wannacry | a7c02c784c49253d6272d33cc2b5e3a5e59222fb81525e9e152fce8b21da2d24

Analysis

max time kernel
797s
max time network
752s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
14/05/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

log.txt
Size

349B
MD5

afafba9827d8dce0007c2daa54737fce
SHA1

5868580dc513db7429aed5fe779f1cd742764c95
SHA256

a7c02c784c49253d6272d33cc2b5e3a5e59222fb81525e9e152fce8b21da2d24
SHA512

7d3dcc99af48853204ff6975aec4bed01363529c2474b26434a0fc092c48b5ed6922c20e684ccca0a5e06ed6f0a4f3b0b7fec6ccc619b788fb46e8a9479cc1f6

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"	MBAMService.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Downloads MZ/PE file

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\mbamswissarmy.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\MbamChameleon.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\mbam.sys	MBAMService.exe
File created	C:\Windows\system32\drivers\mbae64.sys	MBAMInstallerService.exe
File created	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\mwac.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\farflt11.sys	MBAMService.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mbamchameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	MBAMService.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mbupdatrV5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mbupdatrV5.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7233.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD723A.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 64 IoCs

pid	Process
1868	Sandboxie-Plus-x64-v1.13.7.exe
2388	Sandboxie-Plus-x64-v1.13.7.tmp
240	KmdUtil.exe
4516	KmdUtil.exe
2044	UpdUtil.exe
5312	KmdUtil.exe
5328	SbieSvc.exe
700	Start.exe
5812	SbieSvc.exe
5832	SbieSvc.exe
5956	SbieSvc.exe
5204	SbieSvc.exe
5752	SbieSvc.exe
5620	SbieSvc.exe
5420	SbieSvc.exe
3044	SbieSvc.exe
5868	SbieSvc.exe
5572	SbieSvc.exe
5344	SbieSvc.exe
3360	SandMan.exe
1688	kmdutil.exe
6024	SbieSvc.exe
5280	SandMan.exe
1832	kmdutil.exe
1420	SbieSvc.exe
1072	taskdl.exe
3560	@[email protected]
3676	@[email protected]
4072	@[email protected]
2284	taskdl.exe
3960	taskse.exe
4784	@[email protected]
928	taskdl.exe
4144	taskse.exe
4832	@[email protected]
2188	MBSetup.exe
5480	taskdl.exe
5976	taskse.exe
3212	@[email protected]
2108	MBSetup.exe
2328	MBAMInstallerService.exe
5316	taskse.exe
3096	@[email protected]
4060	taskdl.exe
5080	MBVpnTunnelService.exe
2320	MBAMService.exe
6032	MBAMService.exe
6400	Malwarebytes.exe
6684	taskse.exe
6680	@[email protected]
6712	taskdl.exe
6340	ig.exe
6468	ig.exe
6644	ig.exe
6612	ig.exe
6312	ig.exe
3456	ig.exe
6548	ig.exe
3600	ig.exe
1524	ig.exe
5952	ig.exe
4624	ig.exe
6536	ig.exe
4568	taskse.exe

Loads dropped DLL 64 IoCs

pid	Process
240	KmdUtil.exe
4516	KmdUtil.exe
5312	KmdUtil.exe
5328	SbieSvc.exe
700	Start.exe
5812	SbieSvc.exe
5832	SbieSvc.exe
5956	SbieSvc.exe
5204	SbieSvc.exe
5752	SbieSvc.exe
5620	SbieSvc.exe
5420	SbieSvc.exe
3044	SbieSvc.exe
5868	SbieSvc.exe
5572	SbieSvc.exe
5344	SbieSvc.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
1688	kmdutil.exe
6024	SbieSvc.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
1832	kmdutil.exe
1420	SbieSvc.exe
2328	MBAMInstallerService.exe
2328	MBAMInstallerService.exe
2328	MBAMInstallerService.exe
5080	MBVpnTunnelService.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4524	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ThreadingModel = "Apartment"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbshlext.dll"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32	MBAMService.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cclepenvruuyp180 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	MBAMInstallerService.exe
File opened (read-only)	\??\N:	MBAMInstallerService.exe
File opened (read-only)	\??\Y:	MBAMInstallerService.exe
File opened (read-only)	\??\J:	MBAMService.exe
File opened (read-only)	\??\N:	MBAMService.exe
File opened (read-only)	\??\E:	MBAMInstallerService.exe
File opened (read-only)	\??\J:	MBAMInstallerService.exe
File opened (read-only)	\??\Z:	MBAMInstallerService.exe
File opened (read-only)	\??\V:	MBAMService.exe
File opened (read-only)	\??\H:	MBAMInstallerService.exe
File opened (read-only)	\??\V:	MBAMInstallerService.exe
File opened (read-only)	\??\X:	MBAMInstallerService.exe
File opened (read-only)	\??\K:	MBAMService.exe
File opened (read-only)	\??\R:	MBAMService.exe
File opened (read-only)	\??\S:	MBAMService.exe
File opened (read-only)	\??\U:	MBAMService.exe
File opened (read-only)	\??\X:	MBAMService.exe
File opened (read-only)	\??\L:	MBAMInstallerService.exe
File opened (read-only)	\??\O:	MBAMInstallerService.exe
File opened (read-only)	\??\Q:	MBAMService.exe
File opened (read-only)	\??\G:	MBAMService.exe
File opened (read-only)	\??\Z:	MBAMService.exe
File opened (read-only)	\??\B:	MBAMInstallerService.exe
File opened (read-only)	\??\S:	MBAMInstallerService.exe
File opened (read-only)	\??\T:	MBAMInstallerService.exe
File opened (read-only)	\??\U:	MBAMInstallerService.exe
File opened (read-only)	\??\Y:	MBAMService.exe
File opened (read-only)	\??\E:	MBAMService.exe
File opened (read-only)	\??\H:	MBAMService.exe
File opened (read-only)	\??\I:	MBAMService.exe
File opened (read-only)	\??\L:	MBAMService.exe
File opened (read-only)	\??\O:	MBAMService.exe
File opened (read-only)	\??\P:	MBAMService.exe
File opened (read-only)	\??\T:	MBAMService.exe
File opened (read-only)	\??\A:	MBAMInstallerService.exe
File opened (read-only)	\??\P:	MBAMInstallerService.exe
File opened (read-only)	\??\Q:	MBAMInstallerService.exe
File opened (read-only)	\??\R:	MBAMInstallerService.exe
File opened (read-only)	\??\W:	MBAMInstallerService.exe
File opened (read-only)	\??\A:	MBAMService.exe
File opened (read-only)	\??\B:	MBAMService.exe
File opened (read-only)	\??\M:	MBAMService.exe
File opened (read-only)	\??\W:	MBAMService.exe
File opened (read-only)	\??\G:	MBAMInstallerService.exe
File opened (read-only)	\??\I:	MBAMInstallerService.exe
File opened (read-only)	\??\K:	MBAMInstallerService.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\e2xw10x64.inf_amd64_04c2ae40613a06ff\e2xw10x64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_bccd4c0a924862b1\netrndis.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mbtun.inf_amd64_add82795013a7c3b\mbtun.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane.inf_amd64_35c52a008b0fba12\netrtwlane.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbncm.inf_amd64_6686e5d9c8b063ef\usbncm.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_5d63c7bcbf29107f\netr28x.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_e92c5a65e41993f9\net9500-x64-n650f.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwbw02.inf_amd64_1c4077fa004e73b4\netwbw02.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_1f949c30555f4111\netmyk64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlanu.inf_amd64_1815bafd14dc59f0\netrtwlanu.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\netwew00.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netsstpa.inf_amd64_8a3d09c4ce3bae33\netsstpa.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rtwlanu_oldic.inf_amd64_1a82423cc076e882\rtwlanu_oldic.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_bfb9fd6f3a078899\netvwifimp.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\athw8x.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_a31306bfdf7135b0\bthpan.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_C92678066E2B4B4986BC7641EEC08637	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77FBC64BA73370EC2F659BAD977FF2AD_9767A5403B067D539A02E2AD0F3C2C4A	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbxnd0a.inf_amd64_777881a2c4c0272c\netbxnd0a.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netjme.inf_amd64_752bf22f1598bb7e\netjme.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\229169D96B9C20761B929D428962A0A2_FC65190A8D1232A1711F16F9F20C5149	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netelx.inf_amd64_7812e4e45c4a5eb1\netelx.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ykinx64.inf_amd64_0bbd8466b526ef26\ykinx64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usb4p2pnetadapter.inf_amd64_a9fd59ce64f17c8a\usb4p2pnetadapter.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rtucx21x64.inf_amd64_d70642620058e2a4\rtucx21x64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\netmlx4eth63.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4\netv1x64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_153e01d761813df2\netwew01.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netavpna.inf_amd64_b98aa91c766be0ea\netavpna.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rndiscmp.inf_amd64_04b60d124553a40f\rndiscmp.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\38D10539991D1B84467F968981C3969D_C92678066E2B4B4986BC7641EEC08637	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwtw10.inf_amd64_3b49c2812809f919\netwtw10.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwtw06.inf_amd64_2edd50e7a54d503b\netwtw06.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_749854ac3f28f846\msux64w10.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_220db23f5419ea8d\netathrx.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mwlu97w8x64.inf_amd64_23bc3dc6d91eebdc\mwlu97w8x64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_b96cdf411c43c00c\netbc64.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b1f0fc0f-366e-ca4a-b733-f08b2679bc4a}\mbtun.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_0D0888CE7AC1F2D5AD77780722B1FE14	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0E447C3E79584EC91182C66BBD2DB7	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_2E01D413E600DA01958BFB19A6EF6010	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21EA03E12A6F9D076B6BC3318EA9363E_6EF0095DA824AE045AE9FC5B645DF095	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_e4cbe375963a69e9\netl160a.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwtw02.inf_amd64_42e02bae858d0fbd\netwtw02.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_3aa3e69e968123a7\wceisvista.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165	MBAMService.exe
File opened for modification	C:\Windows\System32\ocudno.exe	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5F26A2159BA21EA573A1C5E3DE2CF211_E3375A509D9058F6A8FFB74D3B4E6F77	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_af58b4e19562a3f9\nete1g3e.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8192su64.inf_amd64_66c8bfc7a4b1feed\net8192su64.PNF	MBVpnTunnelService.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-crt-environment-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ko\ReachFramework.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hans\PresentationFramework.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\System.Windows.Input.Manipulations.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-crt-time-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Runtime.Handles.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\PresentationCore.dll	MBAMInstallerService.exe
File created	C:\Program Files\Sandboxie-Plus\is-HF1A8.tmp	Sandboxie-Plus-x64-v1.13.7.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.IO.FileSystem.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ru\System.Windows.Forms.Primitives.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\MbamUI.Core.dll	MBAMInstallerService.exe
File created	C:\Program Files\Sandboxie-Plus\is-0T5SF.tmp	Sandboxie-Plus-x64-v1.13.7.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-file-l2-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\SwissarmyShim.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Formats.Asn1.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Transactions.dll	MBAMInstallerService.exe
File created	C:\Program Files\Sandboxie-Plus\is-3OF5H.tmp	Sandboxie-Plus-x64-v1.13.7.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe	MBSetup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-sysinfo-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Buffers.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\System.Configuration.ConfigurationManager.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Microsoft.Extensions.DependencyInjection.Abstractions.dll	MBAMInstallerService.exe
File created	C:\Program Files\Sandboxie-Plus\is-02L4C.tmp	Sandboxie-Plus-x64-v1.13.7.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\Microsoft.DiaSymReader.Native.amd64.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.IO.FileSystem.Primitives.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\pt-BR\PresentationCore.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.IO.FileSystem.AccessControl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Security.Principal.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.UI.Controls.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Security.Cryptography.Algorithms.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\pl\System.Windows.Forms.Primitives.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\System.Management.dll	MBAMInstallerService.exe
File created	C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sdk\mbam.sys	MBAMService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Net.ServicePoint.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-crt-stdio-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ja\System.Windows.Forms.Primitives.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Microsoft.Extensions.DependencyModel.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Runtime.Serialization.Json.dll	MBAMInstallerService.exe
File opened for modification	C:\Program Files\Sandboxie-Plus\msvcp140_1.dll	Sandboxie-Plus-x64-v1.13.7.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Threading.Timer.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\MBAMCrashHandler.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\it\System.Windows.Forms.Primitives.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.UI.Style.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-synch-l1-2-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Runtime.CompilerServices.VisualC.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Runtime.InteropServices.dll	MBAMInstallerService.exe
File created	C:\Program Files\Sandboxie-Plus\is-040QA.tmp	Sandboxie-Plus-x64-v1.13.7.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\Microsoft.Win32.Primitives.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt11.inf	MBAMService.exe
File created	C:\Program Files\Sandboxie-Plus\is-GRFIR.tmp	Sandboxie-Plus-x64-v1.13.7.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\msquic.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\fr\ReachFramework.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\VPNControllerImpl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\fr\System.Windows.Forms.Primitives.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\de\Microsoft.VisualBasic.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\fr\PresentationFramework.resources.dll	MBAMInstallerService.exe
File opened for modification	C:\Program Files\Sandboxie-Plus\MiscHelpers.dll	Sandboxie-Plus-x64-v1.13.7.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Text.Encoding.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ja\PresentationFramework.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\pt-BR\WindowsBase.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Security.Cryptography.OpenSsl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\fr\WindowsBase.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\System.Text.Encodings.Web.dll	MBAMInstallerService.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	MBVpnTunnelService.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 32 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1400	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Malwarebytes.exe = "11000"	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mbupdatrV5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E298372C-5B10-42B4-B44C-7B85EA0722A3}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00A73BC0-754E-44E1-B190-D59E187A5EA1}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{090D2E82-C71B-414E-AF6A-6681A92FF2B3}\ = "IRTPControllerV7"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99E6F3FE-333C-462C-8C39-BC27DCA4A80E}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D448EF3-7261-4C0C-909C-6D56043C259D}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECDAC35E-72BB-4856-97E1-226BA47C62C5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59E42E77-5F19-4602-A559-3FFA9EE51202}\ = "ILinkerEventHandler"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{332AFEBA-9341-4CEC-8EA6-DB155A99DF63}\1.0\FLAGS	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{767D2042-D2F6-4BAA-B30E-00E0CD4015BD}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}\1.0\FLAGS	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MBAMExt.MBAMShlExt.1\CLSID	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{748A86D4-7EDF-41EF-A1EF-9582643B1C9F}\ = "IScanParametersV11"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{239C7555-993F-4071-9081-D2AE0B590D63}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0B14402F-4F35-443E-A34E-0F511098C644}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D57ACF19-30E3-4B7E-BCDD-6EEB8E57AF27}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E32ABD9A-1CBD-44A5-8A62-55D347D3C4F0}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17A7CC72-3288-442A-ABE8-F8E049B3BE83}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED06E075-D1FD-4635-BA17-2F6D6BB0DFD6}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MBAMExt.MBAMShlExt.1	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\VersionIndependentProgID\ = "MB.MWACController"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F49090F8-7DC6-4CBC-893A-C1B3DCF88D87}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EC225D5-FD37-4F9B-B80F-09FAE36103AE}\ = "IMWACControllerV2"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9AE95CF-6463-415A-94AC-F895D0962D30}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FFBD938D-3ABA-4895-97EF-5A0BDF7AC07D}\TypeLib\ = "{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A583D5DD-F005-4D17-B564-5B594BB58339}\TypeLib\ = "{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\ = "MBAMServiceController Class"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\ = "LicenseController Class"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A0F9375-1809-45ED-AFE0-92852B971139}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F2D6C4F-0B95-4A53-BA9D-55526737DC34}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{638A43D2-5475-424B-87B8-042109D7768F}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A583D5DD-F005-4D17-B564-5B594BB58339}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FB586AB4-56F2-4EFA-9756-EE9A399B44DE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\Programmable	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABC1D1AF-23ED-4483-BDA4-90BCC21DFBDB}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC5390D0-3831-4D42-BD1D-8151A5A1742C}\ = "IScanControllerEvents"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD3CFEBD-3B8E-4651-BB7C-537D1F03E59C}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237E618C-D739-4C8A-9F72-5CD4EF91CBE5}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FB586AB4-56F2-4EFA-9756-EE9A399B44DE}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F927AD37-BA5F-4B86-AE22-FE2371B12955}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B471ACFB-E67A-4BE9-A328-F6A906DDDEAA}\ = "INormalScanParameters"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83D0C30B-ECF4-40C5-80EC-21BB47F898A9}\ = "IRTPControllerV3"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00A73BC0-754E-44E1-B190-D59E187A5EA1}\ = "ICleanControllerV2"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53260A87-5F77-4449-95F1-77A210A2A6D8}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MBAMExt.MBAMShlExt\CurVer\ = "MBAMExt.MBAMShlExt.1"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3B74800-4C27-4692-BC00-5AE37FA118E4}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CE94D34-A1E4-4FA8-BEDC-6A32683B85F5}\TypeLib\ = "{2446F405-83F0-460F-B837-F04540BB330C}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E0F1EE6-E7CA-4BEE-8C08-0959842DA615}\ = "IMBAMServiceControllerV7"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DB6AD16-564C-451A-A173-0F31A62B7A4D}\ = "IScanControllerV2"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AEBAD20-B80A-427D-B7D5-D2983291132E}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0CEAFA7-4F65-418C-8A61-92B2048115EE}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA6C70E7-6A6D-4F4A-99BF-C8B375CB7E0C}\ = "ILinker"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25321640-5EF1-4095-A0DA-30DE19699441}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MBAMExt.MBAMShlExt.1\CLSID\ = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9AE95CF-6463-415A-94AC-F895D0962D30}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3D482C3-B037-469B-9C35-2EF7F81C5BED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{309BE0D9-B4CA-4610-B250-26CC9CDE7186}\ = "IRTPControllerV15"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7DD05E6E-FF07-4CD3-A7BA-200BEC812A5C}\ = "IAEControllerV5"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BA2811A-EE5B-44DF-81CD-C75BB11A82D4}\ = "IAEControllerEventsV4"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E64B3CF-7D56-4F76-8B9F-A6CD0D3393AE}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44AC1571-055F-4CC8-B7D8-EA022C4CC112}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{32DF4C97-FE35-41AA-B18F-583AA53723A3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E03FDF96-969E-4700-844D-7F754F1657EF}\TypeLib\Version = "1.0"	MBAMService.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2544	reg.exe

Modifies system certificate store 2 TTPs 30 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa20f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MBAMInstallerService.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe\:Zone.Identifier:$DATA	MBAMInstallerService.exe
File created	C:\Users\Admin\Downloads\Sandboxie-Plus-x64-v1.13.7.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\RANSOMWARE-WANNACRY-2.0-master.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MBSetup.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3892	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
3360	SandMan.exe
5280	SandMan.exe
6440	SandMan.exe
6516	vlc.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2388	Sandboxie-Plus-x64-v1.13.7.tmp
2388	Sandboxie-Plus-x64-v1.13.7.tmp
2188	MBSetup.exe
2188	MBSetup.exe
2328	MBAMInstallerService.exe
2328	MBAMInstallerService.exe
2328	MBAMInstallerService.exe
2328	MBAMInstallerService.exe
2328	MBAMInstallerService.exe
2328	MBAMInstallerService.exe
2328	MBAMInstallerService.exe
2328	MBAMInstallerService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6400	Malwarebytes.exe
6400	Malwarebytes.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
6032	MBAMService.exe
396	taskhsvc.exe
396	taskhsvc.exe
396	taskhsvc.exe
396	taskhsvc.exe
396	taskhsvc.exe
396	taskhsvc.exe
6032	MBAMService.exe
6032	MBAMService.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3360	SandMan.exe
5280	SandMan.exe
7016	msinfo32.exe
6516	vlc.exe

Suspicious behavior: LoadsDriver 26 IoCs

pid	Process
5328	SbieSvc.exe
5812	SbieSvc.exe
5832	SbieSvc.exe
5956	SbieSvc.exe
5204	SbieSvc.exe
5752	SbieSvc.exe
5620	SbieSvc.exe
5420	SbieSvc.exe
3044	SbieSvc.exe
5868	SbieSvc.exe
5572	SbieSvc.exe
5344	SbieSvc.exe
6024	SbieSvc.exe
1420	SbieSvc.exe
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5052	firefox.exe
Token: SeDebugPrivilege	5052	firefox.exe
Token: SeDebugPrivilege	5052	firefox.exe
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeDebugPrivilege	2388	Sandboxie-Plus-x64-v1.13.7.tmp
Token: SeBackupPrivilege	5328	SbieSvc.exe
Token: SeRestorePrivilege	5328	SbieSvc.exe
Token: SeDebugPrivilege	5052	firefox.exe
Token: SeDebugPrivilege	5052	firefox.exe
Token: SeDebugPrivilege	5052	firefox.exe
Token: SeBackupPrivilege	5812	SbieSvc.exe
Token: SeRestorePrivilege	5812	SbieSvc.exe
Token: SeBackupPrivilege	5832	SbieSvc.exe
Token: SeRestorePrivilege	5832	SbieSvc.exe
Token: SeBackupPrivilege	5956	SbieSvc.exe
Token: SeRestorePrivilege	5956	SbieSvc.exe
Token: SeBackupPrivilege	5204	SbieSvc.exe
Token: SeRestorePrivilege	5204	SbieSvc.exe
Token: SeBackupPrivilege	5752	SbieSvc.exe
Token: SeRestorePrivilege	5752	SbieSvc.exe
Token: SeBackupPrivilege	5620	SbieSvc.exe
Token: SeRestorePrivilege	5620	SbieSvc.exe
Token: SeBackupPrivilege	5420	SbieSvc.exe
Token: SeRestorePrivilege	5420	SbieSvc.exe
Token: SeBackupPrivilege	3044	SbieSvc.exe
Token: SeRestorePrivilege	3044	SbieSvc.exe
Token: SeBackupPrivilege	5868	SbieSvc.exe
Token: SeRestorePrivilege	5868	SbieSvc.exe
Token: SeBackupPrivilege	5572	SbieSvc.exe
Token: SeRestorePrivilege	5572	SbieSvc.exe
Token: SeBackupPrivilege	5344	SbieSvc.exe
Token: SeRestorePrivilege	5344	SbieSvc.exe
Token: SeBackupPrivilege	6024	SbieSvc.exe
Token: SeRestorePrivilege	6024	SbieSvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
2388	Sandboxie-Plus-x64-v1.13.7.tmp
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
3360	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe
5280	SandMan.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
5052	firefox.exe
3560	@[email protected]
3560	@[email protected]
3676	@[email protected]
4072	@[email protected]
4784	@[email protected]
4832	@[email protected]
4684	firefox.exe
4684	firefox.exe
4684	firefox.exe
4684	firefox.exe
2188	MBSetup.exe
3212	@[email protected]
4684	firefox.exe
4684	firefox.exe
4684	firefox.exe
2108	MBSetup.exe
3096	@[email protected]
6680	@[email protected]
3608	@[email protected]
6292	@[email protected]
2184	@[email protected]
5560	@[email protected]
2104	@[email protected]
6516	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 3892	1324	cmd.exe	79
PID 1324 wrote to memory of 3892	1324	cmd.exe	79
PID 3936 wrote to memory of 5052	3936	firefox.exe	83
PID 3936 wrote to memory of 5052	3936	firefox.exe	83
PID 3936 wrote to memory of 5052	3936	firefox.exe	83
PID 3936 wrote to memory of 5052	3936	firefox.exe	83
PID 3936 wrote to memory of 5052	3936	firefox.exe	83
PID 3936 wrote to memory of 5052	3936	firefox.exe	83
PID 3936 wrote to memory of 5052	3936	firefox.exe	83
PID 3936 wrote to memory of 5052	3936	firefox.exe	83
PID 3936 wrote to memory of 5052	3936	firefox.exe	83
PID 3936 wrote to memory of 5052	3936	firefox.exe	83
PID 3936 wrote to memory of 5052	3936	firefox.exe	83
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 4724	5052	firefox.exe	84
PID 5052 wrote to memory of 2544	5052	firefox.exe	85
PID 5052 wrote to memory of 2544	5052	firefox.exe	85
PID 5052 wrote to memory of 2544	5052	firefox.exe	85
PID 5052 wrote to memory of 2544	5052	firefox.exe	85
PID 5052 wrote to memory of 2544	5052	firefox.exe	85
PID 5052 wrote to memory of 2544	5052	firefox.exe	85
PID 5052 wrote to memory of 2544	5052	firefox.exe	85
PID 5052 wrote to memory of 2544	5052	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5592	attrib.exe
5484	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\log.txt
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\log.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.0.58760213\1621223390" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7966b711-c78e-4aca-99b8-73a46e785bd9} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 1848 22c520b0e58 gpu
    3⤵
    PID:4724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.1.31733007\233807005" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2348 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {919a6960-a090-4ccd-a723-b9c64549f8eb} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 2372 22c45285958 socket
    3⤵
    - Checks processor information in registry
    PID:2544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.2.214203098\161776479" -childID 1 -isForBrowser -prefsHandle 2760 -prefMapHandle 2688 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f29f967e-6986-4f68-a00b-7b88176bdc37} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 2860 22c549e1e58 tab
    3⤵
    PID:3592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.3.425898895\322027127" -childID 2 -isForBrowser -prefsHandle 2524 -prefMapHandle 2512 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {535b3840-ae2d-43d9-9b0c-578c4afb5536} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 3504 22c5757b358 tab
    3⤵
    PID:1100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.4.1462224043\561759253" -childID 3 -isForBrowser -prefsHandle 5104 -prefMapHandle 5088 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13dcf3a1-6bf1-486d-a3c0-01a68dd97a93} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 5072 22c5a273858 tab
    3⤵
    PID:2084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.5.422541391\1334635005" -childID 4 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57969970-c2b3-4165-9251-c8a126b5be20} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 5204 22c5a273e58 tab
    3⤵
    PID:4068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.6.1627020138\1550407787" -childID 5 -isForBrowser -prefsHandle 5400 -prefMapHandle 5404 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45d8c66a-b8f3-403d-ad54-0d88817dbc2f} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 5392 22c5a273b58 tab
    3⤵
    PID:656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.7.794812923\636641098" -childID 6 -isForBrowser -prefsHandle 2628 -prefMapHandle 5236 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cbb2a30-61b2-4722-a56d-291f6a846782} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 5096 22c4523f758 tab
    3⤵
    PID:3700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.8.1945716713\1353181544" -childID 7 -isForBrowser -prefsHandle 6096 -prefMapHandle 6068 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9688f938-3330-4eb8-b30c-fe2d6bcb31b5} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 6100 22c5b7e5758 tab
    3⤵
    PID:3712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.9.353121257\1244354888" -childID 8 -isForBrowser -prefsHandle 5212 -prefMapHandle 5284 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec16dc77-7936-4d46-8a22-c5118864dfa2} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 5196 22c597a3258 tab
    3⤵
    PID:1168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.10.78172150\1610831286" -childID 9 -isForBrowser -prefsHandle 5080 -prefMapHandle 4988 -prefsLen 28039 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8541c1a8-8e5c-447d-a52f-de2d50641a66} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 5608 22c5bd66758 tab
    3⤵
    PID:4616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.11.1573093558\1674990809" -childID 10 -isForBrowser -prefsHandle 5420 -prefMapHandle 5132 -prefsLen 28039 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b333873e-7f57-4239-903c-c63602f086cc} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 5288 22c597a3258 tab
    3⤵
    PID:3784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.12.562639594\1827101136" -childID 11 -isForBrowser -prefsHandle 9924 -prefMapHandle 3720 -prefsLen 28039 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80d46bd3-c777-48c2-9b9a-1ba7d5747f25} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 9916 22c5a24e158 tab
    3⤵
    PID:2088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.13.1946613456\1344271390" -childID 12 -isForBrowser -prefsHandle 9772 -prefMapHandle 9764 -prefsLen 28039 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c56ad385-e8bf-4899-8ce2-3bedf42829eb} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 9780 22c5c349858 tab
    3⤵
    PID:1440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.14.593232246\1879242980" -childID 13 -isForBrowser -prefsHandle 5364 -prefMapHandle 5352 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b0da2a1-6f12-4cad-890c-4d5ddf3aabec} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 9632 22c597a3258 tab
    3⤵
    PID:2104
- - C:\Users\Admin\Downloads\Sandboxie-Plus-x64-v1.13.7.exe
    "C:\Users\Admin\Downloads\Sandboxie-Plus-x64-v1.13.7.exe"
    3⤵
    - Executes dropped EXE
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\is-31HVA.tmp\Sandboxie-Plus-x64-v1.13.7.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-31HVA.tmp\Sandboxie-Plus-x64-v1.13.7.tmp" /SL5="$7022E,20081407,791552,C:\Users\Admin\Downloads\Sandboxie-Plus-x64-v1.13.7.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2388
    - - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /IM Sandman.exe /IM SbieCtrl.exe /IM Start.exe /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
    - - C:\Program Files\Sandboxie-Plus\KmdUtil.exe
        
        "C:\Program Files\Sandboxie-Plus\KmdUtil.exe" install SbieDrv "C:\Program Files\Sandboxie-Plus\SbieDrv.sys" type=kernel start=demand msgfile="C:\Program Files\Sandboxie-Plus\SbieMsg.dll" altitude=86900
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:240
    - - C:\Program Files\Sandboxie-Plus\KmdUtil.exe
        
        "C:\Program Files\Sandboxie-Plus\KmdUtil.exe" install SbieSvc "C:\Program Files\Sandboxie-Plus\SbieSvc.exe" type=own start=auto msgfile="C:\Program Files\Sandboxie-Plus\SbieMsg.dll" display="Sandboxie Service" group=UIGroup
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4516
    - - C:\Program Files\Sandboxie-Plus\UpdUtil.exe
        
        "C:\Program Files\Sandboxie-Plus\UpdUtil.exe" install sandboxie-plus /embedded /scope:meta /version:1.13.7
        5⤵
        Executes dropped EXE
        
        PID:2044
    - - C:\Program Files\Sandboxie-Plus\KmdUtil.exe
        
        "C:\Program Files\Sandboxie-Plus\KmdUtil.exe" start SbieSvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5312
    - - C:\Program Files\Sandboxie-Plus\Start.exe
        
        "C:\Program Files\Sandboxie-Plus\Start.exe" open_agent:sandman.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.15.1753881630\467863413" -childID 14 -isForBrowser -prefsHandle 5280 -prefMapHandle 6388 -prefsLen 28280 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dedd2dfc-e307-4d1d-ba5d-5e8166275095} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 5416 22c53e3b758 tab
    3⤵
    PID:2724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5176

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5328

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5832

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5956

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5204

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5752

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5620

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5420

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5868

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5572

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5344

C:\Program Files\Sandboxie-Plus\SandMan.exe
"C:\Program Files\Sandboxie-Plus\SandMan.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3360
- C:\Program Files\Sandboxie-Plus\kmdutil.exe
  kmdutil.exe start SbieSvc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1688
- C:\Program Files\Sandboxie-Plus\SandMan.exe
  "C:\Program Files\Sandboxie-Plus\SandMan.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5280
- - C:\Program Files\Sandboxie-Plus\kmdutil.exe
    kmdutil.exe start SbieSvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1832

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:6024

C:\Program Files\Sandboxie-Plus\SbieSvc.exe
"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
PID:1420

C:\Users\Admin\Downloads\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Downloads\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:5864
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:5592
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4524
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 22971715729739.bat
  2⤵
  PID:4556
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:1576
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:5484
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:5000
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4072
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cclepenvruuyp180" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
  2⤵
  PID:2940
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cclepenvruuyp180" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2544
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4832
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5480
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5976
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3212
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5316
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3096
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:6684
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6680
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:6712
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3608
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  PID:5548
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  PID:6244
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:6292
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  PID:2236
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  PID:7120
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2184
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  PID:5020
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  PID:4972
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5560
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  PID:6724
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  PID:6180
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2104
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  PID:6664

C:\Users\Admin\Downloads\@[email protected]
"C:\Users\Admin\Downloads\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:3560
- C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
  TaskData\Tor\taskhsvc.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1940
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:4684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4684.0.1468708940\736468057" -parentBuildID 20230214051806 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 18527 -prefMapSize 233208 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8be5431-45c5-4c03-bcf1-98b7aa026458} 4684 "\\.\pipe\gecko-crash-server-pipe.4684" 1888 26caa72dd58 gpu
    3⤵
    PID:3716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4684.1.764678434\1013706305" -parentBuildID 20230214051806 -prefsHandle 2208 -prefMapHandle 2204 -prefsLen 18527 -prefMapSize 233208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7669721-cbb7-49ae-bd29-055de852fc39} 4684 "\\.\pipe\gecko-crash-server-pipe.4684" 2220 26c9e289358 socket
    3⤵
    - Checks processor information in registry
    PID:1716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4684.2.1339015725\261294772" -childID 1 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 21182 -prefMapSize 233208 -jsInitHandle 1420 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6674ccb7-8c80-4e1a-a1d7-a8328366c756} 4684 "\\.\pipe\gecko-crash-server-pipe.4684" 3712 26cad137a58 tab
    3⤵
    PID:5596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4684.3.71259430\1865856208" -childID 2 -isForBrowser -prefsHandle 4060 -prefMapHandle 4056 -prefsLen 21369 -prefMapSize 233208 -jsInitHandle 1420 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {332b991f-4dfb-49c3-8549-e0d3d68f65b4} 4684 "\\.\pipe\gecko-crash-server-pipe.4684" 4072 26caf28ab58 tab
    3⤵
    PID:3744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4684.4.1073521099\1341740403" -childID 3 -isForBrowser -prefsHandle 4384 -prefMapHandle 4380 -prefsLen 28079 -prefMapSize 233208 -jsInitHandle 1420 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a27a042-89ea-4641-9e6f-fe45870c17c1} 4684 "\\.\pipe\gecko-crash-server-pipe.4684" 2796 26c9e27ab58 tab
    3⤵
    PID:2560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4684.5.1214311813\375115665" -parentBuildID 20230214051806 -prefsHandle 5188 -prefMapHandle 2628 -prefsLen 29189 -prefMapSize 233208 -appDir "C:\Program Files\Mozilla Firefox\browser" - {735c201e-6f10-4205-bbd4-49fbdbce456d} 4684 "\\.\pipe\gecko-crash-server-pipe.4684" 5196 26cb211e358 rdd
    3⤵
    PID:4948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4684.6.1424606356\1550189205" -childID 4 -isForBrowser -prefsHandle 5308 -prefMapHandle 5260 -prefsLen 29151 -prefMapSize 233208 -jsInitHandle 1420 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65dab8ea-ebd1-4bb0-ab5d-1bd6780b3eb1} 4684 "\\.\pipe\gecko-crash-server-pipe.4684" 5360 26cb33ce658 tab
    3⤵
    PID:112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4684.7.884634407\501185999" -childID 5 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 29485 -prefMapSize 233208 -jsInitHandle 1420 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67b4d1a1-4059-48db-b0dd-268f45a4ad11} 4684 "\\.\pipe\gecko-crash-server-pipe.4684" 5624 26cb42c5258 tab
    3⤵
    PID:2164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4684.8.326386612\1584680538" -childID 6 -isForBrowser -prefsHandle 5744 -prefMapHandle 5748 -prefsLen 29485 -prefMapSize 233208 -jsInitHandle 1420 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db724460-3a39-4132-8586-28e2d5fbba00} 4684 "\\.\pipe\gecko-crash-server-pipe.4684" 5824 26cb38d6558 tab
    3⤵
    PID:4952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4684.9.372324997\1975337058" -childID 7 -isForBrowser -prefsHandle 5956 -prefMapHandle 5960 -prefsLen 29485 -prefMapSize 233208 -jsInitHandle 1420 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee80e2a7-c213-434f-b3e5-64e841c8789f} 4684 "\\.\pipe\gecko-crash-server-pipe.4684" 5964 26cb38d8958 tab
    3⤵
    PID:2976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4684.10.2042192185\1020039615" -childID 8 -isForBrowser -prefsHandle 5380 -prefMapHandle 5376 -prefsLen 29564 -prefMapSize 233208 -jsInitHandle 1420 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6405508a-588b-41b0-bfec-aeebd1edcb03} 4684 "\\.\pipe\gecko-crash-server-pipe.4684" 5456 26cb49c7e58 tab
    3⤵
    PID:3512
- - C:\Users\Admin\Downloads\MBSetup.exe
    "C:\Users\Admin\Downloads\MBSetup.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2188
- - C:\Users\Admin\Downloads\MBSetup.exe
    "C:\Users\Admin\Downloads\MBSetup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2108

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2328
- C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:5080
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Registers COM server for autorun
  - Modifies registry class
  PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:1200
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "0000000000000164" "Service-0x0-3e7$\Default" "0000000000000174" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5060

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:6032
- C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" nowindow
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:6400
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:6340
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:6468
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:6644
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:6612
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:6312
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:6548
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:5952
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:6536
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe" /wac 0 /status on true /updatesubstatus none /scansubstatus none /settingssubstatus none
  2⤵
  PID:6568
- C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe
  "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe" "C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\config\UpdateControllerConfig.json" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbclsupdate\staging" /db:dbupdate /su:no
  2⤵
  - Checks BIOS information in registry
  - Modifies data under HKEY_USERS
  PID:7056
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  PID:2728
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  PID:4708
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  PID:1896
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  PID:3204

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Downloads\DismountCompress.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:7016

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\@[email protected]
1⤵
PID:6772

C:\Program Files\Sandboxie-Plus\SandMan.exe
"C:\Program Files\Sandboxie-Plus\SandMan.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:6440

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\MoveRename.aif"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6516

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\AssertMeasure.wvx"
1⤵
PID:6844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe

Filesize
2.9MB

MD5
46f875f1fe3d6063b390e3a170c90e50

SHA1
62b901749a6e3964040f9af5ddb9a684936f6c30

SHA256
1cf9d3512efffaa2290c105ac8b7534026604067c9b533e7b7df2e017569a4ec

SHA512
fdfb348061158f8133380e9a94215f4bfc0f6ce643a129d623cb8034c49144f1489de56cd076da645478506d9fbddc7590fe3d643622210084b15fdf0d16b557

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe

Filesize
288KB

MD5
db9e311dfec7a7185b57ee9a2afeb631

SHA1
55a60af1043a0e7b6986749690cdbc38759949a9

SHA256
c9612c9123ff1102781a757efa6caf8ad688b454a64ad52811b38b4cb6c42b54

SHA512
2b03f6d9bc9fa0ad2ddcfc796b22a5e4ec5ec77fec1f8b9ad16f98264d9df292360ef93622f09c4e26149bec963250018082f273dd405b3cf185cc798b7a9838

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
621B

MD5
2acc14dcfc51d25b212199a1181dc6e2

SHA1
a684f3c8291405c6f24981cb5db17103a8e5e12c

SHA256
cbda0f7df34d5c42948474aca954e1d4ae07a860a606eed4f806ef7ba15ad56e

SHA512
7a7c3bbd252877635a101f7fc646e123aabaa6a48119740ecd9b73434a6351d24e62318a8c57f5ef1f23f2595d235731288505f16ed6616855252fa57cf46cad

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
654B

MD5
2e8063af815110634fa39c80aaffcc3f

SHA1
0928f280a97e5ca414a158095141162a768090de

SHA256
8690a738878ccb650eb2f0b1f10e1ba9ca8ce986b69e5a3b42969c896f77ae4e

SHA512
e3e06a09c64e92903c6d8d73619ef536a9b1b0bc694dcbf4fc4d1a70d584dd73d3bc6657b25db7a6ee68af7dc938e5db36693d28a50db5a92427b8d3297cee4e

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.dat

Filesize
8B

MD5
64c6a4180a701458a2e819aff3d61527

SHA1
f881a93ee6b46104bb89b31503c70d312c671bc6

SHA256
a891b2587601fd639a4a5b7f94ad1701083b04d5aad031353d4543c5dd331bec

SHA512
aaa7069e5e55f50a02c968398fc079b532c083beeda2c2241e18af10d69d1cde95eeb1ce363bd3724fd696824800f5f4438adfc7375298ff58b8c3c64f96096a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mb5uns.exe

Filesize
3.8MB

MD5
eaac9032a5151ea0d7b74ae4bab32b35

SHA1
f2c1f886868f6b9f78aeda8cf95df5051239c1ef

SHA256
807379fdd7315c29bc1e96ed224285ac5ae0226bdfa5318642eaed6bb0ca3191

SHA512
91fc6c387ee270372c401aa27aa399c5f6091dbcf1e94058c88e5edb473a7876c9de632cff5a4d6479a2a9bdcfb499c8ac6cdd3bd954b04db89685ccde0661db

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf

Filesize
1KB

MD5
5d1917024b228efbeab3c696e663873e

SHA1
cec5e88c2481d323ec366c18024d61a117f01b21

SHA256
4a350fc20834a579c5a58352b7a3aa02a454abbbd9eecd3cd6d2a14864a49cd8

SHA512
14b345f03284b8c1d97219e3dd1a3910c1e453f93f51753f417e643f50922e55c0e23aab1d437300e6c196c7017d7b7538de4850df74b3599e90f3941b40ab4a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt11.cat

Filesize
10KB

MD5
cab9aa45b50d2419e3a772946d790d04

SHA1
047a95827e31c5fd366e8e43f517b1b903ed8e8a

SHA256
0fedc4eaf11613bd44b76276542e3cabb36ce312fb37cf04b402741406b7c2cf

SHA512
49a047a631d026dce5a302318f10c48de26e4788eb28fdedc3347d61f4696cd1fa2047bc2f64aee71fc5a6edc0a1ff026c66513784c68f1406d03b8a69447599

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt11.inf

Filesize
2KB

MD5
1b378aed3afa33a9d68845f94546a2f6

SHA1
95b809a20490f689a2062637da54a8c65f791363

SHA256
6ef70c4c969b91775368b3c5a6d0dce4c5a5d59463e32b872474f0c50b59774a

SHA512
fe0706f48ae52a14936e372dc1406720baf21e018b12ad79727da892c498fc62af59efd08024ba257a94442270c1fe59859a81a2eb7be54be6c7a3cb76051808

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt11.sys

Filesize
229KB

MD5
05c4546c48547386962794da5cbb5f09

SHA1
b61ed60ea92c221ed5a966e9a23b7ab8bfd461af

SHA256
0b544b88164e64e3cdff31737a1e72baf855be114c2586ce16ffebf787d42593

SHA512
b2446f22fd79db6ef3085e96305c3230ffa9dc8459caf2d4ecef33f8f94bb22bfd805b8a5f62e0eeab61e4b80f808f0790c0ce6e9222c0d2abaaa7ee32d9b145

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.cat

Filesize
11KB

MD5
aef40e9e7ca500f8d23f53a9b7b4fd1f

SHA1
9d6c9f4c18b6d57e43f26bb2593c11264a1eaa41

SHA256
8e66264dc7478e517b72af31ca7a308be15ce7dc9060e5f0488fb186ab1220b3

SHA512
f6857b87a244dd68ac14016bd6e25e31d45b1b00fcbe70129dccd33ab8db1d01d4c31651f5f7c08d237c76c0291a35e262fc7c25670ac11166354841272e1277

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.inf

Filesize
3KB

MD5
5a9717e1385703e8f06b27aa10a69e87

SHA1
84ee67a9167b5eb6560711b9871de98898ad07a5

SHA256
47b7c516bb57c612de19f0ca865590af95b6e32bf873a0fef9e011b2c5b483d4

SHA512
dd3c7278c2c11ad15a55fae6d19b96dadd92f85b7f0c8ce934298258af00bb5c052a84a98499b8867b0f43704fb307c67d03692ca69dda4d814c6c17dd73df44

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.sys

Filesize
217KB

MD5
ef356c49f9dbbfa13365a3fda7dfdaa2

SHA1
ac5286b5570b83b733f5833e92a220e2ceb0ef7c

SHA256
a507ab3164163a52c2039a02a1f5b7ab55fc120b1c1aa73930184086bcc5597b

SHA512
d2d88333f367d0ccefca84b4a24185dea257b30a15c28ed26b00f04ac90b3b2c4e4c5c42e4bdb97e07895c4a5f3d38786fe811d3eb04bc10a1a4b7a55795d8f5

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat

Filesize
9B

MD5
35c919c92586d90651a5183e962c4a5a

SHA1
48653cfa8c7a378f7226b3cc55052af55091f5c0

SHA256
69cbe3b65794fd3ddb7e49ce394a6ce5ec8d8512d4a5932f24417c4c7b61e1fb

SHA512
ea1159f582119a37dc4f3408028a00886bb4760cc5c3b51da53f186cec81ac2aba35ccf24bb2d35aee6effcf787f548583bb41977827c3ef0987a9daabb2e9c8

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\version.dat

Filesize
47B

MD5
212324ee6679900cc86b58891450c028

SHA1
391e12c4b95a68dbdc92b2ec3785c8bd7200df0b

SHA256
6ace143b90849f3432a26dcc8e0b571f7a0d375e0ca6839f97e89595028cfe6a

SHA512
67a964c4e43e09f27c66274b91efda758e1d52887eb4b0dbb29a2caf8326842a311b4dffc60e716f815f29a6549be2cf95705ef4ed00070f1ac77da606597c21

Download Submit
C:\Program Files\Sandboxie-Plus\7z.dll

Filesize
1.8MB

MD5
016455167158ad8932e1c661f882b791

SHA1
91ba7dca87ca8605394ebedb12a35408d716d8ad

SHA256
9d654177210e1d24dd1809c2917e23cd5044e672029488bba06d62f0936a1274

SHA512
8be7420d7c1eb3b0022d0022e026dd585e513f5e8f48b249bce19134f6053cc0985f44d48f5065f17710b2d20f15b6baabeef7356d6c18ccd915cbd08ef8f78c

Download Submit
C:\Program Files\Sandboxie-Plus\ImBox.exe

Filesize
178KB

MD5
344503bf5b7b82ad2770b445015961b4

SHA1
c94442d3ee453effb95e01dfaf82f67c71e80bc1

SHA256
1d96e44393c9fbfd813ac4364126672a34f51feadf58e04dd66372831f913e0c

SHA512
498786b92d906e6c722f9c39f3d4c424c6bad75e7a0ba965f40af289a94200184e3a6fd0d12cfdf9a3824bb9000601c236a4ae31fe5223d798b9050c00b59af0

Download Submit
C:\Program Files\Sandboxie-Plus\KmdUtil.exe

Filesize
210KB

MD5
d5e48be290003e4edcc9875f916f4b65

SHA1
28f7c3846a07d373ef39a09fc1e7e1337dc901d9

SHA256
6f913c193fc6b1a8ad23054398bb3a646ff433e520555577ae8255d28783eec8

SHA512
29aa31c03b726265d99b0ee9757b5d1f8ad51c1ea239bc79798756ea55e4d8f05fa162757c2d4cd6a1ce9e68bb96653459fde9468adc2750314f789f19aea0d4

Download Submit
C:\Program Files\Sandboxie-Plus\Manifest0.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Program Files\Sandboxie-Plus\Manifest1.txt

Filesize
364B

MD5
1689ab6cf954209a1286a88c5ddee65a

SHA1
4028a3db74cc240643027cbb9946d3f03162f2ba

SHA256
de0167798a89a4b80ec2ccb4cb4ab95bfe4da2e91666f27fb83dcb75c71206ac

SHA512
aca0e04f607cf15ed8aeb707d6d6acb103278d2cd2fb27a3139904351c64a2c95f1857ee57c1d44cb3268bf07e1b112b91055427809a518fc1697872d048b7ec

Download Submit
C:\Program Files\Sandboxie-Plus\Manifest2.txt

Filesize
92B

MD5
9bc1b27cc08b3673686fa4ecf793a278

SHA1
67b588168dc8c8667343443d0a23cac59cab234b

SHA256
55e7b42230dffab5e4f1a13476e888eea5850ec8ee121e23a7b1c48836299335

SHA512
0bd40ead34aa1fc40aa25f4c59068026724e7f7cf5dfa8f3142cea00fd5804ba9309f4e92db2e36a72c7ee15ca3d6a5fbf0700429347ebfcd650a1cb1ea557ed

Download Submit
C:\Program Files\Sandboxie-Plus\MiscHelpers.dll

Filesize
617KB

MD5
c4f9619697e7c8831f85776a7531ab26

SHA1
a4870134bad3df3c4d880a0559f2da45dcd97bbf

SHA256
493dc5b6a538ae9f514ed243ced9efd58ef8e61e8a76faf33ed5c6578344a839

SHA512
922770658159d80eebc7d9e5e232d29a0b1aa48914911956df5d20edc564e9dc963e15cf81fa7dcdb8c4aefcdae0e6ebdc0f170d555dc22508ceb24044323a0c

Download Submit
C:\Program Files\Sandboxie-Plus\QSbieAPI.dll

Filesize
452KB

MD5
e22a534e260be44af2b80febdbbc970f

SHA1
232abfa7ecb1c7477a29674429efdeccc7e1ea4e

SHA256
b56f0f8da27865f2831eb3d820f009ea1955e715bb2b964474202ceb8a734a06

SHA512
8501bc528750801e965a06b043dae61def582418f58ab59268c048c664d68408736682bb81e9f9ca8e86d2d7d707cde49adc71fca285816a158b45eb91df4320

Download Submit
C:\Program Files\Sandboxie-Plus\Qt5Core.dll

Filesize
5.9MB

MD5
7a3a908f3f221256283489591ed92ec2

SHA1
c0f304687916fa9b079abfe19856d6646809c66e

SHA256
ba06570557f3936f3a968808e52d2d811bd0e3da06556b7cc14d23f8006e64d5

SHA512
58704da13bff66fa15d394e69c0b75623e87f8f011ae78e51c84108ce0969a08173e9e248191339fddc615fc108e422d00a79f4bf642deeee439086113bbd63c

Download Submit
C:\Program Files\Sandboxie-Plus\Qt5Gui.dll

Filesize
6.5MB

MD5
98b2db746ce372de20b84bd3b234d17a

SHA1
5c72aafe882db1a19f8c60b8bac5a2d942eb92ad

SHA256
7b9526a854347ae56550125171628a989566386e2b594a00cc37e6719941cc7e

SHA512
4c2d67018bb48b7377b09956a29bd86198d2cda46886ca69f3132010c6059661b4cbab95e9e9fa02d4a2301867b80abceb4ff1001e513d1517e7d39159eefe9c

Download Submit
C:\Program Files\Sandboxie-Plus\Qt5Network.dll

Filesize
1.2MB

MD5
dbe97a62b1541340ddaf77f83026fe1e

SHA1
8af053f60a52f59a178dc30de8362aa524d8dea6

SHA256
91a3ea0ecef950a0de2cd91f2d3cbd992a066126bfee8b62872b8f6758c18e7e

SHA512
7e1f3fefa1e24d0a017103be293dd6c795e38ac393df1be61642b49aa143531f8654b823d4dfc8aa935a133d3663216e023a68d08fa9d4f82869f923f0a6a6da

Download Submit
C:\Program Files\Sandboxie-Plus\Qt5Qml.dll

Filesize
3.4MB

MD5
db5d6a01ac4a3b63f98852f5128909a1

SHA1
e324e532573790d638bb06c8f6eec2a7593dce50

SHA256
46a5d7b219a43ebf9ba9527b842101bbff7d2bed873518e70f0ad8e5b73a65e4

SHA512
d3bbcc491cf22a2aa709864210855ee92d3590d7a418c84721b71059a73b24875b8041f2e75446637819e98546b26f37c07e3945714131ff0a780499754574b3

Download Submit
C:\Program Files\Sandboxie-Plus\Qt5Widgets.dll

Filesize
5.3MB

MD5
1514da054ff6b151a224ceaa057a651f

SHA1
e189cd4dbe803a90a81ef7bff663e79924228015

SHA256
cda42931821882a7131b2e1511527197d6ea29c6dc413bfce998187a93d8129c

SHA512
1419eb4fb30d3b75ae24e383b3413e74d1d0ab2316026bc54101f11f82fdcba82cc313977248d544e039e240b3865ced0661172e4dd8849f42bef1731540324b

Download Submit
C:\Program Files\Sandboxie-Plus\Qt5WinExtras.dll

Filesize
225KB

MD5
1aaafe83fd3af7f2c15ccaecd75f87d6

SHA1
b2d2a872aff818254133bc4ac71f321d64f99ded

SHA256
b7b873403190f29c6e7f22421470bc6e6ad7bd1c4afd40d64325f626248043c7

SHA512
ffd120cf9a6ee3bd0cd3930451c60bc4710300caf3d0540bc7fb05bc50faff9fdd8b6023f9d3d0b6950fa9485e9448f3f402e040f552fc552dd15045a73a9f4f

Download Submit
C:\Program Files\Sandboxie-Plus\SandMan.exe

Filesize
2.9MB

MD5
e91a35cc14f4f117da6f4c91a0c8d048

SHA1
6642e207e3e7b4ad2f380bd51860aef616925077

SHA256
00090d289035749bdd0a25ad1990be32b12e3d1ae03bc58891f8b1df00bb2f5f

SHA512
5ed134c3ab9c0153576487a5f65ddf29b3e787237e56ad0d26292444426eff484c37285ecafc735c59f69caad7e6bbf81c5f322f3f7cf600978b88b188b15785

Download Submit
C:\Program Files\Sandboxie-Plus\SandMan.exe.sig

Filesize
64B

MD5
763007b2ffd35425de2606ff9df75a3f

SHA1
e22bb3bcc0237baad0711973b3d4a8ef536ee829

SHA256
0180cddd4f936f8ae66441114effafdc1fc1e624e40bf46b293e97390fd2cc6b

SHA512
21dc4ba6cd078cef03b94cef24b5891b23cbbaa4fefdfdf1d074cd4351ef699fae2e3fba5646706d792b4a809194faf87dbb4b6af09fcf90c73f8fad818415a9

Download Submit
C:\Program Files\Sandboxie-Plus\SandboxieBITS.exe

Filesize
116KB

MD5
59abdd32e66b6aa2dc3e5b4cd76bb409

SHA1
0e4d02294fbb60b2fd41f486160f548d35896dfe

SHA256
f786f0ddb73719f1937965232bfad5538213aa8e7232c490ef26de0f6dd83f71

SHA512
b89b4f2ace1a94891f63dcb78de81406e2a44b60afd9e9295c748f7981137a65b2ce6111bdd4f15aedec7c5fda41513d10a5c5a986c34f173cb817242429f7d9

Download Submit
C:\Program Files\Sandboxie-Plus\SandboxieCrypto.exe

Filesize
147KB

MD5
916f963dc8cae8f4ef14f2a113a526fd

SHA1
bf57a4cae9d48b15c73b42f7b1f500aee5944e6f

SHA256
ebef4062b305fbeb25f6314449fb9dfb5f1a5fe5f41a83d931f2a59775f1f556

SHA512
bcfd38affd17cea1e03f32fa67d7796dcc2dcf1a1efe6bb80a817b2d9c611f9bb3c43d93d07038a20c75dda8a128952ae444e270c034029e4e4c4f65fd9fd0b8

Download Submit
C:\Program Files\Sandboxie-Plus\SandboxieDcomLaunch.exe

Filesize
150KB

MD5
9af2d1765147735a3a5bc4f773b3d3e0

SHA1
336cf073ccdcf319ef9ead136e169fb30617cb77

SHA256
11cb9d8fcd8e2d0646a90fbcc99f951cd5854d3d575cf97a0d23b6ad667e9f0a

SHA512
ed8d5018dd09dfcb77f32fef146f95b571628ead0c867e6a7abb5616e2a30e3f6c4a8a1456086d640d8b801ad211172e7389096f23d295a1b178be7e65324818

Download Submit
C:\Program Files\Sandboxie-Plus\SandboxieRpcSs.exe

Filesize
165KB

MD5
102bffd2c8a821d4dee6f84d7756899a

SHA1
b5fd34f826a4e538d7488ea0ed2ce4b644619ca1

SHA256
a32dd97f41c1293e6991b648055b571a241cc1f6fb5c93f51cf901280580176c

SHA512
db3f4f01b03819c4091b89377a23444b6acd178964a2b1bd07a469872d4e80ad3c8809eb157b28ebd07cc59f0fb2cd5c1f1d27fd4c05dae8eb3c78eb6bb4fdf9

Download Submit
C:\Program Files\Sandboxie-Plus\SandboxieWUAU.exe

Filesize
119KB

MD5
32fbf3bcc55f61246a58bd267a9ceeb6

SHA1
cbb3db79dd2b4e9f760f795396ddaca5e71b799c

SHA256
0ec1e3969da6960dad14cc18c8f36a2d5ab09e3582d94142cc60709eebe7062a

SHA512
fed59d5afd9d861bbc3c02dc10b7e34becae43d2ebbceb918ace62e844353d2f0452cfa6947c781d5d126b5c016e02ccc227ac1350b2a0bbec8e613c9564d61c

Download Submit
C:\Program Files\Sandboxie-Plus\SbieCtrl.exe

Filesize
3.2MB

MD5
4f7b761fc9c84d93856baada32c66c29

SHA1
4acf76d29ad22abcba7fac8cf335378fe64577f8

SHA256
2476c2b0d2cdc4cf69ed74fd5a6b22bb90bf3f8e363768ce8381bc6d4dfefad7

SHA512
e2e78d869006e53d5caf25b4b526ac29e127fac17bb7b187636db9508927e665e9481024ad645cc0c6fdbb653a209f993420c364518512f64165cb2d2e623b36

Download Submit
C:\Program Files\Sandboxie-Plus\SbieCtrl.exe.sig

Filesize
64B

MD5
2befb4e3637457f7ca69f50b17ae36aa

SHA1
26ea0d4416c1305f562c4790d66fb07fbaa444a1

SHA256
62b79dd71cf65f909689881619d8c741be66afdde4c6188c075927be711a8481

SHA512
7c53b751f72254974f7a7d0c593bfe3dae7f04fafcfaa5ca20b5194985d536468f9526f43858c361501e2bd26bbb08e1e24ac5c3b43ccd34b0f60fbe277f9be8

Download Submit
C:\Program Files\Sandboxie-Plus\SbieDll.dll

Filesize
877KB

MD5
d8d4b52948e4c8ae256560c01a7f3f8a

SHA1
1dd4ce1b40399a24059059d867c95a5e1b74e4cf

SHA256
955fffc1c4eb639491e1531fee61a33161edad42a3eccf292ed202c8348fbd8b

SHA512
d8c0320e30bf2f4ec37f627e4b7969ff5070ef8c59692063951139e2742298a881a0dbc1aa789c725e628dd1cf3226a556c207d295c4f79968e5fd6969933dcb

Download Submit
C:\Program Files\Sandboxie-Plus\SbieDll.pdb

Filesize
3.1MB

MD5
a7cc1e0eaaca89cd6443d234642a6003

SHA1
83fe7f7054644814b0c5808e8058d62d3cd2e858

SHA256
798f2d7e180210693a1becfda26f10e8d51f32fa009429c0da698a1495dc3f04

SHA512
c323694a7b621b73f732760235ce30c01acc9653584b384adb121ab420870c406098b2a57031ca6ef2b02acb224fe62ec2609d5b9e75e1deb4ca912ab635ea88

Download Submit
C:\Program Files\Sandboxie-Plus\SbieDrv.pdb

Filesize
1.7MB

MD5
ac44d3759578ef66cac4b7725a5dde7b

SHA1
1c52e80f1f30cc9523563c65144e7d716bc48e5b

SHA256
4cd6726866171cd63081c674383635c5ead6fa07982efcf7ac2c7dafd3352ef1

SHA512
7190d9b078e13156277764f9be25e242bfd553244faad2d7c7a0e66d1fab2d9a55df9d7d2a34a6f50b955ce2f3b85c51b2f74ade215094d7cbee473de5313baf

Download Submit
C:\Program Files\Sandboxie-Plus\SbieDrv.sys

Filesize
240KB

MD5
3c89ff1f12da386dc3bae95bdaeeb45c

SHA1
73b15930ba31c9142d8673774edfdbf4bd7335ae

SHA256
378fb8c178e176629c6d27ef79c0c463521cca375080a0fe6796878d42af79d3

SHA512
38753b325c0c9c334b5f4d343dd7351af0d2c0b9b32a8d16a96b95a1647d27e222e3bef4857fe5ac9f5adc1bfcbc3f4f70e49c9acb10df67f9dda69108159d1c

Download Submit
C:\Program Files\Sandboxie-Plus\SbieIni.exe

Filesize
147KB

MD5
3dc9c5ba6da3d5f2df33fdf1b9e8218d

SHA1
b0b5ded4d894accce518b65613f833b5b6f2a42e

SHA256
5008aedfdd873d9ba39e68be87362594d7e065795ab3648aa03e4ec27e256587

SHA512
d9009649e853db68b0614b20b59a5a3041e6b81fc22253cd25aeb6ea8dc7fe1334bde3b620cb24731007f133de7cae96bc59a57f46b87f61e117a9b0f886f945

Download Submit
C:\Program Files\Sandboxie-Plus\SbieMsg.dll

Filesize
3.1MB

MD5
3765214ad3b86f6d00b54c7195d0f543

SHA1
7b7cce5ac90ec62b63995c0e60cf76dff0b7f45e

SHA256
4cfa82c91672784e5cca3c831579463cd25b96b398c809afd553eabade96bcf6

SHA512
b841071d37002d7651e785c8008e6b83f360e82c727f4751b021b371ceb759c08c1cae8c9fedce36ab14cbd6eabada4a751487fb6d4b4bce3a37018b95d352a6

Download Submit
C:\Program Files\Sandboxie-Plus\SbieShellExt.dll

Filesize
72KB

MD5
d75a458d4885037fce786fa5345068f6

SHA1
faef7d3f22f5ce67a29db4ae4f0d1c6f0ed70c8d

SHA256
c8d013b0e3e88e9c46b9b533c7327c58e40acb74491bec3252a3279f10a2230e

SHA512
aac6b93b139941f069af3b8afc06a4b1003220fc98415ecd6ef14c8660bcae345e5733b9ec345ce46cc165234fbcaa7bf2f7edce3ca36585dab3b86982f32348

Download Submit
C:\Program Files\Sandboxie-Plus\SbieShellPkg.msix

Filesize
10KB

MD5
474e5f07aeac40208cca5a7cd30ae092

SHA1
44ad36a978cec60dfae08b550c040e90cd9bc345

SHA256
3a40dc51680eb354267e4d53c7e8d6176fb2eb793031009581e421a478903c8c

SHA512
c69b84c00d965ae545a690c0be57e3ae8cd86e739424c3a0a2a8b74a71c9e28b1a5d8e6afbd6836db6fba54dfc0dd7bd74dbdbd6f20c558041d460b919425e54

Download Submit
C:\Program Files\Sandboxie-Plus\SbieSvc.exe

Filesize
402KB

MD5
d51eec123da839dd9b8fe2841a6ad4f8

SHA1
0efbe63bbc2b17cee6e30cd2bff39d172ace2448

SHA256
40646981b6b360953ada98667195a0890ffb1fd23f73d576056d554d458dcfe7

SHA512
8c0bdcc881de1b3c91a60d63c2b73878e7e27a9dccf88205691ce7936b326fa3fc34619c64a02730207930e6896c1c185bd0449813a31ce6263e19c02580e67f

Download Submit
C:\Program Files\Sandboxie-Plus\SbieSvc.exe.sig

Filesize
64B

MD5
d9e4ed7e35fda153407b85a2b0278844

SHA1
e46e084d94c606917bf8d84b68dcf7fda2272c70

SHA256
b0934c6177abb736647d59fd09efb6c6a52a3af6db700ae3291e0d83e24348c4

SHA512
2d91540738ae1ee7d85689e0b9776704e9e8451e47c643c0a2c75ec738117f98e73c4e615d26ba9d264eda2954afb33e3b56c4af5640000e8c52d7a6cb30f4c3

Download Submit
C:\Program Files\Sandboxie-Plus\SboxHostDll.dll

Filesize
141KB

MD5
de94dec9e08ac5f85be279379ba7293e

SHA1
6571cac41a891273cc3cc52106ba240bd2f2191e

SHA256
2e75fb1c3adce77de23d26ee42eb6c9f953ff2bf21a39b3350bc603615386dbc

SHA512
ed681a54e6ef97643b12061ba6a30961f7178943b36f3d8728723c32a474742d808e17f4d8edc5286deee8b3e1207f333db062e8abf5b25517a4be838dc991d8

Download Submit
C:\Program Files\Sandboxie-Plus\Start.exe

Filesize
328KB

MD5
8c569deac8f343779b9058c718aef6ea

SHA1
93ffb32cd8a2a2ae4f77852c13687a36a52b68e0

SHA256
d6644ff66f5f6648c90011b4e12cd7e7b682d9edb5f4f4084737f1bd0b10b838

SHA512
30c1459973b7b4ca3522e8e223c8e7cdb6b26747e11cfba6ac3d9603549ff85cff5a6ea69b4f9ded843f44e334da6a8bbe6ea1b0c6441ee0d52e256653d319b8

Download Submit
C:\Program Files\Sandboxie-Plus\Start.exe.sig

Filesize
64B

MD5
8e8dfe7efe5ccf966ce70ea12fec1694

SHA1
52d95c7235e935050f112d7ee71f287f722156ca

SHA256
42d68b18d4481b12eb77ac67bfaf3d1e6d325eb40e24cc854c0d7cd760efa2ea

SHA512
1f4b8f5872a4a5e489def66dfba538706d668993a0c939309d872f8b255f36c427d14b3d4ae1802ffc7a6fc0d6256747949501f1d3c1a6bdab1aec260a9a1c35

Download Submit
C:\Program Files\Sandboxie-Plus\Templates.ini

Filesize
131KB

MD5
02d8c944a405647cd7e3ca3f1eed1edb

SHA1
30a9d0ca793e90e3339179c1d03d3cbfb60f2777

SHA256
cdd36ffc584207f373db775cd3576d18a71b0b303d949e80777fc734ebc89236

SHA512
edd0a44f43c2ff61a21fe3741b8cc2d21b35921197aab9a9e00812e9da6da4fd823f1e63e2fb3c702f6738bc32b470757ed70183517afd6da5a98d48c2edfb27

Download Submit
C:\Program Files\Sandboxie-Plus\UGlobalHotkey.dll

Filesize
55KB

MD5
06b4fa810519b020475a5edca459065a

SHA1
512453bf8aa75fd74862caa2ee3c85a740217659

SHA256
8f3b9e5d6272a04e728d30d6a2241fbdc9166e10779b06705008c76a8d6ab122

SHA512
dcf6a6e1b3e6edfc809d5bd002851b401e133dc2257b9a2c2221455f090197111f01dcab333c600120e5e15b9fb7d7159df0bd72be37464e02d572cc495f5d81

Download Submit
C:\Program Files\Sandboxie-Plus\UpdUtil.exe

Filesize
176KB

MD5
de9b3053d8bb3a1b6bbb912fb920f71a

SHA1
9dd0e520936b19a4d183f4469a6d8521ab1da102

SHA256
1cbe32444858c845166595fb83c2b80bdef491ace7129be022c635012015f836

SHA512
f83b490ca69895ae66e2a8b632a99daadac4ea14a9e4ad855b9814ab5c7d1b263309a097c490d3ce761d157fd7ae71de81c240c240af88075426d56d323a726e

Download Submit
C:\Program Files\Sandboxie-Plus\concrt140.dll

Filesize
310KB

MD5
44240c846cfa74af233c58983ff2d2b5

SHA1
e7caa56beb7e02fd30ce5ad449f19964529d8706

SHA256
f0d83677b5296ff90d22959aa425b2d249145d894200a33ec10c001191523c74

SHA512
fbb32ac42cff9e07c0667c8cbe118f7f9c030207c8f525176c796003cd3ce6ac08e18ed7fb7ab85a713f0a0bdf9aef60b794eb1b6b74370b379c13c54085bb51

Download Submit
C:\Program Files\Sandboxie-Plus\libcrypto-1_1-x64.dll

Filesize
3.3MB

MD5
95190986990d331bdd760b4e6790b2dc

SHA1
6e0c0b7bc1c8076c8ca72723efffddb3ed2cc41a

SHA256
2cbf8402bbc1e0a20e5399b3f05f8fc6ef7dd271f1547bb9cc82d7a21b912e91

SHA512
843b48049a6f63863caab947cec94a2bb30001d48277ceda7b5ca17f2cb9fb25d98238ed0498342fbf8acf9c4763fd767904b1fa70f5bff8bd901aeb03eefd5b

Download Submit
C:\Program Files\Sandboxie-Plus\libssl-1_1-x64.dll

Filesize
672KB

MD5
45f0c10f0e1683f40b26529e37acd526

SHA1
67a4a29a066950be1d8fbdfe754386b556df5810

SHA256
d7e91180194d341dd129b52c6833c2b89d7a32f65808204491bab632cfed13fd

SHA512
8b1300676372d958b119e5e19dfef4a8d733ceabec83362e126cc4c06e3eec6dbf6823fa824cb6380465927b6358b9da8e787b8e026654f4cd2b3169a7cbc8f6

Download Submit
C:\Program Files\Sandboxie-Plus\msvcp140.dll

Filesize
554KB

MD5
0d89995cc45c7eb40e5a7e287506c1e9

SHA1
096c27b06ee7fff2bcd290af0264cdafd04cded9

SHA256
e0a22a594e148fa55ceef3e49969bfa77011a801267a0bd7805b681b593c9d0b

SHA512
3497c2957d10fcddeec8f312fb15c53f82d770dcc3e771a94daf4f4435c3ddf323ecd33310baaf1ad56673bac7c6268a9ef921d5f32cf7e4a7c9dcb0d8aafa63

Download Submit
C:\Program Files\Sandboxie-Plus\msvcp140_1.dll

Filesize
24KB

MD5
c060bb176a671f068362db2673a08c5e

SHA1
1d6b4ae5e778f1daf3573d4817777a51c35cbac4

SHA256
768e0829decea713afb35a7de07e276f051581c8ff2c17e1bae9b07dd1445dd0

SHA512
78a6c8f76d3ebd8db9c784d7775ec44647c4776fcb11d0b32ae2b3a6f2837c0b3be12f053ef6a25811a68da17d0eea83077521f496e238757f5539b445a58a7d

Download Submit
C:\Program Files\Sandboxie-Plus\msvcp140_2.dll

Filesize
182KB

MD5
94bc7a22ec7308f851cc58fd6de90b2d

SHA1
cb4d8dcd2c8e9bbf049c1628246cb12cdd34b353

SHA256
5c12eaef6db18b168f712bff9b55793e0effddf15b89552e7f5ca4f8f1887b9b

SHA512
87791e992ccb43c833ea6ef2b0fa146031e0fd26305c93d77bc693473292f5b54d36516f3294edcc1c253d2decc166fdd1767c659f65e7d7e447cd8c318b7c96

Download Submit
C:\Program Files\Sandboxie-Plus\msvcp140_atomic_wait.dll

Filesize
56KB

MD5
6407c40330e6081689bb702daa5aacac

SHA1
24126ff2ddd568a6ed17134e539cad94e22152a7

SHA256
0193cdcff562f12218ecab5841fd6bbc4d24295cd8e4dcae960e2fb47cceb662

SHA512
445ab6d0e1f2e5d0ef520261122fac3f6909fcdc7c39df7891b395694f31a3b54a1f7f5dadc35701baad4431ef358481e725cd19f438362c262e4f936abea7a3

Download Submit
C:\Program Files\Sandboxie-Plus\msvcp140_codecvt_ids.dll

Filesize
21KB

MD5
23efa781b89641f24c17592de857bb40

SHA1
fd537ff2cf7d09701baf6550640d6cc96bd5d284

SHA256
9c6c0d8fa51ecca5e274295cbd72d45be474f3c6ce1070ec5e90f70242ae7185

SHA512
48c541d11fae95cfd04aa00d9c769a7cb6844524cdbb2e234af471048148a6f7f20e1acf077b88cb6127e8a7c49642726745386d081d0c8d404dcbb9caa4310b

Download Submit
C:\Program Files\Sandboxie-Plus\qtsingleapp.dll

Filesize
46KB

MD5
fbd30d0467b6c6c69bea9440c9a89921

SHA1
e8881bf571600c8d10f191dd7305b0da930036b9

SHA256
d4f56ae9765d30d07d91b4027d676d69b7d13afab93ecaaa2ab2097f4adf2542

SHA512
ee4df4d4edb1521831b507648437342d99e7d2f40509c65042055d216bc5a97f375c6d75be6120d0ec5a8f510c58c181d463a519cef34a7ec939fe224e4b4300

Download Submit
C:\Program Files\Sandboxie-Plus\sbiedrv.cat

Filesize
11KB

MD5
7a64843cdbba1d99312e1f13961ed806

SHA1
efea970a56e6d07e67a5c460b4c50a37ac90e152

SHA256
357f353dd3879d84e3bd52bc3f210a62b4fa82021741137842f01da12b573e5d

SHA512
ebd9f66f1f5bf05eac03481a53829c2ae543bcf90942acb0c249c80aa3b4ac2822a85a7df0daf5e91c184e144048debca3cc011dee6d4ef023a9955ba639d690

Download Submit
C:\Program Files\Sandboxie-Plus\translations.7z

Filesize
1.5MB

MD5
eac10fdbeb6718b4f91ab7301509416e

SHA1
065f51a8a02e84915d70b46fa0f5d246a4c34972

SHA256
7cbc25ea9bc6c563ceb2c216afb7917ea8cad6547bcff8564fcff617380f8a3a

SHA512
60fa91dad9cad4393224e613444e49e6101e00ca042486d8ec18a0fa2242ddf0f5eabf322d4e8be29790e976cd586d625e0ca192e0595f107326854d5a2d72b2

Download Submit
C:\Program Files\Sandboxie-Plus\troubleshooting.7z

Filesize
16KB

MD5
8603911b1898b4cd4c3b98784bde79b1

SHA1
33bd9562a78668de85d2674c32c97868417f4d13

SHA256
a9760c5de0da61159125f4b552d2d90e5d350f75eaa124621ea15c675f3bfa83

SHA512
e26de3774367a53b987971b0418e08679a66bc4bb739d2db672ca5e66c588eb141c8f3fe391f5b9414aecf9035bedfa3d8a34d380a3c7839acb0811a76361424

Download Submit
C:\Program Files\Sandboxie-Plus\unins000.dat

Filesize
34KB

MD5
e35926d00a0180c9bd2cb73f0dcac056

SHA1
27aef273092756150efb55f90a72801e17e52eb4

SHA256
ac1bbb2da11afe66feaa3fd825e9c8de230ad0abd5c76ac6d1658b3e25faca0e

SHA512
378d9d743ac23a2eb62da3f7a8ae17b32a3f0da12be88ee731ff8e5ff01d8724cb1ff6c29660883fda847eed17bd449284d7e7f8ba7431a618076e7093e2243b

Download Submit
C:\Program Files\Sandboxie-Plus\unins000.exe

Filesize
3.0MB

MD5
ff6684e5ae992d7a7a14bc04d7038d4f

SHA1
7f1111236f1aadbe5ac6a133f6c2229189c7000b

SHA256
eeea913fa30a70de2703e980222884f103d82a15eb6e1177f213a5003b537700

SHA512
da264d5aa4b8d72479d6077de03da7dca411bd240c43bd0b784fe80af429d9925fd4234ab66352dbad8352a450f43f9a76d91c6fac86a0e2e57ed7e12ceff45a

Download Submit
C:\Program Files\Sandboxie-Plus\vccorlib140.dll

Filesize
328KB

MD5
6041b10ea3e291bcb38b1b6467c07c75

SHA1
c9fe0912efd22ece649ac2d4f0fef1211c5d9250

SHA256
011da00fdde5a7d4e36f1e472fe7a2918f58ee422b2c1d9c427b069f1657359c

SHA512
6d2a1439e7accace575029229acff1ee599aff5be52f9f051adebb3d8c5b130f3f9bf845a0399d670d75170a3c4850566f047d767fcd464a9d2a65e94aa2b608

Download Submit
C:\Program Files\Sandboxie-Plus\vcruntime140.dll

Filesize
96KB

MD5
a4cf5c1f71c540c69371c861abe57726

SHA1
f272b34182db8a78ffc71755b46a57a253fcd384

SHA256
c179d8914ba8e57b2f8f4d6c101c2c550c7c6712a7f0f9920a97db340f9d9574

SHA512
f2b53f28a6369f76b22e99fddfb86730f3d33e87c68dae7aa3d05808223693bb86ade263cccb99d5462cf98eeeaa6a6f1cfe5ea3aa1739f8ad6eb624caff1045

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
3767cddf336bb62d508b88de1728c31d

SHA1
aaa65d6c68a202eac3f16b8cdfc675a3901ece48

SHA256
a8a04687dcfe312a917a7ec1efb4a114aabd464866ee63f088e6a59b825b3c62

SHA512
ef4cf6b85488a559e3f7657178246f46b8b19a8ceeea0e1ed9314e28876f5ae0f752c9658edecf01695ca07d32a19d3e4a4d4465c5d230f70b6c4654122cc046

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\LOGS\mbae-default.log

Filesize
1KB

MD5
7b44b80a712d6fdf221ca4647a2e1db6

SHA1
acef3aac3721f4c162d31acbc11e79a1f9ca752c

SHA256
567126f0b47463186111da02d4d391986e8a7526a8ca70c199d6d0e568f7494a

SHA512
5fa5c75206b14f62d91cc03a0a1ca6a5fdb02081118cce32937b485d620ed7b223e04292303b71884fc23982f892d8e11d63c2895836f1d5e6c441fbbcc3d1e4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\3e3f6a06-124b-11ef-a1cd-de841f1e203b.quar

Filesize
585B

MD5
e64ff49c6fc98e5cb775b7c745ee30e6

SHA1
cbe4dc2e5ed6dd1e97c1eafae4ecf3cde5ead117

SHA256
df3554f687be0f600e2e9736ffdd2efec7cfd7d25bfc38b7118439e62162a4b0

SHA512
7fc3d2c4e7c7b2cb37c9f1ad9696e3e3a633d79b69897ec495f2e424cccdd81939ac810d97fc39023efde27677d68bb9e94490bda485a0d45cd25cb43e549259

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\49df07c2-124b-11ef-9aca-de841f1e203b.quar

Filesize
240KB

MD5
799b9c7f1342355ab5199e4cd0ed193f

SHA1
24186c916582edc952dffb43954550c8055dc2a1

SHA256
f2036993f75be6ebbc74eff5626590b6a54b384a858ddea8e1321fed53d42022

SHA512
22b3f975ed2a54fefb7a4b43928426a7d2a443eb3cccefa5e882fe3208cabcf23f5e5c9c6fd4d0f46014f9959968c57aa0eb9132d5baeb095e8d227746f7764b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\1a4370de-124b-11ef-955e-de841f1e203b.json

Filesize
120KB

MD5
da6a3ec538e4aa84e65147fdd6c60541

SHA1
438f26b1bb7774fd821630dca7196b9967978c8c

SHA256
eb47dd931ccd99f218b3128e4899add3e26896b6910edae9193a37d7c5d9fa97

SHA512
84bf00962a85c6512ecd586a89d5a8938c38cdf167cff5d52f1a17317f5435a2727438bf9e7786708e113a01de9db381bfc1c9c96a80575904d880c129d37bff

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
1KB

MD5
37139747f82cb0d30237e1edd2b6aa4d

SHA1
9ab3f444d4c6c5ca8b869505d4c98c759663f6cf

SHA256
0aa54abd1981358db06d959f6a0fc4b1c587cbcdb0fb8c10bfe596fff867faf7

SHA512
5a1cebb57ee06897871ee403e2eba0a802078991f9c21bfd5210aa2fba0252452844cacdfad61cbb3a666fd7d79d7cc1259affd85c63445374982e8af32fe95e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
47KB

MD5
9240ffa4eff8f8382b089e932d33d87d

SHA1
7389b9973a869181affea386d8bf7405cbf1d55f

SHA256
8f07c21b92debad9107539fa5144955317fd5a0619070051aab98579de843dd2

SHA512
c774677e4f6e7b6c301e2faaaacc0ab995ae1934454bc1782f6f7b6c316173223d6262e43488749e708d0968c6b5e8b7536aefdbad3e12e61f0169509dc58ff6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
66KB

MD5
613bfcf7b4272c5342073c468b51034f

SHA1
982b0d84d2608789521eef227fd5fb04bc242271

SHA256
e95a583ff54f64682434c78f8e4d40ad79127c08c6e870bd411954649d5e169f

SHA512
b3184abe4c8f4fb0e1fc6aeb5b76451ea1c7b37ea0c43af0b1a40b93def55c14e728707c13b683b6a0225378299f7d3e8f48de278975746ae70dbc326e34c15e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
89KB

MD5
d07344ab1c903efe9bee4bee81ba091a

SHA1
93dbde598f1419ccb5dce6db1d57254c95ca3b28

SHA256
408f79e37697bd1b252911a6a473f4833f467094dd09c5e9a761df9c05e2f9f4

SHA512
653a2279eb86338e86e6e0ff289e442563459f91be9a9ecc162427054a3c6a58b2d109fd087676a7da3129ec5f75dbe1e2250cbb9f724246fa8bb45d4e605398

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json.bak

Filesize
66KB

MD5
2bbb534e6075243dfbec78942c88f1a0

SHA1
e0ef42c339ced35235ab75ebacaf4bdea874f56c

SHA256
4353f89b854a841dcadf8d47e7f080aea95924cc0cbea90352f380d9ab4533e4

SHA512
488908bb5992e15ae457b6a78e6e87ec5807b60388d7163246e3f30fe6d538128f599f4b335e3d6084ff388db73f3f66f27677d4fb76a67f2355930149dba3e6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json

Filesize
607B

MD5
99b5d9790324a3276e6ccfa462a48881

SHA1
009c979f0c1d2a81498c51fc8a01e52c8ceed7af

SHA256
52e800d49a87d1ca2ec127099dfbc15da0eabd46b07a445d5c69fd5971b48c29

SHA512
6e9b058a1b18ef88411a20aa181c7a6159f96ceb2eead98e91030b1fb2c1d1c963000915213726ee62db5fb9239bfab5a393ca83d65adb338293b66f7eaa7d95

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json

Filesize
608B

MD5
a93514fef50c272d886c0030f2ccd42f

SHA1
657794595822ef183cd4a3118cde8412f9434310

SHA256
093c6f0aa9352c7fd7ac28ecf2619cdac2f7a1f51cd8da31a9dddb0e6af4e297

SHA512
b5f751229091aeb5118b9b9a9dd766438b93396efdbc06342301a30498ee3e9890fbfb01ef99a82adb10e8ed21f6eede0f2ccb3968c081c03eec05573d0de19a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json

Filesize
847B

MD5
9535bd2393a076283f30011bbcddaf77

SHA1
278227e3052f5c8b5d6ecdea3ba4304cdd6bb7ab

SHA256
c50da9dbae94f4f208422f47ace08711d47e68493890bc4926e873ba99d36d9f

SHA512
22474e53030effd8c5dc99eda1741fef09ed995494d785c5ab32379fe40698874f6223263bd3539f51e22c0387bb2d8fbe8c421c213e0bc4867232275bd3c499

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json

Filesize
846B

MD5
bdb33f56f93e94043adad7c40ba3369c

SHA1
8cc67ae701455716e38960d44050927b53ef874e

SHA256
a967632310cf136ff4d8eec868275be0af9c2dab30d25226c3407cf87b1d379a

SHA512
8cc5d6f58dc18b10dabe85625573b27d263d7115b16a1e0dad844156592174e410670d9271a3ef9ce7dc0dbc0d32975d17b39556f556fa3d1308c18b00944041

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
825B

MD5
318e16b7a3dd7159791edfde62840a68

SHA1
013640427c62f302a6f8ed146c1c7c705bbbe06b

SHA256
571b9121132b5b305f9341a4e5fab59f140405dc14de28f225ffef18ecb8a09c

SHA512
86020296b1b3729007a3a26b7878b03c19dc15269ff0656b398d9f3c4cf66db60af81c9606742d3680a5463def44768593d81a3ec5facc21da9c45e880d1250f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
1KB

MD5
ce85c1ab27b9037324dc205a51f148e2

SHA1
f08d278983849c30aef5d66d38e76dd969cdaa51

SHA256
311c2cd01ccb8afab5b6b93bed4da68fa5a2259d6bc6e25af270aa9a998f556a

SHA512
8a8af3fda8feccfd7ab88a4db58d03ff099fcf4acd32473292f247e824442d4351811399c7d26d0f4c68d4f6df8ab75e1444858db24adc7523e78698c983fe4c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
1KB

MD5
aeacebe867048692bf5e7b24cdf17eb6

SHA1
263fbf61e0d8300a5654e182252c0faf777cf38e

SHA256
4af61e04b43ea41865b34574b5fc0f7c567ba6a07e2d87d751957d51908c80b6

SHA512
99d9158ff34f2dd4cef313ee33aa840e0ddece1f3d1f5e3f5e416e90667c47980e049507ac2c0bb3f8eb8a44453b54aa47f6db4721531bd6cb2beae615becad9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
2KB

MD5
eabea8f07dc8fd19a0c926d2c9370e6a

SHA1
45d48f5fb40ca5925e86c6f69e7e14f2836f3707

SHA256
3ed4e03e3a8029490ff923f5e98f92cf631df3d2be6a4fdeb1579ff1530795e8

SHA512
2c7ee2b4bb1c3765111f502ea44e3ffdf2979b0ad321a97ae0b271fd998f3be82b271947278a29c1976e4c29b7366730351a613c9ccb310fd95fb77c3a7373be

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
4KB

MD5
f236151fbf5a42a6795d03e54794dc84

SHA1
86f61d867f4eaf2ea0a1e2906e1bf9b02cd7f01a

SHA256
dc1afb3636507ca05c976489daee0da0ae676971bb13b4ccf7b0ef65b97a5beb

SHA512
11df4820f1d00569b543b42fddb6f8663a82034665b6c9ba37462f8807b19c8bd9fdd8b7a25aedfb492ad592eacaae17d1bc55eba80e9ab21be662a0ddd69c4c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
6KB

MD5
130049fe26fecb6f558c2a670e6f9e18

SHA1
69dfafa79c20192825a942956832242890f4463c

SHA256
4880637e11bc1eb9256885e9a3485ab6c7bf162d9869366d84631ac2a51bbf84

SHA512
8624af20f24580aec1440e8de288741eac21574ffd20681772bd20aa86436aaee51553f54378b4ad522c660be805a4322e987d2f096f14d1717643302082c654

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
8KB

MD5
76f3c8bb18ce40e956960d6fc7a9adad

SHA1
9922f42fa736957f880f53af62875d8fce8eeeef

SHA256
5c2dbb495f1976560277dcc3fd383f599fcf338bfd9bc2558465bd6cad682f72

SHA512
a043f3c4f7e36c78216ec530aeb25e2d5596bf12c3df25666cb9956c63cb5276bc89a4670bc0e0726ebe0060ef3e1dd9bf45a35c9289956cdd474da6e405ec58

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
9KB

MD5
9396c6fd3840c168f9d8584ae9438fd4

SHA1
5125780b7226b1bf0ee2c0769182d0b645a18b42

SHA256
343e1582ce8834ea6f977c632ee52642bcd39cac244d3313d2ede056de6c85cd

SHA512
35a0ecffa3ac823081dfbc1d8d7d29a4ae800f832e867a2092487d3614ebb37dd91364965ee8b94206192a94aab3cfcd853ac4858652e7e08a3fd1aa78860e5c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
10KB

MD5
ef82ee057861f77522ed97d629738e43

SHA1
f285c6832d9f0221b338318a68f48c316903cd96

SHA256
194041b875d3149b50b2c3444eab5dfe207f7f306dbad897b7834c08ebac9536

SHA512
6ead6498f3e16f38ad42da4237602891b924a2f0417c0fe77f3866b9cebfe385a58832743ae80d415d009393b3ffcf11df8ec0b29b21590e63da31a230cb8e61

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
9KB

MD5
f2932e6c7185b595fe056c6f5777ff27

SHA1
4fa8f2e29110aeff3f94e9037a3bba54d3e14bac

SHA256
6dbe59aa643400a727f30d7143b5b2b35b63f0a8236d478d7154875d25efd4c4

SHA512
8b7851826b522879dfc6966c068e7dd63829db5e4b0e88a725d1ba0988444055eefe62a8b99a9a8e0a3b58178720fc17a7cce761d464306fa06ff11577b5cc95

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
10KB

MD5
964ab68c8baadc100bf7ec9ae8f63627

SHA1
a40c23553094ba2314d4c09a99b8406278a0a11e

SHA256
6016256ef45edc583a06eb99fe8423f46b6fcc3da27fabcc3dc7abcacb1a69f4

SHA512
3ebf6cd43a83a455dc3c3ae3f6e5bfa467a3e405afcf1048316e97c1adffe81f7fd5b20166b3dc5482bfd4aac8852bcfad0d1bd79ad6ce99e2d609d2a86534d5

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
11KB

MD5
fc6ad44c8289075b9fdd0c0edec6fda3

SHA1
a9e5bf179f170f9b0cc5a38d688044597b71766d

SHA256
801bb3b99dd841467c03a6028dde74400a5ff466dd8106616197677f6a17baad

SHA512
9f6ef8c88c3c37849b148072a8cd70b1aa0c29babc2b4e732527b67e737d7069bff7aa1f7e2e2418f184d1efb6183185d531fb62f6ffab5410f0e2e6f0ea6731

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
12KB

MD5
ee2a45c97792a77f00345f548c677a79

SHA1
d02fe2d541a17c5db8c084cb4cda7989ab7e9d2c

SHA256
6e94c271857ec28d9bc3c01469e35f1d9d3b54529589c38bd14a209a71a6c84b

SHA512
c25c633547da8e7649167cceb11af82011824230199555e170ea34da805dc002866db06bc79dd452d23399db10040a792d49db01ed4818aebf439dad8034a824

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
12KB

MD5
d930698768ab7d7437cf1929a75429fe

SHA1
ea0440d10f042f6173d72e4bb8d4dcbad31b5340

SHA256
80041677b99367761a00a88c4e1371b54de0dbe66eeafd746fa8f3bbff47adeb

SHA512
2b1af9e96a10a2cee1cf848da676924e4ded7fd5472fe89196d839220aeeb953adf0a73db60c7c0f221dd51790da5e025ddd76f9cb4c1aa806e9f1e1c840c26f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
13KB

MD5
a0cba6ce562630f4a1ebee3b73288ffd

SHA1
214bb1c9b8010c4b58f7a6b632fdfd398c7b5cab

SHA256
25021c2aaa4efa963b9f8291fbe2383adbccf85ef8aa9b587675ae4b81da4175

SHA512
30ceca698d5f70782ed396d677ecc2ec9d11a4583c4046aced8b05246bf745a8bba415051b398b51ec65e42310eead41023d23910e8ce098a201e789c11534f6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
14KB

MD5
12b5683374a431ceeef586257e2ab7d4

SHA1
92a6f1ae4227b07192157f96221b7655f047ccae

SHA256
e3f59b803503b0d8f71ffeeb3f2b511296dec884dcebd9995a0dfef84daeeba7

SHA512
ca85842e962e8a60e962082b79488f8588b16700b332d7d08eb2ba83591508fb6bfdf72a893c0f763b98df68abe8e2f810affa1945c8ffdc1d3c2507029d2a75

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
1KB

MD5
26fc11cd0e4787333984d07c9d5ec89f

SHA1
6fd44363d43decb40a7b6ad36eded04b1954b233

SHA256
e8f8fb02a538be32ca82d729da0bfd0409f39d63a0688151026f6a68cff03427

SHA512
301543837c90c58356c145c7a4c511024e27ffa844a8fb0ee3555de3d95ab6250da2aee59ac7a5ece9e2671f9a4ade89d6498c922f3ae9a687a771df7c5deea6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
2KB

MD5
fc8e818ad87ba7db2ef3a1ccf207c478

SHA1
498c977f78c78ddd2c2e63055d731ca27b037e98

SHA256
c1e2af685640d0d81b39795e1e6b630eea64384e733fd1d18aca72efd92e3d5e

SHA512
d3f0f5c88e56ec3d5104bb68f89319e3c5a1d45a5887ca4afff1d43f666654bd608b8d4b0a7c24a8ee6dd5320a0fdafb77cc8387c56e92de58c62327e2230f9c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
3KB

MD5
f206b36d693f0020e2844829ac6d1f2e

SHA1
247514d5527422eed6860ddb98037dfdf2b143bf

SHA256
f3fdf8f852e5a5bda5e608ee953b0cec648254872296c2a523af4a4954f07418

SHA512
9a46776d58cdb4018e9bf4bbe83b4d7eb1cb507186f78397d0321914d62d43861bd45cc881b6c5750599b922a315475e886dc8dae716f65d61211151202ee7f2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
11KB

MD5
d8e7149c2f2948cd85d2790be0d362d7

SHA1
a5ba2d97ff43e5be90539d8cd6d27882b31b0fdd

SHA256
e750b85a4600403a00a354d4d534975ffe7449e9ee998d4e2d427836d9227e63

SHA512
886eaa5867d6952fd1b8d4701423ac483093abe780174153019aa995f4ab016869f9a50c99bfe9cfd92dffe21d232463f3127b459971692507d0c655f8d1920e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
11KB

MD5
6b84f9e27df9a2f4a34e9469652e33b4

SHA1
3adcfa0b53e36992488b078dd6e460ffa5b84751

SHA256
2b138058ba1bdccf8af12a24fc4e1caa8c003e09fb5f77d1fde0dde3dabbb090

SHA512
6c137a14a6bd44075a830ea9335d83a40d12d8fff8da6abd7d9723e1f8b8351abb09f61141fb02cf7e22b32346fd57490d77f5cccc73ca511bc06aa98dfdcd22

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
11KB

MD5
b9322906e796202b6443002cf6cff2ca

SHA1
7143d7d8a3be4cd6f6bb4fb47d62a05ea58e2ebf

SHA256
a7e4d1379ada87de08cf9c289b0ea4bbd55529ff4391613a99a023b6a93e6a33

SHA512
0459da61b5d1049385df74a6881536d9a71b93737cfecc1045c3473b29f98268f42afa15d4023598d11145d40302232b9e97710d6227b8f18c8b1b6e5c2737c2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

Filesize
1KB

MD5
a1b242779193cce392c2a198c8cb8aee

SHA1
e7669ec9334fc5d78d83d39772bbd5cfdb172498

SHA256
dacb7b2afcfbe15ed2f0b5ba9d808cd397e29a0d6dbeaa80549e0325f4d5fa88

SHA512
f6c0ed33cc8761280dc2c3c560c62c8c93de7897385393c20d5965a53ad61f971db86db7522f6a8526c46b03b8cdbbaeb697f7bf97db49cba53eee2242ca7e01

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

Filesize
2KB

MD5
58195e0512d39ea11bc07e430381a96e

SHA1
64fd4dc79618d2b8fa7587857cacbf901e9616db

SHA256
96901d4477419324d6a669ed8feaacb75934318f58f58818f9903c164d645a87

SHA512
2f999de80f43583f13b1a6589955a9267fdebb9bddcf4800dfa523893589b9608afb2702bdc578d31ac83847f578c329ffaf49e4e935c4bfb3cf34817273157c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json

Filesize
814B

MD5
fcb672c773d9e36fd9cd91d569fc087b

SHA1
6a0a257eb2952046131e35218018118ed7284b54

SHA256
82cd0f2c49f8bd858f793d31ebe4a31e82211d972e8fb84311a88a26a07cd422

SHA512
a2f177e29a5a4f5b19a171376c8996d95dec0263ee8e325aba06e33682e7d1ed2ca016af5184e5df98085a1b81e27f218efd5289e940cce241129b025d909b0c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json

Filesize
816B

MD5
21e51b4a4ed5809f4ff2f0ce2dcb55af

SHA1
92d7d691b69c872c1d4907eee5bd248950fcb6fe

SHA256
2b33e9eea0e536c995d06b10b8519f69730978f2b7e7c4ba16cdea938e47ed43

SHA512
131c5fb290f595c57c48af33db0dd11b6a521476ef3e625f1b872b6e4509eb69357fc341da1d7d7fdc7da2173953ac11b2a592caae7800d390e3b0cea2044e1a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

Filesize
1KB

MD5
386e7abd35c35e8cf1bbac1f38d1267c

SHA1
a9d80b22419dd62bce23fd4364807f774d9f302e

SHA256
5701ec23ad514d5e5284c85e236c31adf33bae257e5be9338d874a3985a03eba

SHA512
e82bb01280053d9159296a702cec1cb7e9b5e871774e5c0a26b6f26ab3faade0d5b44a8a82aaff5d3a354805473d1700f116e86185aa6d6c6e46190ec97f93fc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

Filesize
1KB

MD5
e21e20c849b65316e68a7526ffd01f37

SHA1
6b91af7f1fd709ca46d6bade8c07877df9ffa511

SHA256
21b12ecb3dca8deb489b8d594d95e3aa8ddc0aa164ebe367ba1fb55fe6787545

SHA512
8d43f36ca063d96409181329d49b4544d0c03c2c059108ef7f9af8dc5766064b4a93e060bb9d80432acd96bb0d7e8dd066aac68ff88f635d754c011092978015

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

Filesize
1KB

MD5
396fe34c0300b6a16820a89c8b1508ca

SHA1
31be0d703e7f5793edf080d8bb11e4bf8672571e

SHA256
13e91065c6a76d1e89882e4037c062afac3b00bbc2188c91d4343aa80a3cab3f

SHA512
e4db279abd9a17bd1e43e612bc79910c1749e8656a4a65da078b0bad13fa184c7e7a7bf9fabe87c99e15f23c37e256b0f4f411aaf3b69e4bbdf164bfdd840733

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
2KB

MD5
379634e48be829f8358288bb42be5111

SHA1
595a01af53bdad631cf7ed9f3ab20c072b310f3d

SHA256
d10ee39e2ef3d353228355f6ddddf580b9d1ebb83020670a7bc81012671c253a

SHA512
e92f5e6c53b96a23e30fbe8c23315770f697488770024c2c7dc3a5d9e4d9b5b5b6c8e6fa9649fb9a6f76ecc1f5020bf046592bb742471d5e8f023f8ec70bd2c8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
4KB

MD5
a181c7376c1b6a14334e22602064bc45

SHA1
d2b3b4f8c1d77671e9ed81fd3f378487e12d0b50

SHA256
9dbed32c05ec0300ac2813fa5e907c297fc83e86dfc0063a048647fb82fc6c96

SHA512
f75302a7277d45447742d6f9d1000e76d1646dbc3182d0069bb11dc8082794ec199ce2ca01de1de5cb3737645b6011699eeb3f5eef369868465d31eb88895bec

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
804d956edffe8b26eceecc9df2a5558e

SHA1
198559140ad2750cb254d3525fa1e3a1c55e6352

SHA256
af4ae6a7f075c759d530b5c5f45e504fd4adc7ba7f5796f26c3b5154e93ea594

SHA512
457632df9a5589f531933fc5be2074a39e055aec7f0687c7a42eda9063ff079312591fb249ef91d94308e20498080b0c2f34b6f6d23bbece483e30bfc20fbe5a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
4f5d2902f372cfda74f31b217f156cb7

SHA1
cba9eaeba16ba648293e672b5d747a954a35d756

SHA256
e94b8b5ebf0c699eb79fcf1ed5514f67cbeb1ae74875748b4818bfd7bec7bfa8

SHA512
46a800f8322a218f8565942a48fdc6e84c63f54869571a17f965b4d75babf9721519be68fae8b494c0313a1583a6cabe84f72c2b2203862f1022d4c9703a17b1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
2135ab746d62333ebdf317e7b8c11079

SHA1
1b471f90aa4407bd3f2b464b02b341292746ed04

SHA256
f09dba6d3a13da9be5e4688a0659afaf94c5e0d2666040ca606ab094277c06fa

SHA512
be567aeef342cd24e35778aff1f6905d0a23b730c7dcb7c17820a16ad72be77f792e9749a1f1dda8e892c536998752f90ed1903a1e460230aae4f14e4b94fc7f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
65f4ce1a0fc17169f8e3df1a6f22064b

SHA1
681a1eeac705656013deec654e8846812ed04875

SHA256
f02d40b127164309342f008ee9e00456859ab129b1e4936f7e4e800820730079

SHA512
8138fc809c15785b3b03930de68a2c94e01a4ef28bcdcc8b96141b6fa5eb68641fb379b3d9a1a4790d65356ec7c945acfdd66e3a4b7b50038e16204ad8432fa6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
38c297e2ff0e1d48ecefe9fdefe8873f

SHA1
9337a0200208a3bbb39b3926fecbbf459af79edb

SHA256
caea516852aaa6719dec14ec193fa17d0f1f60826e264565844421f1bc30f647

SHA512
b7ed541ba90f70060476b400318339a3a1690f632d1a11c37fa9b792a0b6e2ede4382e10fcfadbb6ad8277450b9ee192e5a3429eb05a697d2934e4aea66c5f09

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
6132e26ebf13ef5dcf1b8090ecbc1106

SHA1
9b92da0449346483a788375669d353a96ea0a6b7

SHA256
baca3da04e3b3d739649df4df20eb058f4b3b4ef3e5b83b485a9750d27618415

SHA512
99cf10c2d77ac15045a927f4df9e7c41d4e06e65dfb27c56fe2578730a0ee18caf6cdce94210e2b51fb9a7ce29e9ad32e739addb3e8506a42af7a8f7cfeae922

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
1cca03fbb6a039d742e9dc1f0e8e10e6

SHA1
b0f64627fd9642002adcb46fea37739f3d07a1af

SHA256
51f40fb5d9f0101afdbce11bd08d1ccd9302df1f1c53835a5f7abdfad510234e

SHA512
8a9f589b60be956f78ca6916aad3130b657034cff6a8acdf9ed9ba739e5685c9263d8bfb3f515ef42924415bfff9bd41323fb9ebd3d3559437d2e62db05979c4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
7KB

MD5
f9893923a0a685a081669a68bbd52f39

SHA1
74f28dead9df43fa3598964caa2071c191f414ba

SHA256
3238e6c6faabdd93e333020d58d198448dd2b60f35ce566f0f1f666d9cef2526

SHA512
895c22f682ea5bdcab487d0639cec8dd578ff7148f7c250cdcc865c86542281a4715905fb8aec3548d36cde03dd530537e331f8496ef91e0aa3094f00a4d066c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json

Filesize
11KB

MD5
007841384d8a7ecd40f38daedb4b907c

SHA1
0fa8c4a30d03e150c9b00fb45b7e65a449a371a2

SHA256
5cb254deda0e6bae76cc7c97172f358ab07dae5e38b838565d14b7272868409b

SHA512
4f9e8febf8900b5a38fba884f8261418f7e773fd58b0b29bd1a833a7286fa6397182f94d5ff8b38a69a44f37b9dee7062390bab4ad2c7b2eb3107c082ab1cd52

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json

Filesize
11KB

MD5
743dbbb7772700dcb57f992f95b1e604

SHA1
10896ea6aa318c5bb10e7e2f66ccc69b0ee7b76d

SHA256
875f139c98b518b3aa04dcc9a6f5e3a956d817370a80d27e9e59e57b81f7b1e3

SHA512
bbe61aa6ab47db34ea45ee356b103cd0f67888a226feb560546c9af0073f42c64b7291abc4b0369a98956c5521d6d462742f4ab7e81cf6cc8f381dc6315cb491

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
71ca5c790fef868ab0a53f20e614f4fb

SHA1
f98d1303a15e68fe07d6206c4fe684a1f3ff354f

SHA256
7fe381e7dfdae44a6e7bf114834ba706c4b970d13e4f99c86fa036138f0b049c

SHA512
4c791f3388ad33d09b9526c61c2fc88f0f962749c5e1f2d81b8756943145e9a0e385c0ee2ba22a1295547a4bd22a62b9eadfdd5561cf0bcba8667cdcc8aa2568

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
e1ee2bceef523ccf8dfc815ba125ef16

SHA1
a6cbd36204f70e47eee828d6064f195e603fe54c

SHA256
cfcac2d62e4dd6c0cbc83aa6864217d235b90142ab5eebaeee9a5450c1aec9bc

SHA512
72b0b82bdcf65ceb9f0a6ab9213e9d72642b8794a945c29463e8917412075762aef12552fc847065cc14663da57322c57188b23545a55e924aa3f2fbe9b6f786

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
4be511ec12bc828b4650859dfd659b43

SHA1
014388cb3fa0c450b3b5ab4065b9677cb1ef2839

SHA256
187b1561a872d9ec847350c0b1f79f35dc43340fe1eb8e1debd5e556e48b49db

SHA512
3e187de1063efbfc008d1780fc0a86a5024b46cada63ef1f503441a7e8d05a5b8d2e3cf68e0a6c1572caaa2b3e3b23330770f1f461a6a1fc07fa19d3cccdc2db

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
02cb237902d2ecd973d671e7b6ee64ed

SHA1
85b76f57c1a9a90eb3cf08bc7bb693c287f97f3d

SHA256
ada19791b1a53fe5e028bf48dbd0f25a0bd9286c874b2ededf3872dbb8355500

SHA512
87145ab0cc9043a6d3dc14b2672c557c5804dad8e9f8a0e942f485fbff5a10cb3e5a56ad538b2b9d05ebd938734c90e01f3c949199c8085a4df3b9a9ff737f27

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
a5bf7db0a3f65be8b08f7d1ec413b24a

SHA1
da70dff4c75679e2309192d3d0a2c1c9623722d6

SHA256
403a6ef78146727a2e6c549838074915193a51c6db5836995fc60473190cd38b

SHA512
1cf3d7bef3f3021d2ea180ecf0232d50e19d591a63b8a5a49dd35da2ea3f67c46c47c881f8261b1af80a2f2e4b07a5d7ed196cfa89f5813631bd91ceadbdfa16

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
d6e17e9f3d4583ab339d0061462b3e6d

SHA1
10be0e196b4a39ca07b0c6765f2f36a42a0331f3

SHA256
3c702c36b83a35a8bca285cffb8b29e3207e1ba5d016eab1c0a21aafeaffe65e

SHA512
a80bf436a78eff7053e69f0f18c6b659b130c07476ab7ff02a36298c44f3676061c87307700851d20a24e69182e711785688e5895ab36a15d7999b068c11ac7a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json.bak

Filesize
1KB

MD5
b27b22941b0f6b0d7004a7a586135d15

SHA1
58d169779cea42dfa233ce9412d1b14384119015

SHA256
7ef19349c6dc736c05afd6e2ae56b803d2a873339225b999decdde3d1782875a

SHA512
855624c656f7022f333a492ba59fd4f01ffb52b2a8e9b7ed0095d1f69f67d29248d90b8621c98b1958f519b1ac0479d16080a899f1c04ae98d73d843f0a79233

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
248b7404617ccb503483bde0afdc32bf

SHA1
5d57ed88efe55c154c10ad42ab551b9a46571be5

SHA256
eded8a21dc31d3c497b48dc1cef2c7fc53ef2cd42ac9763e49ece15445f879ad

SHA512
6950b7862a4c877be216b09715497f0321fbd59eac5c3ec7f7f9623a9a92ccb47aa34923295d67b831743157297d1fa40793e1e5b5eab20fc29bffb21503c1f2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
ec3c0718cb4a97c9bb488223fe170295

SHA1
d1d2bd7c112bb9590e4f4053d773796f4937b76f

SHA256
5227693cedc4c142eb95ba7162141c63530296af78032884595f7d0a605eb2f6

SHA512
199ff6c790dd32632cde0488b338888e42de16d70af7b9f0f87791d43a1bd31705cba4c9a2a217cc237c9347003a1d13744395b50fbcbbc78b9c6ef9c28c8e78

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
2d428708ba8fd15e2362161d18bcf529

SHA1
a60f152d65fd31cf538ffa0a8c8fbc6ccaecba6d

SHA256
51433b30b9a285dafc341f193ce8035e28f871f548d2065bc598f93714ec7f7c

SHA512
0d87a7535ec911e9ee595891e7142ad4d4dde0d842483c46d2ccd10fe605f841cd96c8add84ccbeb0e3caab4fb75732294a9ad2ab2c93b03e717153a229654a1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
d93363d89727220d204b1a933c8c0add

SHA1
9b4aeb7bcd0af8614a0521b8bb35323e9965c325

SHA256
0c313b5e05e51c47054525e3889c5a243a9eae9cbea61b18964aca496dc7bd1c

SHA512
46ba2c3c58ac62f86882d717bb411bd039dee97819520492382918172f8cf5ee4c8a16dfe6720c7ac9f4984ca9b81025463a67222c8525feb8139faa9b7a3823

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
6a386c104de68ea4cbeb546b6223a468

SHA1
6e885b2baceaf1a83609cc9d950faf2167599a16

SHA256
556d58a438e3f0c024a543f1f31014e70603718d09ec6b0ffca7509a4eaa42a5

SHA512
ab0f271f3288b224763bc2d8693b3c45558992c665c0879ad4b4e737029af011195ab8d13be7aabb85be0a91ae6cbe062615c9737a76f41ce246afe186b2262c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
12e93292fe14c740b3c6c1f5d3fb4fbb

SHA1
e2d66b0092c4ebe41769e2941350c51f9c9d0060

SHA256
19d6f668dc589d98c7b18deec2e697734d6d3af2f760f96440f0661fa7ec8840

SHA512
d4718a27eecd56a44631c0a05abfd0b96f8f080a53a9a90f9253acd652ccaf24e163c579cbb9b2e3d36288bd46503b0a3926965bc76e449ce6cd11d4e9d5896f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak

Filesize
1KB

MD5
dd1367669b6de8bc8b3be165e83166d7

SHA1
64a9f684dff373651024957888fbd990f17b4175

SHA256
732039092e530223b6e727e969f7ebfed45476e7f0c34bea8df1f99713c9abda

SHA512
dfe3d7a60a8815f8ed40a54ee53490812178cf189b270ec927a4b4b8e61ac053eceb9692f85c02a4e6f1793dd348d46e26dab125877a1e23dc45cd2a18568cf6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.json

Filesize
1KB

MD5
7da6a1fbc7e73e4d60ff32e0c1b2b36c

SHA1
f096f1a04e25c2c8399f5c8b363f501ed356d22a

SHA256
7b1772a99854c3ca67f8aba1d6f8ee431b0b91e16961124aa6d3c286cbcb96cd

SHA512
5431b0d5e942f6fde9dbb29de13bf53255909bcdd0495824f1f1c8cfd51226660f56f81d92b636fda0c2e7f18fad31b0af27e271baf8461b5857fcbbecac2aa6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.json

Filesize
1KB

MD5
fa921dae57a40a0071ffd123361535b6

SHA1
5665e6ed4c49ae029ef777351da30a448a57d74e

SHA256
bbb542e0ea2cdc4ddbcd8908a77b4017c081c74deff0db984df972837d53c994

SHA512
0c4146e94809492d5f7b327f884c5d26e425d4dd315c677876ce64b6d31bf70f1e6a2d62d1263bc2ab46a36ef6ea224ac38634ab9e3913c6bc4352005ae7e036

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\VPNServerListConfig.json

Filesize
125B

MD5
9321cc7d5cfee2ee03ae3069ee5d4cf1

SHA1
7414385602a165ddb3365ded501897ca846e7feb

SHA256
2fe912bd9df8987a9991762fe20ee1fd61488a966ac4399d352a8d3cde99752a

SHA512
e12b96437ff4b8d1330ef259fc4aed6f36a8e5aa29f11b9ec2222acecf95eb8b8c2c93e41158ed48deeab1f4e72fd09676cc12304ba35a248ca787e4f9a8def2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D18.tmp

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D1C.tmp

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D20.tmp

Filesize
504KB

MD5
b5d0f85e7c820db76ef2f4535552f03c

SHA1
91eff42f542175a41549bc966e9b249b65743951

SHA256
3d6d6e7a6f4729a7a416165beabda8a281afff082ebb538df29e8f03e1a4741c

SHA512
5246ebeaf84a0486ff5adb2083f60465fc68393d50af05d17f704d08229ce948860018cbe880c40d5700154c3e61fc735c451044f85e03d78568d60de80752f7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D21.tmp

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D24.tmp

Filesize
1.8MB

MD5
804b9539f7be4ece92993dc95c8486f5

SHA1
ec3ca8f8d3cd2f68f676ad831f3f736d9c64895c

SHA256
76d0da51c2ed6ce4de34f0f703af564cbefd54766572a36b5a45494a88479e0b

SHA512
146c3b2a0416ac19b29a281e3fc3a9c4c5d6bdfc45444c2619f8f91beb0bdd615b26d5bd73f0537a4158f81b5eb3b9b4605b3e2000425f38eeeb94aa8b1a49f2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D52.tmp

Filesize
1.2MB

MD5
607039b9e741f29a5996d255ae7ea39f

SHA1
9ea6ef007bee59e05dd9dd994da2a56a8675a021

SHA256
be81804da3077e93880b506e3f3061403ce6bf9ce50b9c0fcc63bb50b4352369

SHA512
0766c98228f6ccc907674e3b9cebe64eee234138b8d3f00848433388ad609fa38d17a961227e683e92241b163aa30cf06708a458f2bc4d3704d5aa7a7182ca50

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D99.tmp

Filesize
68KB

MD5
54dde63178e5f043852e1c1b5cde0c4b

SHA1
a4b6b1d4e265bd2b2693fbd9e75a2fc35078e9bd

SHA256
f95a10c990529409e7abbc9b9ca64e87728dd75008161537d58117cbc0e80f9d

SHA512
995d33b9a1b4d25cd183925031cffa7a64e0a1bcd3eb65ae9b7e65e87033cd790be48cd927e6fa56e7c5e7e70f524dccc665beddb51c004101e3d4d9d7874b45

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Actions.dll

Filesize
4.5MB

MD5
20d70c6e04dbf14c01ab2d756e97854f

SHA1
f172c8b8c0e87d2a9ab064513dce004d16d03e0d

SHA256
c4002339b58bc493ae3540bafe1b2ca0a70bba0f853e29f60e0f6a1680fa9a24

SHA512
13e073cd4b3d53c6d9fdda671a55962266b5c0a18abcb5774092c35f0d0bf2c5d0d9802d8955d32cceb166821634bfc067dac7809c9ade143cf3a3b497743b36

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\BrowserSDKDLL.dll

Filesize
5.4MB

MD5
a3fe79081a59d493c01b5c1139babdc9

SHA1
1505cb4053bcd9b55c40227ad6b62a2457cebbdf

SHA256
60c8c024ff020f04fcccec10ee78872bb1e6985463d6370c6af095761d88b860

SHA512
22310a585edb36050ff20356cd9eb5129cdae3ffea2ccd7a54d9652dbd336d7f402ed119dc59ae3250b93bad40e75983184256c0bb239cff049bbb983f487bdc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.nm

Filesize
335KB

MD5
3c82b760367162487bc14cc939981422

SHA1
a4b80d8ed7be4dd831cec6bebe0d148f2ebf06ee

SHA256
8ee9c78dd5e56936504c44571bc9649dd5480596e3f0ede5b108ced7311b50a5

SHA512
77c485503ab893428d873937d1cb0f94bd10eb0b67ff7f99f79c530a43e930bac3d08f89e8822ef6557864a344d2a046a9063d57df95f74746442bd22ff5685f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.sr

Filesize
13.6MB

MD5
4400a144538766d3f6c5c2dc3afb5bb9

SHA1
8545344c3ec4070cfa8b110d0bc6c73b93553843

SHA256
a5ba1d305efc72eab7148b079a8c16ff25e72a1745850a535c84ffc72d45dd75

SHA512
17803eadebe397e7190480a34174bff88dc64b7fd803c35f35ca1f0ceafc29f9d4b6c12bb99069abe6c01b8a01a1db96f708b4f6ca5181ed44dfb336c82cc4c6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\cfg.bin

Filesize
845B

MD5
1bea85f6f77b365122fd5f51b10777e3

SHA1
2431dda3ae3310739fdbc59a1c40aadf5b0c5e2f

SHA256
ebb6bfbcb66f79d34e10c57e70b26aee5f99e11207e6f103c660b4c2a005f771

SHA512
01402e189787bb653c14400721acd55ed2ae78f94c4ce9d0c9b9fd8a49ee504136bee56deaf24291e0594dfc73489a973d54f2e19094ea21f061cad2daf35460

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\clean.mbdb

Filesize
12KB

MD5
d4663c5ef07eddea19bb7409dca59f53

SHA1
60226d0cf112805a1215a6e611f139949b79b5cc

SHA256
ca22a14d4e428b0b88db3ddb35ae9fd4939cbb8a574981bd017dfc7ac5aa4e74

SHA512
8bff2d9f170e8c5052aff8e4e22a25d67da2317b2ec50c1119a58b09e909459ac76c67520c515391ff6846bc135ec32aa574434d2ad205af74d391b3c72adca9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dbmanifest2.dat

Filesize
924B

MD5
3f02b92c09b46779f5c2179c385269e5

SHA1
f84ceacc1f0554e21bd67c382a2a35dd3a83470a

SHA256
9e059077bdbdf4e63aa2eba940227e67a61e50ade077d4948b491a0575dbfc17

SHA512
1b39ecee512e8d529e43da1b15df53a45c11511a071970cf13c5a8c31726e0bb016226d20507d2276f635a7855be7d70726088174ca110e9e97b8a88265c9b96

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dynconfig.dat

Filesize
39KB

MD5
10f23e7c8c791b91c86cd966d67b7bc7

SHA1
3f596093b2bc33f7a2554818f8e41adbbd101961

SHA256
008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

SHA512
2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\exclusions.txt

Filesize
23KB

MD5
aef4eca7ee01bb1a146751c4d0510d2d

SHA1
5cf2273da41147126e5e1eabd3182f19304eea25

SHA256
9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

SHA512
d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\ig.exe

Filesize
1.8MB

MD5
478df352bc79ef18c258b53f662b0885

SHA1
e80aff69534545fa437074818da66c5b06ce85a7

SHA256
95370683adaec8d785ee7368d590cac8de0e7add72c88c24aaefcbfde9ac1826

SHA512
1771d6d85614369c810a52c2044b4e8b6014fe4ee62c1586b28442eafdd0db50c9d514a3e0c94cca2a2450da2fca19ddca74608dea5ab0edf87a7d78b34685bb

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\mbdigsig2.dat

Filesize
514B

MD5
c036e6bfbc0ddbe89570e9aed6a4f1f1

SHA1
fa20d4a89229855a7ee2958f336520ab7e2e3036

SHA256
cbfbc6f62979269f99df96002c07c922438bc96a545254793988f642f8da8499

SHA512
a7693deee56f0775c3a71134d94e40e43d7500f40f27d52c016b871349d7284902a916d8c07e4a3f3be303764bdfe8d9745d81fb52f1a821da8ddaf5b6ea2cbc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\prot.mbdb

Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rdefs.mbdb

Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rules.mbdb

Filesize
9.5MB

MD5
0c726aba449c457b8ea8dd82b8296a28

SHA1
c62c9772232b36c8175f8a624933be74048e157e

SHA256
d7ba355d16f17cf6a42d6ca322299dde13c4f38b1671d2ae92d273f883022d58

SHA512
06647a758ce570f3066c4fc4a9875649ed7632583ee253f37d8ac1183a3b8d525f6682d080ec5f5b5614ecd76cb38c1c54516e7bea23550bc1838761ceddc916

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dll

Filesize
529KB

MD5
71c2939bcb601b29868a2549fc22a827

SHA1
e4065e0a62cd60915ebae2d510830f50b3a4c266

SHA256
1a2348213858488dfb80c9ae5ed650352879a9593c776e56edea92ea1c1e146f

SHA512
ba2f9a22a3be1f470dfa7ea933eee04d4fcd5c8b38b0d2d3ed38d197e5f3aa3ecf3f82fdcd11aad34bb427ea39ea394220ba1a628c6aed3d6c80289b795b1028

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\scan.mbdb

Filesize
911KB

MD5
fa0639e40b25bd1bf1e8a7fcdc6b9fe6

SHA1
785f043b60ffd320a18e04ccbdfa246bbece4be4

SHA256
1630a206db22d61ff1dee4e4b4f02858afd2e25a5d20894265a9cbf3757316c3

SHA512
5ebccaf385e96598e35cd11e79a2cc4edb1c9061deb2db71f1f73d3f2dff50d4e1fe3fdb43547f232ea1e698b667b2912b4c56c7c70b1a2a6e4da50e5b4e6052

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\tids.mbdb

Filesize
170KB

MD5
66368f5de3bbc9bd291a51785545578c

SHA1
b14fa5579f016b24868cc5a8cb33b18015d12c8a

SHA256
5585d77f06d8272a5ccac108686ad47ab7ed06629d2384e621c73f9452837693

SHA512
68b0d523be4c7bb4dc26a5d80f4829732f2bcd7d6ba6912f9788e655e0225cde0f2f562fac1848f04f7b1e4ff204d0db97c88bc9c33b7492c87d1299e61e4ba0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\wprot2.mbdb

Filesize
30.3MB

MD5
21418c6e6c52695d69932e755df586a0

SHA1
fa801b864c19236ee94ac1489d70406a1d352d3c

SHA256
56a1a29c4842d8a94c94bc85ad76c942e8dfcceaa3cf40bf936f0cc11d8b94e9

SHA512
a7c71d7a3456612ed710b64805650ea7c1f58bed5a9d7a484532a15799a6662511f79a5f1741b1970018c04a2385f096f29cd3ed92ff02a61dea279668be6b5a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\pkgvers.dat

Filesize
75B

MD5
a905e9f56e75886c473a9515aed4301f

SHA1
820115c528e5a88bac61f2a4ff8bbf52f6914fb7

SHA256
77b5988c82cd70d1789a14566dcdb7de54c005bccb4346cb3363eaac1c19d59e

SHA512
8b4cc86b4bd20204752673b18f4e47904bdc4141faac2e0f88f18b695c2d349c256091a865243ecc0cd0b3836692ec8570a8944a2c3bc7392f80cee9ceafc65b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\SdkDbUpdatrV5.dll

Filesize
2.6MB

MD5
5c4b6998682070ad73cd246eae251ccb

SHA1
d4e3eef6332a6598e5d63741f3407574c7de5f5b

SHA256
54e0e90cc5cfef91ceab363c6cad54c7190cfbbecf6353181779938a3f8de8a1

SHA512
e1f844ecb631b628ff37068ef474b070e22c5be6453c77acde53e886b7e9109f22d09748a7902e64237f5cc9d05818080c0bb5697918235ea2d4ceefb68b8524

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\expapply64.dll

Filesize
365KB

MD5
99c8e47d747b36be8ffcfdd29b80dc3d

SHA1
9b8e87563fee31abf90bded22241f444b947b071

SHA256
0db4dcdf3fbeef2c4d18555f479a28dde3d67ee6f0d27c18925207142b7a38f7

SHA512
f9cf4ec06585c6cde57011884141782bde83adf186f57f75576c8dade1e868d6b886daf8fa15c55ac908ff995c4b6323c3a8266dbd664b807cd67cf788f7074e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\mbupdatrV5.exe

Filesize
5.9MB

MD5
d7fccaaa00479d7c0d1924870213772a

SHA1
73db951f1309d0198d11eeae2d31adaf650e74ef

SHA256
e7628ac2f2ec739f6ac7778aa8ecd9c174e3a3a2dbe8239f3ff6635bcd848e4a

SHA512
ecc97ad624cccc47fcade65e332a4e3216d1777da01764749ff3cea9fe04bb0e6f28183aaba86454b52328f5c86be5c8b5b80ed81e015ced443e25be6e19809c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\version.dat

Filesize
26B

MD5
5707c31eb9d9caf9eb808bb8cfe6e85b

SHA1
d54ba687529bba161d83a7c5be1c9c20424d13d3

SHA256
3c34e29ebe8bcf82776d2935d65abc50e59511289a0de2fdc9aa3dacd221aa19

SHA512
b32968c1d0aec0350ce37e2853ace303e3480f8e974e7c2fd974b521ed600edcf39da7f0ed4ab6fcc5f531d2a510809fdafb48b9cdcefc4ed36f9aff3529844d

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
3a211ca9261bfb626ac0a25bb7e29cb8

SHA1
db9b9ef6209356f96f72188b8cfd4e2405eff320

SHA256
fcc6e6db0f5cf59b4799a4a5b1c8b40c699c888ac881048cf58fb356cab62155

SHA512
1147e0b54cdfca78a9def44c50d9d020f39fd6dc91526aaf226a0a915a6ac8ba16b458ce48068397f3c6da7a3a7e75b2c93ec13225eae0c810e2b93f3951fc72

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
c38bf0614011e1a61d874fb851bcddc2

SHA1
6bca2753ff007d4b2f1e3cfc1b0c577e34da61a9

SHA256
259307a829d5765a040baa91972c68f69e8cc2f1b49b7ab1c2124ba532c80cfa

SHA512
c0cca517ecadfd42e010c9f098b0408406e47492d8989f51f7f963ef55e4fd85394f179e1b3e14fea490b4be49a002e9b079e227dfa3a197ef253f98d4ba7ece

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\cache2\doomed\1237

Filesize
8KB

MD5
eabec24cb981d7daf4dda91d16110972

SHA1
80a400b1620b8efc7e34c99aa50902e7fb847d2e

SHA256
a27a69d7138265661befa9656384329af6e6577d7748d5ec4d9d7268246dd291

SHA512
6e6e0efef30cd89889f712dfbeddc79bcec08c86dc7875342a95db42dcba29ef710d27ba2dec30fe8527c0f5305d28759ba7eb27a67a6af1f0186dfc0c589789

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\cache2\doomed\2655

Filesize
9KB

MD5
5b70f834558eed62d5ab5f8507e51984

SHA1
a409591eb92d912869eaaa2c2d34c1e2b8b74c05

SHA256
9b3f3c362cd8514af54699196cae055a64b5a826de650db0886de2e822f6ac9a

SHA512
a6617839ad623aea301ae90fcae819dc9a492df89b844b750bb5cd3a58a2b9c766dfdb7b29bc8c81dfe114e134015fcf0a4c3ff440e74c7836c580b27f567ca4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\cache2\doomed\2982

Filesize
21KB

MD5
effbdc20d794b001a0cc65820f39f1a4

SHA1
c7cf7d91b7154aa0b862b2c19a241116adfcb340

SHA256
a3d4c124c633575fc8a2e2fe1d7f97903a6c9fd6a2c0fa040717132f51d1d824

SHA512
d8a88c440929cf78b86d31134a81786a4623b8b5edddd8f40f04cd92387f576cb5b1fa8477efc657cef77e7cc7284d3a6f806d1bce13dff4a6882cb05ed567f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\cache2\doomed\31126

Filesize
9KB

MD5
f881771f471cc269a50edce51b632229

SHA1
10af2daa742a161dae261d98b43d4cdb52a66a79

SHA256
9a824a47ac6591bf950cd8560dc75592c9276f30a10b9f50fcf3121454deb0b4

SHA512
b90d8c133b20c6121227dd2b4048a9a512cba0db3c2c31591edbb0fa0b93513f2c1572f93b87ee69bdbde86fbf5fd4045ae2c3a73cbb47ffb156cf3337b1e17a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\cache2\doomed\4077

Filesize
7KB

MD5
04ffa2aeea0f47cb4ea8e2f12142664c

SHA1
00aae4ee6a30affabd05a35990f66d163cddf59e

SHA256
ddc7ee7e61061e5e9fb43c1fa37d6d84989564286e7cf8f3a401d8339529890e

SHA512
52bd03de853318685b07d9d2cc961e11da96557e4f896633e2db8e12230c10aaf5d0f66bc12fd22598b075e1dfb96dd84b4f0abdd2a9c4833fcf139faabf700e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\cache2\entries\29CD1D885E9D46E939FCEFE8A566A13D1D2C83C0

Filesize
61KB

MD5
fe0380df35d9e2a6b53919e98f15f99e

SHA1
34898acf1ad9899ef2f2cab0fb30f241c7731ad4

SHA256
b9375893cfb4a5f12bfe76dd2514d81ed74f6ef03ad1ff405774733752046787

SHA512
8a7ecf370d07b4abcd75f24aaf01e880aaebb65eb03d4678e4650de10d2279c32b4f577ed2b15692e33d2c0e7977135c3635b848c453809c31aa0479b61f49fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\cache2\entries\5B23235D54208C34AFF88FC6F18585FD8A8F8FAD

Filesize
33KB

MD5
792fb0fe2de182c95b502d29e4bb53b3

SHA1
10426234bf8ad778efc94021cc46f57878b48e0f

SHA256
98c63b4687e9298bdb447f1bfcf87a25d5904139aaca27caed4ad87bf12606be

SHA512
4ec964db2765ec63ddd7df7c271d34072c0328d13b0c61dbdc03a69a0b70752aef2120d37461c768e2c77e2c1db71779c50f8ada9d3139671a886b6228e83118

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\cache2\entries\7EC141FE707EF6EBB3EBF7467F7BBA5CEE79D4E6

Filesize
60KB

MD5
51e91c51e1ba45646e278738ab0ec46c

SHA1
a905a6b33ffbf96bd71492cfb8ce48fa0bfddcff

SHA256
34977898e9f8999b7415cd27e46b6b4ceb7efa462d7b18c79e1f2dfe6028a5b7

SHA512
43c53b81c976136873a2a1e1ed021dc96c382440a8a8aaf2a0812d781cc0d7eec6ba65f0823dea21fe956197cd24e3c9d7f82a06fbe5184593cf4d3f64283b7d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\cache2\entries\890044675EF0BBC40F4FAD249476C7C23D818336

Filesize
22KB

MD5
bf08f9e1f824898180ded04410a9beff

SHA1
40bdf18d0657db89bf39dc6a7af707c946944280

SHA256
c5386f64e82e6f9a6f3584508519cabff3242d10a28b6a4c22e43872b2ec00ec

SHA512
9fd3964f8250f14390d33217c947e72dbe613e6128acb43310d50e01bf67adbb9d4da4f578d9620719e62b5ee33cf3773c9d49c5f8fdd5ba6c7af501d61bc241

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\cache2\entries\918BDF0DC8EBDBD6BEF063990C085D4A58BD4F89

Filesize
78KB

MD5
e6b37fc2e360ab7f6d43ffbad4b7f5b8

SHA1
1b85c5aefef574d4ad3c72c6112ca79db67c36fc

SHA256
29617217fdec33cb3381ea833bd6d1087d0fc218ba498a79637b427c10ae69eb

SHA512
77866af69179c13958206653e5d49814e938d3823d066e5808dadee0a18d0a2f3036e51fa9568444abf05906e506c11d1431a307df5bc7f4a3574c8312e82dab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\cache2\entries\A347802C3982BCAA3867BC11C18FDC8490E3C0FD

Filesize
365KB

MD5
6dfeb17cee4b0eb9a118d639bbf042f3

SHA1
a8a7195a519b911516a8e5ad9bf0be1b5bc0dc6a

SHA256
25bbc4131c3e7b3c88215f4cbce1e96dc0bffaaa52466b3d5b3498e40dbe133a

SHA512
bf7c4c97700150c2dc8b4487111da255031bec01562eb578ceb0dc73f187571db0a79bfd6a5f74ad16f7da47aa25a21cce4d8f2b23e1c09d0aee9af985531827

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\cache2\entries\DF92EF58036DA34908496E3EC5C5CA94D2EEA06D

Filesize
156KB

MD5
2eaeed18105d9ba3cf3370b79685806b

SHA1
78f767804ec7aca858a2b24d42d6d629609ee66c

SHA256
d28f83b1845b2f4f1c365faec147f9bf96e602f62434995ef2f77187803f1cce

SHA512
ca166d715b2d09e6e30badfac40d2145349b6f7c7aa2f22312be16eb7b58a038938ea962f59aff647298158b1ca4ddc6b2e5e5cbacfda95d27c0925b03e6e24c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\jumpListCache\jOePVBW7MKy_bKbGZoHF6A==.ico

Filesize
691B

MD5
42ed60b3ba4df36716ca7633794b1735

SHA1
c33aa40eed3608369e964e22c935d640e38aa768

SHA256
6574e6e55f56eca704a090bf08d0d4175a93a5353ea08f8722f7c985a39a52c8

SHA512
4247460a97a43ce20d536fdd11d534b450b075c3c28cd69fc00c48bdf7de1507edb99bef811d4c61bed10f64e4c788ee4bdc58c7c72d3bd160b9b4bd696e3013

Download Submit
C:\Users\Admin\AppData\Local\Sandboxie-Plus\Sandboxie-Plus.ini

Filesize
169B

MD5
144c07c8c9344ece3db50431bfe0480c

SHA1
cf77ed372aed85a77e98464d2acf0eea6797fb39

SHA256
4527c64643dca036057493641241c516925b278982af6809a4fbade2b1e7332f

SHA512
b721f8c3140e1d9655b08c5ee368dbae6317f5edf1fb1bd03c9905a1d37625b0b178c94c003d6465f2582cbfdda6290f429ce7d27740f6161bb92f0086c0b3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31HVA.tmp\Sandboxie-Plus-x64-v1.13.7.tmp

Filesize
3.0MB

MD5
a17f380a3b451ebda7ed227a198c1ea6

SHA1
6d96a8591a498d6f969014648e32eaa39fd2dc4a

SHA256
ac2fd84c32326050f81686f5429f8ffb5f04eee1735d51e4ec0357dcf57b9273

SHA512
5531f5535b0b47d857272b9c6f89d1f82ecf47d9fe8185a1fa9b731e1d4f60da27afbcc4b070d78e4187b479aa0379c4e74d73c330f8068beee492555d65e47e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms

Filesize
5KB

MD5
0d6a12d4704a1547e032af688400dca1

SHA1
645e6e5d3a0b6ef1a585ce355b44bc9410b6050e

SHA256
6e838f08e690d3c1f3a1c17fe98a8a5a0cb8ecfbb7e95d3ad3c20e721f660fd0

SHA512
df075ca16ca18747f92ab9501a2a393fb4bb3586786e7a733b5f477943dd6d80d43907b49d7f36f857297ed7abf9ebc15a2e880049db57e09b80e753fb51ee98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
4dc15cb4deb5bf11d8685d8551943fbd

SHA1
5bbb2d92ebcd390e7ad0f95c22d79a0033841ac5

SHA256
3283ca0520c820e05cb72a08dedbda8616e77c02bd01d154681cdb6d07f4140f

SHA512
190fa2c67d2ca6c583e21af2795fa2da6072aa6e7b4a32eaf761acd192aadcc000f71767fa3eb93fdefba415973e48dab4bb62f44e2f7c84e405d9901c551eb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
93d050794aefae9b39e3ded80dac2a3c

SHA1
5f43877cd3a3fd14204dbee1255820ef1707aba7

SHA256
0b64ee8f3d0646cec50f7088f7bace160bb0aeb7ac87dc1ac507c13e17275818

SHA512
75e40061c1aa3eca5487287254e078e551441e6f931f273f2bba52b67146609a3264b249a10f2ff0211bb3fa747ad3d44d7b3d3d346356bc049de793c0297b9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\crashes\store.json.mozlz4.tmp

Filesize
66B

MD5
a6338865eb252d0ef8fcf11fa9af3f0d

SHA1
cecdd4c4dcae10c2ffc8eb938121b6231de48cd3

SHA256
078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965

SHA512
d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
b1c8aa9861b461806c9e738511edd6ae

SHA1
fe13c1bbc7e323845cbe6a1bb89259cbd05595f8

SHA256
7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70

SHA512
841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\extensions.json.tmp

Filesize
42KB

MD5
2ae6f60e9e4de71ff97249362412bed5

SHA1
d5ec5b9b9fc1f5f52030484c4025f86946215132

SHA256
301ee7f1bedc50db341dd82fc22d654786efa80e5324f7db61db03fcd24333d3

SHA512
3c8a88ae907b9a45aeb20f29486c330b532d7651b89abdcf7073bf7811ec7e0856800f6439fcd3683783d88c5262443746f3ac63e48c75498b8532dc3c1822d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\key4.db

Filesize
288KB

MD5
0e8ea54576ade234a946a726449d7258

SHA1
7b7f63bea39ae5c4ce16f343d053bd4ce26157d1

SHA256
71f09ef30eecdbe4836ad0c1f9944558558647c0ffe75af70c17c25b464b6a86

SHA512
3512f46c463a0453197013a56e39bc73df1243943303290feab9ef61618e30070eb33e800d157b426e772ef5d0a752b7c716f518d432cd78b52420dafbb293a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\places.sqlite

Filesize
5.0MB

MD5
60c3da4aa5bcfc39a373cddb72035a5d

SHA1
7b09b5c4da9f3005585f89467fd733e23332e704

SHA256
cd0f41a92a85825965bd4428599d17e33b234344c1c22be55aee5411e65e4e28

SHA512
9802d6658d7774cb637abefe7570246bcd094c85f8287b4229ab3df1f691abaa8ffdf6b606bd5df86a4c44ae3df05706debf6d1047b906ee8016efa168e3212d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs-1.js

Filesize
6KB

MD5
cfacebb22cd09b3a331e42ac90a043da

SHA1
23ad73b0a1ba0b8a9364f754e4ade80354e342e4

SHA256
f7c6b0c1e31f539c5d0204958027463ac39d5e582870c17a30fcb0a53fcbc4b4

SHA512
4860c641e1d81d9437f436bcb5c5018b472c28415a6e742547f3a709828de797e7074b47622d8b03305dd4f443d81dec47f86a1327e44946723a466900582470

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs-1.js

Filesize
7KB

MD5
475e1911c7d74eee6ea6167b59e3c7f5

SHA1
8bcf6e1a4192e83f36e00bb50898931c94c1c674

SHA256
bb6c5e081bfa03d44d84558cdb961dfcd7e5f2ca1e98da4295d695175207fed6

SHA512
b954a779e17eb934d65b86141d63e807994b5e84402abe4775fc9f20027ce7025d3c9ce82c9140bd7abfe2ca5f9929dbe7e378fd54d15bd0c846cc4888cc294b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs-1.js

Filesize
6KB

MD5
de9f2a0a2b8ff48e0fb0d98b8de9457d

SHA1
0b5b3c53415e3831a7ab23c64aa3f975c17a3729

SHA256
25376227babada7da3eb8194e03609b0ec6c1178cd5ce5743e82a229aee8cfff

SHA512
da4b1b4c3e07b56a391327e1348b23ddb14372b86362d20a8319b9c3214897b9c135e43572f8b96ba11a2200f0a0459b2132d9adf433236be64f78ce48a9882e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs-1.js

Filesize
7KB

MD5
ce49bf1b5a8c820c592e364f3d01e60f

SHA1
c503cb06f0c2810b7d68d2bf98100ae6d854e8f4

SHA256
fb4738773b00d7ad096b6176b1c897bdcc46031e6da8791bb265623cc6eb7823

SHA512
0d8224f7555e6782da1930cf68f77a9875b05ca5520ebeb584c2255b278df3f049318b4380d1dafd6a1c2be21726f828ebc4b9f32020f3c571357fb01028bc49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs-1.js

Filesize
6KB

MD5
fcd705d5241a6d831592f15b72cf1b82

SHA1
c4f281fd3207686a03a40a57beb91053b4a573f7

SHA256
75b1845165d63c66dbc0889927d02b1422cf822181d4b354155f0b487676b066

SHA512
81016c19fdda256f48fe76649aba7b8019ebd07ab5c9ebbb6a725347146c0dce3f94b0e389e75049a8d473ddd533b0c0b501ca2994755405a05893de605d3d88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs.js

Filesize
7KB

MD5
8b1160852354ce6c8101257a59bdb6be

SHA1
b37f4ab841c539b35f8267a4ec47566553978f04

SHA256
c9a27d2a22b8e63340beb78b274a1f691aeecd48cfd5544ba2185a82f8ea1aa4

SHA512
f7da19398640d0bb2bcda1a0c7803f1b44c7105356d98bf3f8e7e51e5550e6b330c24708fea155b0217b843d61495fc487cce6e7463c929bafa54f34dcb60710

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs.js

Filesize
2KB

MD5
6d16451dfbf676866f41456b943e7c3e

SHA1
7da1705333bad401e4937a5084e5eefebd87a3c7

SHA256
789fd4c51b25969400f3de955f919d55c33016e32fbf6305ea078e31111737b6

SHA512
62c15d128432a97790098ea1507351268e62697ea337d903e430fc64e1a918bd55cc591362e278e27f286d716285cf76217c7fa4fa090cb530e7a0c04c1ccf5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\search.json.mozlz4

Filesize
402B

MD5
62bf51b38328644a7b0b19255f01670a

SHA1
ec721b2646846245f5e6746dae3a6a1038bd1000

SHA256
3a533c431f168afbfef69e3c2f7a9636c57356d05a9523ba15d0e86df772affd

SHA512
648b2279c4f8efcda32a3d3de913673bdede68548f893cfa60a847bd8dc33e79528afb12b443b55a3c9a6bf4befb8a565bbc4f82853a27a6dab4148af7184f2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
e08ef355498ae2c73e75f5a7e60eada5

SHA1
c98b5ab80782513f6e72d95ab070e1ed7626c576

SHA256
d1a98a30522d1bf882574df5ed2793bba5c4fdf0381788babea0846f6946745c

SHA512
a0550e83ecd1cf632b4e54bf43744ee9f7c0a8dfcf9a043e018c00d4ca0bba606cfcaaa469b204e7c9dffec1f79b91e16cd4f1c94ff512c45d3dd25b7174e859

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionCheckpoints.json.tmp

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
08bfef6c54eb98d8c76e2c6ea6122207

SHA1
85322bbc4caf7cbe38e970af1bc0763bdaaf137d

SHA256
3a5128b7bc14d58290ccb56d7359991c406513662d4221990c728b88c39779b7

SHA512
84a6f0d3a34af30ee474e17a55a1ae11d307b307de5cc4fe6360c7e3d512bde1ae76719a3bd0e2574f6f3fcfff4b18e53cdf9679203519a58644e32cdae5a8fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
72c5a70971968cd80a9dc814b1e9846b

SHA1
0cd1ca0479cfe87ec21d8d630965d515e1c4b59f

SHA256
8a314939c102a67d1e8e2f417bd05cf4bf51c4c885c0e0119518e3f109725bd5

SHA512
ffba2da9fa4c6f5330d1fda6cd207506799735686e96fcb61f883230facf766d0612d56bbd3ffe8566f65a995fd395b20eb430e94219f4a49c1bb4fb47ea3e08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
7fcf7aef8f1c455a6668c2c46129488f

SHA1
07e852e0a11534051db64f92fcf4ca31cb7b65c5

SHA256
13b9b7921e97fcfd99cd6922929e7f6ad74bb0145dc644c641d86177eebcd82a

SHA512
728b56db92a0b62161e79e3a27a3f6287e885effcce44adc9fe9d15bc40861d410e9c5d2cdb67fa94f513bfbf8aaa072cae63588de6e8382d670b61698710152

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
2b77f0d6d3a521d7c1072709fac9dabd

SHA1
80149940a195724cd3016a93484b45382e9292ca

SHA256
bd80496d6cc75b6a71c6ae3a46b255cb55b45a0d5059051db602b308e64479b2

SHA512
42928068dc384ec2ad4d02137550330fb1dc287f7c05aabe1035bfce5299f0cfefe3172e3bb7c8207d5d0923d932d9708e64c7169966181183bddbd0f7f4f3a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
b2500f9a559e2f2b4a07db439884fdff

SHA1
22b1958959121b7411795131dfa58ce9b93ee999

SHA256
b23b8771b2fb92bca80afa09193c78355e0ebfa51022c6d74ff19a91c2f0d8e9

SHA512
a5c9660991f7997ca0925c0f64b5651b8841879faee227d3fc33338fef521002c259e5e3bba41e8bab08c0ac159522c49048faa23b2cd49f0539fdae22309309

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
7840ee8e0e975a126efd08975e504104

SHA1
728c6e0f52defe0ce6432b9abbadeeeeed217c8d

SHA256
91ba4acba3fafde55f8789cd7be1449e545b6744caef7afcebcc25370fa9ffa5

SHA512
712ae62ff97af195dea89eedfb081536566c3499e1c69c76c09629ad0148232e9672e4c194750f717aca84258e3d2f1f529bf9322f1bc07b237d7e9140600bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
c3b6af9e3c650b23464b552076c4e07b

SHA1
870e70698ccb755f8e2d75d1e4f87b2795137ddf

SHA256
06e51e61cb8362df1a935f66944dc43f86ed941bd7c775f0e3f64f8cdf9f5bab

SHA512
6244d3979f7e9ed17099a791f26bca762b47b10b8ccc367b332976c7c6069db7f62cc39d346378563d866c1b6fc6be96676035607301adee6c63c157049419a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
27d73bf207a8fe8a989a6fbfab8407b0

SHA1
ede81e102f6f52ea4ba7f4c838856d4158ff361d

SHA256
70880e4375d529a1edab738c00a250ac1094b60f95387c21a6ab7c037f00d23d

SHA512
5fbd9ed061b3849c0e6fa1ee2f27eada087f3bb478dc5cacba49b2bc9054566c4551c36b9a70612eff6a752d919d5ed2b2cae07fcca06a55a4f8e2c41f08e19b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
a90a4e1cf55ef07a5e58383661515bfa

SHA1
297d7ad743ec7bb402d3d15be097908b6ba7e22b

SHA256
e0963f680fbae0cf7e0a331ae952f2a74f851f979cab2e4c4274f824cbb10818

SHA512
57781bac1d6aa35fd39079058cd1a25e4626556fd2c46ab4f19410bf9ec14b74a62f5a833562543b087ea08643ac9aefd2a0f75b64bfb96c3c0a334af52dd48b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
1ffe471f0a2f0cc85307196cf8c9cdcf

SHA1
230bb271667475978c1d469e64ee81accf315bd3

SHA256
dc79ea546c83752b58fb086e28c70a3c26400c6a278955dffcb0553b1ea4d3d9

SHA512
e08cb481b1da03a2c6f5c515db03371e7473306d608d8cc31074a65e79122570a1d4b822be638836497d066d096d4f54a1f6858efba9f860750683063299bd33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
3c2b92117789692bae599d9d747afe14

SHA1
4d6717b57802a7b7b1e3f28670ecf6ca5205f64c

SHA256
0465af6ead93f60c2ee0f6e06a8890c4469b52ec314f8dc9709770e31711d759

SHA512
c302da75c693d838894f0996b4b5571f7eec10e90c00f48daf779ad7f6b85d34a4dc1fd50ede589a1caa7168145fea9a93edbbb497840a18293b0825d66a1d0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
787ee98f2a5fa8b6100eaed060e1e30f

SHA1
a55f9b49d3a9108676bc197c5cd53c8dfde90996

SHA256
58933ba7ea92582778773f8c05bd3d7d6be86cd0b432f05c5016709280cc5e99

SHA512
1c3361e1387b62f5940e21029c90d163e8a38ba0accf55ada1a135d5c05ad7811419508d23a8a57f8b849b2167633a9bb2393bba2e737dd5ac74d18d36f0eb9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
24b322bf8fb24fd42f16763bc950b6d0

SHA1
a17cd50618fc1b37134e285c175c58ee82cadf69

SHA256
ddb449d48c447e5f6db05355658952b2fa3643e14a427e140b2babcf44c19104

SHA512
5e064c3da265f8efb0a67802a83cfc76b9c87337c947ae72b9f3448c508490abb2859d72aa8793b1094a466848cbb15a61fe49e327dfc1addc78741c9b96b613

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore.jsonlz4

Filesize
9KB

MD5
a34eb4fd13c3d31c39e5ee9368a42325

SHA1
ee75596b8c15f151899cfb5e436a55433e9da42e

SHA256
14df77e4a0046db48347f3cdecc6f44bcee577d096709849d58e38dce142f5de

SHA512
21be99c0e1bbe3a5082f16faed993da8c34084498bf84adef705e0d8ebb549a21eac1a18c240b795d4d471c708fcafa6530b6717a765ce1b5ba092d021c5a116

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore.jsonlz4

Filesize
10KB

MD5
3f493af1c5bec71c8fab2a3aca44cf2a

SHA1
6f43e7585539e2c6aa03df9f00cee601b686160b

SHA256
cb80f66cb3402f833326f8a0323c1d507f0a48ed0df35dab5287054e6641ecbc

SHA512
28c4f33bc8b0c74fcf28b680c0d4e98de105ac6b3b65c696d6e1e4327e36f6fb8dfa1cea7dc051ab0ef562f0b3cc20d93d232c4a0984c676ac67f9be7c1d39e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\storage\default\https+++www.malwarebytes.com\ls\usage

Filesize
12B

MD5
c1b963141cf7b96d87c4773b0d2978bd

SHA1
499a039ac9d6199435b7582842088b7aad1ebc39

SHA256
7d341d5aff02b34ae3c74ea429a348d217a95e2f315487ab74ff0fade0f2a9bc

SHA512
6e50e6e80d3837b1a2544f3d6099da0e0732faf413513f481e59dd8d2975819c1375cf5f5972660f9a16bdb7466bb0072d34856379ed00baa5061b584003b67b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\xulstore.json.tmp

Filesize
141B

MD5
b847f28acdec63348ea376efd4278d02

SHA1
da4ae0ce914885ad7fe1f89aef3aa4f324747091

SHA256
7e63f727108182d4afdf0ae5131c9e0692d857b934fe8d93a7d4a8cea58fb834

SHA512
07b89826d35c5b9f056c8556ed5dd0a961f779d1aa7639321b90c56ef65bf6706a653a22f7790543b1482414069d5587c1f1c28215e92a7ffdf0fa4a55537c08

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
18.3MB

MD5
ead33b77add23d0b26e5f7b5da29a95f

SHA1
b823efdf35b36628219358676d996f1ee973f00f

SHA256
98a767d76fa19884689abd84dd7e55010507aac2236307d3a3d77780db9b1803

SHA512
66a9c06d7d6ae4a4bc00d069dd9e5509e9de6b748813e260a0d9f4382ae629ca2ba593ef028ec48997a347812866aafb53cdb1856e3e83e70db580dc04177121

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\MBSetup.exe:Zone.Identifier

Filesize
174B

MD5
ad11e9496bd324654deae20ebc184381

SHA1
f1ea525f4e4cef3abb73d8ab6abbcd50756e5959

SHA256
ac774a79dcab22e6714131f4185323d66390683beb6d57cce53f71fcef732c62

SHA512
b28695f16493c3e51aeb312c5b2a9ec9ce05c8a17c4ecb4e3fe63306eee9297045c10aefadc0848c01dd1c468dd8b90df019aee2ba4602237a43cc709d739b79

Download Submit
C:\Users\Admin\Downloads\MBSetup.t3FpPMXQ.exe.part

Filesize
428KB

MD5
134c610df372bcf33f4d729ac6344f1f

SHA1
058632eb58bb168a3c8cce85a78da670350a1ca0

SHA256
2bcdc40de92a141df12be7b7e7f740d2f61775a933feb8aeb7072fb04f190182

SHA512
d6e015899fc4cd472cbd43e412e8ddd7ca62ed30b05e6073204a952878bc0051803f1d1d545298f1159df56440950ddb62de3a4fb9251218572d73d4feff314f

Download Submit
C:\Users\Admin\Downloads\RANSOMWARE-WANNACRY-2.mKKNwQc8.0-master.zip.part

Filesize
3.3MB

MD5
017f199a7a5f1e090e10bbd3e9c885ca

SHA1
4e545b77d1be2445b2f0163ab2d6f2f01ec4ca05

SHA256
761e037ee186880d5f7d1f112b839818056f160a9ba60c7fb8d23d926ac0621f

SHA512
76215a26588204247027dcfdab4ea583443b2b2873ff92ad7dd5e9a9037c77d20ab4e471b8dd83e642d8481f53dbc0f83f993548dc7d151dead48dc29c1fdc22

Download Submit
C:\Users\Admin\Downloads\Sandboxie-Plus-x64-v1.13.7.exe

Filesize
20.0MB

MD5
b0a7296411bbdf3faadd889b0332de5a

SHA1
e3ae7e3327ca04404cd4ebec4c06d488f6788207

SHA256
c929eaec30989246ad3945f122ad6a134f78a8da0ca06838fee026a3ba060e86

SHA512
a93b2cc001e44e52dbd9a4625594238bf05578810c67d9200d3cfbb3fab9cf38568f39e2b038b9503db4e8a825f6d719b080a7133d6b1e990353e7bfb5d197eb

Download Submit
C:\Users\Admin\Downloads\Sandboxie-Plus-x64-v1.13.7.exe:Zone.Identifier

Filesize
642B

MD5
58003d549d4bb410fc9efe4c0d17312b

SHA1
f918fc496453647816bef1f6b2ec67df79869459

SHA256
3057d63591784bf1404b679002ba8d56e666f1053be642feee1dd58d342baac0

SHA512
ca498445ca59674a47eccc2259848d8b00be3a7d645455f2e721e18a850dc8c844a676b5b7afd509b23fbc211550391600d7505530f0a549e258672f2dc4aa69

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Windows\System32\DriverStore\Temp\{b1f0fc0f-366e-ca4a-b733-f08b2679bc4a}\mbtun.cat

Filesize
10KB

MD5
8abff1fbf08d70c1681a9b20384dbbf9

SHA1
c9762e121e4f8a7ad931eee58ee60c8e9fc3ecb6

SHA256
9ceb410494b95397ec1f8fa505d071672bf61f81cc596b8eccd167a77893c658

SHA512
37998e0aee93ff47fe5b1636fce755966debe417a790e1aebd7674c86c1583feef04648a7bc79e4dedaabb731051f4f803932ac49ea0be05776c0f4d218b076f

Download Submit
C:\Windows\System32\DriverStore\Temp\{b1f0fc0f-366e-ca4a-b733-f08b2679bc4a}\mbtun.sys

Filesize
107KB

MD5
83d4fba999eb8b34047c38fabef60243

SHA1
25731b57e9968282610f337bc6d769aa26af4938

SHA256
6903e60784b9fa5d8b417f93f19665c59946a4de099bd1011ab36271b267261c

SHA512
47faab5fff3e3e2d2aea0a425444aa2e215f1d5bf97edee2a3bb773468e1092919036bcd5002357594b62519bf3a8980749d8d0f6402de0e73c2125d26e78f1e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21EA03E12A6F9D076B6BC3318EA9363E_6EF0095DA824AE045AE9FC5B645DF095

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Windows\System32\drivers\mbam.sys

Filesize
76KB

MD5
113e213914c40631aedef185984c5629

SHA1
57bf886bfe1e4d765ea43e4c91709a5c4a9a024a

SHA256
d314cea3ba19c49342763fca6b64a33f12d730a8fa531ed9f7e75675035ba004

SHA512
76d7286963f28430d8a9bc3b59adf209b5fceb6a5248b7be54c60fff0b931ba2cf46a779f7e66008baa0853ad6ce55a4b9dd56e33574230d1e2588f7679630b8

Download Submit
C:\Windows\System32\drivers\mbamswissarmy.sys

Filesize
233KB

MD5
4b2cc2d3ebf42659ea5e6e63584e1b76

SHA1
0042da8151f2e10a31ecceb60795eb428316e820

SHA256
3db4366ccb9d94062388000926c060e2524c7d3ee4b6b7c7cf06f909f747fc6c

SHA512
804d64d346b3dbb1ce3095a5d0fa7acc5da0bf832c458e557dac486559fe53144f15f08c444fea84a01471fd5981e68801a809b143c56b5b63e3e16de9db0d98

Download Submit
C:\Windows\Temp\MBInstallTempef1d6519124a11ef8127de841f1e203b\7z.dll

Filesize
2.5MB

MD5
a144e24209683e3cba6e29dab5764162

SHA1
ab2112cce717bec8f5667721a072d790484095ec

SHA256
b2ff9dbf90cbd0c45cd7d95ce4892377ec7e92970e05f2e56b0ce93861190348

SHA512
2c823981b53b7eb7c1b726468d3b28c234c7e555aab35e759e88d38658566d267a20867f1cb18d96c830e7d53643629a9fa313eecee8b553703086fbb64cc984

Download Submit
C:\Windows\Temp\MBInstallTempef1d6519124a11ef8127de841f1e203b\ctlrpkg\Malwarebytes_Assistant.runtimeconfig.json

Filesize
372B

MD5
d94cf983fba9ab1bb8a6cb3ad4a48f50

SHA1
04855d8b7a76b7ec74633043ef9986d4500ca63c

SHA256
1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a

SHA512
09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

Download Submit
C:\Windows\Temp\MBInstallTempef1d6519124a11ef8127de841f1e203b\ctlrpkg\mbae64.sys

Filesize
154KB

MD5
95515708f41a7e283d6725506f56f6f2

SHA1
9afc20a19db3d2a75b6915d8d9af602c5218735e

SHA256
321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6

SHA512
d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08

Download Submit
C:\Windows\Temp\MBInstallTempef1d6519124a11ef8127de841f1e203b\dbclspkg\MBAMCoreV5.dll

Filesize
6.7MB

MD5
65dae541c8dbc3e18f1bc9150ffad616

SHA1
f9c98b9eee98e94240c425a4548aae1b5d943ea6

SHA256
75249cc6d5ddbb92a76f6750165380eb3b6182cdd4733d8a18003b7dfc88b558

SHA512
4f2755add2fa384d617e7bd6d5d2c793503b54a284eb04be78682a0b6cfa7e6369995ae6625bd085ba2887b5034760323dfc61c2b28ea6db91b9d17a8394e988

Download Submit
C:\Windows\Temp\MBInstallTempef1d6519124a11ef8127de841f1e203b\dotnetpkgtmp\shared\Microsoft.NETCore.App\6.0.28\mscordaccore.dll

Filesize
1.3MB

MD5
3143ffcfcc9818e0cd47cb9a980d2169

SHA1
72f1932fda377d3d71cb10f314fd946fab2ea77a

SHA256
b7fb9547e4359f6c116bd0dbe36a8ed05b7a490720f5a0d9013284be36b590b7

SHA512
904800d157eb010e7d17210f5797409fea005eed46fbf209bca454768b28f74ff3ff468eaad2cfd3642155d4978326274331a0a4e2c701dd7017e56ddfe5424b

Download Submit
C:\Windows\Temp\MBInstallTempef1d6519124a11ef8127de841f1e203b\servicepkg\MBAMService.exe

Filesize
8.5MB

MD5
8c89563b4351b2c39d94c81ec37ace7b

SHA1
4c238dcd62b99226b3ac1a67c7b7c2cc2ad1edf4

SHA256
d17e0a77d02d5875318c14af09ee900bc4bafb87a96b2f84dfc9ef7656884228

SHA512
8f1421c8a553acc7d4541cf6d319ab97abf2803a2c0c83ac7ac8d1dc9335eeb0bd911e79a0bedc14e65f1eb523efb76f9cfea0dd71a79e43c9501c954546ef2a

Download Submit
C:\Windows\Temp\MBInstallTempef1d6519124a11ef8127de841f1e203b\servicepkg\mbamelam.cat

Filesize
10KB

MD5
60608328775d6acf03eaab38407e5b7c

SHA1
9f63644893517286753f63ad6d01bc8bfacf79b1

SHA256
3ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59

SHA512
9f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7

Download Submit
C:\Windows\Temp\MBInstallTempef1d6519124a11ef8127de841f1e203b\servicepkg\mbamelam.inf

Filesize
2KB

MD5
c481ad4dd1d91860335787aa61177932

SHA1
81633414c5bf5832a8584fb0740bc09596b9b66d

SHA256
793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3

SHA512
d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830

Download Submit
C:\Windows\Temp\MBInstallTempef1d6519124a11ef8127de841f1e203b\servicepkg\mbamelam.sys

Filesize
20KB

MD5
9e77c51e14fa9a323ee1635dc74ecc07

SHA1
a78bde0bd73260ce7af9cdc441af9db54d1637c2

SHA256
b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0

SHA512
a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186

Download Submit
memory/396-7891-0x0000000073EF0000-0x0000000073F72000-memory.dmp

Filesize
520KB

Download
memory/396-8252-0x00000000002C0000-0x00000000005BE000-memory.dmp

Filesize
3.0MB

Download
memory/396-7983-0x0000000073EC0000-0x0000000073EE2000-memory.dmp

Filesize
136KB

Download
memory/396-7981-0x0000000073F80000-0x000000007419C000-memory.dmp

Filesize
2.1MB

Download
memory/396-7980-0x00000000741C0000-0x0000000074242000-memory.dmp

Filesize
520KB

Download
memory/396-7985-0x00000000741A0000-0x00000000741BC000-memory.dmp

Filesize
112KB

Download
memory/396-8042-0x00000000002C0000-0x00000000005BE000-memory.dmp

Filesize
3.0MB

Download
memory/396-7893-0x00000000002C0000-0x00000000005BE000-memory.dmp

Filesize
3.0MB

Download
memory/396-7984-0x0000000073E40000-0x0000000073EB7000-memory.dmp

Filesize
476KB

Download
memory/396-7892-0x0000000073EC0000-0x0000000073EE2000-memory.dmp

Filesize
136KB

Download
memory/396-7979-0x00000000002C0000-0x00000000005BE000-memory.dmp

Filesize
3.0MB

Download
memory/396-7890-0x0000000073F80000-0x000000007419C000-memory.dmp

Filesize
2.1MB

Download
memory/396-8123-0x00000000002C0000-0x00000000005BE000-memory.dmp

Filesize
3.0MB

Download
memory/396-7889-0x00000000741C0000-0x0000000074242000-memory.dmp

Filesize
520KB

Download
memory/396-8244-0x0000000073F80000-0x000000007419C000-memory.dmp

Filesize
2.1MB

Download
memory/396-8242-0x00000000002C0000-0x00000000005BE000-memory.dmp

Filesize
3.0MB

Download
memory/396-7982-0x0000000073EF0000-0x0000000073F72000-memory.dmp

Filesize
520KB

Download
memory/1868-656-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1868-615-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1868-916-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2388-750-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2388-915-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2388-879-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/3360-946-0x00007FF7FE440000-0x00007FF7FE733000-memory.dmp

Filesize
2.9MB

Download
memory/3360-945-0x00007FF7FE440000-0x00007FF7FE733000-memory.dmp

Filesize
2.9MB

Download
memory/3360-944-0x00007FFC5F270000-0x00007FFC5F7BD000-memory.dmp

Filesize
5.3MB

Download
memory/5280-972-0x00007FF7FE440000-0x00007FF7FE733000-memory.dmp

Filesize
2.9MB

Download
memory/5280-971-0x00007FFC5F270000-0x00007FFC5F7BD000-memory.dmp

Filesize
5.3MB

Download
memory/5280-970-0x00007FF7FE440000-0x00007FF7FE733000-memory.dmp

Filesize
2.9MB

Download
memory/5864-1071-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download