5
ff64a504f546ecb8a7f70358de4d5d2e

SHA1
1979ee207b0a8291d1d0aa2301ffedb213b201d8

SHA256
7d788c4c14f6c2d86337c558561ef51ffc190f962eddce39411d1af41482ff7d

SHA512
bdc429c41dd23e946597de495f5fd51e9e48695f80c41e409bca44b85fd04579a58c6135b36cfb6a32775c35415bb9ad919f19917f85c90f83d1013866f23535

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

Filesize
2KB

MD5
46173c888e89d53c43878ce28593bdb6

SHA1
3b1276c09c0bbb60a94ddf33875f93cfb1f742d1

SHA256
c76ccf29183f86f11b7bd2a44ade888424d5fe180b1d598ac19090bba0893bb8

SHA512
6396ec5bb45e4d2ddd314be68279d886827a72a516ef8ce03ae837d00c4ce8523c43f10ef295afcfd0a1d97b06a6ec96e8f9d773d8af2921651c4ff6fd4fb1b5

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json

Filesize
903B

MD5
8276efc7a949e20a7edfff1bdaf0aeb0

SHA1
f83a26c30f3a73b862c514233c90ec96d3e78ed5

SHA256
affb794e39e4aed0f228a8eb392fead75607fe732ba77e970a03aca69c0f7432

SHA512
1508fcda9c6f58c9b3add54a0ecd3cb4f91fbf4edde04bd82d34df1ee04c53f6003cff4c0ae3f501addb90fd627de76749f5b274c974d9f8b87857a0b6812cd7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

Filesize
1KB

MD5
bb0bb8925fba7830b3796a30c4da2361

SHA1
85471310d3693ba9f4e108c3b3fc57a1dd7f4369

SHA256
a02009872cdd1851a65c3136f173529254bf27f9440dbc291c9998b5a5fbe97e

SHA512
e68df6c70e3d0c33840b2bdcb822d5c2c77a7c324b789c0deaea5c22e5c013bff3bf467324ba58da997a65c9d32b65f0c9c5c81c25fa9ad60ee9f2b9afe1f67e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
2KB

MD5
f27856372afb6e0b258a5e43516681c8

SHA1
82b4aa36034598b3901e3e82c025f9fc2f88f578

SHA256
ca8f8be6c3c4e66a512535bb5fce7efc3ee69a1897f285c41002a586b1a1d277

SHA512
754b4e9f474b060b82a61fd8d6f7399251be46178ab79bbb4f429e07eaf94aaaadcf488e696c6ed705ff44bce40654f3b82decfe04ca0339c78efabc5a44afa6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json.bak

Filesize
4KB

MD5
81504c1633b60caa0b513d905b564eac

SHA1
0a84dea79fe28b0b706f6ec5e560016b87a1b849

SHA256
c0d075dff7bfd7dee7466e2309f7037b8e041e1cb23ade50c66ef3a7cfe4d0ff

SHA512
cfc095ea74af791820bd921f3d89aa9faa22e04eac1dac3b46e8c6431b33eac9bb6bf258d5d3c9c9edb90a20e17da93d6d6d27afe23612ca59b4eb2288e4e91d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json

Filesize
11KB

MD5
d6ceec261c80869eaeda2510313fa9fa

SHA1
5915f483de2358c5bcfc76d91ec6a8870231a0f3

SHA256
1613ed5acaa4108bd97df9a37e75bcca63b5432c23e16a5dfb3d7929b3f4b966

SHA512
b456d8df02df38195647392b967fa0b3b8054e4407481c9528f253329ac3fa9c573156c20b9f6c20135207c610ba0caba20e535f9873c5e2dcb62542c9745f8f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
f8f15d0341029729f89d77bb9f07895a

SHA1
f0c4212665e08658eb18b521bb90b763670463b4

SHA256
563c9f425a209ca47c3c213b58d8f8b696d66add8d381b326e95075e1426be0b

SHA512
b5715935a1bcaccd0debbffdde53842eb7db51b6e0397c23ea8994ea0e5083173cfd52ee098dea1d3ee9b220fda15565c60df90049688e2e8ce74d14f5465137

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
d4ce53f9dc7181315ac0d8671c709847

SHA1
4de65d53e75eff34d49968988af14eb38f1035de

SHA256
2c22ffb5b95a3f97f9c1e168d000534680f49543088cdebf087aba0ac94bcb98

SHA512
d4f2b8302efe3c38706be9b0047cd163c20bf7b7d25162140bbd59fd8631ad227af3da3b97905f29c91c92b64b120d7eb015a89523a04a2f518fbca3fe3c1597

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
fdc4777775cc885448c70640245be34b

SHA1
fab7272f97962d7a56db6e1259e5ba725351e70b

SHA256
f3b65e82b28fe0c8b07595aa4a189f337a72c66516081be8397dd6ddbf766548

SHA512
ae3b5a98a24816e86bef83c2f4891e2b7ee40b69e4741ba6abc26ebd66ad41a89475813eff3a9c067d8c5994569e07d7130b1f0aa0918225a43c80096162da0a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json.bak

Filesize
1KB

MD5
f142085ccfcdc4e1bc50ebfe7ff93095

SHA1
49524a808ff05b9c874e92526cb147d8a4e55ec1

SHA256
73b59f52b3e42f200e307a4d6daf35569ffd78abe9d208a199d77daa1601191e

SHA512
13face1cfb6ef5c856aaa47f955132d39dd4364c6119c0361e608a6cff7d0ef5e9b55fca4bedfe00c785e7d0fdc16f12edfad47417aa4084a45c41bfddc29f6b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json.bak

Filesize
1KB

MD5
b03fbf794eb67e00b229f1d94b79e0d3

SHA1
63e1d61ecba5e951dcaba84a1cf36d7f41849761

SHA256
be244185df6e25e8c720e9ea0f31dfc02866f2303fe26e18f14ad7b0f1b3b8fb

SHA512
6af1880fc295889136636bdd30f795af7688c9a96188213570baf02012dfdbeb8cd8c9a0804b7eaea24b55271592f4c4c379bba2ef1d4cf4ba3c3b998ad5eb67

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json.bak

Filesize
1KB

MD5
d7fe518079bca1f13dad6d2cce10dda0

SHA1
8ab6fae954c371014ef3ed5b85a16cc9bbca1d2e

SHA256
b6cc608ddcb82945fce555453a994494894876e34c70cb947f5c50c1f848678d

SHA512
f29439416a0664eb7c630a526975433e7ceb093a5ac5d165659cd62573a687ec6f35b1c3269c1e8aa582211abc832a3c8bea7389e9d1d1906215352e7fe0ab2b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
652811a0ac61d16a1fd92cf477c909ac

SHA1
f4aaf45c19906e8b358263b9c9f51c802e0bf883

SHA256
952dbf8aa56936e65555dab82d56ecf30bdfbd9e8eafd7dcc88b9c4f10107aaf

SHA512
e6789ce6b056b158db50925178df150f23964975b323b6e68487e9c2933dac36dc20b78414de8d3946dbbe298b16428851288eb77494887a696415c7b44bdc4f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
ded7fdf61af998953cfe8d47dc3e21c2

SHA1
411381c94c45d0bbec34d5512b6dd76e2c5f4b5b

SHA256
c7761f3fc5333b2bfccfbe09b849c9b8b395227b29a4b94c1ddde9961a164ef3

SHA512
f12c2f7165fbbfb13090a19bdc5490f740cca7895f1d5e6221eb6d0d18872acbc803a06f432cdf35dd5c5c3d168b5624e6f138f7d8d5c95bc0477eb96edb46cc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
68c7d1725f0b73ca7ec3a429ddb3be9c

SHA1
c34a50bdbbbd3071bf99173d615e0a5c130b8826

SHA256
017ee7b302ee05c8853785420d98c9200cd59bc2437ff10387edf1b00a83e24e

SHA512
e0d9dccc187ba80ef4fc2e761c2a03b3b5d649600333a57336bbdf37afa5b4256c5c3e6cab955c522572ddd57829de3a374f14f7be2a69936f844d61928bd31d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
ba4bee6e5e19593417ed1ab94f5ee933

SHA1
7e563f8adffb7d229470b42ef768e70c917f1995

SHA256
4432feb3648cbf531bf8408d982f984633475342f7428348c08d66f9de364ad5

SHA512
88cda33130385717a42654126d4f1ab0395e521697b2aa51c7e1b6d1a18559f8916cc06b878abc15fa0b98e848cb8aa57621a9e0ab8bd64bb8935a505274bcc3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak

Filesize
1KB

MD5
56e56ef821c0a76f489740ff1019fba9

SHA1
9cf1f7b8063912890883b67f7e9423548fedb598

SHA256
2cb77bb9c0f71fbaed7da945f5e3f136c5ea9cb63650edb51a2ef6a232e7d938

SHA512
eb2a302671c39df805cafb827792e32d1ddc0bee6cc14eba53792d55c6c9dbe78484de46f69f86812cbb994c4aa55532f4fb1a3472e4a3347979661048258daf

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Actions.dll

Filesize
1.2MB

MD5
fc46e649ec6fb17f90f4efe5bed70d9e

SHA1
cd7513beccc0537fa03c411072672e55b99561d0

SHA256
eb3b44a9262c05365c2dacb4fd80e7d31c32fb72f81d7732e68fdc3adb49af46

SHA512
53d63ebe45d570ae859714c0f84bd127acbb7b39102da792c792ac91c5e1bb57cacaa9859487e2b9de4cac4d06dcafd35c5d9475f918e46bf2f37222c4c08169

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\BrowserSDKDLL.dll

Filesize
1.5MB

MD5
1f861d725fe7b6da91d659db1ef4d864

SHA1
ea2dae2ee0912e5d34215db9b61ae9e87e3c6e50

SHA256
b1cf91b5a36dcda6aad0377680292cd8981bb17478e575b745527e40898912ab

SHA512
2386e527c14472052b6bdb313da0ceaf44b673c112847bf194e6c7f25eeda276ecf416eab4037ef647c4ce9fa721c8cbae68aa82c3a04f0da45e18a8adc342a2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.nm

Filesize
337KB

MD5
d082eb09965b5b0aa0cb9fe0a5e2b9dc

SHA1
0b6e5120f55bd8ab978bafc5c1400a5a808503d3

SHA256
f070a7f5ecb5430133b990b5056e844a79b53dba2c46f3e2861a0d4bf4c15cb2

SHA512
27da864fd9bc164265d918edd506103440d1c1f0408dd0deba74f1d53a5c901975d18159088f15f54242a902a728ca3384764f6a49977e6e115290d7b9d71e62

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.sr

Filesize
1.8MB

MD5
d821e380ca4a1d7833e2330c9812926d

SHA1
361f49d473f30574a85b3535e8eb17a4ebabfd9f

SHA256
b2dcc77fd18872a45c65ba6c2d0cb66c2606068faa4d6c9113558010314b80f4

SHA512
9faa888af14425ea1a87f17ddccadad1259d9a0218026e9248b3ba8aeabddcad0f507d2e7903488c48a52afa32118ad8a20ab1ee3868f0425213031a6ea19dcd

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\ig.exe

Filesize
1.4MB

MD5
f3226bee7466a105d7a0d43b746cedad

SHA1
fb836a398bae63e6a9b131847017a7de9592ab9e

SHA256
a07d8df4cae1a30904c005477ebe7c8bfdb9ad715139a55a1faa45aa74d891f0

SHA512
6cac857ab462cf35b929eb5a8a7664613ea04cea16d83c14473f96ebc9df05e5b6ad39de5fcd9ca88bd15a39a283b380b343a38ea0721c56f88f0403f3f76a26

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rules.mbdb

Filesize
394KB

MD5
f642ee47e5e24bb556ed7971a6e1f0cf

SHA1
9463f1757174a4e25b527df85ae16a3f73b07bfa

SHA256
272c2c3e21bc5eb9d29bd9649c8d88a26543c1aab850b74b1d8c1573588a80d0

SHA512
dfb0102daeda1d4cad205f6f427bd73340d8e11d9fe479969de6f717a0ac8c033cec5291361ab7762d80ff5a98f98646f944ceb101d9cc7d0514a25bfb07e70a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dll

Filesize
528KB

MD5
f088a77cd4502564d8b7eb80c3e85144

SHA1
5045b3f33c6504a7db7844a93ea68b968fbac7f8

SHA256
db0ff1a6dba77aa30d4a18d2453c88f7a964bc2dc9cb53d4543c2916c18bc4c5

SHA512
5f7cd3a7666ffcc90186c1c0d31885b40d34a7d8d75b93695734a7fecfeffaab387cecda9b0528af45de8a8a9ebe8c2ffeaa31e01f0d16025ad98b9657cb76d2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\scan.mbdb

Filesize
371KB

MD5
d0b1b1297e4c91dcacbb13159b54ae69

SHA1
7f193584d15b4ddfd8d4b5082f3ef71b9f6bb917

SHA256
8a3cd7cc8df2a966ff4a4dd1fc78a7f447a60a5c6807e94e8932bb7cb59a5cd4

SHA512
399a7a92ff7a1dc41dd1d505a7beb53547127031a444da784b4cd0265915ab7cf90b620bdc7582e7d5cadf35ca5a180557418d03dc94c7fb18af53aa423799dd

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\wprot2.mbdb

Filesize
269KB

MD5
7b22d2a6fb997282948d82570db983d1

SHA1
b47cda350c9ea0737c3038b6524e9fc5fb1a0d00

SHA256
e2fa49ada75f995775555bac88b4a8fb538a828f25ab76359c48a96f440eb69e

SHA512
5163073f4c79ae3964ad72bdcc94e89ffc792f23d3ace2e7a3c3e0f18ed418d176a3ca334f4eb41551f18742e0d723f498896d5365db1f0b4c11110976b6626d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a5862a0ca86c0a4e8e0b30261858e1f

SHA1
ee490d28e155806d255e0f17be72509be750bf97

SHA256
92b4c004a9ec97ccf7a19955926982bac099f3b438cd46063bb9bf5ac7814a4b

SHA512
0089df12ed908b4925ba838e07128987afe1c9235097b62855122a03ca6d34d7c75fe4c30e68581c946b77252e7edf1dd66481e20c0a9cccd37e0a4fe4f0a6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.1MB

MD5
ebbbe0d4f05c691f3c702db6be87aa63

SHA1
d157166d0ab4fec1ede8aacda5e6401d57556b07

SHA256
741cb96e63ece07818188490a8b3c2db49b24d33c397bcfe5895a4c93564f6a0

SHA512
576a2a825d448fbe392f9a4342cd3cb07eb09b1d7b0af323839ee87cc1fc5bfd0d81a3d11632e28ad68697b793e130abedef1a01d1f3f44fe7919d652c8a964c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
847e6bb2bb25cd22642cb36506e4f741

SHA1
32787918365c2c4d78bb6456c376eb7a7ba27033

SHA256
0ae295f69bdca6bcfcb35b38561784daec8c0ae8bbc525a32c7c3fc9aff1481a

SHA512
e9fb9c3db78ffcef01125f36446f99530d6c4684a8dc0c1718a1bae1e258e0f984c4b3455e274c13f8f7e2d2e884fd60ee6de9b51fec2598d4e7b6eb8e919b88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
550B

MD5
f4fa622b8b23cfe821f58f44ca242b73

SHA1
676c63c9578a8af45ef0e3b57bafd3fef64970f1

SHA256
37a0ce80331cdbcf18e7e3c58bb545fa9bdf9db76f98688cbabe0873f8de00f6

SHA512
e2676055f51fa6cf50fc5437cdeff4e41477725b935c4c0e8e8d5e0730804e47520b02ec3ce976ede34abd6d17022696fc06faede14433f357040e82292d9d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
92bb150a266f5f2ff2f4ce0d1b09dff2

SHA1
7df0a40c3ae3ba755ae38c267593dedada9fee1c

SHA256
4cc025e4356057f6688f505e8d0d8df077d4b94057b4d96b392bd5f3dd39a88d

SHA512
071d7ab945b2881842f3d4797a384ec027ce4741b260c587842ced4c0a3d01056ba4c86c03a1547949bbd85a8c6dd7a595b0d66edaae1a9558fcc8445d0ae455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
408173f10267771412fc0fb8c57c37b5

SHA1
92dbb973ceba774e58022974a336ea11e65aa8cb

SHA256
034e12d5fd68fea2144a996d8f4f6428924bf455182b7691266fc823f48c9e9e

SHA512
49abf2d23db3e71d469e79bc10ef14af37ba0a20fedf18180ca727ec29377c3fc873ba69c1c6d97be41a246be86fee25e28df63549c94ff310a8e9f921c0ef73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dc275de1a439fddbb10ea4e6d2899240

SHA1
df3774e954a82c2e988d0d523194f17bbd4a407d

SHA256
8946f8c56f4f28cff1a1a1a2aa1f4ddc756a4a5e4d4a60d7ba01d51dde7d124a

SHA512
740dc54a3531375f5597f33fd300e22f3864d535b4997824a0d576d448e08dc745e2e0a09742640fca9fac5a3228f1d7e3e61a22adec0b0da9cbbcefc24b9a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
95264ccc6c002a247dc291fa0ebb66ba

SHA1
52790abb05cf545a1b63010d9ce091a38eab71f4

SHA256
2eaf72387851674f71ceaebddff06fdc5f18f82d97b208142f9ff71af81d3fca

SHA512
e6ac77f7539599ef7482eb46da196536938bd9beafd70489e99be2ef94915da33b5d950f432024e2210e25c9984db737851b5e135f28884ec3f2de478f709264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4eb5faaff2ef50d770fe0159aa334e2a

SHA1
b52e4713c436e791dabd8b3367852e8448e73f95

SHA256
8c1aa877f59d5fffdeed1bb52b5563c8ede9a399d528be5ed4857b99d33e8947

SHA512
c76db4d2a5f0f8bee84b778e06ad2b4ac4011707b6926d3fc152ce7f5cef0396941916bb2570c341012743da17df11e03df18ed8a1e018cb0af74866ea332c1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
52826cef6409f67b78148b75e442b5ea

SHA1
a675db110aae767f5910511751cc3992cddcc393

SHA256
98fc43994599573e7181c849e5865f23b4f05f85c1115dff53c58764d80373fb

SHA512
f18df18cab6b5ecd71b79c81a2a1fdac42cc9960f62f06ac25f4d6487792705f2766ee3a10239eaac940d090186e6bc820e4eb7a5ee138f6e5c1c64f951b960c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
536B

MD5
83053b74e2320fa850cfe244540e1fc2

SHA1
47728dd48b6b13d8dc3663c127d5f873859b56ae

SHA256
5154a2ca79533f377be496165cfdccc69afa36299999cf787c0dfe7943c89b5d

SHA512
7cf1648c2039f4a45e72a097cf229869d548704d179d6c18db8e1276c152d2dc250a41bb27d908d9b372b2883439e2b3487554f3b51db75cfe004cce72bde316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58aa06.TMP

Filesize
536B

MD5
216585a9a1af03f9c39124b9c69242b8

SHA1
c048d06d8cdef27b1990f6b62c8e3e5b8788f703

SHA256
a6a798917b63963b082be0c5b57e731fec57ff8b81b7ef2a14266bd7978df596

SHA512
762ca3047843f23a01503d3594880c979978f42dd985ca020562e2fd55590b9560cff4610ea7fd9dcfb4047c1e1efb12b42f2bff36e01f0effe4e6b831168b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2b73e9f447ccee9451d03f29dc22e485

SHA1
c1c7a42f7b44bd835174d8bc35e76e72540860cf

SHA256
ff36d53afab5b9d41f75562b8364048d007611c4fb47f3bd97602e80ee630944

SHA512
a817d27d620488a7566240292af8bb46d7e34e9861befbdb7a735b6b00e68066d8f140d0702bf9e280a1a651d326d3a928430bf5333338a04c878d2ea177c59f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
062cc89ce1c52418f8c82b95bc6512bf

SHA1
6cfff4b666aa59275e4e6c4d2bedfd7ef52a6ecb

SHA256
0bd921d15fbd3d83cb3785c804b094d851c2739900098bdca61afbc5d7f79153

SHA512
007c48687c163bdb40c51dd9e63eb6613de901a7508a229a7a2d0c72ebc3dcea050ce5d6435418a7155d29ff3cb8d6d10fcb19472c9eeb45ac0b8344fb25ab95

Download Submit
C:\Windows\Temp\MBInstallTemp1a5fe919c20611ee8f8cd2066d8f1295\7z.dll

Filesize
1.6MB

MD5
ab8f0c1a37c0df5c8924aab509db42c9

SHA1
53dba959124e6d740829bda2360e851bcb85cce8

SHA256
6e223b275b84d948cc5ae1f161f0bfff2adb34de04634c84d7dbe9305a4998d5

SHA512
ff8a26e8fd5a08c74e5ba93a564e0d3cd932754e7f06993a365bfad06670497889e69ec45bfba1378040b72f82d468e79682beba2439937bb29d2a41da940d4a

Download Submit
C:\Windows\Temp\MBInstallTemp1a5fe919c20611ee8f8cd2066d8f1295\ctlrpkg\mbae64.sys

Filesize
154KB

MD5
95515708f41a7e283d6725506f56f6f2

SHA1
9afc20a19db3d2a75b6915d8d9af602c5218735e

SHA256
321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6

SHA512
d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08

Download Submit
C:\Windows\Temp\MBInstallTemp1a5fe919c20611ee8f8cd2066d8f1295\dbclspkg\MBAMCoreV5.dll

Filesize
6.7MB

MD5
6781acf0373940d40b9529e30cd066e0

SHA1
92a5409f61692ccfb2f20eee7b99c30982334604

SHA256
7c1c3c0dbd5fb770a3abd43f65bac4f08eced79b75431e79b88f0b766d278a51

SHA512
14c1cc517282fd9f356949d4a00276534b84a8fbf3bb1fcb7d683aa46c311f12a6299b5c046a498724109b29f64bdd91f53d27baa2418dfc1c14df68f3a8171d

Download Submit
C:\Windows\Temp\MBInstallTemp1a5fe919c20611ee8f8cd2066d8f1295\servicepkg\MBAMService.exe

Filesize
9.0MB

MD5
732197b86b24b54d0c38ba4fc8cafd25

SHA1
a1431cba5eb0ec353586457bc39fd1af87801313

SHA256
dc803f356dc58973bae6b3e549fede269582426c8b9fcc3e69c06798ea8119ac

SHA512
6993d1eaaaa09a94982c54a6e5d1698fe251fcd8970c0f37b0cf8a9228758114427af2d9ec731e50c2a3490369568ecc0b5baf4dd4c572b05216be42a8fa6fd6

Download Submit
C:\Windows\Temp\MBInstallTemp1a5fe919c20611ee8f8cd2066d8f1295\servicepkg\mbamelam.cat

Filesize
10KB

MD5
60608328775d6acf03eaab38407e5b7c

SHA1
9f63644893517286753f63ad6d01bc8bfacf79b1

SHA256
3ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59

SHA512
9f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7

Download Submit
C:\Windows\Temp\MBInstallTemp1a5fe919c20611ee8f8cd2066d8f1295\servicepkg\mbamelam.inf

Filesize
2KB

MD5
c481ad4dd1d91860335787aa61177932

SHA1
81633414c5bf5832a8584fb0740bc09596b9b66d

SHA256
793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3

SHA512
d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830

Download Submit
C:\Windows\Temp\MBInstallTemp1a5fe919c20611ee8f8cd2066d8f1295\servicepkg\mbamelam.sys

Filesize
20KB

MD5
9e77c51e14fa9a323ee1635dc74ecc07

SHA1
a78bde0bd73260ce7af9cdc441af9db54d1637c2

SHA256
b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0

SHA512
a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186

Download Submit
C:\Windows\Temp\MBInstallTemp1a5fe919c20611ee8f8cd2066d8f1295\servicepkg\mbshlext.dll

Filesize
2.7MB

MD5
b7e5071b317550d93258f7e1e13e7b6f

SHA1
2d08d78a5c29cf724bc523530d1a9014642bbc60

SHA256
467de01d7cee7ec54166b80658ff22f9feebdb1c24eaf1629cf40e4124508064

SHA512
9c35293c95c1a9141740ac99315605964aa37c4a42d3a11cae9e5649ff1427a9480d3d5e7f763212cf13db3511c5ea3c84e68f95f0067fe6339a9d3fb7b27c54

Download Submit
C:\Windows\Temp\MBInstallTemp1a5fe919c20611ee8f8cd2066d8f1295\uipkg\QtQuick\Controls.2\HorizontalHeaderView.qml

Filesize
1KB

MD5
d8c9674c0e9bddbd8aa59a9d343cf462

SHA1
490aa022ac31ddce86d5b62f913b23fbb0de27c2

SHA256
1ef333b5fb4d8075973f312ef787237240b9f49f3f9185fb21202883f900e7d7

SHA512
0b86ec673133f6400c38b79f9ba4f7b37ce5afdab1a2e34acbf75019e2590cc26b26d323ddc1567c91375053c9c8593be0615389db8eb1a8d1eb084ad4200b82

Download Submit
C:\Windows\Temp\MBInstallTemp1a5fe919c20611ee8f8cd2066d8f1295\uipkg\QtQuick\Controls.2\Imagine\VerticalHeaderView.qml

Filesize
1KB

MD5
829769b2741d92df3c5d837eee64f297

SHA1
f61c91436ca3420c4e9b94833839fd9c14024b69

SHA256
489c02f8716e7a1de61834b3d8bbb61bce91ca4a33a6b62342b4c851d93e51e0

SHA512
4061c271db37523b9dea9a9973226d91337e1809d4e7767e57ac938d35d77a302363ed92ab4be18c35ba589f528194ad71c93a8507449bf74dd035acf7cdb521

Download Submit
memory/1520-2785-0x0000027584120000-0x0000027584121000-memory.dmp

Filesize
4KB

Download
memory/1520-2991-0x0000027584120000-0x0000027584121000-memory.dmp

Filesize
4KB

Download
memory/1520-2685-0x0000027584080000-0x0000027584081000-memory.dmp

Filesize
4KB

Download
memory/1520-2581-0x0000027584080000-0x0000027584081000-memory.dmp

Filesize
4KB

Download
memory/1520-2540-0x0000027584000000-0x0000027584001000-memory.dmp

Filesize
4KB

Download
memory/1520-2139-0x00000275FB370000-0x00000275FB380000-memory.dmp

Filesize
64KB

Download
memory/1520-2362-0x00000275FB3B0000-0x00000275FB3C0000-memory.dmp

Filesize
64KB

Download
memory/1520-3130-0x0000027584120000-0x0000027584121000-memory.dmp

Filesize
4KB

Download
memory/1520-2894-0x0000027584120000-0x0000027584121000-memory.dmp

Filesize
4KB

Download
memory/2032-4583-0x0000027310800000-0x0000027310DA4000-memory.dmp

Filesize
5.6MB

Download
memory/2032-5184-0x0000027310800000-0x0000027310DA4000-memory.dmp

Filesize
5.6MB

Download
memory/2032-4754-0x0000027310800000-0x0000027310DA4000-memory.dmp

Filesize
5.6MB

Download
memory/4420-4595-0x00007FFBF6520000-0x00007FFBF6A8B000-memory.dmp

Filesize
5.4MB

Download
memory/4420-4593-0x00007FF6F96F0000-0x00007FF6FADB4000-memory.dmp

Filesize
22.8MB

Download
memory/4420-4596-0x000001F570BB0000-0x000001F570BC0000-memory.dmp

Filesize
64KB

Download
memory/4420-4594-0x00007FFBF9E70000-0x00007FFBFA28E000-memory.dmp

Filesize
4.1MB

Download
memory/4420-5145-0x000001F570BB0000-0x000001F570BC0000-memory.dmp

Filesize
64KB

Download
memory/4460-4590-0x0000019ADBB00000-0x0000019ADBD00000-memory.dmp

Filesize
2.0MB

Download
memory/4460-4588-0x0000019ADB6C0000-0x0000019ADBB00000-memory.dmp

Filesize
4.2MB

Download
memory/4460-4587-0x0000019AD90F0000-0x0000019AD9100000-memory.dmp

Filesize
64KB

Download
memory/4460-4586-0x00007FFBF6520000-0x00007FFBF6A8B000-memory.dmp

Filesize
5.4MB

Download
memory/4460-4585-0x00007FFBF9E70000-0x00007FFBFA28E000-memory.dmp

Filesize
4.1MB

Download
memory/5440-5049-0x00007FFBF9E70000-0x00007FFBFA28E000-memory.dmp

Filesize
4.1MB

Download
memory/5440-5050-0x00007FFBF6520000-0x00007FFBF6A8B000-memory.dmp

Filesize
5.4MB

Download