cryptolocker | a7b6ca34c012421ba5977d94a3d8e237b344767ddbcc852308ed16cd7099ac51

Analysis

max time kernel
1860s
max time network
1861s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.html
Size

147KB
MD5

5210e280ae24357361093de3aa7015af
SHA1

1c46adc75b3b6e862821ff46a249e00b93e5230f
SHA256

a7b6ca34c012421ba5977d94a3d8e237b344767ddbcc852308ed16cd7099ac51
SHA512

58e9bb617363524098b356988b30d9abfd599b2d5b12badc9066ede8a2760a3d8ffe747347f0aa04b61487c517402d38bce91fec7dd1c8b807c1c6a6d823c739
SSDEEP

1536:o5kud8TPV9vK4DNvGR4Dbll1qKf+30vD932Os4DIHhqiS:wkPT3V+CllQHKuHhqiS

Score

10^/10

cryptolocker gandcrab backdoor defense_evasion discovery evasion execution impact persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\README_HOW_TO_UNLOCK.TXT

Ransom Note

YOUR FILE HAS BEEN LOCKED In order to unlock your files, follow the instructions bellow: 1. Download and install Tor Browser 2. After a successful installation, run Tor Browser and wait for its initialization. 3. Type in the address bar: http://zvnvp2rhe3ljwf2m.onion 4. Follow the instructions on the site.

URLs

http://zvnvp2rhe3ljwf2m.onion

Extracted

Path

F:\$RECYCLE.BIN\LNEOEX-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .LNEOEX The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/e1f1454154a9731b | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAOeOPR+ieF8ZqqNOxgFQEW2FLFfdSfP5N1DTLyueGL658YhG0l+UCQ2jv6OVZs8477MdsmFE+kKwy1SKrFm+wwCWnMYxwFlUyYjj1fdqPrzRssVyxgpuCVpCHDyASpKtScd6BKFbodTXOsx6N7gFifHdZekt+JERwKUOp1gTPWQHUc83sZBchaRG85SRTCiky6TfMky+48HtWvCzLrftQHNlOvSsDCwOpLMyhCg5KRlKfn4W8Z606qrIxpTTCY/ypP46mLjVMn6XTlf0VX/P5kOjGNoxsyEi99QS6n1WhPxqHX8KUZ7QGeGSeoBEXrkyWM8+n4bbF+WQEbN77feSFJyJHdQv0U305oA1VzuHhsJ0PdF6u8aX0sArDHLvOFu3zP+mmm0TayhrvnH42ZUyO8oW749VKfDYWn3wwNk54F8Q4dCPW9xU5KEdqm7qWGjqirlowb76kRvWUY8bj1wIYRanV1COKkRIVB8KLGHAJ32IYxbOUDmrcBIp8VpVim3ZfkPc9FSFpz1bdUFSc8S4jTQe1NAH5fLM6B0T/ODd4Hg0D/QRP8DtpO12WGt3Uw2gnn4MspXlaGX0CsI9IcBDUiBpos02nmE1knipeFKZjvju0ARXTIGfJ+asFYYASOveUpMUoC9ynk/BHkSoAfPCZ+o2LErdRwKujrJ31LHfpAi++NnklTQMsAl9JYbZooj+a6vHmuAHrzv0j3yWuyGJ6oTRQxSQaqIfzLR0kCsuwEvfRbeR5r2B2n6kLw4U2TnGXc7MtIoZL0amwhpRzkcGMsXTg5I3R/0eF9rVEsRWCAtqE6I9VfXkPwlxOpEOWPleHi8DuLXI1QB2Bt5UPlb2KtXOaX5lydrKNKW+L+U3N3zv12cK/4sTgXwFp9z5nHVpQy9lSkRwMXjAWybtJW1NmLOLxJyIXhyUrI7hK+zLcSHlVoNxeisHpemS6Kw5dyxhrG0G1MEgAPJd72ItLd/yZhAoGCrTgb+n1fIj6IcCcUR/0xNP0YfFG3tdhvmjQA+ODDVhMVpHWbsHwYXR1QM7C0XbNJaiiQZFXhpVn/EurrMm7lpiCLLeut7B6lNUVT0mddD3CHUFhKq0X+34eeA7NgehbMva2bRYBsdKqoMapSvCEAO4gRvZcCv/s+7EAO7EH5An6AcmvA2gmCEUW/UvLvhCGhpBg3v3mzjW1b8kyRFR2JiYVZJ5eMUrNhz167v3joh7/fq+9Z3AomjY8VgICfcvLAZ+lftatU+bOYuhpDGl5Tce0wpwViVraLsPBgkwM4gFxzrGY5H8DBdD9xnIb6v30/KZJY7K6yKXEiGna0W4IIFwofoVdbbMfhEAzTnauXzIaU5v1a/cbtxAVx8ujp9AX6EkQR7f3hze2Gu63enwy5MM1L3dwrOwhvNCFSgb8iEG/ype8mD29FEOnlYhorNExYhVPAxLgqHqvaJDpdO8J9+Eu5h95pb8tmQJAVGi7MGYQxlv2FuW1OXNe/NbWjLTpoQnuxQX/Fesfi0TPNcVm7ot1rakc71npAu88rtCS3445OsIKSeurZ0sYKHsISQfMRlVDTtFM3CUVivv2VnXRiV2mXpLNHH5kNcI4e9XPOXgkX7Daa5xK/0r4JbJQNe3uvTQ1tgS2KLp+CFdJ2e5lVzSfmIGLNNzgAYOlo/0Pq18yEC0Ix4Bn5JvHLeOO4uFT+LggDV9UjQWl1DSA5SP4ukmGMmua1hnKdu8MaY3hHoV2BdnKeBOw9OEgJVWUjxWiKY6kz34am28RsiasiMjYFfx4jefI31PVUAmzauu3g89HthTZINbpA80uE1WJKQE3Gw6In17n0B9MhIDc54qmzOI6s/rexWhaMwFZMsnSLSgE5Icjz6k754qsWC9aMuJAWpikYaeToHrrtDl6509d7AmRE5IgBDbUozggKXm0Q0724uTwo3M8Of9c3HwuvMtylb6aJjatwAsYACxkY79RQkEGqL9a54Ite7sAaWdehN2+l/QkdJWmbixC6o45UpNmFv4azSuHcjM5VoKsBgElY9w8rxP8gxeiTwZPo0A+f/Z0VNjbFPaIn86ar7/oWP7+j9aF/Qnbwn4FfrULncH2hfT9jiqlpWsBGaZCWHSDmUCJWBd5Tw2B4g2O1Gv+/dBssAVIYHFDyxAIaSy4oAOSuMdg6vUDlWc7LeU81h0PqcUEX/IM/+VoHoLtalNfkE7Jn7k8YJVSJny7Ww6EDMt1NPDN/yqoDVD5bfoyLY0XBuvkic= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD59MXJMJDLAvOVr+DDRWXIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJKNAMBnJqr8Y6R+W3NbHNmdGRiEfRP9Dy+/NmLLXjC6P0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtkyoC8E1fOlWTmX7qt4DuwxgT+wK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhxNQXIE31UkGbyf6MN51c1gY/++QRe2kEznTbCqfrOdcnPBOVfcolLq8b/gmccCeV7bCGEZisVbSQnNiaPkJ9b5I041HXc2vSx6IODB3F1IH8qANwhkbcxMPGvnUSm+rK ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/e1f1454154a9731b

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\MXFXYGUK-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .MXFXYGUK The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/e1f1454154a9731b | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAFJSdIuhRRSQvppJlkHPjsXwMUUXnQkrmjTTFNUQlmnZHqtDUJMx+SxZGNik2yyva282Zvq50DRZ2xKFPv89vZOMDq3jiWsA+JzvCm0DAmgAL0cmfZVMbUPeDWNRo60Ax6xoSXZOe80kYA6LaktJ6VuNVjsdHyMsJFD88x11M29+d9Ce7bwfns5hyseI/ZcEA/yTLZ/4WHf2QEjovk+5J9FX6vmFgum7wXaZuDdCyjuHJSo+hYYnFNIRuRRNXDzTS0qcsoQnN4As7i+o5ZVlIJlj2ql8Vm+km/zS9202qqivKAneQgLsf4AtvAzLWphknz+ecHMlhWY96PbqCmVe7QVFzk7GMJFPSgJyfH7drDAZdknx6tcws/0ScXhhtvWhEfdsEtNbDdDhrAHPn0/7IiE/OjXq2M60LfuW05BqxYtx+oyD6LD3v5oibf4kDHGn0QuWxKTC23467Aq+j1jVjG8CWKGTqXLZ9ut5en3XNAIYj4XxT1IPOTUINRrSW4Oad4QN7Sshn8gnnzpVqP4N0ES3Vzg9+I2zoCpQ/mJpXlp323uMNhcaXIjUw1lcBeVErTXZyE0mmovgygKP99cByl6iNVWGj7kjjoJOrBupSgmA4OsC9U5hZjxp41dRlseUa2+zXEJ5upnBu1XCCUgFHAplG/wO1MiRgIRECeNc/boVbh8EoBp8EwFEWYJUE+kjjMGXHsD4XhaHmKL1RXoyV+nuIhRHqzFPNIyWDzS1lXu59GmZXKVvmFxkTKm4K1vlJ4cBwbgPMgMhxsF8RMRhv1Hod30CHfRQq0/FBgQzeBE3dwyWHk5EDUrT9EZrg5vOaAE9GsT3Vi5CQCDs6zM3qEdizzbe7FUR97k0ZSBLTJwzVS2KT9GrEjKK4SFGjCDmu6bThGX8R/OG8Ny79Rs8Dvj8XhuLM5dfcvBchbzayxFujKFYuweuDUQqIWaMSbqcE68Vu8wdr8NgcW/QYPWKO3jkp0O3FzYK20eUayF3ibZUJfK9v0gkvX0tqWWV7WhNoLGknTW1YbVgRLIAmcU7Gf9Bp9AaRxk0qWe/sUzRbsVU3JiC3ZdxrEDAVsik37tgqEEqJ52804seY0g51+PspZd60KNgCgYduroAVqg1ZkZ9GibgEtMYRcpF0VrqflOlHL3QT+h2Egc5W+XUQ/+MTcIaOw56Mcqjc714JwXVPiHr9dtaiX/4S/DCGUcGKR1fSj4xbc4pC0zFtR3ZfTckRNEutzwforMtO5StxOQ/LYLvXjmi0SZGg7Iw2tKmpoQz9CHRXFhoYBy3NpU3em0Uwa47yDhlX9R0pbtGxqQ2SgrYQCW/9UIloUIUcbl0slncHlmAOWvYuAEJ5PtuzE3Qu2GlTpxhXgytwGRaCpUBUxmRJGqM/tzkZX3XwXfZHzN/vFDATo6D3nsL5nvXEldaz91n2Od5XIXuatZRQoIBZDRdkgAgbm/hfRpa4NhylBvU9nJ3vbBYqV17eL1UTW2nH/5NXZlPqsFs0PLsEQM1upmBWLX758AwKYQxknb8b3J63xvw2NRWYIPF1Nmuzw/z0DtzQqvRO70quhBM0IxG1c/h/xIPb/gE7qecFLw9JAvwhZgUxMPs3wobTmNIWxU1wpxsVFiofh/elcmSRBE9b8GBUEi2fQrB9DmN/Gvh761Vb8OPwItE2/5tkOPPhHPzZGvXYi//nH9q1mZRcE/jUSwGsFEzoheNIngvm1rnLj06tWRof6AgsQpfrEuM1FKB3p43VRLrK7TTtu3Ye4w9ekF2E8WZVfjzryf9kdEw6wAJx8HH/cNNNuHuSuAVaULVVbJbWFO+uIz2vorbetSXNY44iieaohnOfv/+1RzdXygTf3oELuh5KKmrvcqqWsJMVqN3s8YGAgRsuK78Ge8lVadwRkF0j3mf2c1LfL1x/o26hWPsncAY2hJwTPzir1sO9dn1KyofKg3zs2bEi2uy2PBcubc4KBfmbdO9r4p/lOVZdaH1aG0v4qp6XY6H4pW149Q/5LrG8KM0s0raOGQOLerI4ugyzA05fUrM0mKf1TVYB3qu+xcDggQpwFM4+Iq+ahmSFTrI1UA+BnmgiHoIZiLL+0qraw2a+m8d5OQM7itvk0yP9bjWlxAJQLIPbYeKhiQfaAsE8XsFzity/mmNgk9AnEatZWMd9zEOiOkqBd9lu7cqP3cXULfx2nTACpwykOqu2jjNhEqOn6XyUXmJzfhkMTnkQ98dSgNDclAAz9VRdCQToMQ= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD59MXJMJDLAvOVr+DDRWXIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJKNAMBnJqr8Y6R+W3NbHNmdGRiEfRP9Dy+/NmLLXjC6P0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtkyoC8D1filWDmT7q94A+w5gTuwK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhwdQcIE/1WEGfyf6MN51c1gY/++QRe2kEznTbCqfrOdcnPBOVfcolLq8b/gmccCeV7bCGEZisVbSQnNiaPkJ9b5I041HXc2vSx6IODB3F1IH8qANwhkbcxMPGvnUSm+rK ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/e1f1454154a9731b

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msiexec.exeMBAMService.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,"	MBAMService.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

MBSetup.exe

description pid process target process

PID 4712 created 3436 4712 MBSetup.exe Explorer.EXE
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (150) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (327) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

description	pid	process	target process
PID 4712 created 3436	4712	MBSetup.exe	Explorer.EXE

Drops file in Drivers directory 9 IoCs

Processes:

MBAMService.exeMBAMInstallerService.exeMBAMService.exeMBSetup.exe

description	ioc	process
File created	C:\Windows\system32\DRIVERS\mbam.sys	MBAMService.exe
File created	C:\Windows\system32\drivers\mbae64.sys	MBAMInstallerService.exe
File created	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\mbamswissarmy.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\mwac.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\farflt.sys	MBAMService.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe
File created	C:\Windows\system32\DRIVERS\MbamChameleon.sys	MBAMService.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MBAMService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mbamchameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	MBAMService.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBSetup.exeMBAMService.exembupdatrV5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mbupdatrV5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mbupdatrV5.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Malwarebytes.exeRokku.exeRokku.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Malwarebytes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Rokku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Rokku.exe

Drops startup file 4 IoCs

Processes:

GandCrab.exeGandCrab.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\MXFXYGUK-MANUAL.txt	GandCrab.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\54a974f654a97318219.lock	GandCrab.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\LNEOEX-MANUAL.txt	GandCrab.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\54a974f654a97318219.lock	GandCrab.exe

Executes dropped EXE 64 IoCs

Processes:

MBAMInstallerService.exeMBVpnTunnelService.exeMBAMService.exeMBAMService.exeMalwarebytes.exeMalwarebytes.exeMalwarebytes.exeMBAMWsc.exembupdatrV5.exeig.exeassistant.exeassistant.exeMalwarebytes.exeMalwarebytes.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeig.exeMalwarebytes.exeMalwarebytes.exefatalerror.exeCookieClickerHack.exeassistant.exeMalwarebytes.exeMalwarebytes.exeig.exe

pid	process
64	MBAMInstallerService.exe
5472	MBVpnTunnelService.exe
4124	MBAMService.exe
5248	MBAMService.exe
7820	Malwarebytes.exe
6944	Malwarebytes.exe
7040	Malwarebytes.exe
7608	MBAMWsc.exe
7604	mbupdatrV5.exe
5888	ig.exe
7448	assistant.exe
8036	assistant.exe
6452	Malwarebytes.exe
6308	Malwarebytes.exe
6156	ig.exe
2120	ig.exe
5808	ig.exe
6208	ig.exe
6464	ig.exe
6488	ig.exe
6372	ig.exe
6776	ig.exe
6784	ig.exe
6768	ig.exe
6724	ig.exe
7088	ig.exe
7896	ig.exe
6744	ig.exe
6640	ig.exe
6664	ig.exe
6676	ig.exe
6680	ig.exe
6612	ig.exe
6616	ig.exe
6576	ig.exe
6568	ig.exe
6560	ig.exe
6552	ig.exe
7804	ig.exe
6792	ig.exe
4316	ig.exe
5844	ig.exe
6380	ig.exe
6200	ig.exe
7264	ig.exe
6352	ig.exe
5532	ig.exe
3848	ig.exe
404	ig.exe
3184	ig.exe
8116	ig.exe
5100	ig.exe
3256	ig.exe
6280	ig.exe
6068	ig.exe
1492	ig.exe
7216	Malwarebytes.exe
5212	Malwarebytes.exe
2912	fatalerror.exe
2632	CookieClickerHack.exe
5176	assistant.exe
5884	Malwarebytes.exe
5388	Malwarebytes.exe
7208	ig.exe

Loads dropped DLL 64 IoCs

Processes:

MBAMInstallerService.exeMBVpnTunnelService.exeMBAMService.exeMalwarebytes.exe

pid	process
64	MBAMInstallerService.exe
64	MBAMInstallerService.exe
64	MBAMInstallerService.exe
5472	MBVpnTunnelService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
64	MBAMInstallerService.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

MBAMService.exeMBAMService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbshlext.dll"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ThreadingModel = "Apartment"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	MBAMService.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 531782.crdownload	upx
behavioral1/memory/7608-7976-0x0000000000400000-0x000000000058D000-memory.dmp	upx
behavioral1/memory/7608-8190-0x0000000000400000-0x000000000058D000-memory.dmp	upx
behavioral1/memory/3924-11169-0x0000000000400000-0x000000000058D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Blocklisted process makes network request 1 IoCs

Processes:

MsiExec.exe

flow pid process

453 3736 MsiExec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
453	3736	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

GandCrab.exeGandCrab.exeMBAMService.exemsiexec.exemsiexec.exeMBAMInstallerService.exeWinlockerVB6Blacksod.exe

description	ioc	process
File opened (read-only)	\??\N:	GandCrab.exe
File opened (read-only)	\??\Q:	GandCrab.exe
File opened (read-only)	\??\O:	MBAMService.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	GandCrab.exe
File opened (read-only)	\??\G:	GandCrab.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	GandCrab.exe
File opened (read-only)	\??\M:	GandCrab.exe
File opened (read-only)	\??\G:	MBAMService.exe
File opened (read-only)	\??\I:	MBAMInstallerService.exe
File opened (read-only)	\??\Y:	MBAMInstallerService.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	GandCrab.exe
File opened (read-only)	\??\I:	MBAMService.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	MBAMService.exe
File opened (read-only)	\??\K:	GandCrab.exe
File opened (read-only)	\??\W:	GandCrab.exe
File opened (read-only)	\??\Q:	MBAMService.exe
File opened (read-only)	\??\S:	MBAMInstallerService.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	GandCrab.exe
File opened (read-only)	\??\V:	MBAMService.exe
File opened (read-only)	\??\J:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	GandCrab.exe
File opened (read-only)	\??\X:	GandCrab.exe
File opened (read-only)	\??\S:	GandCrab.exe
File opened (read-only)	\??\O:	GandCrab.exe
File opened (read-only)	\??\Y:	MBAMService.exe
File opened (read-only)	\??\G:	MBAMInstallerService.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	GandCrab.exe
File opened (read-only)	\??\Q:	GandCrab.exe
File opened (read-only)	\??\G:	GandCrab.exe
File opened (read-only)	\??\H:	MBAMService.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	GandCrab.exe
File opened (read-only)	\??\V:	GandCrab.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\K:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\R:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\V:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	MBAMService.exe
File opened (read-only)	\??\M:	MBAMInstallerService.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	GandCrab.exe
File opened (read-only)	\??\U:	GandCrab.exe
File opened (read-only)	\??\B:	MBAMService.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	GandCrab.exe
File opened (read-only)	\??\W:	GandCrab.exe
File opened (read-only)	\??\L:	GandCrab.exe
File opened (read-only)	\??\P:	GandCrab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

Processes:

flow	ioc
580	raw.githubusercontent.com
743	raw.githubusercontent.com
805	raw.githubusercontent.com
215	raw.githubusercontent.com
350	raw.githubusercontent.com
351	raw.githubusercontent.com
515	raw.githubusercontent.com
517	raw.githubusercontent.com
352	raw.githubusercontent.com
516	raw.githubusercontent.com
744	raw.githubusercontent.com
828	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

Processes:

MBVpnTunnelService.exeDrvInst.exeMBAMService.exeMBAMService.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4\netv1x64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netavpna.inf_amd64_f6f0831ba09dd9f5\netavpna.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\netl1c63x64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\Temp\{45b63d43-fb89-d549-9612-3372d06ff08c}\SET91D6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_783312763f8749c7\netl260a.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\athw8x.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbc63a.inf_amd64_7ba6c9cea77dd549\netbc63a.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_5d1c92f42d958529\netax88772.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mrvlpcie8897.inf_amd64_07fc330c5a5730ca\mrvlpcie8897.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{45b63d43-fb89-d549-9612-3372d06ff08c}	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_1bdf7a435cb3580d\netrasa.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5F26A2159BA21EA573A1C5E3DE2CF211_E3375A509D9058F6A8FFB74D3B4E6F77	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_99a4ca261f585f17\net8187se64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rt640x64.inf_amd64_8984d8483eef476c\rt640x64.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_C92678066E2B4B4986BC7641EEC08637	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_9e6bb7a4b7338267\usbnet.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_310ee0bc0af86ba3\netr7364.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mbtun.inf_amd64_add82795013a7c3b\mbtun.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_dba6eeaf0544a4e0\netwmbclass.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwns64.inf_amd64_162bb49f925c6463\netwns64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_1fff3bc87a99b0f1\netbxnda.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlans.inf_amd64_97cd1a72c2a7829c\netrtwlans.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_0D0888CE7AC1F2D5AD77780722B1FE14	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_153e01d761813df2\netwew01.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D	MBAMService.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_e92c5a65e41993f9\net9500-x64-n650f.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_b96cdf411c43c00c\netbc64.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1401C7EC8E96BC79CBFD92F9DF762D_E35D496D1CD0B884BEBCAFED0FE61600	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1401C7EC8E96BC79CBFD92F9DF762D_E35D496D1CD0B884BEBCAFED0FE61600	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netelx.inf_amd64_7812e4e45c4a5eb1\netelx.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane.inf_amd64_20caba88bd7f0bb3\netrtwlane.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\netvwwanmp.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_b6748bc8bb8ccf4d\netax88179_178a.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0E447C3E79584EC91182C66BBD2DB7	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_2E01D413E600DA01958BFB19A6EF6010	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_0D0888CE7AC1F2D5AD77780722B1FE14	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlanu.inf_amd64_1815bafd14dc59f0\netrtwlanu.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_8de1181bfd1f1628\ndisimplatformmp.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_7080f6b8ea1744fb\netnvma.PNF	MBVpnTunnelService.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

$uckyLocker.exe$uckyLocker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe

Drops file in Program Files directory 64 IoCs

Processes:

MBAMInstallerService.exeMBAMService.exemsiexec.exeGandCrab.exeGandCrab.exe

description	ioc	process
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.IO.FileSystem.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Reflection.Emit.ILGeneration.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\WindowsBase.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Microsoft.Extensions.Caching.Memory.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Net.Sockets.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\de\UIAutomationClientSideProviders.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ja\PresentationFramework.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\UIAutomationClient.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-processenvironment-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\it\UIAutomationClient.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbamelam.cat	MBAMInstallerService.exe
File created	C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sdk\mbam.inf	MBAMService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Threading.Tasks.Extensions.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\cs\UIAutomationClient.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\UIAutomationProvider.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mb5uns.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbtun.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Actions.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-crt-convert-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Collections.Concurrent.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Text.Encoding.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\pl\UIAutomationProvider.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\System.Windows.Controls.Ribbon.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Microsoft.Extensions.DependencyInjection.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\mscorlib.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Private.Xml.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\it\PresentationFramework.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\malwarebytes_assistant.deps.json	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\CloudControllerImpl.dll	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav	msiexec.exe
File opened for modification	C:\Program Files\NewPush.xlt	GandCrab.exe
File created	C:\Program Files\Malwarebytes\9bfbdf17144f11efbb2efe55e2f65ccf	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Web.HttpUtility.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\Microsoft.VisualBasic.Forms.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\ActionsShim.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\MBAMShim.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ko\Microsoft.VisualBasic.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\MbamPt.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Runtime.Serialization.Formatters.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\System.Configuration.ConfigurationManager.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\PresentationCore.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\BrowserSDKDLLShim.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll	MBAMInstallerService.exe
File opened for modification	C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sample.dll	MBAMService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Diagnostics.Debug.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ru\System.Windows.Input.Manipulations.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hans\WindowsBase.resources.dll	MBAMInstallerService.exe
File opened for modification	C:\Program Files\SearchAssert.3gp	GandCrab.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\de\System.Windows.Input.Manipulations.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\it\System.Windows.Forms.Primitives.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\cs\WindowsBase.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\it\Microsoft.VisualBasic.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\it\System.Windows.Input.Manipulations.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\SQLitePCLRaw.core.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.deps.json	MBAMInstallerService.exe
File opened for modification	C:\Program Files\OpenResize.aif	GandCrab.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ja\UIAutomationProvider.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ja\WindowsFormsIntegration.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\pt-BR\System.Windows.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ru\System.Windows.Controls.Ribbon.resources.dll	MBAMInstallerService.exe
File opened for modification	C:\Program Files\LimitRegister.pptm.lneoex	GandCrab.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\PoliciesControllerImpl.dll	MBAMInstallerService.exe

Drops file in Windows directory 27 IoCs

Processes:

msiexec.exeDrvInst.exeMBVpnTunnelService.exeMBAMService.exeMsiExec.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI8FAC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9189.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI9236.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI903C.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9331.tmp	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI8FDC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI909B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90CC.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MBVpnTunnelService.exe
File opened for modification	C:\Windows\Installer\MSI8EFE.tmp	msiexec.exe
File created	C:\Windows\Installer\e5b8e81.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90FC.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C452D4E2-DE24-48B6-B5C3-ACB240A01606}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Tasks\sys.job	MBAMService.exe
File opened for modification	C:\Windows\Installer\MSI8FFC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI900C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5b8e81.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F4D.tmp	msiexec.exe
File created	C:\Windows\Tasks\sys.job	MsiExec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 29 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exetaskmgr.exeDrvInst.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GandCrab.exeGandCrab.exeMBAMService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MBAMService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

MBAMService.exefatalerror.exeMBAMInstallerService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\IESettingSync	fatalerror.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Malwarebytes.exe = "11000"	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	fatalerror.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	fatalerror.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	fatalerror.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MBAMInstallerService.exeDrvInst.exeMBAMService.exembupdatrV5.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mbupdatrV5.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mbupdatrV5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mbupdatrV5.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mbupdatrV5.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	MBAMInstallerService.exe

Modifies registry class 64 IoCs

Processes:

MBAMService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3FCAA7C-EA26-43E6-A312-CDB85491DDD8}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4215DAB-7574-44DE-8BE9-78CC62597C95}\ = "IUpdateControllerV9"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C510D99-F27D-457F-9469-CFC179DBE0C7}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CleanController\CurVer\ = "MB.CleanController.1"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D51C573D-B305-4980-8DFF-076C1878CCFB}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55E4B8FB-921C-4751-8B2D-AE33BD7D0B74}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19B9825A-26E8-468B-BD9F-3034509098F0}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8307A4A5-A025-438B-B23B-8EE38A453D54}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDF63EDA-B622-44E2-8053-8877E33BB49A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53260A87-5F77-4449-95F1-77A210A2A6D8}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA484BC6-E101-4A87-AAF3-B468B3F2C6BB}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7BCC13C-47B9-4DC0-8FC6-B2A489EF60EF}\ = "IScanControllerV4"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F641DDA1-271F-47C7-90C2-4327665959DF}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA226B90-F6FF-4618-8AE6-1114E82CB162}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59E42E77-5F19-4602-A559-3FFA9EE51202}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{929A5C6C-42D7-4248-9533-03C32165691F}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADCD8BEB-8924-4876-AE14-2438FF14FA17}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.MBAMServiceController.1\ = "MBAMServiceController Class"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E777BB2-8526-437A-BBE2-42647DE2EC86}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31BF2366-C6DB-49F1-96A5-8026B9DF4152}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D448EF3-7261-4C0C-909C-6D56043C259D}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{239C7555-993F-4071-9081-D2AE0B590D63}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC34538A-37CB-44B4-9264-533E9347BB40}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8258E71-3A7A-4D9D-85BB-C7999F95B7E4}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF7DFB76-BA49-4191-8B62-0AC3571C56D7}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55D0C28B-2BF3-4230-B48D-DB2C2D7BF6F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A9108FB-A377-47EC-96E3-3CB8B1FB7272}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B05F69B-4F9B-4FD3-A491-16153F999E00}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9704115C-F54E-4D64-8554-0CAF8BF33B1B}\ = "IMWACControllerV5"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CE18DD5-2BD7-4844-B9AD-DF6A995750A1}\TypeLib\ = "{2446F405-83F0-460F-B837-F04540BB330C}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\AppID = "{1F7896AD-8886-42CD-8ABD-7A1315A3A5F2}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81541635-736E-4460-81AA-86118F313CD5}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A574BA8-3535-41F9-AB73-FA93F8A7DC3B}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F128CCB-D86F-4998-803A-7CD58474FE2C}\ = "IScannerEvents"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E230930A-6CC2-4B9D-8CE1-03F86A8EDA05}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F81B1882-A388-42E5-9351-05C858E52DDC}\TypeLib\ = "{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAFDF38F-72A8-4791-AACC-72EB8E09E460}\TypeLib\ = "{783B187E-360F-419C-B6DA-592892764A01}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F927AD37-BA5F-4B86-AE22-FE2371B12955}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A9108FB-A377-47EC-96E3-3CB8B1FB7272}\TypeLib\ = "{226C1698-A075-4315-BB5D-9C164A96ACE7}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\ProgID\ = "MB.MBAMServiceController.1"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.PoliciesController\CurVer	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\ = "NormalScanParameters Class"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B860FC17-5606-4F3A-8AE5-E1C139D8BDE3}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FFB94DF8-FC15-411C-B443-E937085E2AC1}\1.0\FLAGS\ = "0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9D47FCC-ECEC-453C-9936-2CD0F16A8696}\ = "IRTPControllerEventsV8"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B243B0B7-0567-4DA5-B8E4-A4CE22A4F2B6}\TypeLib\ = "{6C5B978B-68C9-45C7-9D6E-0BA57A3C7EB2}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{106E3995-72F9-458A-A317-9AFF9E45A1F0}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE6A4256-97CD-4DBB-9D4A-3054B0BB0F8B}\TypeLib\ = "{F5BCAC7E-75E7-4971-B3F3-B197A510F495}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E3F0FEC-3E40-4137-8C7D-090AFA9B6C5E}\ = "_ITelemetryControllerEvents"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FB37514-21FA-4B2C-94DA-1562126E9F5F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5083B4CA-BBA6-43DD-B36E-DEA787CA0CAD}\ = "IMWACControllerV8"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A34647B-D9A8-40D9-B563-F9461E98030E}\TypeLib\ = "{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\ = "ScanController Class"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A0A45F1-CFB6-49A7-BBC4-8776F94857A8}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AC5390D0-3831-4D42-BD1D-8151A5A1742C}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F3822FA-CCD5-4934-AB6D-3382B2F91DB9}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4412646D-16F5-4F3C-8348-0744CDEBCCBF}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECDAC35E-72BB-4856-97E1-226BA47C62C5}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD9CB7A5-5C46-4799-A3A4-20FB128E58F1}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1BDE8B0-F598-4334-9991-ECC7442EEAA6}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49F6AC60-2104-42C6-8F71-B3916D5AA732}\1.0\0\win64	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07B91244-8A85-4196-8904-7681CD9C42A6}\TypeLib\ = "{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.MWACController.1\ = "MWACController Class"	MBAMService.exe

Modifies system certificate store 2 TTPs 30 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

MBAMInstallerService.exeMBAMService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa20f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MBAMService.exe

NTFS ADS 1 IoCs

Processes:

MBAMInstallerService.exe

description ioc process

File created C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe\:SmartScreen:$DATA MBAMInstallerService.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4572 NOTEPAD.EXE
Runs net.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc stream

HTTP User-Agent header 336 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) 1

description	ioc	process
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe\:SmartScreen:$DATA	MBAMInstallerService.exe

pid	process
4572	NOTEPAD.EXE

description	flow	ioc	stream
HTTP User-Agent header	336	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MBSetup.exeMBAMInstallerService.exeMBAMService.exeMalwarebytes.exetaskmgr.exemsedge.exe

pid	process
4712	MBSetup.exe
4712	MBSetup.exe
64	MBAMInstallerService.exe
64	MBAMInstallerService.exe
64	MBAMInstallerService.exe
64	MBAMInstallerService.exe
64	MBAMInstallerService.exe
64	MBAMInstallerService.exe
64	MBAMInstallerService.exe
64	MBAMInstallerService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
5248	MBAMService.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
5248	MBAMService.exe
5248	MBAMService.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
8152	msedge.exe
8152	msedge.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
5248	MBAMService.exe
5248	MBAMService.exe
4580	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4580 taskmgr.exe
Suspicious behavior: LoadsDriver 23 IoCs

Processes:

pid process

668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668

pid	process
4580	taskmgr.exe

pid	process
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
8152	msedge.exe
8152	msedge.exe
8152	msedge.exe
8152	msedge.exe
8152	msedge.exe
8152	msedge.exe
8152	msedge.exe
8152	msedge.exe
8152	msedge.exe
8152	msedge.exe
8152	msedge.exe
8152	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2872	msedge.exe
2600	msedge.exe
2600	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeMBAMService.exeMBAMService.exe

description	pid	process
Token: SeAuditPrivilege	5964	svchost.exe
Token: SeSecurityPrivilege	5964	svchost.exe
Token: 33	4124	MBAMService.exe
Token: SeIncBasePriorityPrivilege	4124	MBAMService.exe
Token: 33	5248	MBAMService.exe
Token: SeIncBasePriorityPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeBackupPrivilege	5248	MBAMService.exe
Token: SeRestorePrivilege	5248	MBAMService.exe
Token: SeTakeOwnershipPrivilege	5248	MBAMService.exe
Token: SeBackupPrivilege	5248	MBAMService.exe
Token: SeRestorePrivilege	5248	MBAMService.exe
Token: SeTakeOwnershipPrivilege	5248	MBAMService.exe
Token: SeSecurityPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe
Token: SeDebugPrivilege	5248	MBAMService.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

MBSetup.exeMalwarebytes.exemsedge.exetaskmgr.exe

pid	process
4712	MBSetup.exe
4712	MBSetup.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
2072	msedge.exe
2072	msedge.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Malwarebytes.exetaskmgr.exe

pid	process
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
7820	Malwarebytes.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe
4580	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MBSetup.exefatalerror.exe

pid process

4712 MBSetup.exe
2912 fatalerror.exe
2912 fatalerror.exe
2912 fatalerror.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MBAMInstallerService.exesvchost.exeMBAMService.exemsedge.exe

description	pid	process	target process
PID 64 wrote to memory of 5472	64	MBAMInstallerService.exe	MBVpnTunnelService.exe
PID 64 wrote to memory of 5472	64	MBAMInstallerService.exe	MBVpnTunnelService.exe
PID 5964 wrote to memory of 5892	5964	svchost.exe	DrvInst.exe
PID 5964 wrote to memory of 5892	5964	svchost.exe	DrvInst.exe
PID 64 wrote to memory of 4124	64	MBAMInstallerService.exe	MBAMService.exe
PID 64 wrote to memory of 4124	64	MBAMInstallerService.exe	MBAMService.exe
PID 5248 wrote to memory of 7820	5248	MBAMService.exe	Malwarebytes.exe
PID 5248 wrote to memory of 7820	5248	MBAMService.exe	Malwarebytes.exe
PID 2072 wrote to memory of 5552	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 5552	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6280	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6288	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6288	2072	msedge.exe	msedge.exe
PID 2072 wrote to memory of 6296	2072	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\.html
2⤵
PID:4184

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe"
2⤵
- Executes dropped EXE
PID:6944

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe"
3⤵
- Executes dropped EXE
PID:7040

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4580

C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe
"C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe" --ContextScan "C:\Users\Admin\AppData\Local\Temp\mb_1BC2.tmp"
2⤵
- Executes dropped EXE
PID:7448

C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe
"C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe" --ContextScan "C:\Users\Admin\AppData\Local\Temp\mb_4BFB.tmp"
2⤵
- Executes dropped EXE
PID:8036

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"Malwarebytes" --ContextScan
3⤵
- Executes dropped EXE
PID:6452

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" --ContextScan
4⤵
- Executes dropped EXE
PID:6308

C:\Users\Admin\Desktop\WinlockerVB6Blacksod.exe
"C:\Users\Admin\Desktop\WinlockerVB6Blacksod.exe"
2⤵
- Enumerates connected drives
PID:2364

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Desktop\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\Desktop\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
3⤵
- Enumerates connected drives
PID:7040

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Desktop\WinlockerVB6Blacksod.exe" ContextMenu
2⤵
PID:6416

C:\Windows\System32\msdt.exe
C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWBF07.xml /skip TRUE
3⤵
PID:7384

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\WinlockerVB6Blacksod\" -ad -an -ai#7zMap23329:98:7zEvent27128
2⤵
PID:7072

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe"
2⤵
- Executes dropped EXE
PID:7216

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe"
3⤵
- Executes dropped EXE
PID:5212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
2⤵
PID:7696

C:\Users\Admin\Downloads\CookieClickerHack.exe
"C:\Users\Admin\Downloads\CookieClickerHack.exe"
2⤵
- Executes dropped EXE
PID:2632

C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe
"C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe" --ContextScan "C:\Users\Admin\AppData\Local\Temp\mb_3127.tmp"
2⤵
- Executes dropped EXE
PID:5176

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"Malwarebytes" --ContextScan
3⤵
- Executes dropped EXE
PID:5884

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" --ContextScan
4⤵
- Executes dropped EXE
PID:5388

C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe
"C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe" --ContextScan "C:\Users\Admin\AppData\Local\Temp\mb_C804.tmp"
2⤵
PID:1644

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"Malwarebytes" --ContextScan
3⤵
PID:7484

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" --ContextScan
4⤵
PID:5200

C:\Users\Admin\Desktop\$uckyLocker.exe
"C:\Users\Admin\Desktop\$uckyLocker.exe"
2⤵
- Sets desktop wallpaper using registry
PID:2104

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_IT.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
2⤵
PID:5136

C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe
"C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe" --ContextScan "C:\Users\Admin\AppData\Local\Temp\mb_8A71.tmp"
2⤵
PID:1424

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"Malwarebytes" --ContextScan
3⤵
PID:6344

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" --ContextScan
4⤵
PID:228

C:\Users\Admin\Desktop\Rokku.exe
"C:\Users\Admin\Desktop\Rokku.exe"
2⤵
- Checks computer location settings
PID:7608

C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
3⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f
3⤵
PID:6408

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:1364

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop vss
3⤵
PID:3476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vss
4⤵
PID:316

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop swprv
3⤵
PID:2524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swprv
4⤵
PID:2112

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop srservice
3⤵
PID:4956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice
4⤵
PID:4644

C:\Users\Admin\Desktop\GandCrab.exe
"C:\Users\Admin\Desktop\GandCrab.exe"
2⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
PID:6152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
3⤵
PID:5140

C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe
"C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe" --ContextScan "C:\Users\Admin\AppData\Local\Temp\mb_1E8A.tmp"
2⤵
PID:3508

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"Malwarebytes" --ContextScan
3⤵
PID:4652

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" --ContextScan
4⤵
PID:5408

C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe
"C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe" --ContextScan "C:\Users\Admin\AppData\Local\Temp\mb_2CF9.tmp"
2⤵
PID:6856

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"Malwarebytes" --ContextScan
3⤵
PID:5388

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" --ContextScan
4⤵
PID:3428

C:\Users\Admin\Desktop\CryptoLocker.exe
"C:\Users\Admin\Desktop\CryptoLocker.exe"
2⤵
PID:8132

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Desktop\CryptoLocker.exe"
3⤵
- Adds Run key to start application
PID:7256

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
4⤵
PID:7068

C:\Users\Admin\Desktop\GandCrab.exe
"C:\Users\Admin\Desktop\GandCrab.exe"
2⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
PID:7164

C:\Users\Admin\Desktop\Rokku.exe
"C:\Users\Admin\Desktop\Rokku.exe"
2⤵
- Checks computer location settings
PID:3924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1504

C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
3⤵
PID:4748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f
3⤵
PID:956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:5216

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop vss
3⤵
PID:2100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vss
4⤵
PID:2512

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop swprv
3⤵
PID:3496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop swprv
4⤵
PID:3560

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop srservice
3⤵
PID:6328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice
4⤵
PID:6352

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
2⤵
PID:7468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pcapp.store/installing.php?guid=D2547453-E731-4FDF-8F92-95F955A44ACAX&winver=19041&version=fa.1091e&nocache=20240517133043.469&_fcid=1715952551138803
3⤵
PID:7636

C:\Users\Admin\Desktop\$uckyLocker.exe
"C:\Users\Admin\Desktop\$uckyLocker.exe"
2⤵
- Sets desktop wallpaper using registry
PID:6544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4272,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=760 /prefetch:1
1⤵
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=756,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:1
1⤵
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5260,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:8
1⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5276,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:8
1⤵
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5616,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:8
1⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5612,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:1
1⤵
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=3992 /prefetch:8
1⤵
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5288,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:1
1⤵
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=4900,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:1
1⤵
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=5724,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5940 /prefetch:1
1⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6572,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:8
1⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6552,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5948 /prefetch:1
1⤵
PID:4032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6564,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6296 /prefetch:8
1⤵
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6448,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:8
1⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=5664,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5252 /prefetch:1
1⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=6524,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6632 /prefetch:1
1⤵
PID:3940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=6864,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:1
1⤵
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=6860,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6892 /prefetch:1
1⤵
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=6876,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6044 /prefetch:1
1⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=6628,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6488 /prefetch:1
1⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=7084,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:8
1⤵
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=6644,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=7124 /prefetch:1
1⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7296,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=7308 /prefetch:8
1⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7052,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=7800 /prefetch:8
1⤵
PID:2708

C:\Users\Admin\Downloads\MBSetup.exe
"C:\Users\Admin\Downloads\MBSetup.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:64

C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
PID:5472

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=6648,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5692 /prefetch:1
1⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=7456,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6600 /prefetch:1
1⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --field-trial-handle=8068,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6828 /prefetch:1
1⤵
PID:1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=7140,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=7120 /prefetch:1
1⤵
PID:6012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5964

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "000000000000014C" "Service-0x0-3e7$\Default" "000000000000015C" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5892

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5248

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" nowindow
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://links.malwarebytes.com/link/pricing-inapp?version=5.1.4.112&x-prodcode=MDAM-B&x-token_secret=0RJqCl-jr1uEbqGi4UPgLilWBOjMMvLv295HRD9MVK0leoup2DzH7TkN3guwvjKqm1bPbHU4DM299HpQLZsQ78QpdS-UDk8BlFhyf2TVyIAU0KDpsIT3YDTMkfnOgev-&ADDITIONAL_machineid=6767daf1bccd331d0597e64ef890b601cef9f898&days_since_install=0&varID=mb5-onboarding
3⤵
PID:7256

C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe" /wac 0 /status on true /updatesubstatus none /scansubstatus none /settingssubstatus none
2⤵
- Executes dropped EXE
PID:7608

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe
"C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe" "C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\config\UpdateControllerConfig.json" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbclsupdate\staging" /db:dbupdate /su:no
2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:7604

C:\Users\Admin\AppData\LocalLow\IGDump\hefpmpwobhxqbxjskbjxyqbgzyxtbgtc\ig.exe
ig.exe secure
2⤵
- Executes dropped EXE
PID:5888

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6156

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:2120

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:5808

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6208

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6464

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6488

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6372

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6776

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6784

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6768

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6724

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:7088

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:7896

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6744

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6640

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6664

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6676

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6680

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6612

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6616

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6576

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6568

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6560

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6552

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:7804

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6792

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:4316

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:5844

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6380

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6200

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:7264

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6352

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:5532

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:3848

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:404

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:3184

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:8116

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:5100

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:3256

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6280

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:6068

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
- Executes dropped EXE
PID:1492

C:\Users\Admin\AppData\LocalLow\IGDump\rnxhkeekphjjxnqdbbsxjivjwgdhmhza\ig.exe
ig.exe timer 4000 wulonlpjwyubnnwlfylfvrsygqyklrkt.ext
2⤵
- Executes dropped EXE
PID:7208

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:6204

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7312

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:2800

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:2644

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:5220

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:6372

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:6776

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:6208

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:6552

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:3836

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:5840

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4656

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7228

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7804

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:6584

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:6632

C:\Users\Admin\AppData\LocalLow\IGDump\zwbjcccmniljetzukqtdpleoelkfnwlk\ig.exe
ig.exe timer 4000 msciiuysoslshmwxdhputqytjhjizrnt.ext
2⤵
PID:6732

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:6504

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:3884

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:5188

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4376

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4568

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:2512

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7392

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4452

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:3736

C:\Users\Admin\AppData\LocalLow\IGDump\yeklkbrzfwqyqdlvkhlcmfhzcyrqahxv\ig.exe
ig.exe timer 4000 jopqhrwxcuxmrgwilakufyoouxvxpedd.ext
2⤵
PID:464

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:6380

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:6116

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4400

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:768

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:5388

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4988

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:2388

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4660

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:5492

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:2216

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:5608

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4932

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4704

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7580

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:2500

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:1908

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7684

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7396

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:2708

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:5916

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:2524

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4448

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4232

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7032

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4956

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:3140

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:464

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:5416

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:6716

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:3844

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:5760

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7104

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:5740

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7508

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:2008

C:\Users\Admin\AppData\LocalLow\IGDump\mufcmwcxdbdatoixjuwiyymtmscejjxu\ig.exe
ig.exe timer 4000 idtnzckzavhzfytknvhleozaklwqnaku.ext
2⤵
PID:4224

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7636

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:6480

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:5016

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4040

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:1408

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4036

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7404

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:4512

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:5844

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7708

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:7280

C:\Users\Admin\AppData\LocalLow\IGDump\zzyvsrpxsskobdexujgsxxwkbfhhdjkf\ig.exe
ig.exe timer 4000 llrrmblslcslulqvyyzhgviaveytwanp.ext
2⤵
PID:7396

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
ig.exe reseed
2⤵
PID:6616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --field-trial-handle=5084,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=7748 /prefetch:1
1⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --field-trial-handle=7028,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=8332 /prefetch:1
1⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --field-trial-handle=7340,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=7844 /prefetch:1
1⤵
PID:8044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8556,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=8484 /prefetch:8
1⤵
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7944,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=8576 /prefetch:8
1⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ff94206ceb8,0x7ff94206cec4,0x7ff94206ced0
2⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2932,i,9716709304906130331,14704553225989977717,262144 --variations-seed-version --mojo-platform-channel-handle=2928 /prefetch:2
2⤵
PID:6280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,9716709304906130331,14704553225989977717,262144 --variations-seed-version --mojo-platform-channel-handle=3060 /prefetch:3
2⤵
PID:6288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,9716709304906130331,14704553225989977717,262144 --variations-seed-version --mojo-platform-channel-handle=3248 /prefetch:8
2⤵
PID:6296

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2420,i,9716709304906130331,14704553225989977717,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
2⤵
PID:6668

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2420,i,9716709304906130331,14704553225989977717,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
2⤵
PID:6648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4884,i,9716709304906130331,14704553225989977717,262144 --variations-seed-version --mojo-platform-channel-handle=4944 /prefetch:1
2⤵
PID:7344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=4876,i,9716709304906130331,14704553225989977717,262144 --variations-seed-version --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:7352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=5164,i,9716709304906130331,14704553225989977717,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:1
2⤵
PID:7368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5576,i,9716709304906130331,14704553225989977717,262144 --variations-seed-version --mojo-platform-channel-handle=5588 /prefetch:8
2⤵
PID:7384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5604,i,9716709304906130331,14704553225989977717,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:8
2⤵
PID:7396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:8152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff94206ceb8,0x7ff94206cec4,0x7ff94206ced0
3⤵
PID:8176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2296,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=2292 /prefetch:2
3⤵
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=3272 /prefetch:3
3⤵
PID:8108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=280,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=3376 /prefetch:8
3⤵
PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4312,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
3⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4312,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
3⤵
PID:5152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4648,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
3⤵
PID:468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4652,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:8
3⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=4732 /prefetch:8
3⤵
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3696,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=4888 /prefetch:1
3⤵
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=4988,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=5012 /prefetch:8
3⤵
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4916,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=5180 /prefetch:8
3⤵
PID:7140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4100,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:1
3⤵
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4680,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:1
3⤵
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5560,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:1
3⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4572,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=1212 /prefetch:8
3⤵
PID:7324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5268,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:8
3⤵
PID:7556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5128,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:8
3⤵
PID:7604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5768,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:1
3⤵
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4112,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:8
3⤵
PID:348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5132,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:8
3⤵
PID:7084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5276,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=6248 /prefetch:8
3⤵
PID:6544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5764,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=4824 /prefetch:1
3⤵
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6492,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=6476 /prefetch:1
3⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6816,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=6836 /prefetch:8
3⤵
PID:6044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6824,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=6780 /prefetch:1
3⤵
PID:6108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7308,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=7316 /prefetch:8
3⤵
PID:3836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7196,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=7336 /prefetch:8
3⤵
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=7480,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=7152 /prefetch:8
3⤵
PID:6244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6512,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=5720 /prefetch:1
3⤵
PID:6956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7304,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=7408 /prefetch:8
3⤵
PID:7048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7484,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=5988 /prefetch:1
3⤵
PID:6904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=6916,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=6572 /prefetch:1
3⤵
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6864,i,663404731024879660,4945003654197157944,262144 --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:8
3⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff94206ceb8,0x7ff94206cec4,0x7ff94206ced0
4⤵
PID:7620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2248,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:2
4⤵
PID:7152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1988,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=2868 /prefetch:3
4⤵
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2332,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=3036 /prefetch:8
4⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4392,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8
4⤵
PID:7724

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4392,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8
4⤵
PID:6416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4660,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=4704 /prefetch:1
4⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=4784,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=4808 /prefetch:8
4⤵
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4444,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=4844 /prefetch:8
4⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5448,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:1
4⤵
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5532,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:1
4⤵
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5632,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:1
4⤵
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:8
4⤵
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:8
4⤵
PID:7832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:8
4⤵
PID:7488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5468,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=2112 /prefetch:1
4⤵
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5552,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:8
4⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6048,i,17227724269713941286,14378170687795718206,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:8
4⤵
PID:7056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff94206ceb8,0x7ff94206cec4,0x7ff94206ced0
5⤵
PID:6076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2096,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=2092 /prefetch:2
5⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=2324 /prefetch:3
5⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2516,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=2464 /prefetch:8
5⤵
PID:8108

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4396,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
5⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4396,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
5⤵
PID:6392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4916,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=4964 /prefetch:1
5⤵
PID:6984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=4932,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:1
5⤵
PID:6752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5572,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:8
5⤵
PID:7032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5576,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:8
5⤵
PID:8032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5996,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6000 /prefetch:1
5⤵
PID:7896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=6060,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6156 /prefetch:1
5⤵
PID:3836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5184 /prefetch:8
5⤵
PID:7972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5532,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=4488 /prefetch:1
5⤵
PID:7924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4936,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6292 /prefetch:1
5⤵
PID:6632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6172,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6208 /prefetch:1
5⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5104,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
5⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6276,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5012 /prefetch:8
5⤵
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5072,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:8
5⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6644 /prefetch:8
5⤵
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6164,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=3676 /prefetch:1
5⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=560,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5136 /prefetch:1
5⤵
PID:8088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6192,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6248 /prefetch:1
5⤵
PID:7024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6680,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:1
5⤵
PID:6708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5960,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=3672 /prefetch:1
5⤵
PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6624,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6280 /prefetch:1
5⤵
PID:6596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6968,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6948 /prefetch:1
5⤵
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5720,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7096 /prefetch:8
5⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=3744,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:8
5⤵
PID:7808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=4160,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6816 /prefetch:1
5⤵
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7500,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7480 /prefetch:8
5⤵
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=7516,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7632 /prefetch:8
5⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=7384,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6964 /prefetch:1
5⤵
PID:7376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5672,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7720 /prefetch:8
5⤵
PID:840

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7376,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7332 /prefetch:8
5⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7376,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7332 /prefetch:8
5⤵
PID:7012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=7388,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6932 /prefetch:1
5⤵
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1020,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7324 /prefetch:8
5⤵
PID:6336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3928,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8
5⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=5664,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5016 /prefetch:1
5⤵
PID:7692

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7528,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7256 /prefetch:8
5⤵
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7528,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7256 /prefetch:8
5⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=4016,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:1
5⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=7580,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6628 /prefetch:1
5⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=6976,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:1
5⤵
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=6804,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7020 /prefetch:1
5⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=4136,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6084 /prefetch:1
5⤵
PID:7964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7568,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:8
5⤵
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7688,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7608 /prefetch:8
5⤵
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=4044,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6208 /prefetch:1
5⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=7728,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:1
5⤵
PID:7768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=7548,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7620 /prefetch:1
5⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=3896,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7476 /prefetch:1
5⤵
PID:7200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=7240,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5016 /prefetch:1
5⤵
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=7604,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6304 /prefetch:1
5⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=7700,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7924 /prefetch:8
5⤵
PID:6820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7888,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=8008 /prefetch:8
5⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=5408,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:1
5⤵
PID:7624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=7048,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7760 /prefetch:1
5⤵
PID:5920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=4624,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7908 /prefetch:1
5⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=8188,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6304 /prefetch:1
5⤵
PID:7388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=7508,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:1
5⤵
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=6672,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5988 /prefetch:1
5⤵
PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=6792,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=5136 /prefetch:1
5⤵
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6816,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6780 /prefetch:8
5⤵
PID:7472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7964,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
5⤵
PID:7688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=7600,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=6188 /prefetch:1
5⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6868,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=8352 /prefetch:8
5⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=8356,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=8376 /prefetch:8
5⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=5076,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7624 /prefetch:1
5⤵
PID:6660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=8344,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=7072 /prefetch:1
5⤵
PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=3848,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=8360 /prefetch:1
5⤵
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --field-trial-handle=8252,i,11739814843741370171,7664417971767822502,262144 --variations-seed-version --mojo-platform-channel-handle=8116 /prefetch:1
5⤵
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ff94206ceb8,0x7ff94206cec4,0x7ff94206ced0
6⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2672,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=3180 /prefetch:2
6⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1808,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=3268 /prefetch:3
6⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2380,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=3384 /prefetch:8
6⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4408,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:8
6⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4408,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:8
6⤵
PID:7292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4660,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=4668 /prefetch:1
6⤵
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=4992,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8
6⤵
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4640,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=5036 /prefetch:8
6⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5416,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=5400 /prefetch:1
6⤵
PID:6328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5396,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=5344 /prefetch:1
6⤵
PID:692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5552,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=5668 /prefetch:1
6⤵
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=560,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=5508 /prefetch:8
6⤵
PID:912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5476,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=4476 /prefetch:8
6⤵
PID:6496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=4760 /prefetch:8
6⤵
PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4524,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:8
6⤵
PID:7376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8
6⤵
PID:7260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5216,i,12076964695237958850,16565033307940450078,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8
6⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:6372

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:6040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
PID:7108

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9F51D6D243310EBCDE99AFD7E9B887DA
2⤵
- Blocklisted process makes network request
PID:3736

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 17B5BB01491C5C647C2FE1339ED7DBF5 E Global\MSI0000
2⤵
- Drops file in Windows directory
PID:3176

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:1404

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\afi0mejc\afi0mejc.cmdline"
2⤵
PID:6612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3D9.tmp" "c:\Users\Admin\AppData\Local\Temp\afi0mejc\CSC999507231D6242828A731FB44ADAE3C8.TMP"
3⤵
PID:6556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jm2vuozk\jm2vuozk.cmdline"
2⤵
PID:6484

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC446.tmp" "c:\Users\Admin\AppData\Local\Temp\jm2vuozk\CSC8040567EF8C34FA08585462B8B12C61.TMP"
3⤵
PID:7264

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:1928

C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe
"C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2912

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x4cc
1⤵
PID:2296

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7212

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\4137823313424648894c98257cb3b5e5 /t 5936 /p 2912
1⤵
PID:7536

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:7576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://www.microsoft.com/microsoft-365/microsoft-365-basic-faqs?OCID=cmmluc29lq9&msclkid=67edf1863f9a1916ce0e97c167daeb80
1⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:5580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6016

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:6416

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6832

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:8016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Indicator Removal

T1070

File Deletion

T1070.004

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\MXFXYGUK-MANUAL.txt
Filesize
8KB

MD5
ad3a189f12c4b6ef0532765ce0dccc89

SHA1
498ffc5bf039a494f2a928b3c1302f72238d8fb9

SHA256
184cb9e40a2c72bfce88226431b9c01ce2e3ca3aec1a4832e0dc0b947e11898b

SHA512
080c313c79c62f695e1a73d0e8b1f7449a744721fca019eaf54153e3a112aa6a17cf3bb6f0010b03e5b2d7ddf0c512c711930a7df05b67b8736cb6c2268d9623

Download Submit
C:\Config.Msi\e5b8e84.rbs
Filesize
99KB

MD5
15552b65d7cc8ce1221df9e18ceb2f00

SHA1
ff1a4eaf57a40e90cbe77452afe2be1dce55ce2e

SHA256
e22b518251992a4c9d3cea65ca07dde42672f681527210075422b2109ef92894

SHA512
13f4056181f7584f72ab41ee61b19673871de2c70b732ca1a8a8d60f343620d3a2288b951c39dafc4d6e241d29ca6c330e3e651ace8ac597318553deaedf500b

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\LicenseControllerImpl.dll
Filesize
4.8MB

MD5
0ea9e23809dada42b3fee0210d8c7907

SHA1
a468e990f09610226170edb07ae0e3839abff4e5

SHA256
60d1140904e0e8b19c1d2812fe80e3b7e2e071dd4a1b27647bc6dd94bdfa51bc

SHA512
b0d5e6f7e84f1209df2adbaa238e6497980a3a44a10de8b6dc38f81d84b8376b85e3582854cf4887d2459bb3590dd555e2f6cb7cdf3f0d43a4f4093175f4f2cb

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
Filesize
4.2MB

MD5
80202b21a6f3df9d0d54f20a381df93c

SHA1
6915dcc75d0b84e5db40656d6382cb217a1996c2

SHA256
4217a62ea3df3bd98e40d205b4fb5f9673c340c366551adb771ff3e34e7bdcfc

SHA512
8d691deae1f7c5243d045940f7f728a874e72550859b291119c9b951bd95232980dc2a1b3c19154c723c42e0aa93747a046f747bbc305941594477a39c2925f1

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\UpdateControllerImpl.dll
Filesize
4.3MB

MD5
6867cbf4557635aca16ac6fba455e82c

SHA1
41994b5169762474d9febff66ed3ece998f691ca

SHA256
26de9b9f28927dcc71c40ba623a77a7b47bace9d749d06a1b3e229e296513846

SHA512
24fd41344211e1c95c44a4338c33e0d6c734107757694e3b59773c574ac424cd030bf37fd08fec2824e3111a52c5288bf8dd8a8900457b8749246142d019de74

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\pkgvers.dat
Filesize
75B

MD5
1ffac4979a3e1b2c52767303620d27de

SHA1
99db0c7b2ca3fee9e218f3fdc918e93fde62ea45

SHA256
cacde245c1071473bcbc234b510eb14e561838057b9782043f4727e8ec744134

SHA512
934adca3dcfde3dff548af50f2926ac452b3c7e482f8f607c115c680427fd49183a342a177493f8d768c87e4bc0dc5c89f162d0e605e55273e8ceb77ed067769

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\clean.mbdb
Filesize
12KB

MD5
5a321d6d6fe0c4b1a0312451d7c509eb

SHA1
d9649c6a93c2a0a57617bcd09c99a85e77b2034d

SHA256
ae4953cd9c3084b33d9569251b564c5385fc68c423f2d22764d58a0b4f28f20b

SHA512
761f6da0171e5b3f91afd5183e65b567ba7965ea29ce56eccea5bf954ec7f5895f002a977fc54269f4a7a64b44fd71bb965fe2855229ac41ad8d41d092a7e11d

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbmanifest2.dat
Filesize
924B

MD5
80993a10626a00d98d62a6208553ee21

SHA1
7e515765361f9422ed13698e64f73cec7e05c11a

SHA256
2e6d974b2b88fad81e4646e7c0882ae90838c80252413a0085c210ffeb73d987

SHA512
752917ebca696065d591e7ea85f7be5e166e5750d2d78899d627820ebca26a0f5c8740fd2784730b0ab417e83d2713922001ec71474e0d80c7669f4dcc7d881c

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\mbdigsig2.dat
Filesize
514B

MD5
62b99fd278eeb2c732999a2796b3de8f

SHA1
967a4faf1b60d5072c3485e122cdb09d20693ff4

SHA256
d63d34451964be76bfbc58b109c266679c7ca57830559b214e1966d05e2b2a1e

SHA512
51a0f906f00c26dc4c9285881562e7c2ab58bc4dd0274782e049cf7befe9b52adb32ea0dc883ae916ed00c88ab92620f6ae65b19faa4ac70f1e176c0668a3cf8

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\prot.mbdb
Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rdefs.mbdb
Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\PROGRA~1\MALWAR~1\ANTI-M~1\mbtun\mbtun.cat
Filesize
10KB

MD5
8abff1fbf08d70c1681a9b20384dbbf9

SHA1
c9762e121e4f8a7ad931eee58ee60c8e9fc3ecb6

SHA256
9ceb410494b95397ec1f8fa505d071672bf61f81cc596b8eccd167a77893c658

SHA512
37998e0aee93ff47fe5b1636fce755966debe417a790e1aebd7674c86c1583feef04648a7bc79e4dedaabb731051f4f803932ac49ea0be05776c0f4d218b076f

Download Submit
C:\PROGRA~1\MALWAR~1\ANTI-M~1\mbtun\mbtun.sys
Filesize
107KB

MD5
83d4fba999eb8b34047c38fabef60243

SHA1
25731b57e9968282610f337bc6d769aa26af4938

SHA256
6903e60784b9fa5d8b417f93f19665c59946a4de099bd1011ab36271b267261c

SHA512
47faab5fff3e3e2d2aea0a425444aa2e215f1d5bf97edee2a3bb773468e1092919036bcd5002357594b62519bf3a8980749d8d0f6402de0e73c2125d26e78f1e

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
Filesize
9.6MB

MD5
a545b29abb9db951e9e2508a1bbc8d2a

SHA1
061494912b29c965638263b7321a54b9e0399417

SHA256
7607ca2abc8f5dfe7a100ccf73d885375ec599b0648ebd964ffb8bff39c821df

SHA512
e7e33f5e49570ea74d427e12c049a7f0f89f7e4d3c7c511f59170cfb166bb5dd49ebfaa5a968dfdc15758f3177d7d39beebce26e593629aa0eac630748b403f1

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
Filesize
2.9MB

MD5
46f875f1fe3d6063b390e3a170c90e50

SHA1
62b901749a6e3964040f9af5ddb9a684936f6c30

SHA256
1cf9d3512efffaa2290c105ac8b7534026604067c9b533e7b7df2e017569a4ec

SHA512
fdfb348061158f8133380e9a94215f4bfc0f6ce643a129d623cb8034c49144f1489de56cd076da645478506d9fbddc7590fe3d643622210084b15fdf0d16b557

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
Filesize
288KB

MD5
589a48dafeb9c78b9d8094ee4ac4b055

SHA1
0629e032dacc0335ba1e3061bf10eab93f3d624d

SHA256
c39ff9286ce4346089bbeae39afa198c032ff473b480760408ffaba11f63b08a

SHA512
2fc385198d654f2e6b4928a7292c5ee14e703b987711395a2a10afd05bb1cb09f79a212158e2869c94c83685efdc3fe9a60906407dfa5abe8dd38e0b45225659

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json
Filesize
621B

MD5
17d5b3b2d46ca63955b4a4beecfcf524

SHA1
3376bdc4641bd51d1da9179a6bc9f4a2296097b0

SHA256
a02812dea843f080b7b402e1c2f1b4668138ac6514cf72af6bfaad3f35939754

SHA512
742858c64964572b46501201db5db61c81a9dff0b73d1d3563adc9d61cc31b7ceaff6d8274b084662384b87ce9fcd770c837a5a8a15dbb30e55c145bfa0f895c

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json
Filesize
654B

MD5
68ff77a4e4c433dc3728e852ecdac9ca

SHA1
5952201efd22b73b54f2fc08f2de788aaeb31b5d

SHA256
6f436582cd9ee1639509d32e4febd979cd9d228627c2871980e0d1b0e77b23bb

SHA512
701143c8e5d244ee08943cca67a645a02511723738986dae1182c654d3e2df5c20ea33dce80dc623e012f077211d3687029a3419597bfcc66d05ac2ed1d3dcd7

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.dat
Filesize
8B

MD5
17412178172b24c5e570f6f13c42f4c0

SHA1
f0aac01bdd57f034d9cda7dbec9dd97c0dcb81eb

SHA256
2f2bb8b0a74e9049f4ee9dd039d81bc853fa8db3f311a799032f002b9cc1de41

SHA512
3b9808f22e3455505da42b26d3c0c0d56cbac41fd0d2076c3363273d9e77064047d8fc7b969612a5f5c78e0588f510ddd5b2173be224b1b5eedc5e51e9e5a92e

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mb5uns.exe
Filesize
3.8MB

MD5
eaac9032a5151ea0d7b74ae4bab32b35

SHA1
f2c1f886868f6b9f78aeda8cf95df5051239c1ef

SHA256
807379fdd7315c29bc1e96ed224285ac5ae0226bdfa5318642eaed6bb0ca3191

SHA512
91fc6c387ee270372c401aa27aa399c5f6091dbcf1e94058c88e5edb473a7876c9de632cff5a4d6479a2a9bdcfb499c8ac6cdd3bd954b04db89685ccde0661db

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll
Filesize
2.7MB

MD5
b7e5071b317550d93258f7e1e13e7b6f

SHA1
2d08d78a5c29cf724bc523530d1a9014642bbc60

SHA256
467de01d7cee7ec54166b80658ff22f9feebdb1c24eaf1629cf40e4124508064

SHA512
9c35293c95c1a9141740ac99315605964aa37c4a42d3a11cae9e5649ff1427a9480d3d5e7f763212cf13db3511c5ea3c84e68f95f0067fe6339a9d3fb7b27c54

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbtun.dll
Filesize
2.8MB

MD5
2bbf63f1dab335f5caf431dbd4f38494

SHA1
90f1d818ac8a4881bf770c1ff474f35cdaa4fcd0

SHA256
f21a980316bd4c57c70e00840ab76d9ad412092d7d2d6a2cff4f1311f7c05364

SHA512
ebb9834323329dc01ba2c87e5fad1083a4cb86f5ed761cb63299ac5336a9843a1aadd42fbed706797c2295117af1c00f96806422338352653c8e0255fecc2fd5

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf
Filesize
1KB

MD5
5d1917024b228efbeab3c696e663873e

SHA1
cec5e88c2481d323ec366c18024d61a117f01b21

SHA256
4a350fc20834a579c5a58352b7a3aa02a454abbbd9eecd3cd6d2a14864a49cd8

SHA512
14b345f03284b8c1d97219e3dd1a3910c1e453f93f51753f417e643f50922e55c0e23aab1d437300e6c196c7017d7b7538de4850df74b3599e90f3941b40ab4a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll
Filesize
114KB

MD5
f782f049b0e8c13b21f8e10e705bd7e5

SHA1
5c11f955e3983c50ea46b5d432c97c9148ac8e9f

SHA256
16c450a310edbea07f578f31368f168ec338011cd117406898593e86ebb83dae

SHA512
eed29c42b14ff26a030f53d61d6dc8e3971e478dc7646b26189f14f16699b6bedc170c4bcc37efe2e8f3048bde37480033b49eaf1a4712b88464f5da0efc18f2

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.cat
Filesize
11KB

MD5
cffd7ecf8765733aa7a2c36ca5f1eac0

SHA1
549b0974cf92676a7589466a3ee29e1dd45afa6d

SHA256
89c561a58d649d5f29fe1c576ca46245780369845df32045a64739b4056d8bb3

SHA512
47006f07c3270f358ce67c235739ebaa17b8fbd9a05da9f05a079322a003f8e6d704d3c5353e1a186df74b1bd6438526f6701a0c173563d676846c0f0f230be6

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.inf
Filesize
2KB

MD5
358bb9bf66f2e514310dc22e4e3a4dc5

SHA1
87bfc1398e6756273eee909a0dfb4ef18b38d17c

SHA256
ff51780a5a854b2c18f71ae426cb066a13723ef6155e24f4910137c9e8dfdc17

SHA512
301ec5ec5c0813951843011f2204924240235494999136ea30a557cbf58146fc6043a8866b344fa7deb927d7c83d44e2aaf45adca7d221aba5d36715b9a63e09

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.sys
Filesize
196KB

MD5
9c4bec17ba2add58348045dbc762ab67

SHA1
b00ed0ca3634a93a23f70e79bda67c945dc915b6

SHA256
9c3b11ba1d4e462d9470fa0b50a61fde9f00cf4adfafd8e8b19f1e8af369cdd6

SHA512
6aab0e3d3c189c18ea6540d1736b64a518958c62e1cb0a2874826f6cfd76e3a06fdbd28ae0b81e2fc8fc20601d00d804d86fe9887ab6919dd8090a696fb52b31

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.tmf
Filesize
63KB

MD5
05486a31377c07a62cbd8ecb63b2ea81

SHA1
15503875354b6686e9a9ca7a6bc333fad33407ed

SHA256
d1da47e79e90130249e75cb40f41210256f90bf56d6036e0e75bdf3bdee611a2

SHA512
e1bd08bfdfaa9dfb128cd85ac0a2950747e6d18bb24aebc78919a180994e333773d0d30b958b00804c4af535b443be1ac28d6c3237256eba62d3c0812009c975

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.cat
Filesize
11KB

MD5
aef40e9e7ca500f8d23f53a9b7b4fd1f

SHA1
9d6c9f4c18b6d57e43f26bb2593c11264a1eaa41

SHA256
8e66264dc7478e517b72af31ca7a308be15ce7dc9060e5f0488fb186ab1220b3

SHA512
f6857b87a244dd68ac14016bd6e25e31d45b1b00fcbe70129dccd33ab8db1d01d4c31651f5f7c08d237c76c0291a35e262fc7c25670ac11166354841272e1277

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.inf
Filesize
3KB

MD5
5a9717e1385703e8f06b27aa10a69e87

SHA1
84ee67a9167b5eb6560711b9871de98898ad07a5

SHA256
47b7c516bb57c612de19f0ca865590af95b6e32bf873a0fef9e011b2c5b483d4

SHA512
dd3c7278c2c11ad15a55fae6d19b96dadd92f85b7f0c8ce934298258af00bb5c052a84a98499b8867b0f43704fb307c67d03692ca69dda4d814c6c17dd73df44

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.sys
Filesize
217KB

MD5
ef356c49f9dbbfa13365a3fda7dfdaa2

SHA1
ac5286b5570b83b733f5833e92a220e2ceb0ef7c

SHA256
a507ab3164163a52c2039a02a1f5b7ab55fc120b1c1aa73930184086bcc5597b

SHA512
d2d88333f367d0ccefca84b4a24185dea257b30a15c28ed26b00f04ac90b3b2c4e4c5c42e4bdb97e07895c4a5f3d38786fe811d3eb04bc10a1a4b7a55795d8f5

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat
Filesize
9B

MD5
35c919c92586d90651a5183e962c4a5a

SHA1
48653cfa8c7a378f7226b3cc55052af55091f5c0

SHA256
69cbe3b65794fd3ddb7e49ce394a6ce5ec8d8512d4a5932f24417c4c7b61e1fb

SHA512
ea1159f582119a37dc4f3408028a00886bb4760cc5c3b51da53f186cec81ac2aba35ccf24bb2d35aee6effcf787f548583bb41977827c3ef0987a9daabb2e9c8

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\version.dat
Filesize
47B

MD5
886beaa0db09da25971bb993e5a7087a

SHA1
af9cda22380fbbeab52c31fba050637869cde5ce

SHA256
a982945d0cf6e504ccf3580a697a09e8c116ff7fc630a4cc352300b30de0e716

SHA512
5caf543de76dcbb4b467c03e1b45d4478b227583809f35ed5a1d8cec391fb98d51eb7d5967d3021a88c4f386b7e491825da2dd5d3f2dc51127861afb7f49b0c6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\AMECls
Filesize
587KB

MD5
08b19bcd079a74af5e7e5158a93b1aa6

SHA1
bd8c4bcf450eb7905885da09c02a0b80deef0574

SHA256
24ad5c392aecea375f91eb394eddfc837ee0b26d5b53d7c769eb000fafccbdf3

SHA512
36ab2e07ac082f2ff26aac29968d3814a475df206f92377e37192738c392937e69bec749730794a96dc808130943a58864af8222cfd23f536ba83f02008753fd

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\AMECls
Filesize
978KB

MD5
f540874ba5923caf954eec2e558a6f3a

SHA1
5ef40395a94b8db3f58c4a4eb0ae9c52013635bf

SHA256
320603a950d917bd2da56575adb96c06c930e63ba5163434141810c17adc633c

SHA512
844cd80a14963f40e9bda585c2f0f0f59395fa3cf56b083e4ecf53985a465a6f472d7f98e15cb03c12d5c96b4610d3e6b42389110f29423905f9a936c0e8be5b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ARW\ARWFI.dat
Filesize
8KB

MD5
2582af06fa8a623c8f0e28303b5f51cb

SHA1
c1c3d35fcfe965539cd3939b4b965b46ee45ac34

SHA256
b90c66cec3e684dbfec8ea1f33d97e7231198c5081a6419e648b50d67ffd2cbb

SHA512
13dac86d4e7dd172fc2a369c599dc0eb094ed704558523d47f9419cce8c8eeaefe49523b12f4d7c766568e062033b065c9ab18bd4527a36fba040f3906a786d5

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ARW\mbarwind.arw
Filesize
1KB

MD5
31f4ed6c2077a6712cfc2b27762b580b

SHA1
57c68266fc9b49c5d7dc62a15eb6636befcbc84b

SHA256
1ca6574269eb2e6daa059cec58c5e999fc6345bb8a93a7b3e22fefd34a7ea8b3

SHA512
13d9727a694c88fde149517beb4d16938f328486065b9d491151b06855312cd0b5deda67a2ee4ba85280d19d7d6b648bf0b6ffd3ed9cb346ba9ed0cfe9ceeed6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\BlitzCache
Filesize
259B

MD5
b5b7e6671a2d353c11f1a5e7147ff775

SHA1
d3b25e97260285508a9a45b224996943222c4bb1

SHA256
9369e71feb4d28727f1796dfcf3ccb822a5448eb446d1f1f60c0e5be16996582

SHA512
2896cff9284fb8bba681c02af653ef72de54e1cd214f9bc66a0575e99e2a36fabc482a087a25966d7bc1b98f426708d6137197754f534bca1bf37aee7a39cbcf

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\DDSCls
Filesize
46KB

MD5
25f9984870328771801dacbcdcbf7514

SHA1
d04cedc7332bba106f9ef98edc343f400a3384e8

SHA256
d47feef4576bb2233321a49a7b129b9606999935b33809686669c3fddc504a51

SHA512
384143676e7cd75c70a82a67284e1853e6e437d00adb2b22d3d786f36056a0c00fa1e83e687d6ecb6af400a9d025a32dec72ccacea5600ebdebfa7d67aa0aafb

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\DDSCls
Filesize
333KB

MD5
d624f5eb974ef9da0e0b1d8a5a0de1e2

SHA1
459d8b9b689b70ad5d6c6ee35a95c0460da27cdd

SHA256
6dcfba91acf61a3f047fd45e393ecfcf0d69f2d6a426aeed77e0be3653418adf

SHA512
66b6c6c83f9361a7d28ef2d57480a602914737be12a48882715714782256aad79bfcb8fb284702a1aa71f253476350d1c29edcf2157de88de5941e23240ba845

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\LOGS\mbae-default.log
Filesize
1KB

MD5
b8d36b95073e8186ed1908e9a9fff635

SHA1
7ade9c12b8ad090950da5bfa388cb5c09aea984f

SHA256
67201ad018dfa5c5e655082979c03994f0904aac0900d0a234675357560d5255

SHA512
bc3334c356c40d26ca670f2a5eac459347d5adf76686811842daad6bb5f3f7d994f605456cb1bf9b9e2ea0bc3c73b498845473df1ad039ffcda3c05694ab6aa2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\2c6f21a6-1451-11ef-b831-fe55e2f65ccf.data
Filesize
2KB

MD5
cb5ee90847d155cfafe1df0f6a023189

SHA1
3e6a5485402afba5287a1cdb46382deab45a28bd

SHA256
ea4691b6c968b31a2457dcf9774d687b683cf86baa87b42e5afdacfba37353f6

SHA512
a95c4b149561acc3919089f5b28031b7f575750baaa03ce105e6c684cb6d5255cbaace7231798b766d033d6b3d6ac41c55b86d75fea010b4a2e0c08b6227f01b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\3a5d117a-1450-11ef-99f1-fe55e2f65ccf.data
Filesize
2KB

MD5
6a0d99ac73a04eaf6d863534a8330f4a

SHA1
2a6f313ca792e773899420ea69a6f7186fb69685

SHA256
5e43a44b7879c8af6a7010956294f4786cef1a1860765c5391adada1df748bf4

SHA512
81f73e3a08ddc6835744936f20d7ffbb01cdc45347bdf4d9599cf4c51fd7b3f12950c33da214f95849ef54bc2db842ef948ad4ed8ca3b7e551f4e6c0f60786db

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\3a5d117a-1450-11ef-99f1-fe55e2f65ccf.quar
Filesize
68KB

MD5
185ce8d771748a5bf9ab2d1d0d06b2d2

SHA1
1fb8fd4da8127d1bc85c48b0f5099325e880c28f

SHA256
909955b7f012f18559a4df1f7fc936052f1ddd2e7734c4504a2d748561aeb125

SHA512
40db5829c89a31422b7824cee44d6084399b8406a75e754b4a72ba1f9783d0bdcb8c8f45b101f3829d707a13c4674e2707cae3e135a9d0b30911476288c3c618

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\431ff4ee-1450-11ef-afaf-fe55e2f65ccf.data
Filesize
2KB

MD5
152ea3edfead8314fcd43e59ba39bc90

SHA1
a2f970c73fdd47572aeb754b461839ffd3174e40

SHA256
a9c73f5f54adfe52bff6a1e8accc51be44941ba053e36e6abfd4f328fa5eabfe

SHA512
5801fec1416a227a64f124ba445fa569449c1edf201d456bf9c0937c56d1e3cc673ac606161bd24731fc116bdb20bb93c9b55a20e26bc303e353e63bbfda1012

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\5214b125-1450-11ef-bc23-fe55e2f65ccf.data
Filesize
2KB

MD5
b46e9ab11b38b006e5708b45d30ad1c6

SHA1
f4ce9c1867b0535c3c56701dc44ae67dfe448ed6

SHA256
1040b1e705f7597431c3c21560c0a59e5856d7bd5c9b413dd9cb0a7216d09a78

SHA512
c8f8c4821ece57029ea8ce9bdca7e51698f6deec2a2f4c08e554245031689a49186e86d608535859d642d6f9be3ff3e0a9873452cf15600e0259770e69aa431b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\522468b4-1450-11ef-9877-fe55e2f65ccf.data
Filesize
2KB

MD5
930335656f30595da87a038c7498c9c0

SHA1
db02342be92e1acbbc2061ac53484c8ca34bd8f1

SHA256
810db8dd5c9b5ba6f5f835c7b111dfaa45040a6bff096c50d4dcabb883c5b890

SHA512
721105d351fb7080604d0fdf5671cc9a91e553ad1ce6d54a987789307247d78dbfd461ab1081334ee2ca5f226bb31a9c6917ed272fc487a8fca07f7f5e805c5f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\522468b4-1450-11ef-9877-fe55e2f65ccf.quar
Filesize
8KB

MD5
7e6bd1f0ae9c0536fa6d5e40b521114a

SHA1
c085869f018c4b60f4a6803d72d55837ce733f67

SHA256
5b831d7bf141c2ed6bf9d2f3590043c46bab15302abf7f39103516e9eeabd4b7

SHA512
aaa51be385d757541974e5b1acfaea77b2b3dc0ce0f976fc4c4a26ae697e9f2eb64c4e1bdfad99ea3da80b1023620e3348799615506d1d504d905990caa51be9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\5224b6e8-1450-11ef-ae70-fe55e2f65ccf.data
Filesize
2KB

MD5
9fea98d9ca32566c4a2eaba66f02b654

SHA1
272e8d45dde0aea30c7a10ea269eafd49a9ed3f3

SHA256
6536eba2007de7c53cbd1ccca8636584485b6e73817b7865f34274010de989e4

SHA512
f2c10f9031e6e3d5cf1d59afe834cda6c4f72be8d3c661ec71e07cb3d6dc279862aa72af1e30b23dbdc1d6431321197296dc475f2a0107cfd926618839c1794f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\5224b6e8-1450-11ef-ae70-fe55e2f65ccf.quar
Filesize
8KB

MD5
b4312fa0deaea1e368a32c591d9b8a24

SHA1
8dcd1193941f129880fcb8d7a025bf78313b4c90

SHA256
eb2ac5f1bb28945ecd28317a4e7893537a293a35e742fe1118db403afc70fb29

SHA512
90160ec78583bdcfb081161485a0de405fdb97af16ad60b7d4816bbf08707bfc0ddead6159643aefa1cccf95cf1854d299d6e3f027e64844efdf41e331a9b8c4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\5224b6e9-1450-11ef-b874-fe55e2f65ccf.data
Filesize
2KB

MD5
71e02e45147b855a1ecef42d78d511a5

SHA1
fe3f1f7b19c62ebfc0c17bedabd49487503b7bdd

SHA256
cd58938b7d44744efcca6bcbe7bbbabf89dd1946318b90b99f9bbc27e302fbd1

SHA512
436f9802bbdf677d245f0170e410c21b6317fcea677bfc7bed342353a9de34c0de2e4796eb2fa4d8264f448bfc491d7b2ce07d16cd1daa95b630fb302d019bc9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\5224b6e9-1450-11ef-b874-fe55e2f65ccf.quar
Filesize
8KB

MD5
b53d6aff74f8589ebcb849e42188f4a3

SHA1
86b4e8312f4dca716c44c9baa71cd608c9e109ad

SHA256
a9574b0ea39e7687ca49fe399726f4ac5486b221d6bf0082041b2e90ee77ae57

SHA512
6da948fea9fc562e46fcc11d8ed76b888f9dd7d189d76bbe904a7b9bf92f3e48061899415bd50fac9b84822d713581f8ad40bf2ba753f1db2c9832148550f531

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\525e3d26-1450-11ef-92c6-fe55e2f65ccf.data
Filesize
2KB

MD5
86b3e5743b782ea2ee14bf1f4e7af753

SHA1
583a1f80443c8ece073b8285e75858ffa5461eea

SHA256
13cef779d437a47647fde8eb008d8e210d7742293eb76c013d9da35653f6f62d

SHA512
36220bdfce5ef6725ab4637eb9fac98d8bf1f58f0cb28329f58940a4fbeaac4915611bb90f070ab499cbb2dc5eed510a45704d882ac3997bcc1e4120e0083f96

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\525f2772-1450-11ef-83b8-fe55e2f65ccf.data
Filesize
2KB

MD5
211e358a586ae87f0785e19f331de0e3

SHA1
bdfa15e7bbb08cd667b8a1d818a3b2a83e541494

SHA256
20d55be38c1427da2c54922664014ad063912851ad7871710cfa2a1c212b593d

SHA512
c2f92db504897556efdfd7c3f45b1a03f0e5cd3a0f0e252c055843166df3db31919f79c8a40f9158fa2c03151c6418385e2d636a4725cbdf99e48fbe62258fc5

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\5269882a-1450-11ef-9980-fe55e2f65ccf.data
Filesize
2KB

MD5
de77441af4436c2f99e08b4a717003bf

SHA1
d6dad1f57eae936ee9d55dbe11b9b7715d187528

SHA256
11b27e2316bddfbf06612c5f8f6279a081e49fe988b0d025e2db24ba89cd9948

SHA512
bc503a4cce328508f8c002af72f16c390f668ee8d6035c9726fa8d1e74de7614044d2015e40fb70b5079e35c600b831bcce06d297fc45b1cecb0021141458f03

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\5df24236-1450-11ef-8939-fe55e2f65ccf.data
Filesize
2KB

MD5
46b0530f5a06fd8c1afb8b9dc11b178e

SHA1
eaa20a1138272c9a6b6584d920715b929d1d1c2b

SHA256
cf2be3f7d9128f27c6dcb7409a21753df1113a8468164e33c9ab997786cd4b0e

SHA512
b42053dab922d833185c23e25eb09fae72e8588baca4b250e11648a828cc46a5c0baddfab9f11a5468d13e137a0be317967b81388bcced21f99753df59a5c5a3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\5df24236-1450-11ef-8939-fe55e2f65ccf.quar
Filesize
2.4MB

MD5
a7fc61ca44bd09ed3b1c961d6051d35a

SHA1
2c8498b5345b28b3127c07c7b55568d1182509ed

SHA256
0848a4b4fe8a4889811934b092cb4d51b77f3ed0b0090e8d759536e588979911

SHA512
3f45cf23386b0a044a6398cf7543e7ea0d7b5fa11a0a2dd75704f623d0cad888f7f264996728530552f03596a59a9601cf601d8a2c649cf912f24671b2a97a67

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\7898ecca-1450-11ef-8a68-fe55e2f65ccf.data
Filesize
2KB

MD5
54f367d76cbcbb2304b6f5eb3a5894de

SHA1
6b9c9b36ff3e5a7d32d1730dbbc0beb67fc242cf

SHA256
5320514767eecb3aa4f09d89a7855efc6c28f1d34e2ad54a4a58c50f0ad5fa8f

SHA512
c72c81e8c6608a1589f218cea67ef07fc8dd7be2a3de2d7714c918d69ec6a2a5683a2ddaa6fbb97fbed0cb5ef136a3d63bdd3719654d8e5aa12b2ab4b3a267dd

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\7898ecca-1450-11ef-8a68-fe55e2f65ccf.quar
Filesize
414KB

MD5
fc885eb63b1c9c21bb8c6f0bef610c0b

SHA1
064238dd71b4ef4a81d1bf3c83bf1c2b49908fd5

SHA256
a7ae935a70d8251bd8d9c7ad9157fa94aaf12a845d5314f5ae482b41b6ab3332

SHA512
7ca635373aae191cff3b1def1cbf920b32ff9592b7fcb5590c2af38aa5381103de6d98b33a4ff7e24abacbb2389e4bd3f9b6ac643f1e5b44d15d7078c692a240

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\91483226-1450-11ef-baad-fe55e2f65ccf.data
Filesize
2KB

MD5
28b6f95356cefb2c67ef20c3dd8b7e38

SHA1
3554d99682b3a0921cc2ffe6e2b562d8f7e89b8b

SHA256
bbdc5f3fbda249e50d27fb47243a6589edfa8c0374976295c6d85edf1a29c5fe

SHA512
359a5482817e9ceefae23f528daa08c7b6f6565a0309e21b6a85f43357992dae2cee0878880ce553503011c6bd1d75a63559ffa007f7623398fd07ede2b8b530

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\9e9a2816-1451-11ef-95ef-fe55e2f65ccf.quar
Filesize
666KB

MD5
b05cb8f04eaa26d31556309639c39360

SHA1
155c669d66f9d695c78dd4cd33e97f3ecd56e3a3

SHA256
e80764d442790e8ed810292924c66ab333027a1872a0cc7030eaa54a4c9fbf17

SHA512
662304592b4ce7342702a5c76f62af2f9258c10c28c6f395794e1a41ac482287fc49eb0a37a1bd575f9f5bf69e9f0f263aee6c6349caf2c0bc52aa5ca6c5e36e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\9ebbe08c-1451-11ef-befa-fe55e2f65ccf.data
Filesize
2KB

MD5
ea3a8252f66645b26cce0712cd563dc1

SHA1
42c4d623fcf61744e3a6aad7dbfe3e0faaacc256

SHA256
678b540408f60da2d66e977b70ea336a42ea18e0e77b67806e78eb3ed0d071c7

SHA512
d7d5deedf32e35b4a1192865ea224447c94d329b80f84315420aea9e4db14ec84275c5d4788b074b967a51fc5a93ff5e2f16e82aa7328ad0da090f0875bca29f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\9ec185dc-1451-11ef-ab0b-fe55e2f65ccf.data
Filesize
2KB

MD5
6a8683bac40880fbebec0709e516d424

SHA1
a55b54bed2ab33c8af1569a838db6ae118d1db36

SHA256
b63ad3053c1dbd23c6e3dd01e7325fd9949d2b77b8416fda7819682a5f6a3745

SHA512
47cccb258299421f1fb1f8395a65aff72b62d49d445af2b77229fc57b1d880530562b62dce941cce5a0d74b6c99c58d36cd8508d2b0eb2c8ace20a79cb5cf56d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\9ec90014-1451-11ef-ae80-fe55e2f65ccf.data
Filesize
2KB

MD5
d425617e130a4754de41533a011ed96c

SHA1
ee801fb347179fb98f3c29ff398bae4349b8a8c1

SHA256
532e1f27469d4cc4fafcee47b17d2e0af428ddd6aaf3c534cc11060c96fe13c9

SHA512
61b23a414dc28678e8df1c8f38a294f32e8d8b375d4fed1e040615b4d37f0ff32008867f11a58bd9405494e40b520b6d7ee17bba0fe7df6c90221bd9b411e87e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\e4611586-1450-11ef-9fc6-fe55e2f65ccf.data
Filesize
2KB

MD5
500a25c2e2d9b295d17658675596e729

SHA1
f60677ce568c65b3f37940fd11ab87adbd1722b9

SHA256
d968233953ce2e6e9405d8df1e799af0e5341048f44c1331b5dca1cd1ec32c2c

SHA512
6d06edcb205a96f0279a98ae0d36205220b6ab25c625d5d00309bda3305cd159d4a52523ae4ff820e5f08b6e7de3f957b20f2545f5b4e2b6708ae77c8412880d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\f092cc60-144f-11ef-bc9a-fe55e2f65ccf.data
Filesize
2KB

MD5
a3d0547d081f9407d5cf9ee363718231

SHA1
a1f16df6441ba1f12c2d257109d85cb4fc8bc896

SHA256
99db6118491389265cdd728ca8494c1ff77e5c5604de1fb9455bf30065728a99

SHA512
e880a7b117fb9b108101d4af0b929d07d09d0114d08adfbe4fb9bf134028cb63933fe826abf7b9faca2d0a5d470d3256e71dd3e0287798e08d7d94dfffe892db

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\0a055086-1451-11ef-9283-fe55e2f65ccf.json
Filesize
5KB

MD5
ceca07b74f21c280f8f2e565e8c1d108

SHA1
cc4c98da1cc24d07ad717cced803afffa8da7a37

SHA256
68091eb0b1669150bb065aa5441b4e68d085de91636cab808f84169f9e6c109f

SHA512
fdad464fe36038bbea255e6bdea34eb7416b25cbd015399cf7eec9c3cf9d67c5070d62cd5d9bddb4963b8192860f00da2467c9861df8e8514fa96368f4daf89d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\0a055086-1451-11ef-9283-fe55e2f65ccf.json
Filesize
5KB

MD5
e1884976b03ee0dc8ea1a813218b3e62

SHA1
9228ea31e6f9d546a09187040c425f342e8685fc

SHA256
ee4e4c20780c0e44fcccb49771d73a9a3af69d85e3fc12ef6a0c0e46a53487eb

SHA512
b8b180eae35c123dae08e847f92791124a1b464bd8fa4488a1b871a440a1247dc17b138465a9113e65e1a1aab5286c8d48d0b033de4982c67e4368beb4e623ae

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\39846550-1450-11ef-a443-fe55e2f65ccf.json
Filesize
5KB

MD5
5d476d5d095fd84c2baa91b174f87ec7

SHA1
6b6a1a7c708c685f45590b1a0d18a0c3d710a0fa

SHA256
4db45add2b90dbe6092bb8c5170f4f40f701cde29c2b4500a12ca15c473e1f3a

SHA512
38af2c646505adc7231a23448422791d358f766c8aa25f608c57b5ce15add059070fdc10212a555f253bbb6cfe410a5669038c716ea70eb12153e245fbc27b87

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\39846550-1450-11ef-a443-fe55e2f65ccf.json
Filesize
5KB

MD5
06db3c72d261ef5e705730c548baa810

SHA1
5443227c6ae35e9779235a30cacda5ad082f55ef

SHA256
3e701074c67cb1dab37aef76f21059b288575a64f8fb24f2c9cb4d353076df15

SHA512
67e8c8a36ba0907e6131e73dc26e58e5c1328402ab1e69f4297e9fd4fbc1b66c178e0300c669dc2fb2170dbdf67ac35e7de23f887a49f1bdcb41c0fbceaa92bd

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\421032a8-1450-11ef-8211-fe55e2f65ccf.json
Filesize
37KB

MD5
3b1b7f1028aafe1ebbdecaaa3765e4c5

SHA1
d4e980ae0234447330ee7fc2fec21011d02acf1c

SHA256
0d494b8a75b6e0b23bda5ee88853dc7cfed55895c853ed6329eb7af20eb5a78a

SHA512
fa03e15da0c08f8f2068d61c8f8eb2e81490106fd92cc72233d5e41a5dd68e0842968976e3422acce007dd0e89ef8a529ea6fe59bb3907004c8003f3a2959e35

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\421032a8-1450-11ef-8211-fe55e2f65ccf.json
Filesize
37KB

MD5
8ed52ea87933e85bb63a21b6e6b3dd35

SHA1
c62bf48b3d8b023e3e9dd6d66318fb2d5fd3bb11

SHA256
89038b439cddc698cbbaab2f7d8890f5a1a99d4a6d22bd7f7c195952e716d98f

SHA512
909275091266afb6b295483727cd150e73653bbe4e9fa7c957cff996c7461578026f21c7241412258166851b169f303be7a94526c44051d4b0f7a0c7c6ac16c0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\482c6ab6-1451-11ef-b6ed-fe55e2f65ccf.json
Filesize
11KB

MD5
5dde268eed3c5d3bfceaed07362188de

SHA1
f8229e859c4436b0d01d5bcd14b5c19f1168d6de

SHA256
dc3c407b24c7e4c6c2bbacfeb62d11a05410b5b94acbdfab8ffc20580a27ba2b

SHA512
193a3f02a5fa92e6930caaa9504aae51916d7bc96ba038549bbba5f60f1e157ad79ee16addb4e8ed548498f295f5d934675c50dc667dfeab28aab16bc6453d7e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\482c6ab6-1451-11ef-b6ed-fe55e2f65ccf.json
Filesize
11KB

MD5
2eaff7da75b1345bebee9996d72a7608

SHA1
2c916a20dc6b49447f013565da029ac63724fac2

SHA256
f56006b5c1b753002f4093265967efab0adb17964836511cdd286fc3fcbcfb28

SHA512
40466a9f49aa638763950984143eebed792b8b470e8176906c6aec38eb9874b18c1ab726ebeb1587c0c686ca7d20509946dd581624fdf803f031c8aba7a3a9f5

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\57f8c23c-1451-11ef-8b35-fe55e2f65ccf.json
Filesize
15KB

MD5
075a0508c23ea9c23187729757684049

SHA1
7a335036c5fecb6e1f1d0d83f478183d16fb36ad

SHA256
dc8cae9b3fcec27f8e9d4080d70541feac01501ba36ceb3264eca76daa07b91e

SHA512
a20f7c056a131a673a71062f2725c9dce42d696c7d66493a13007823056a25eb2cba6e1d54cb464909164925b16de6e3e80e3721208f4ce4ce35f461ae2fe351

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\77a1e218-1450-11ef-88ef-fe55e2f65ccf.json
Filesize
5KB

MD5
a11ffcb8a15dec2884db560a8806d10d

SHA1
c369a1f2d5afd3b00d9696469bf34d5c23692898

SHA256
8f78197a4cc495e336b2b0dbfe4ec7920a16b8feae02b2dc31ccf51f8b49d02b

SHA512
b7f1337ac1054404c89c6f701322810b1300e38f3c1aed5b7a04be69c9c22815a69e1d1a792339da00cc09fe1b4de3c7c4c509b83af3be1e074e94e601854002

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\77a1e218-1450-11ef-88ef-fe55e2f65ccf.json
Filesize
5KB

MD5
1f2ff18ba500545426cc4a4f8e471768

SHA1
42306bf08ca95b4d35f85d006170d78d9bf7f036

SHA256
c9937358ca702d8855b3c5c6785a1e75955b3f1c0635a6896539208160055671

SHA512
54a8fecf09519207417a635a8ccc9ec75caf39f92f20e49d083b8735009ceea8ac77f72b626ff5e53b712521bdc64218f078bfa4e0fdb776cfc6499850151b23

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\8f1a2f0e-1450-11ef-bc02-fe55e2f65ccf.json
Filesize
5KB

MD5
5cebf5d106b9c905ccd68cc788556bf3

SHA1
897a4b9baa8060e12bfd850ae65cf69bafe05265

SHA256
1f10986fb35019768a099bc694fd8e454ddaa050ecb7da4a263d99cfa2bcafc9

SHA512
84965ed9a3fb5adc070eca6a3cdd09d28197c19493dcf8d6e643b6d432a9e69feb8d4daf2eac306e1614861c28ac1c717b4947a64a63ddecf665262c49380a93

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\8f1a2f0e-1450-11ef-bc02-fe55e2f65ccf.json
Filesize
5KB

MD5
a16d0e9d1979679775cfb2a34e85cf6a

SHA1
75fc1a1e90b83c2eef80133951c22dc8406cc4d4

SHA256
a2a1cecdce851fb2b5167dad69c312586ae1d7d1d89c9d801d87d8eac90ee1d4

SHA512
76b57f7c04ebf2772f59ab2fbbdd72be155a01391a2e931764676958da8b5c20dcabfce026f3e0edcff01bcf5c20856fa8a3114481f666a2305392225824b2d9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\989aa01c-1451-11ef-9be5-fe55e2f65ccf.json
Filesize
19KB

MD5
b5e7da89333442733282c59236fceeff

SHA1
76e579c9473a95c5fb7ca1ef36c1dbef6f9054c2

SHA256
87f5515c2a350acf64483c6caf6e02910f18c9a2f51a2486302aeb34c815625c

SHA512
f840806550e0d0d1239245425528265a3439eea539278874c6d5b72cc1013138ef58c5a3580b747101f4b68da2cc5a7d9e9413e8c58a19d8ab8f37fe08b7f051

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\d5842b44-144f-11ef-bde4-fe55e2f65ccf.json
Filesize
5KB

MD5
dbb1b4bdd1a9870f42f28b8625be8cc5

SHA1
0d42ed685b10b1bf25f792a8ed07b7ebaf41b310

SHA256
54afd266c68a1dd7041ec6ab0c89a66dd4c28a7584a8d8b073931411b860c314

SHA512
b4042be276ddc15db9a6cd9966b699283169a7b77da44564aa015d53debfcd71e12ec09dbe6e4701ba14589259e649f690920ab0ab69bc773d0759297256fae0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\e36db5da-1450-11ef-820a-fe55e2f65ccf.json
Filesize
5KB

MD5
0807ee3bdf480f526c84177123625a13

SHA1
9544f5d5b8dc09fc23f56d1254bb83812977ee7e

SHA256
a3c30ac301f31cc348d538195fc97e0cd8f354dd1adb10b9ff16547e864c1e2a

SHA512
37012442148b030228683cf5682519417cfeb16590b0a1b07984d8041efa02fd65cbe8f53bb49b0661f10dd24680ba6297da3c6c519a786995765da908f6c14a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\e36db5da-1450-11ef-820a-fe55e2f65ccf.json
Filesize
5KB

MD5
fae8b8adfd5897baf7d390c03ed12232

SHA1
37c7d48baf0710712ac82968ca48ab38fa7e37ec

SHA256
a8e726866d5c52c93cd06135292cae1f7973ac2f9aea7a4c3cc5c0767e418076

SHA512
4c3edcdc8d94dc70c78dc7ab8a8446502a5c3d18a4c37425db6caaf5673884cafa8232d319de532261d784f4fa2332697cde249608a973bae6da95c3e20f09a0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\ef8aa9e6-144f-11ef-b681-fe55e2f65ccf.json
Filesize
5KB

MD5
eb44993c23d86eb2cf0c75f9ee4f8441

SHA1
50bf929969a50858661fde3700758cf806858c78

SHA256
d6d4afebbeef28d94e8397b4c7e723b0249309d2e8c53124dd707d9cff8c4ff8

SHA512
33c05f6f840ff6054fe5e5d9d2eda583ba50e4911961ae9368d3835ca535ea2508ecb3deb9f983a35786e3ae9c68edfa93baabe93606b74cb5082f3c5e68058b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\ef8aa9e6-144f-11ef-b681-fe55e2f65ccf.json
Filesize
5KB

MD5
a37f252b3c04cc8289bd5b4ad95be5c9

SHA1
03ae364c77f0622ee6877605de5d6518077a8981

SHA256
214c59edd0361e8ea8bc32915c060535a5c8bd1fcc3e23bfc5797bbb4dfdbdfe

SHA512
97d5d26414f2160a3993d4e7c147c7ec61be924f0cd74b5a27cea586dfc26791ac31a323547a606a18ca2f2d044bd0ca96a460859aed3f7b04d2c1b179ff8b26

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
1KB

MD5
e78ffedf21cf8bd735528c0f6a0b210c

SHA1
419c90ee0ab3a3616cedcf11d0cfcc4ca46efaa5

SHA256
6eb20e4d2e4b2c8defb8ab2921e692bc9fdb8d0e0d28e6d49eda8f5b367b6865

SHA512
f4b4c673e162ec3446a1950d1f342c30c0d04d36821c094119a992b1d09727800bf7aac43678eaa7ffed0b68734faf9ff18b90c57b4a8535019a7a63d01438e0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
47KB

MD5
a42799067a2c52f02b3a6ff3d90aef38

SHA1
494c6310c5a2d411337d1332bf547b7b72a81754

SHA256
cd2c91135c52a014f5738151e3aea895886ae6bebb56bce7281631f9e3dd980f

SHA512
4368a9ce86ba37ad7d8d4f36022a711443b957a32f91b9f3e42591a34815500afa06384a32d7213fb0effc1a0e0f9ae4f96ca298ed279e7571affeadc32566b9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
66KB

MD5
2a76c9da547ad104d211d209fa02950c

SHA1
6b2e32ef30b571982f27733a1c59da856e990a9e

SHA256
fb04a4b7a4153c8d51c47b8eb7ce53d4991e5395d97698c0a4b88308422aeecb

SHA512
42c45d5a262c5248e737444f7fe04c93a3784f7d314c62cf1ba5398f27d850136a0e618bab11549259b41903ee22d7281dea9a8ad6d4680d4e86b4f892575c6a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
89KB

MD5
588ca230e11228ac9bdd1f839f3e5f87

SHA1
91054f393ae9120d3c0166f8e00fb77d92b11d1d

SHA256
b614354aac49e6f177f5d0390cf6b7c0c975d005bfe08db0d82f7945c5016650

SHA512
ae0f4632b029a6ed6bb8368961381e153c6c6afa631b3cdbedc74590be653675da54431773b9294ac6b3405e3a4a890f70a4fa0333166e0b772991c5e0325737

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json
Filesize
607B

MD5
e550fdf79f47e599177950d91f8d9728

SHA1
77debc69b364773049f8d9aa105f162bd48795b0

SHA256
645f48695008ae013ed72aa2907fc9d277b702272c2e1d715776e0d4c80549c9

SHA512
a8c2d15db81861145fbde53978a6d4b34426e8aa205010d9c4da7f309830c902007d07db50df6cafd7dfa6ddf6c617302b1e930c5c71001a2faf50b8143f9abf

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json
Filesize
608B

MD5
604a5859de448cae4d2ff37e3cd0dd68

SHA1
981d3191df04d77cab193ad85749a316e87eb81b

SHA256
d0f455b859889275898d70e16e812eb49dc0126b3f88b4bad8fd03a8e18f36fb

SHA512
f85d8f239bfa9cd01f476a13c2ec6b92d1763b4a795737953410185f19d4182483bfd2632d347085ab45cdc8c0bfd7fe073c820cbcc80873851448d408c9f52c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json
Filesize
1KB

MD5
e879aa1e18cb47335d73cd265ffa1eaf

SHA1
46e26cbf2dfd8167c4ca353a0670d805ca10f721

SHA256
5b1e770718cf149cd206503879457b0df27939fe6e6cef1603f9dd03c6ef7c2a

SHA512
5b678640254ce9eaaf8f8cab4a34b802f57d68e25892d0abc6030a8188569f3aea68dad777895ed04b1fb3132ba35fdf82964e924d752f6c6af94a2fc7934284

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json
Filesize
1KB

MD5
b43140de669fcceab6603c977b6857f8

SHA1
0a94a9b032c3706c64472bc5f18d527f9a71b6d1

SHA256
76e7fa86c2e759cae53019e4206fab717947ec34b6df1f58967b185c5b0ee669

SHA512
0019aea657a0d5086ac9f046a9dfc8795f7b14e24bf2c774e7388a0b8b602770367096c5a26c2d2f3f4af4db478877edd119713505eb9bbf27178debbd042ed9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json
Filesize
847B

MD5
b76aa4c405296cac2e43ec700cdfad4f

SHA1
f48de1dbcfa176cf2059e09feb53f001270775d0

SHA256
177f28dd5bf3584893637ffd37dca745ce3c68f21f951d865097ea71612cddad

SHA512
611864493aede55d8a1821e91faac979237d0e686d7d5144b872922336cdabe86982dc849c34029b1e887f58d737743345173fc52beaf67f69bd89cdf444c4c3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json
Filesize
846B

MD5
e175a8d5d4b80fc3352f0b36db422aee

SHA1
9ab4d239a67ad9d15fe4ca0f354ce0bb40d0f5a6

SHA256
ec193be35aa6d2d06860adab28fae0d544b7a4241bec5a7e24880d0f28e2eae4

SHA512
b959f7b7713bf2ec8d1be6fa763c61a525cf00d65982433b9cae6150a289c418cc3ccb0a25aae1feae689f6b659bd189da7f1475f83d117951af833836c735ca

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json
Filesize
1KB

MD5
45821f78a807c98b2d382ffcb8f6fb7f

SHA1
636f927ec7c2f13753cddab05e060a074a88c2dd

SHA256
4a8a0d69210b2f08109dfeb5b084515e7de9464733b4051b747c40b7bf4fa010

SHA512
2b9ed9965a21ed3fbe7ab78c188000b7992182d7cbce63296355da918a4d5676f341945d4a48589d8aab76105aa91fd256b2988ebac349ac0af9745632731f2e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
13KB

MD5
ab088c1e4deb4444bf491205e701a48d

SHA1
ebb6809151c96eaa431a67d197e5f553500b5f51

SHA256
841ddd887cf91860cfde0529f4ecff4338cc7000a35b91506d87f9049a4a42f8

SHA512
043aef42a2e971ca322c113b0526d0f1ee54994ea1c8c098fa4de24cdeb77e71e390be1044d24ee10109fd6b6edc31917d159941e4f9fd52ddf629eefe8cbc73

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
14KB

MD5
d620989f56e5762daa6a01919041dc85

SHA1
235a2d79792a1845947729b0bf7030a01e4a2592

SHA256
aae513da7e5ea5d994f00e4de3251a7f10d8a95b579e3715e6ba834a45a38a57

SHA512
e2d412521fa7ad4b69dfa4cbe72a2c539f6a47b511e7fc575cd11ceb2736bfe4c2fb5bb1dbb8e58d7261450722441bc76b03f3f418bf35e59b25e15207f57a43

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
15KB

MD5
e74ac70f0da29fc895051663a5f7a7ac

SHA1
44bfe70afa043a335688109468d2907b5fd99a68

SHA256
8758e9993ffef0fca4fc3d0ee320d8c523a003dcdf134a3820df7aff189cb77a

SHA512
101f40ec1db2fda12125f5c76843b9dcbbe0a12aa7616bcad76da0730b002fea2e7ac25496d31ba6dac8f610893c52c6a89c8eb350069f8b938b09c9197b1c74

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
16KB

MD5
bd5a8a4babf1c60881f202148bf37528

SHA1
20d68812b26824973e3d1f0c064df62ea2b7a567

SHA256
b74672be42a0c48fb524e0b4474bf310f6748e23ce8ebede045fe24f8fd88151

SHA512
f1c39790ab7c942006fac9627825838f601755cae3dfaca81e60638e95eb965e7f5f2a2955a4a6f717239f0b2228444e0288d8fe90ce7ae8d646be73669d9543

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
18KB

MD5
507a3e2cf83221a20e293bc0cfdf4164

SHA1
2796cf5110b978a4ef65837e647df303d81ea19a

SHA256
73cfd342ec04196a45f2efc1d656acfdbd48ec9f4151c57c070ec635d15bbc56

SHA512
b3f28a4196beb4fe3dc617e95aa24850000fdaf40e70bc57190b19f8e188b1ead1db2b8b56f24b2d612bc00e502adaaae05c36fdd84d548d2f0068ce384e434f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
827B

MD5
dd3a61869d8bc1a1e030e6b91e891f02

SHA1
79bf108aec6deedf264aaca63985e318b26576be

SHA256
03316f9aa9de9a4932c037b5e3c72609444f74f7fd170a6c541b9859ff046f8f

SHA512
ce7b6dbecdc40241908d2a21415557d7cb2f5654de2f51cd9428b317dbbdcf2d4e2ccd49d4a79b8e2be920cb01c8e6b6b679052a5c937b8231eaac0b6e5f6b65

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
1KB

MD5
f60933fa529831e455a813b5eb269784

SHA1
d9669fe72ea4200a37b5bd092e3c2b47d8225b17

SHA256
f830ccefb3e042d4f2ff0d454a724a58326d049db4b35914fbad5c38b0f27b43

SHA512
abf964605803a62a913f45c8ab0bcdbf906218396064e70db57b7fc3f3c3fcb5a2b77b8b0f8e51be22b7ca9839070ffb5aacbb5fc7b4e5f7d6723c32f72aa6df

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
2KB

MD5
83008632bc922e67798b265dc7c05ff6

SHA1
0118b9f9783b02a9eb3e69e2d5eb9eefe476724a

SHA256
30b64ca03bbbf74a6f01fce9852e39b4ee049bd17fc9b0d5904fa2804cccc48c

SHA512
aabb97a7a711fd051c1bae0a0decfa113fcba295159cf3bbff72292d2440f0885d09ed0261505c695deca0440bc28e89a178e86f691c5b7d144d4ab67578c5f7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
2KB

MD5
e3324435bf336eb1ce9cbfd03195cd85

SHA1
313e47fc48e9c3e102f00f2d5dd4c6c642a3e49e

SHA256
b85413bec2e4dedf2bf680fb2da90955d6eaf1e76b0c3475dca02c0a02f0373f

SHA512
b435cc716100351a74cd0252163f2ccfb7ee7f5426eaf157406de2ce86416c9d2ba5e44ee8b24a30cc5312ee9fe0a18efe0cef4d934d89db6c927e4935d2b6b0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
1KB

MD5
ee3681fdb971d213db5ab8f520124b09

SHA1
01924f1569dbbe3591e9f7e014870c6f405fe6a1

SHA256
d3b0039395a3925790c8e6569e861ed38c36a72e078fb2bb83fe763cf12017d5

SHA512
d1c3370ad942c3c0a500dad467d2b2a590d27a7de79cf0cbaa8d69d02172122481b265640e2ca4795952801db974f4a7ed17a5fe4f5c241f1edce9f767e2be64

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
2KB

MD5
0a788f2ad224bb18b262dcc11df69777

SHA1
0c50cd59be2f633b2365801f23c9c60f24bad945

SHA256
8ff724dd5c5ff1b5f15703ac3ca02ae8a422a6cb096819d9afa2a81fcf61f29e

SHA512
b42e8e795e0db95a32de8ec690a7b3d7947efb878d4ea7eae9986e7ad3c6793c647e326dc194fabfc820095dfff482de01c2ca3f3eb1596338675adc2789b925

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
4KB

MD5
525c6d9c772d9760e24914b4e09b5b81

SHA1
bef6715de54d4dde0e5703ccfa495481fe46cd71

SHA256
f4b62e807472e431a7b67437d71f9f1fed8ff3d0810160ed5c54615dd34dbaa8

SHA512
c8aaa55cbf951132034ab0c8e8a8c737b3922a7369be0d85ca921a17e3e5dcba0f955a1c7235a4d4ada5a49f55d0436d3cc543ec8198a8b6c2e0e5e0283d0e4d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
5KB

MD5
fcd40222c219e0809a6c16d9cce935a8

SHA1
105c3d4a6a1a080bdcedaac8a22a2fd2c8b02968

SHA256
edc34909d7ff83943a35a9888f4634e4b8825e3c625bbf21f3180db06c135bbe

SHA512
103da87a67642c2ab869df8f0760c3ca7de3db91d8ebc41d20492dfb5b4cc82a7e73f39576e44310d9895f2900530c2ebdc7d494ab629128394463dce1f18f42

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
6KB

MD5
741fc744d6d175815e22142f42595b51

SHA1
79c4b1d373e944e1b65ca73e5e97d987ea0a88d4

SHA256
a6a904e502a008619c1f5989c02fa7f529bd8ee76d7dfaafc955a08ae94ef3d5

SHA512
fcfc234334b366494ce08541f4b12acb3b241f6febcdfb7942e8b0d38050a7296d5a0d0004c9fa9c076569a3be64492918d8036565db436502a7da1d27972c34

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
7KB

MD5
5e4a89637ddaced552b7a36e1dab7fb8

SHA1
540f34ff5ba0d1db51b23b1b34f4e8da4bce7bf0

SHA256
6948e1ef3e86f9c156841ef06763c203af06541d5247d5513e5d8994d547cae8

SHA512
55667de39776eb3bd4000ff50fb845d11ae3f0f2ea25674705973a4c091160dcf185c29d51ec93958a7f2e903be4049717ff302a82f4aad53f469f92607387cb

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
8KB

MD5
fde5ef91fb0ac35110d48bb685cbf238

SHA1
cceec5b08a4c8f7a75e6fa1b2faf309d6b7622d1

SHA256
1a3e6a9980c446746aad895ea863b9ea0fc8c49e0a1b4ba3c470e5936b2238a7

SHA512
0908f8ff6169c41b5ffc62cad06120cb4ce6884bf0f5e565ce765aa1d4e10ba4869bd9e46a264f2d37217b5683feb189613aca9751308a582c999c1b2e58178a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
9KB

MD5
b7b040ba2bfa377647f778bd2bf9c262

SHA1
d5070e19d10886d5c6671c0c32c801bbe8116331

SHA256
bb3ae61a6215aabc3c1f36758ff91b3b76c4e96c7e584a17b6ff17a9008d11ae

SHA512
f3bb2ecb43a79557db775b3fdee013e20fbcb0311129f8881dad2011b336656cecac6222697a4d8fe1ef82f87a8a3f3c899a063048b42c2ca1e349cae21f6d66

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
10KB

MD5
4b037f67985337f9067dedaa06eee518

SHA1
71ecef65e84ce574f4d1eb283f26a951332c716a

SHA256
ae524b808db3b98cab4b191d404d8b2159d9da0194f6cdedf89be26fc25108c8

SHA512
6cb7fcc5c992eb38e6691f46e1881165d6b0b908352dc732d48592ef386a9bf7d224edc573cc50c800195dd4c4e8ff04c239e2d26e57b0a0f7202d8e9a546de1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
11KB

MD5
f4ac5489941b794876706d4ce209965c

SHA1
bef7c2d8d72657657300990fb9440fe99c55013f

SHA256
c8fa8c8aeba60fa97bb2d9c3059591eb45a293fcc63680d63575e211e8bd64b4

SHA512
69d0d68a8a9979a5316e5ba755dc37eec476c8e33decec03ed5624656fa05113558b13d1909942f3e3a9d1e9a798f451f7bcea1c9d73e0f184f79355c165c039

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
12KB

MD5
2fcfa2d83fc57ae9d6a53a55819f84ca

SHA1
6876ba97ba2df350d91c4f8c5c7e1f1aa13238d9

SHA256
2666cff94d0e1a45c05200648ff4c1540ceb00449f9a52dd2bafb64829a612d7

SHA512
f01e09447f2759ff495e31a16d71be1aa16d235da44908835998f7bb89bec607757f3ce9dbff23450f64f0d20a2b7ff2c789187e1f74f873c1bc333c7b41ce77

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
11KB

MD5
46a8249e0b89948641a4ce02a0defee9

SHA1
7de42ba0297ea0c5196a99985ef35ff56a70d70e

SHA256
d0c499911fcb390bf713e1eee7f6c8758a77c86750682121196ddcafea6b7599

SHA512
c53db724f476a10e0a94388545f089ef01489afee37e35816b5ea852babe9ef88dfb62842dae9f045b03c50a9397dfc892d16cb9fa2e5fbbde1d510e00bea878

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
11KB

MD5
158a45c760e7e0a4c717e584ecf85e24

SHA1
d8e2c156ef2208fcbf9bb6bc8c973563e40d302f

SHA256
8196dded1dee2475e8e6929b06e664d30f8289439965c7719c74159886bdad3b

SHA512
367242ddd8a57df57e105869a2666d5abff92f63f2069f9ca16530aa94ad7d531bedadb7480e85f47ddb552afeabd50be3be32622f04c589facdfeb23bb19e4a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
11KB

MD5
954071ffd6c0ea781ac9cfd7c3f1262a

SHA1
5d20424f9f34c85c71a2703339f56d408a699add

SHA256
56e6ae70cb26af89b8449897f25bbc0747e92119586e9b6d734066fa9e206d3f

SHA512
eec6a889af388b361df032eaace34f755ec73e55a58eb543d308b3778b99adfa567091482f362f160d446e544a0fda705726aa7e0fe913e28b91022a1239a39c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json
Filesize
2KB

MD5
c329f54d5c2d2a83a675b3a7d5dfefc2

SHA1
52391380175e82d155f4a15d4866a9f903115469

SHA256
6b548c4f58c2bf5678f179ef815f7c8f5b47b89d09110a360900a46ceda8e918

SHA512
4bb35e250f8e15b2ea8ffad8b9a6f1302d51eda06877e6fd2b32cc558005e9b4de9eeb7cccb3cfa6784816d7180ea78233355605def3fd83222a52f40ae94b76

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json
Filesize
2KB

MD5
a67802039776988726efda3b9a0912d7

SHA1
7153bc79999cc088d7221a01459fded56185608a

SHA256
59fd66147246fcb4688ee2af3179083009877a173bd58e61b26dd286305a05e1

SHA512
81a956b6274836616302ee59664e51aa069313ea1f0fde1c6b80ebba1c55e6c0e76cf280135d0f90e4cb5696860b2bd8a129a0c2196b6f5a1bad3544288b783b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json
Filesize
814B

MD5
b09a4793a17467fbd24492e4f116bd29

SHA1
aa383ba0c4d1b1f8f9c226efa7d1c6f5f6513691

SHA256
34366dff583b8df692bf06f34601b1f1fbc294386244f4663a8f0877e885408d

SHA512
e8e1658b23ea7f2c793d71a79ef80366d970bcd533aa2e4ef59137158c563091a7ae9b52991e480c624c5902bab750be484fff55c85b4c3434587c383df9581c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json
Filesize
814B

MD5
ccba6b7ae91b2bc96cb211c1b39b515a

SHA1
2ddce0e4b10bd96a5d63c42883650a569e69a210

SHA256
f39c4f2e37ceffa0770e4da2d66d0aef166d2604804b934be49bd015345082b6

SHA512
5eb7e9c9fc7f64a65d410070152c9c9a745386d4ee4de768303527420653303b276636763077b80fd7126370a2b01bf706d899f4d88ec3fa6ac0adb349710c0f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json
Filesize
816B

MD5
8062fbee14d1df653ac440de47ac20ff

SHA1
b421d3486a9ebaea184ddaf8896cadd0173b1c24

SHA256
1ffd28c7e0f466ce1c7faada43e65293df6164cb248b491d11093b2a46c52980

SHA512
0c752aa3053f2f5b8a22c30efe16704e8c439aa6bb9dc4fb8e1b8a5b8e172b0a5c6c125d70a3ad1b4bc83f642e4eba1202ab27775dc49902cf20f54d7ccee080

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json
Filesize
815B

MD5
bd41ba0cef89fe0381d60f5a0527bbc4

SHA1
e1aef1e29f70cc29d01c95e5982d5e3d0f3c22e4

SHA256
6cfba4e13dd5e8935cd9f461e525a860523540d424e292278d113b71bf6da223

SHA512
35cfb304b5977f6eaaa16cac26a12a0d84c1a8f4057346182f094f782f11630d31d2b56adef80f3c504ca9645baf7b06519b212529d02d50a393cac171b4f802

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json
Filesize
1KB

MD5
d8b2fb9ee8e2fb415929d004ad759a59

SHA1
0165c613bef7e14cc4e293dcefa456b18479c314

SHA256
dd36fd1ecc025b3d6f7802309852c1094048a7f983367cbad07c697db54d98ea

SHA512
205eaa120c8b7ef3051a2bdacbd94e0f3350db5e2e1e210d72c4007372d8de89e1fa0fa8055d40c3467aedb05cf814a4676fde87b864c465b980fc69e1f9014d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json
Filesize
1KB

MD5
130b8f8ab8c30143810af13255b6e677

SHA1
075e87e402057a6143434eaf96a1b61bc43dc803

SHA256
ca2f3b07c51906817c7379415069354e45ce61ee9234dd21e796e61dcac39e47

SHA512
399ec71558fbad13244c8e41b8a9b00b2f7f05ae00da2e07cb6d726937d412fb107b9593a550424f9088bc0728a31e7d071e8dce5d26c5465203a9d3030c8cbc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json
Filesize
1KB

MD5
e1d96b52fa5b998bc0bfd04a68c7db59

SHA1
964763ef4ef2d5ed9ab27f8aa61482b7690bfdc3

SHA256
4b25eaa6f51514f300d50307d676b3d5bcfdb655c2d252c2631dc744bccbf372

SHA512
264ee2ececb903dd40bb2f93b94e083a6cafb38c80ea51f1de61c8666ee4a38b63b314fc8f882122487a740f94a42cd17b333780c7fa6a34aea2e26160678295

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
83e490b83183e827c2062669587cc87d

SHA1
76a68409abe9fdb523fe77492efcb614369ca9a7

SHA256
ac7359b4793f8e484b0d16d8e0dd8a8dccaabeb21907e2838eb7253693ef413a

SHA512
aeb300a06363dfbc9730d8ceca307d172bafab8401bbc13533b20f8724451c9294ad7cabf284e0c0006e4946c5dc79d45f7c1d715e286c5377af0069d78624d7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
7ef445ad5b7fe4f9de98723f29b2eea2

SHA1
c7b36bc7ebfe4b8008631d6e89b64e5ca088a3a5

SHA256
a07e23bb0075fbe2ec5106e7cb1050adfbc3310b2e52929abfb799b255566a92

SHA512
42ea2320f181160ad6f0b989f303f6b69fe30156a8198dd33a4547976cdffebea4e6514163ff5d8a46bc111ad22598948ed4b0b578decd64e26406ad160f277a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
4bdee94f05ef69cf0677e3ee67e75ddb

SHA1
37e165d7dbb5f2561de83a073a943de78af9d570

SHA256
3cf0b059bfbaa0edf98fd35575c3d25b64b35f11c8f8c39191ea8e74da592106

SHA512
48f093695127e31a34620a6f40ec9e3aeb7c44db3debb4959b2940d7be2083f592ef5f7164e4586e8170f9f27790aadd4a956453cc76d371b38c002de9d4935e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
45391a78ca0143aaf40416b9862de917

SHA1
9a041e096287b5911986c8fd536b09531452220d

SHA256
d961a00d17dad97f6e637e21308861b8853bf12c246ea5c77f77149a8223b3cd

SHA512
9bfe7fa2dc48f868e6292f5a9b58f22aaf121045685802325a90f55e5c20a009051bd1b5ad0e42aba4fe966efe2e86767f8b6cf947f81c70e44bcfba1cad4026

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
382aa9c01660b314c203839e6ccf758f

SHA1
2d711b9d57f4671f4f5003f5a8fbf50f5ffbb548

SHA256
236b16c85d82879271fad09234aa6163541a18a08664b65df991342dceb107a3

SHA512
8f629810996d752c98f568e059d31d035cec80be0f23257d25162a31b65e38b47ef39c0a32d4863f102b593f531519e488892756e8d79aa712f782eadd6e59c9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
4KB

MD5
196365c661476786e9bbe332c4e33771

SHA1
655609a21052060b7eeeb3719032763def0f8eb6

SHA256
5ebdff08df072e219876d9faedd336e2f98ba447efcb2e4cd7d86193a8366131

SHA512
8a463ec2b8c343bc7e2df03b458e79c1fd0d2728ee9944b5c6f23dc4056da9ceba28d131b2bda6e0f087b9a2866936fe0c9ec0793e2b467ece53a7e7395169d2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
a6e08fe8324e72a96ab67c87d9a4f02a

SHA1
d1c6020bb4aabf64661144b7e9f471738f524d81

SHA256
a5c4aece7d5d84429bab081bfd63341dd3eff12080513ee82a4d0b46dd862623

SHA512
59402317ccd0c4042187b8cf9beabc45e4ad1810acbc15bf9a514ede45cd96ad9f2a07760e32fa657d53726b771baf6d22fbecb3dff00059241d1f5022e5edd9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
83ef9f50153eee762f0940d35c2ebf55

SHA1
46d7beec128276aab87acf59c82c73d64ab3f095

SHA256
9c17658f8c19c3a68367c60842216d575aed402c055311c216f029b2e3c23ae0

SHA512
741007f8d42d85a24df052c5569ae43eb5a3c0cd49c9f8046d8ba5e57819b2cf4a703f6d4546f68ece276bd9717081513945f0a5aa4266baec5bbdf2b6707eab

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
5263283b2ba39dba2e4755a16bb78600

SHA1
9340fe7ff27eac2086ddf4920c4d7eb8127c65b5

SHA256
82b7f04502b7eb706483799428478514f02d90622ea81fc31d21f4b519724392

SHA512
a2e0c231bd061980689c0f546a02211daf089ce06309235429ec318ba9dd96b557a4a6a049393068db746055a9690238f9bca83ccc9a77e490f3b389457ac365

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
43b11aa2e4df48cd14cf225ce6fb6a8c

SHA1
87c6a25dc7f86b336d67614257559b0bc3d41713

SHA256
cb117e3f6c2a3474c0a1f0523239dbd7861001317a558a0c83efe2e836e0a886

SHA512
6d6f04130c2ddc21aa558f2b4e6f7126d478bb2ce1133d6285422dec267659417dd5abf0d6828a07d64e52790d0a528ae9679b5afc5ea66a273a4d92aba3f157

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
283a9ebbe207cc4600282451face19fd

SHA1
5b93b49c73af9dad47afddc3abd9b39eade0c68e

SHA256
d331b53ab510fe428fce4fb57ffa47d490542847a166d6accde7d9df2e68ef80

SHA512
eab664161f7d4ce9e4c1050218bc5fa7d1efdb10636f695f069c2ae3bb44fbeb9b0ac68d3b64c1183dde58cc69a286e884b38768b60ad142b4cc7beefbd42a9c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
2e0f7f6b208fcb9611cb2a589b0485cc

SHA1
a8a04a06580c8e1cff8cef391afcdd16710c0179

SHA256
560920de1eb808b87ae27c3435b54320cd7b20eca2d0b5ea323baddce2d7e829

SHA512
941cad5d62633f3085edc0c58ce0187c707931076d7c7367441db25e3e666b2e10d4a8143c4a58b09b2b712622fe301c3d58585b0992a1e663fd80a09565277b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
aa23ff18a30e8c10574acf88dffd1022

SHA1
b9025a304dd94c077c836e3c17f0117d45585abb

SHA256
23b0f7b703e315cc41bc016db85d21690246c93fe0b2cf44c45e0e0958419a45

SHA512
69e75b71eb099904e8ce2f66cd5bfbb7a9c1627444e16455c2656cfd7fe0215c7fe47ab180f967b6546371c6b8a6c33dfcc69d06f2e35c7b7f40feb34dd8c9d0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
df529ea22c72d23985c5eb3878989d84

SHA1
2b3b32587d0099594a1d22216f12b2c01b97ae1e

SHA256
81dd08df0638d1a3e74e6fef1808c59f9db25aefb0d7d78583db465a4611e61b

SHA512
f3da2f6c26075cbc57b6b50fab0759f14ed5c894d44834037142034490785d666fdb324342a2cb0363a09220f6dc328f7ca01a5a4527942180ad3951d25a1808

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
97b89cb14ef9feacf3e295b3d2794e8f

SHA1
a7b17b16e5bfc292f8a41f8c7f8ff7f12f42c058

SHA256
68fe8a76eb38cb5532c21170b661128084e6913e9c333a6c30e7ae06d8c4f146

SHA512
182571db01346f79670453ca5f48b39ce5f3a09f8f437b2a816a7f93639bf86578c4e7a87afb984b0b0fd679efe5e648a1400bc11d935225bc78b1584148598d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
205189a326930a3e2509498f3364808c

SHA1
7177a02fa571abea681cc3996b154604c44129a7

SHA256
d019bf5672b04bc631201a700d2468add5752a21bb4d3e1aa36a0a10f858f5c6

SHA512
37afa5f9a250f5f9a6ea693a71840d305d2b1c12a229b94e7c0083a83841dba6be2788f9538c9e60e95d039be92c8f80b551d5586f41031c7b37d174927439ed

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
a0bd4a99ec1ab0b202e05fff275cce6c

SHA1
1bdaf9821f3b21cdd5f10fc95206eea3a334c87e

SHA256
7c4e70d047c7ab03fae4d1e64f333d2f083baa2ccd6c9258a3ef273a5401b267

SHA512
d0b86e5c9ea215e32fdfdd71e8ac6131c58e6bbc00d9f2e0ca3fab3bb58ab006c9c4c4fbc353c9503884b9973cf23d218f1b9ac2c9018ce454e8fc6572eda21a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
e420fd227948e0c85035fb722e3f5038

SHA1
5d540bf545f0a2959903329ba5ea9188e64d2076

SHA256
94330d5cffa071e7f398e3ac64ecf2e938d45a4c98149f1ca5f47da91c744abf

SHA512
2af8fe932f91d832d5f3e0ec021aa7861b940ac09e18bd7dc6fe32ff8fcfac824c846a8d6dfb80c1cff7dafc824fdd06da1f6f8c330b8755d3ee1e0b17a3a9fc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
3853129129877c318d6b3ae3d02276a9

SHA1
5d53161b38dc3c733b1b7c45b1a15bdbc624bf17

SHA256
a389e875cc3b50813c4927fc5c3cd88fa2e5aaf215a6bfac9139a70ba3ceb74b

SHA512
e08ea8ba6617057a2b806a961ca9c8bca03a550dd4b07c47f751630e7aad8a6416f0ff4f2911286fd1aeb3239f783900e9dde4414dc19d6995158cfd127ae775

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
91ccdbc7d038f0e85740ebbb71cca98f

SHA1
9fab0fed8f2631ecb4bb343da8f0d61efd8128ff

SHA256
7c25da1a90dcf0ea80aa141932e2f29f78ed4b91e8254d811da51a8c280f1829

SHA512
e6a9e9f449801572c8c07dc90fc1a2432742eaf53c83aef82efcf384b306abd410277b3a40139e1a78c96f31d627b8bacc3b77a44019d027d57460b1c0701bfa

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
7cbfd2d9f295b4c294b5804081398680

SHA1
61e220bf3863427944b0e2baa9a5a11558f6a5d8

SHA256
f4a3784d28a7bcea695cfbe4178e495ffa94e61ae390a0644a25a54aa90f645a

SHA512
c19f43a6ff18cc714687b8e72e7a156076195192a70030e41b876f0c6bb66dce4b7902209a56e2bc289ed29f033c7bd92cb71ca537b01b72b835f9d4f32d1a37

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
763aba7d85d74485ff7fb9dcbc591406

SHA1
bb6658ae4135b147deabf19183ebe14b286b4349

SHA256
d6b11184cb20079009869c4c07fd3d17a045149e2374672d8ff4b6b8f2d317d2

SHA512
25a6c9c12c8f19cad97096a66df36f41227e123eeff6f8a539c2dd6ffa66264f39040e2003e5a63a1aacc745d27ada065c0217b1a295d588230b4a7ce461c12a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
e0746bc0587f9b541577193b4320bfd1

SHA1
fbaf77a2bc84902de8411c3b7a15d105a27f470b

SHA256
a56ce14e1176be10d644eaa9635596acbff3da7ce77c2c60f9cd3bc69ed25d00

SHA512
91445a9d6d05a96cd6b7285c96c49953954fe1cba177c567440e71f93d4d6c422fc053095b34a1ee3bdbd5459e4352303b15877feb09f597f500b01f7bf7da8f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
3243f59834730716dc4fe56439b9ae6c

SHA1
4428214391aa0fedfd896c36ccc4f1cabb820f90

SHA256
97f537ec75e36a7fe04800ac7fae2f2501fd83b71ddc8487e4712763038d3491

SHA512
c92fee3e16ea629bcf8d59eeee40e61411c2aa1461bd367db1be71a0081aa0e091c042121055f1b53a50cfafda6dc591570fe88c0a0c3cac76a7fb97af216674

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
5bb90aab5821f416dfd96813b88236cd

SHA1
616644bd0df7fba26ff26ec479cbefc483b5d5e7

SHA256
165bb6d8bd9a6f4fd6597176374354cfddd208bd3cf19bbffd710ea9df7fd767

SHA512
ff0bc5da2cc1b519e1dedc650e7c4b2875c1920615ad795492e8b6ae841eb3a8fbfc41b2c945785b8d2c32225d31918e028d8064ea4a10f847ddf7e3239f223e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
2351e36f4698f236b795495ccdf8da0e

SHA1
39c368b1e8728cd580998321469648146fe2c694

SHA256
0882200f526c5d239dbfd8a661354e3e7aa4dafc5924d839c4b71d9033ef6928

SHA512
d3fe2c9151b5d0f2f541264e3756573ddfd5c6cfd4d7572e79e4f5bfd9dfb8a730a44027ae8c60d40b8bb0859aa29b75e36fb28c90f0c17a8d7e6b9fad4509d3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
efefc4c3790455c7b671f43f69743b30

SHA1
f1dc657e5f7f84f229a3a137940cae9432795254

SHA256
54f526819b4842842adde8c4fe3385851db3732fb115b580f27e31ad1eddd708

SHA512
f21062f3b89d9479fc180aa7d53f081fe88f021fc2d50ba4a2d87c2f7374a63695d7752bec6d5aba464c6e68bd40932a586039e13c592d833022924eb1716ad8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
88e43acfec39142a3d4ed56f0f64896d

SHA1
f9b3817604f5767734210d6b1da84897c56b28a8

SHA256
59f3fdc3861fd519afcb738dd6356824bac092d7843cd49b42c31febbd1df5b1

SHA512
62c9e5a6784070baa067ebeaad0c155722d67ead58bc94994ea06238ca3c1fb972ff7b2e65ff6d57dbe6f2aafe3be4a20d446515bdebbb8f2e6b809c7cd10703

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
dc2cd89a689e4b9a1ce1d438a07b5d92

SHA1
9b45b3706a5d197260f457ff47f5bb8be75afd22

SHA256
ae656cd98dae891f812c39cef12dadb83e8aab7b8290988c49404d7ccdb8cddd

SHA512
81b9d1c9bda7b86795ea4f91d862cb8c9a1b1fcc5b9bc384634fb4a261faa3243fefeb94335990a082392136a1e3702ad0b47c954ac015da5024588cb0c3b993

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
923f0ce4fe7c9df6ca95fa03c1b72a43

SHA1
0ae36c7290f30bbfd42a4f521e39f77df788bd65

SHA256
e6e77581dc8bd41ad002608d3dbafe94398164d3a5cbd642c8c75f351f1a7cd4

SHA512
069be8e9d9a639241fd2a8befa8a9e5f42c009e2d4ab63cc6c6af8e92b685b266bf4c664c55b08e610427d710143ad206bdcc0c4b66c18af8a7488bb906f08b9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
29f9bf18d33e9bc5f786ab26d69ec0af

SHA1
298aa9e2c835bfc291fde926d0110c54b678d6b4

SHA256
2fba477a03cc3134b898868da2376128f8d877103da2bc3be773b264a3dfca59

SHA512
15349db7f31daf13f5fbf753b2bece2931f509db2c004103c8e1fa7946562bed7cc4ad714df5055f2977930b4bc1946211ed0e366a11dc35a9a1b8abe822d67e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
c7e7b9ffec4cc49a3a32c728407080e4

SHA1
97ce30dfea8afff65016d51fd95f82ecb5640678

SHA256
ee4adf2a0cd991100fad26beb5c5a1701da84f4e5b696abbf385706331ee3511

SHA512
ec3a640142e3f3e3eb4ad1dd8e1715a411a0d1e12e9be73d3fe934bde4be15d9eb5ff46aa481882979203be2f2da2223d2a18fa67431b246260828e19fe0f31e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
c7a20907f65453e30402b311c88593e0

SHA1
75e8a85e3e7dff9d6b2cb6c859aa66ec6e975ef2

SHA256
01b8e49d2fb6da14fc5c1d027295690ef8cbfab0df0a0bae8d19014cac222517

SHA512
aa69d527f8c16a9e69659b442738eefdd946c66de916ac7d38ca94e4646cb85df7ecf691afa846de8edf0ca87cba3dbebdb3a22e4d5382178799678f234fe251

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
ea60b42e1448aee7fd93cc8a9d83ad82

SHA1
d95b5c0298e6f30701e497dbef947f33c72ad0d6

SHA256
0bc85230145a4ddded2be96cd6b568ac2548fdd792b2506cd17e0f087b2324ee

SHA512
9ab6128f82fa2993008425462ed96228bb551613fda9b8e08f47a094dc8b10284b180769b3e010c5691e057a099b98b0caf73a461f38e7484e110fb9a12b6ef0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
29ed0aaca1243844eb984dee25d88452

SHA1
41128da3709e830fd86ad06939d3721a1f976f94

SHA256
5bf1be15a75c97a523c589536dfd06461303f2a28909e985c5b8cfe18eda7007

SHA512
1d3f3a5c43796b13a9718759eb296a50ffbdd5d035343c6b635097ae1e5b08d59f949c098556eecc14b1999d8ce3281c3ef6730079e17f4283d0ccee257d0cb6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
9dac3293809d0af62a46e17e2c347332

SHA1
54dd3b68b3805c63b65a2c5127b2e944e835650c

SHA256
add0961f228ec2b6a11f1c722b1494da3f3c9ac8b57140ffd0df9a662a5e18ea

SHA512
1f7b85721c6a70c86fe5a099b96e149db01296201bd582469d8eb36a6d7388e65fde20e6da27164724f2555acc2b472f6d8fa2a062c9079e47933a0ad011bd34

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
782578adad115fed15945c100e0da634

SHA1
1385eb66e179e8d9b46245f95f2fa6ee071c5619

SHA256
d906e5d8b5efc46c4430eadd2b9825388d4b2254be6d5f229bd232faadad9aa5

SHA512
d66e4200461c64a995b0e6ae666436a659c3469fe2b8cbb719968bb23bbd05b19ef6135284159afc2e12989d0cb16896d349622545a0157da1fb2e9b19ad96d9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
4c2283fd38c436afa03922f22987cb98

SHA1
72268bf0dae4564ef14bc1f3c014349c85e719d4

SHA256
2eec8e4b97b9fdbd355b4c7150f87a564358ba5ed794fd202ad6cbc1ebd75a8c

SHA512
b70ac537c756f74eefb8f9318898e3e238e2e2bf0f7a3ff15c95328716103fac81bc9eacbf89a0ec7a8292ac7a7a986a891ab49c87f8939d95b053133fd0da9c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
8a2e4e2785829116ed74f12a0e02eba5

SHA1
f0cc795968a3507a747fdfbb137e9eace83818a5

SHA256
2c3c8c306df60efe9e34021cd7d64047cd278ab061058eec9beb28e54366189e

SHA512
cbb586d5acd073627398e26f58fa373e18b1fd51619aaf8de86648f4d1747ea57e03312a58987cd33d462cc6d624c0f4857210ff9e9566b46b8585c035a11d6b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
90b668aca5e4b414b25e2dd49724c987

SHA1
44b9a5a3eb8bbe721c27827906a47b903f92f270

SHA256
7f20451165a0731dd99828be25a0c2f8298659b388bd27466c0c0e0b9af3a519

SHA512
aaa32f9cf0f525a5f7f40476506d85c08a927e284733fec554fc6e09932fe9d95c3e3d1f34bf57d2369f493fe3e3d1798b6f1bceefc2765ae6a377ed8ff9e92a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
c5d1ba0342bca28ec401f5b37e7a965b

SHA1
358479d62dd96ac286fb4f4476bc33c1a36f12af

SHA256
08928fad6b5a78e10fc2798f66ea79715e1ef9cd22f74427826014527b53708f

SHA512
9dc69fecd134c4574194a3351c3faa4d91e5bf7f65d5a389fbed7d038c57deb44ae7e9df1ea34fc444eb909e762a03ae524714a15af5528e141cbe56805a9bef

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
4433005cf86846a5ae2941a6f729b22d

SHA1
ccc8aaa98566d67d664ad8f9472e57e3b8089a46

SHA256
67003fd590ceaeec5f3f425ec1f5c364067bc766865447c8a60b1f7c6c319faa

SHA512
2d88ce75c4379bbe76f23f80230dd65dadb77931085524d7047bbb83b1029b42574a83cb34f8db11f8279bfbc78f7c9f248622ce29f021d9247b3dd903546c0d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
096eccd296f8853758162ec812cd93bb

SHA1
c19bc0cbcdcf721ab293c736930aba907ba784ac

SHA256
097f6a113d3dbf546a94ce398bdb536daf27a2f49e2e2d734486c511601ea23a

SHA512
f7fe872bd74719c4a5b3e1c26964e2cbda55fd7c4ea278a3cd6aa12ad019bf6b70e5bcb9e834ad605a6c28937e01829b823cf74503ac06eb1811eebee85403e1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
7KB

MD5
441e8dda0582dcf83b2de3d1f336e641

SHA1
11d31cc34f16853f4e4f6f3e358b319bfd1f930b

SHA256
b1d45754469985eb2ca8e092cbcfca284eb95c6751c56015630a4335979ef4c6

SHA512
6d3cdfab6aa9754d7e288f8f44b59794d7039316bfc253ba3645c5d68fb6f381d21f0348ca1495bd1d37ff0fb134e3439ea05aeb72e3dc14442ab8f108f9a3e9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json.bak
Filesize
7KB

MD5
8c2292b79186ecea7c9474c9204d0058

SHA1
dfb4dde20a275abf4648afea78c03537ef3d0015

SHA256
eace6934d4cd70666dcb5204c5d5e92041109ef284ee71e1cddc0e0e628e3edd

SHA512
75693bc6a2f03e20424ab4742743fa12907861d14723dbce8bb4a90bfc8d1501250e0814b64f4920deb9169244e9275ee051f73474241bebebdece6787156620

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json.bak
Filesize
7KB

MD5
f210187419bfd578e07acee7655b2239

SHA1
4ab6252ebb3eb83a7aa418d39e407a0c5a93c6cf

SHA256
a7dae3eb5c6035c13d9a9eb7ebd839a6cfa1ff6cc5e89673db0c634e610a5ae5

SHA512
7e60ff1813cf3259f9c613b3600e84dfde58b5259fa5afa96d006951b05643f2989b3e474a305ea9b5541b0ba3eac93299b6a4f4358df6ea982e39d2b80b7ba7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json
Filesize
11KB

MD5
fcab29bd3767df487eb175140d01f387

SHA1
80d5b7547c0b1fb9aedbe22b9052dfc961d770f3

SHA256
7327ef952df79cb76ce19ed71c898f6db1aa249355dc3f64feac4226570388fc

SHA512
ec37285c528bdecba329f79fee72b92f081c5abf4b759363af8e3c841166da46aaf4f72ed43502ddab90d5156ddf5fcbb58453238cb408af964d0b81a3a51286

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json
Filesize
11KB

MD5
6ebfc70e0cd820801b65da28e9b45224

SHA1
e750aeeda913a94dfb1401bb5fab916c9ed9d272

SHA256
8681c4d96d971fdd3583f5f11d85b67d208ed17424822408087a5e21087df614

SHA512
17767f5fa09436bb78e8715e0f5cd3c988ea74fec4e14b2d2018b394584949b8cc226b7fe48fce4986f511b81cf55f8bf6da62d9a2d0dbdc1ed02cccf6102a16

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
97b0f07c36dcd1453560c75669c7953f

SHA1
a2784b2d05c70dd2506ddca899b5c9572d5295a0

SHA256
343a315a13846d6ebc3b8f2a0df39ea2b7cac4e4bf54baa9106ea04bef2cfc7e

SHA512
8175ba94ea679acc8cc13518a4de649dcb14f0dcafb7a7426aebe6781874627755e44e81b7e8c0955c3eb6f3135482ea7c443f75aa2671a166708d6f5720609d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
d66dc23f0741f273de2c100505531c54

SHA1
b92ce49fc5854ce55744f5f4edf549b6b47537fe

SHA256
c4cd10ab4046baab0bfe8d86c5d286f138a0e10c0eddc1bdcc8bea5844f750ab

SHA512
d4654d22f55ad42df1e1b32bb49e5785229a14d89521b16f38d8ca65c60028dd15d004bfac7ccefd2931e1a1da406ce8362051d3f852d2f821163e638edb6ab7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
1eadf7d24f16457f27a2b3ddd777be52

SHA1
eb1cfc946558d3be1cb1a12183335576d5f8bad6

SHA256
0afd714dcf9a28161112d19c2a709e941ae5c1a631461353476fd99071f03de2

SHA512
9a06ddc9e46ad50ca53d56542eeeefa1564da2de38b793312b19e7c09ab5560e24744b423a7e2ce4772d2af0aa2049423d6e29ee72224e5515780cd8f4e366bd

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
fedae5d36679cb11211d18ac578ac70d

SHA1
952056d7f2bfc845cc7471508e8fb0b806b9371e

SHA256
70b7f35294a738cdeb0b91e7091d89cf5c6297451b59c1532e3d33fe9ad90853

SHA512
64dae2036f51032b497c9786065bd416e338e02520f1488613e010a92852c2c9840deba5e24e81c02edd9b5fc5e2a28b4c57e98462f1526c25a6c5d0ee92ffa5

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
e2b933cc1f9d847628a8ebd049a2c149

SHA1
a6b151f2aa4f688218caab015861178217291aa9

SHA256
01040ceafc84f5445e774ae49e0c2b266c7ed539265f9e22103f98d1fd9eb468

SHA512
d4bc6a9cea8587f64a554817f480dcdad2f2a005b0fdadf75ad55bee5b3d8e224228e5a3ad971f0d41545048e3ceedf9f5d17a6a31b772906c1ffda779dc6924

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
2de471c3efd5e2d28cb3756a101d1716

SHA1
bef3b0a19cbbc314a141875e99e464b66882f9c3

SHA256
c1704caff486c3d66997123dd9954285ffaf477c593e6b7f3bbc50ea46a33063

SHA512
aa4f75809e9ef6446d55c3f2b9a9ca6c16e07cddf0751e4cf3a6c246737e720cfb70f6719dc7268811f023d136111278fb9f158ae7c5261dc7fbced9e2bf3271

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
c20a3a1ffc1f76367e669809d992b0d2

SHA1
5f6fcafa6459f5b41395b7beb1be450876752fcb

SHA256
66df4459c24f827e86cedbc691a869b6cae01dc9d1cd71f905a6782caff0e17a

SHA512
7ccf70e443eca1f14b8811950571dbeffd5a824d07118f22b9f8f4c564e86223546a89dde46b9548dde7bf48c4b20c31a260ce269e9876463384d0633ebf527b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
5a93cff8e6f45ca1192a78811770b241

SHA1
1641b447f87f318362aedf427f133fef219d3163

SHA256
caeabeede095233cccb85d5674186859779bb0a1163528e2360d3771e07c954b

SHA512
7b5cc27eea0b6951d5adcae5a0f35084e2215e6a5170c4287c5906f9908a55bce7dcdea83ae999299177428f782ff4ad8d55a83e70ad78f2ae3e46af8915c951

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
1be147f142c2793c89f917ca20f1e105

SHA1
2206ccdb02773df967879038f20d03979460de72

SHA256
8f33c54b65d97389bf57d22fd68944ee3b81d7fa27fd2e6e9dbfbe91077fe408

SHA512
ca003eff76492d9c21ab728775ecf33a5b8ad8373334f389222befb9f99a6bce55638b9d530849436d8b6517b45ec545232a81d88d2fdb058eacdcb1de186752

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
e2e90f43777fa475e1a645f693fe116f

SHA1
0afc994f10b1ac80991c6fd45d6d1291b70bd6bf

SHA256
c95ef27d588fbb9280840aeff3bc52a810f0d5891c4826376e7bc4a7e881a178

SHA512
23f283c9f7a6088f4103de5266d6ee56daaa13b09c4637e1dd268073ebcf33c49443fa50139bd5a6584ff941281197f87e0b3fa5bc281898b4abb6d5a496bbc2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
406cae02c2b4aa84a4fcfde26e965215

SHA1
c855b85e777bad4243afd6daf03b382be1dbe763

SHA256
d1a6e8ead7d760bc113d053d475b762b8e1479adfd6af0b3074074758a95c15f

SHA512
bd53b5cb591971883a27a4da9957e12aa1c3dd035f8ccbab4f8d7099fa12b7bc72ac71907e872490e771c78c0420729efa9bf2c5a60f94d913f744ddcc86407e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
1cc103827fa3fcb615e7af291dfd9fa1

SHA1
b850a065d113547a4c98993ea6ad1a7490938085

SHA256
22ff8d7d4c07ea9c6dffa083f4d88680d75f88f8e4de6e42c294cc114adaca4a

SHA512
6194493ac13f86216ef9286b00247be300c916405e984b4be97708e8033b27cbd4aaeece9bc85667f66b357226a46427dd45bdc20fab58eb73108f726dba7d0f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
862afab6fb58259a7ecc846dd16c6dcb

SHA1
af081b60ffb5bdae44964fc22e521dac56236997

SHA256
724493c3621952b06bce9453419aa5e4f20fbd8fca299af0222285cc7f306d4f

SHA512
7147d5473efa095b32dd0471531ca5e4b173e999fe1bce394b6792fdb2c3f01a3ec358f8d2042f55f75af7fb0b427bad31488bdc72d0430fcade98eec271e17d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
b9b14ec25a33747c4f31517febfccb05

SHA1
270c68e7341dee402ef5a617239f4ff6fd559366

SHA256
596e20ca4e5f1895560964d2fe3ca0ce8c09d8f54c8696b2ec4f9be38937b1f3

SHA512
e354e50814a4d7d7f1e57d4dfe6214adf34e1101dfa77c32e827e926e9631b433f60362b494837bdc6d58c4f8cd24972fb33a644411c68785d1bc931729581ab

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
779856a8265ca0f4cb7ab3803b3aa901

SHA1
0178571babe49aaeeb188ef8e1eb6b57218ff20f

SHA256
71e59f5084f317140b8e6b2539b0af0ffade00e5a6c67f72e7a9716d29dccc09

SHA512
5293f35826e6b2bf79a39a2990c9cef2accb849189b7a3a03882154590e75050f9d2e5a7b2ead3e77d49b00446d0aee02c032d012bb3ff3545084129a7d09955

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
605d9295de09bfa1d2ad7bbfee5cd5b7

SHA1
e8492c035cb9918dfff9b3c26bbf0c6273ddf894

SHA256
f5503c125567e46aa980303cc7a649ec871de6b476c5c7232def792bcda8114f

SHA512
87a4623f555c9b04e0f57f4edf9a3ec2d2400f24d3f52e1239277789131d44e137c3102a5295420c59742603b00fb4aa41c8c48b2bac3d4751561e8695405080

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
ada8d05bd301f145bb8e922ebedc4632

SHA1
7f686658f172291241c7732a3cffbca4aaba6882

SHA256
111692fc09c2279d9cef4b3b11805dbbaa0bda7c72d0c802716dd5dc63182658

SHA512
034f6d7bcb4cec94ee47cde338538bf39ee84d868363287d3e6725d015b147f2d043fc562edbba0e82fb40316f780cc48a6b4e7fe4219c3fd1d891bfbf8b6ebc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
afdd719ab86ddc9601ef33e5dbc769fa

SHA1
4dea8429180a1d4042170fb09b77332957ec6ba6

SHA256
73e607855e9ee03cdb1a5388a1b0afb48bced2e0b05bc810655139ef6b9a65a9

SHA512
0215ec0817278eee7cccb92d2471885bd952cb77dd94b0b61934f6e79008ccdba54aad1b3d2fd551984070e4a058187a765eb8e49a3898344027b7275eb71b88

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
1b18d551e70ae9cbd178140b05b2ea61

SHA1
a8439ead8ff6c5456789286f9a45b48b5a69f4d6

SHA256
057d6de06efba8faacdd65ba82989f7e2745b6ae5987f4344c6df1dd78911e7c

SHA512
8f5eeaaa2bd79eb3e81104a679ad8e64026036b469560e2806d9e9ab56b0ce0eb4b2fab3479c4e7edb3d042e8cd835645d94aa913b7ac9423d0615d30c66fab3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
f4655c292e5c2d20f261ef94484b8555

SHA1
7401421193590305915a13d8163b1cfb6060b18e

SHA256
852405c9fb12fe825c687cfeec21f45b7cdaa8ce3df614632a7e5ebefff41f16

SHA512
5d7eecaf8e0b4e2f9960afaed37f95103506b35d0bd6b719f1e5ee433fd4b63a53198708a0952054cd76171f03477680c48d16af73716d4e5cfbc2713feaf977

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
a5e9aadbacb366be11581eddff4f9c0f

SHA1
ee1d5ff7dbc1af9c849f0ca844d224312fd1a9c3

SHA256
97a2282b33023fc672e9c48b54a389069da9dab00576a3d47431edc0424441c0

SHA512
aec6b94b72a4996912f2f2ccc031bce946e8b99d106f898fd665281ec21dfc9a5e99f89281630dbfc22dbadbdc9aef2895eb2c58886a1e50e5868847b1ce11b3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UI_ApplicationSettings.json
Filesize
616B

MD5
99b110161e0fd2aa36fc9ef9b2d65e6e

SHA1
89f4c51a655abd7ec1927ed50f38de907976d205

SHA256
02b56841801f740a32583ee1bf95c60a6ae43dbf87844779e31028b7b32296cc

SHA512
0add17faf136ccf770862e820ddeff300efbcac2a2f11a9bea2ff90b92f20b2e4bfc9d61fff7825b9c7c4defad853431a7f6f6ce94689428ffc9469c46097aa5

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UI_DCountInfo.json
Filesize
157B

MD5
959cce662010f577f209410d7ac98e45

SHA1
f2736831558935308bd5098f9f931b5878d477ba

SHA256
cd3fcc47232c67b422b42899dfcd3dab429bda5c017646614f80b1d3440102e8

SHA512
27e87ab54e1e51f8eaf886700ce7019e29090568887567684998b7bd9eaae206ee3e493975adfff1060952179af5a2c7bca737e28eb708d252913625309570ec

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UI_NotificationsSettings.json
Filesize
161B

MD5
ddfc5b7cb6846a992bb6e85a2ff8b74a

SHA1
9b86744fba06409d7f5a601dc8ae1ab1bb1085fe

SHA256
6ebac031161ac81624a8f539d732d51bfe2dd2d989797541e9a6fe51964fbed8

SHA512
333ac227265d919bbb59f86af94f6152eee5b526caadc8fb8ee79614aa10e4eb375d7eda987e8ed79dc33621fde9392ee14ce267a7c60dbabb00c1626b3de515

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UI_SecurityAdvisorSettings.json
Filesize
223B

MD5
ec3c66d2456fd33bacd7e37c93bd0a8f

SHA1
3bb34a8bff4cd4e66049362f170c552135fe50db

SHA256
c9c67b0004ac78fd8b0b810c519f1cb1e6486cc8151dfc02eeebe44fbaf22904

SHA512
c6bcab55a5efbad040e3e1b80e4becc9d174eaf36bf17482b27ebc68ca30ed500efcd718ca0fe9db55345a32c2c97a767742821762d3f07698640b8937812cbf

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
acf6e6fd37fea7c0294313f03ba05b3f

SHA1
771184bb88f665a5b67bda4971d453e72008bfb7

SHA256
fa15a5c9ddfd03b76fc152f258c9e6995d3f6979e0f8b7181da9991dea466184

SHA512
ed2e8ad2ee45ef503aedeb9f4eebeff9f0f73e32a832eae3bdd430deacd257267e111a989e00464eb52511c109078f39cf3a27e8cca02bd00605951473c7f376

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
51e3e2196d466962c77d492c20252cb0

SHA1
fc0dbcc153b261cddc96b3bec58c5043b74d81a8

SHA256
c93692873b10789aa578cc63fcabe0a0e014c8ceaa0cac4eeccfc0f027b62c73

SHA512
7d08b8c2aa79dc8dd50aed647ba9f91507ad57613f596aaa332d7f2c369bc4a7d56c159470aa1e1536d9cedb178de57b010238a6f14f1d08d6c4ca3f33f80d03

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
df70d52b69d9daf6f59aac9c594ad95b

SHA1
3d571c95fc35b713b3d0e3d6d3c6305a8938f77f

SHA256
69289e7b7cbdecac73fc3ac260ebe09c4f9f0229679b0537651b35cf7cc93f6b

SHA512
c4a66da3e71a9b32a3c3488dda6b27a48b704d029ff60d858637f672b830a8a7e1aab47d2e0cf67a8a0d8c910a36d9beb87f702333af9d0d7d1c196eddfd974d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
670287a59b06a00cef0b55febb0fb46f

SHA1
b8ded6376769416ae4a5569215c4dc50af5752c2

SHA256
00827d3a0abbe37e7fbed81d9ff420175d849fd29006ca141a7cc75c82b7d8b3

SHA512
2c4ea3b8be8650f5d6baa64f680090f4a3f2f31218620144ff8447dbe913b142c54ad2c6ea8f49a32cdecc069129ae270ab8a7296b490c4a111b511c702798ba

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
5009393de98b972cacd1d25c2d23db96

SHA1
43162d53aa28a690719eced5f2a3e73b1c32da09

SHA256
c8618de9717ec430dfc07a0efa424fcaa3f8fddc364a8e00f617dc7243cd55ec

SHA512
1a95e190ac79da190d89e2f141391c4f182dd3c4658524df97a312c8c944bbd7a336603d7ac33e9c645a8e700b4da41d514d0fa8b299a2431d82ed12daf3a670

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak
Filesize
1KB

MD5
91b4cfb2a64aa26bb7a79f10fa0445cd

SHA1
07aa4400a2ba1a95bb613509b2b94db00f1b5213

SHA256
54746fe6cc4f9b639b83daa578237250901bf86f23abdf5f9c0d0236dab3a1c0

SHA512
13fd366a37aef641321650e87374b0d3f97b2481166f8b6ed31b05a3be5cb58f25ece6ce424e7470baee2d79843ca21713a1dfb7f375831916bf9b4c50577611

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak
Filesize
1KB

MD5
1482f22eeea23a356504bb87cb787d56

SHA1
0204b85297b65bb85df240bc57c626025cd30919

SHA256
8c3e615471b4d92e2cc67575d7ffc1ac60dd3b5d0bed7f43288c55ec639344e8

SHA512
3b6b3ac2d7d4b60e787a4a73eec901ac55019184836c58e5d761b02b55cd04b3042591eb0b8d8f7275c176f1ef8022d43f634f6dacf03fb2ed09f49232070e25

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.json
Filesize
1KB

MD5
9fead2fda0e3101b7a47b73f5dd447b4

SHA1
b95232c4b629df568f883f2b76659151020997a6

SHA256
7e245eb2578d7c08de1f5247fa488725919a1c5392782b6785ab250c25cd66c7

SHA512
2204ef6aa972b1befe7958a86d1792ba607fa8980087648549c0e41e0b4f1bf57cffe94a563442432666754bc1eb762de08ac1b66aa5939cace63ba6a9dbd124

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.json
Filesize
1KB

MD5
82e132c813cd4d27950abb8f97404b55

SHA1
d7962a483fe5849a81bf933810ec62d59290eaa7

SHA256
d9e532f8519c2f9f8862cd06edb84d91b68ded61e9d28780117281a307cc1097

SHA512
be0ceea3134da628aeb7f2971d308946329f1842a918615dc340027911d117033633d6b49fe705ca182e2b31c562b6d811f73b115a88a135bbba159ba954ee82

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\VPNServerListConfig.json
Filesize
125B

MD5
7ed883264c4a36a4921dcbd200b96edb

SHA1
314cbf46f5cf8462b01be1418c5aebd5b6ac3cd1

SHA256
cf25f45e648678dc8b45c8a8463d7a46d3a27e243e7436f4fbd44e33c070ee5b

SHA512
8b71abad9ccafbe9d8e143e1e077e6a90a7745a9253b703931fcce433653092280a1a78cfe2534843b48179144e8bbc2f98b8ebaf5051f1619948c52818cd7ff

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\telemetry.json
Filesize
387B

MD5
32e32d1ba2df479ab2917633dd55ba77

SHA1
4b541b9290a7d794d73d1f826481eb95ae4a30e5

SHA256
1831c17d80e0216c6b8912e0a1cde1501a7dddb4e0ebe6a78b85889886670726

SHA512
771aa2f9630e6aa087b384e835badcd3f1a0ec575c6aab6de529a84aa618df9782e02a5c974d63eca5342071371a1410f36947599194b9a12d4301d085095f43

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D1E.tmp
Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D23.tmp
Filesize
504KB

MD5
b5d0f85e7c820db76ef2f4535552f03c

SHA1
91eff42f542175a41549bc966e9b249b65743951

SHA256
3d6d6e7a6f4729a7a416165beabda8a281afff082ebb538df29e8f03e1a4741c

SHA512
5246ebeaf84a0486ff5adb2083f60465fc68393d50af05d17f704d08229ce948860018cbe880c40d5700154c3e61fc735c451044f85e03d78568d60de80752f7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D39.tmp
Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D3B.tmp
Filesize
1.8MB

MD5
804b9539f7be4ece92993dc95c8486f5

SHA1
ec3ca8f8d3cd2f68f676ad831f3f736d9c64895c

SHA256
76d0da51c2ed6ce4de34f0f703af564cbefd54766572a36b5a45494a88479e0b

SHA512
146c3b2a0416ac19b29a281e3fc3a9c4c5d6bdfc45444c2619f8f91beb0bdd615b26d5bd73f0537a4158f81b5eb3b9b4605b3e2000425f38eeeb94aa8b1a49f2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D40.tmp
Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D57.tmp
Filesize
68KB

MD5
54dde63178e5f043852e1c1b5cde0c4b

SHA1
a4b6b1d4e265bd2b2693fbd9e75a2fc35078e9bd

SHA256
f95a10c990529409e7abbc9b9ca64e87728dd75008161537d58117cbc0e80f9d

SHA512
995d33b9a1b4d25cd183925031cffa7a64e0a1bcd3eb65ae9b7e65e87033cd790be48cd927e6fa56e7c5e7e70f524dccc665beddb51c004101e3d4d9d7874b45

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D63.tmp
Filesize
1.2MB

MD5
607039b9e741f29a5996d255ae7ea39f

SHA1
9ea6ef007bee59e05dd9dd994da2a56a8675a021

SHA256
be81804da3077e93880b506e3f3061403ce6bf9ce50b9c0fcc63bb50b4352369

SHA512
0766c98228f6ccc907674e3b9cebe64eee234138b8d3f00848433388ad609fa38d17a961227e683e92241b163aa30cf06708a458f2bc4d3704d5aa7a7182ca50

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Actions.dll
Filesize
4.5MB

MD5
20d70c6e04dbf14c01ab2d756e97854f

SHA1
f172c8b8c0e87d2a9ab064513dce004d16d03e0d

SHA256
c4002339b58bc493ae3540bafe1b2ca0a70bba0f853e29f60e0f6a1680fa9a24

SHA512
13e073cd4b3d53c6d9fdda671a55962266b5c0a18abcb5774092c35f0d0bf2c5d0d9802d8955d32cceb166821634bfc067dac7809c9ade143cf3a3b497743b36

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\BrowserSDKDLL.dll
Filesize
5.4MB

MD5
a3fe79081a59d493c01b5c1139babdc9

SHA1
1505cb4053bcd9b55c40227ad6b62a2457cebbdf

SHA256
60c8c024ff020f04fcccec10ee78872bb1e6985463d6370c6af095761d88b860

SHA512
22310a585edb36050ff20356cd9eb5129cdae3ffea2ccd7a54d9652dbd336d7f402ed119dc59ae3250b93bad40e75983184256c0bb239cff049bbb983f487bdc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.nm
Filesize
335KB

MD5
2608105aa68ea3088df2b1060247b6ee

SHA1
bb233d7bbf68b9e580fe55ed28172cddf18615cd

SHA256
0796023d5de214303e782021febd9411edd5e52a92fb9ef2ed76a5e44e91a5fb

SHA512
48cac2c97f158d58c58439c4937c2b63f6b990d076da0b0b29fdc9a9a94c7e381afa1364f652e09b0943ee5bbae073aafca68161729951effb63710812726699

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.sr
Filesize
13.9MB

MD5
4d9905dd6881decc32b5cd5e7bc24fda

SHA1
50fd49ce822d0b8122be721fd5ce9307bfe87975

SHA256
e05dadf2017e115f1ac05af30732150b8a87d0e7cf7b976b5d0ec6c3d4e98812

SHA512
aa4de2ac1d3900b761c67a8700e58d7f527dd104fac7f18e6cd4b00ff4e51ab9e627bd628be83447fdfd7c5cca18e410dad192ccdf9e9ece72c488006dd8631b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\cfg.bin
Filesize
845B

MD5
1bea85f6f77b365122fd5f51b10777e3

SHA1
2431dda3ae3310739fdbc59a1c40aadf5b0c5e2f

SHA256
ebb6bfbcb66f79d34e10c57e70b26aee5f99e11207e6f103c660b4c2a005f771

SHA512
01402e189787bb653c14400721acd55ed2ae78f94c4ce9d0c9b9fd8a49ee504136bee56deaf24291e0594dfc73489a973d54f2e19094ea21f061cad2daf35460

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dynconfig.dat
Filesize
39KB

MD5
10f23e7c8c791b91c86cd966d67b7bc7

SHA1
3f596093b2bc33f7a2554818f8e41adbbd101961

SHA256
008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

SHA512
2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\exclusions.txt
Filesize
23KB

MD5
aef4eca7ee01bb1a146751c4d0510d2d

SHA1
5cf2273da41147126e5e1eabd3182f19304eea25

SHA256
9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

SHA512
d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\ig.exe
Filesize
1.8MB

MD5
478df352bc79ef18c258b53f662b0885

SHA1
e80aff69534545fa437074818da66c5b06ce85a7

SHA256
95370683adaec8d785ee7368d590cac8de0e7add72c88c24aaefcbfde9ac1826

SHA512
1771d6d85614369c810a52c2044b4e8b6014fe4ee62c1586b28442eafdd0db50c9d514a3e0c94cca2a2450da2fca19ddca74608dea5ab0edf87a7d78b34685bb

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rules.mbdb
Filesize
9.5MB

MD5
c3a7027d9a707f95db4bc5c71d5b0aab

SHA1
107bd8dea65f81929a1833bb7a115f7c1ef5ae74

SHA256
1f082ea28185f7238fc921643f41de5c46d89eb3b66a9086924694343db4912c

SHA512
37c6d79014e0a220ded995ee32043d2a6c8c0afbf55510e1f32db09178696891897d097fe0e3892eb5602d305db58659e95df574e0202c81c86e07a7d06e8b43

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dll
Filesize
529KB

MD5
71c2939bcb601b29868a2549fc22a827

SHA1
e4065e0a62cd60915ebae2d510830f50b3a4c266

SHA256
1a2348213858488dfb80c9ae5ed650352879a9593c776e56edea92ea1c1e146f

SHA512
ba2f9a22a3be1f470dfa7ea933eee04d4fcd5c8b38b0d2d3ed38d197e5f3aa3ecf3f82fdcd11aad34bb427ea39ea394220ba1a628c6aed3d6c80289b795b1028

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\scan.mbdb
Filesize
908KB

MD5
46ce3451e9ac80acd5b720af0c189472

SHA1
c75f44564523597f5d4894fcaa695043d273a261

SHA256
3285bb64dbfbaef1897220200861d9b538e74372575dbb5e789d4ea3efd2b45d

SHA512
1562b6f6d155261a753280a9e0ec73617cf61dc987fa20c5d69a3591b725e34560ed5f81ac70d2bb7629ee4c70bf87e67eee249d22c98d3cfce0e3389ad379c1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\tids.mbdb
Filesize
170KB

MD5
f1140374592f32473b08c28c0c4b5864

SHA1
166665c0b71be30b387ef70683780bf81c391d85

SHA256
99b205c736c14afb805bded86b96fae95a014c70c4e3f1cef482b8fb7606b6bd

SHA512
24201abd35b9b2ff01f52c0d244335c47f7991f00d68710a45d70b909ade26fc43e1c27dd4a0db30aa0a730c7299bb0fe96c2192ec49a054a8d73c3fded089bf

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\version.dat
Filesize
26B

MD5
2ff776305ff19320fcb13ee607c83a09

SHA1
e7f1ed8744f951b8dcae6474e3d9fa8023332171

SHA256
ba7fce5996dccd4dcab0ff6abbc9d3a2cb2007a8c3255bc5ae17a19cf83e3180

SHA512
bbc06559e548fb5fec5db3fde44800d98f5025ddde58e942a886205418c5e1a7fd35e44c71b6c2abe61c4a1d876bae4a58b1d771367f1cb37450c341b9f15344

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\wprot2.mbdb
Filesize
26.9MB

MD5
7810b87e0765e9bb983722f9b0dc90d7

SHA1
26f2f3b0404985e9e8ce21cf239f99cecbad3b50

SHA256
07cc24d5d7a3c08b7ab1fb763fa05a74ef9d376c44ca8e5db649b3dbd69e8724

SHA512
1fc3f45b43662c118818382c9560dccd2e5439835428072e8b0a3610ec7402f8a711c479b10b1407d905cc959fcada64d3c7b0cff5805b186007997303eb711d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tmp\3a5d117a145011efb05bfe55e2f65ccf\3a5d117a145011efb05bfe55e2f65ccf.zip
Filesize
21KB

MD5
980206a13564b46b9c98b617681a6b2d

SHA1
d21c494ca496105508f9de2bb0fb468fdb5aca42

SHA256
310eb6d54f314ab8bb7b6ee791466b71873d2609ecb1368b2a422c073d87301a

SHA512
16799317269a13e79768c74b88222c0d2674bc7cb2268738a85e7785c3bebf4977d3b4903e6d13cf6e8872c922668024ddee6d588550bb2adbc052ec3bb9df0f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\SdkDbUpdatrV5.dll
Filesize
2.6MB

MD5
5c4b6998682070ad73cd246eae251ccb

SHA1
d4e3eef6332a6598e5d63741f3407574c7de5f5b

SHA256
54e0e90cc5cfef91ceab363c6cad54c7190cfbbecf6353181779938a3f8de8a1

SHA512
e1f844ecb631b628ff37068ef474b070e22c5be6453c77acde53e886b7e9109f22d09748a7902e64237f5cc9d05818080c0bb5697918235ea2d4ceefb68b8524

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\expapply64.dll
Filesize
365KB

MD5
99c8e47d747b36be8ffcfdd29b80dc3d

SHA1
9b8e87563fee31abf90bded22241f444b947b071

SHA256
0db4dcdf3fbeef2c4d18555f479a28dde3d67ee6f0d27c18925207142b7a38f7

SHA512
f9cf4ec06585c6cde57011884141782bde83adf186f57f75576c8dade1e868d6b886daf8fa15c55ac908ff995c4b6323c3a8266dbd664b807cd67cf788f7074e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\mbupdatrV5.exe
Filesize
5.9MB

MD5
d7fccaaa00479d7c0d1924870213772a

SHA1
73db951f1309d0198d11eeae2d31adaf650e74ef

SHA256
e7628ac2f2ec739f6ac7778aa8ecd9c174e3a3a2dbe8239f3ff6635bcd848e4a

SHA512
ecc97ad624cccc47fcade65e332a4e3216d1777da01764749ff3cea9fe04bb0e6f28183aaba86454b52328f5c86be5c8b5b80ed81e015ced443e25be6e19809c

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024051713.000\PCW.debugreport.xml
Filesize
2KB

MD5
94c2ce90927dbd9f6a6500dfc5479297

SHA1
e9a5e6ef1c93b97adfbf7810ee77bfff520a4d8b

SHA256
dad9fb4fe5b0ac763f5e0c0c39b6d67b6c1b26d4f1a88034444cfaceeb13268b

SHA512
63377332b4b2c7e7acf015be9923bb88c92e5699e9c2125ba2b4399987f748e0d83451cbf2c9353ee2c82ce8edfb68102172f32a59c234edfe4de4ea5d8699c5

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024051713.000\results.xsl
Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
280B

MD5
f90b1b24a30f6921e3b5f11972182142

SHA1
856298f66eb80ea8fcc93369a1ce6c850c8f2e54

SHA256
70b31f95b1ab10f42ece582a2ce06a5b7c38fbe2d096e9d57e1d192c37d79e89

SHA512
dac5023f7c047dd739c170968375aaadb1f3f7178e29b14867ae65d7b1277e3c69bf2087b2a381737224b3e0a93374cadc0958a57158d819d24fcc52eec830b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
280B

MD5
d681ac4d80669a1da4e920ab05b02301

SHA1
b23baed297208e6daaa2b4cbda4fef3fb14268ab

SHA256
941c17a0f7d138aeeb8f5134a5e333579b3813b094344b73cfb535a9515a8135

SHA512
eab83d8a9f0888b4880657307ffb4d1c328cba32f025e4108679d71ed19584070f8a30fb5f34ff84f6f0576e6cbf97d3194918edf6450e890ea597a5302557cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
280B

MD5
9dec35c5e4e25445d5c48f4f29c98b80

SHA1
22df2e84df0a443041c44b27449288b1902efdd1

SHA256
ce84197674d62f2bd6fa83d22ffb471892875b22225bfd60918772797f5c8672

SHA512
78d87431e02d05c8d9520cf057d09beeb3cbe53b3f16c70f3db57a122dfd70531ffaf44f81ebbd62e0d33928072e0587a858f9b5e23187661963d635e157f1f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
280B

MD5
2e5b3e37006605c9b56a6b02349b6e67

SHA1
8c20ab3b7d3f23bc6649fa4c9362c5cbdcd39d57

SHA256
6fd51d1b39a3c0d1cb41bc8997e478843ab4bfc4f429929ce940bee8f5ba7c1c

SHA512
c7fa67670d73e3c6bd6fd0d7a71fab31958ad64ff0d9865ee0d238af03ce75c438b7e9c1e1c45d6947320f11e5524097be09b8021c89626275f6f4f8391420c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\97982bf7-6f74-4256-9003-561c22936656.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old
Filesize
334B

MD5
78c98b8242f26f3ffc0e4103c51d0527

SHA1
8070603db89c1665f02fa72a4aea1b46bf6765c2

SHA256
6aa8b33a0008107dad788c5120d538cd4c7b5f2a230a8bea6cc978cf181644d2

SHA512
4f93e6b3d035996c09755d1129e53ddc575dcfbe8f72172b1d1a0f16b6403ecc730affea7dba821d1b3816e71df44f95792a6135ea760341bf09a20ef7279efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old
Filesize
334B

MD5
dd173e41657b60aadb59251597b002d8

SHA1
0d637e8e7cad1a0514fa5d2839f9258f9233b294

SHA256
41b8a885b764f237f004611eae668c3da4c76b501905bd54a8e0b807527279fa

SHA512
07ed34df0687bf73e517287f043ebe6edec834a0db6185ab1bf1d3d612d816bb6e116c1e131642e70c7b751b0267e2522b0243b0f799622c4040bf7a61fdf4f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
a85c7067edd5e421f65a580e44072743

SHA1
a7ba62f05467186b76d43cddc975e88f4a59e37d

SHA256
003d63d130818d20aace3a0c16efbee46516a1c9085f8b0324288107e58a1e3e

SHA512
2a4361f750a372f2fe109f15ab0789f856b9ec1f6617b554a5b4a92775286c7b1edc4aceefc93db1adf48fde6bb7920e70a2577d93ad92163b482dcd4c73b4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
c77afaeccb02d8505c269077591675bf

SHA1
cc12489ab10f1be6e6e71178a4d3440b13a9c6b5

SHA256
16bb26d29ba84ae79e5b31d62f10320f1c7f0dfc75eb406e7ced5128ae39bc59

SHA512
3df03062eb976aee2b08935d41c4a2e10ddb75d8ecabf476c301227e62afb98ebcd9b019e661b12d73ed1f17240fb06ebc6539c02eee46fb78b91950c54204f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
6KB

MD5
32341870fa23785a16f6c79840de1b0f

SHA1
b0106274e40ba2a833d1a59ec8bec5254898b87b

SHA256
92e745247960decc0de87ed8359b75021c741a7e86c6825c51149d2484df9173

SHA512
0ebb04118c476517d425ef40d08649bf52d5ee2fcc3336f6107290b4c7f3a78532be9345243fa91b8bf4be2389964dadf0930efd0d21003ea7d286c4ea9b3873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
d54e7efeba6c9b76bb9960c6834f729e

SHA1
d7c4f9d2f21203c463839cb034e82ea0b673549c

SHA256
8bebd01f5e8e13390a3ee083750303eef8b8c42cf8c9709ec05225bca38bf124

SHA512
a288ff555f136bf47334f4a4fec7b3ab0d124c8914864411f59f85a89e350e404f5b5f8267d20eb62b846b171c47d988515cd96a1d5738b5a1d11a83f31d91b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
6ba6db03e491034dc1a444dba62ad721

SHA1
da6f58b26663cb7426160ea9f0a7dcebdba4a433

SHA256
aa9232356722d740db60af2f512d83d752e1ee5cb387fc3be1f3bdcb10316082

SHA512
58d02009c5159b5f6c8e1b25664032981e7d6ce9cc7d51540f06c45f06bf712002683e50282cf6b482aa5ee7c594ae45890d46215381f1e9ac565c5676ab99b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
6KB

MD5
611f162bb96d59ef3f5e603a011cf8a0

SHA1
bb6d170005dd9aad75e4e1660755a95fffdfc899

SHA256
ca7f90decfb8e131c3e0933cfc26fba309ac44dafb5684dc1d004d4bfb82858a

SHA512
844088f11825747693e4ef185e55fb5f341a00d02f511265bffd9b86d844ecc2acfff3ad8da45080319bb26537174d5804b47c7b51e2cb398824c1a5eb3a4488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1
Filesize
264KB

MD5
8f91ef25b3a9c884ea75f0ffe0809ed1

SHA1
7594923c916d950b710bc45ff4375d58181edee6

SHA256
305e0e7ef7936ae8eb8b019fbe72f777e5766cc54db3364b56135467e45a2082

SHA512
b1fdf856db9955e8e7bde315a0c6fbf155d3b2336aa2e07d01259ba387585062d5aa1606d62ac855afa55a68fc4fb73ceed1454d2f47a82bd1cf48a83dac9dd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
4ee8c67655b5bb09bcc196cdec216fda

SHA1
3f8b2958d85e75db23a5a1b4fa7df6da9e2aa2b7

SHA256
3d8c40969053845aec19cb038d5a88f09cbb9c93be5f450e3c52b46ef24e0b7f

SHA512
08b0a4f9a77b41eaa0b8cac332767bb15a8efd5b382dab514c4fde910c0404c2181b58cee5915db93ff6340c4d28bee42864ee8054985ecfb78edb60c36ea8c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
b11f011a84bacfb7886876a3f3dd10fc

SHA1
477b32b64f02eab43df3065a58bb9c8762fd86ab

SHA256
fed6ca83f3047d7dafa8d2adc09b3a51aeaf7e85babbca8d0cd45476732117e7

SHA512
bf4ba8d561577c17559b280bb80559a8eba13fa330c5feeb1c423a570ec1d44f35e4b551cd28ca7b9a41333a76a5ed1ba0faa3ca9fa97537cffdafe505e3f21b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
4f417563d5527611b31a2d635178cf1b

SHA1
e8c6b843e5a2f3ecaef3bb45dfcb1067f78c3979

SHA256
bbc9630dfcc5266a484a2b340864100eabb7b711807db8793015df361b53aff5

SHA512
6f2baacef82fec5fd0560eaa19bb4f4d6f667574ddcb712c45c6e951e038dd4b5da1000ba9a49776064a45ae45084dc81bc54496c0faf5d73adcea3ccbbd2d36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
211B

MD5
5efce71816ddce509dd4911c909ecd6c

SHA1
29a852b8943bdd2369f151a7ae34d6e818892f29

SHA256
21dfc3d537bf6623383e334908ce663c36706fc1f30a1e8fe1685713ee78165e

SHA512
8f10594fe0edcd4b815cb173ea89e2ba90f347aa0745463345411c8845e8df9e35139ef47060774844ab44db979e8719c7e1463c35deb9b1d9b7759a43e906ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
211B

MD5
ec6cd0a9f1dda7a1b8db5714e66cb501

SHA1
01c11c11e839f37820d75bc1dc104e603c65b9bf

SHA256
923e30ca8aef04d45ad4eb56644779dd8db5c8262a37b9455bd9269c9ab2b23c

SHA512
03c278f5204875e05cd3d86a75decfc5174af365aba5016d7fa6d0f67df16a52a80e13f9e31678d5a5a79b093fb798b07a789712980a9ff243b978ce41dc5993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
210B

MD5
ebe7d45f4d77d2a3ddc67f81c9fabef3

SHA1
3262c4f89c2178d96f2ce25ed53c3268523ea596

SHA256
8beb2d8da6740db9b396c0db1a1e3d5b0e9f38ad41f4face5a68d46a66da0fdd

SHA512
6f02eadba3014c5e0e8701e4d60bbff33aecd6330354640a3c80dee8a0b011b3eb2e5451ad801ec51e081a1f232312d201ed5c57bc6f63328aedb0a1f97be59a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
211B

MD5
da823bc5da6b1ab10771c4eb5c3ad3be

SHA1
90823a95e758451fc4474453781eb6d0beaee301

SHA256
2cde8d26d18c1d53241c9401ef68c6684901535bc6b803dbe82fac1e7e7e39c9

SHA512
fa7222b0a1c490c975b69c31c6fe12f2dc352802f04514a3d265808495b99ce18700d31736b7e34c856fc0e0a7afb58df0a5eae7cd4ba857268f39dbe11e4e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
0a939f230e598e58ddeecbbfbe810b21

SHA1
8c9541313ddbb6cc81819f31f394cc45a447d323

SHA256
867029bfafa35c50e820c7be9609bf4cc22806de4dd4798b1331b33b5983a162

SHA512
3c7847c570e238b2f66bbcb84e7649677978e7a5e15cc38587854eb65a8ea76f1fb483058da6ddf77a28061adf1f7a234fee5c99f54eb6841c1511edb559799e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
4KB

MD5
4028d4e5397be62ddbb70c06c1349165

SHA1
32115375cbde26b38a33f4fedc4aa765fd74a332

SHA256
3bd2901af1c53b1192e05165ae8f27d39111c9ffc2c32e4e86dfc6f96ef986bb

SHA512
bad7e1ee4d1247bf94844e90280ea358eb69475b52747324b20be86d32f181378cf2355ca723369c2f4fcb2606516ab2e6ef4add1bc0b56e76e63b4a78adfd14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
8274856c9b90925f28fd037536c5b28f

SHA1
db3abc0645408356baf97b21ba4eef2b13959741

SHA256
d2001ac40d04abea15c1392c1fade8cd0e9b611928c7997530ced76d6162e7f5

SHA512
659f2a2fe00d4052a55e8bb2be67ec4be739db130310ebdeeb438ef7d9a39cc1f0caadb0a3c92c07ef792d5efb973ea8bab4b9c3198bab50a90525f8f270b961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
9eb1dbe1dbb7f3196a06d0c908d1a1cc

SHA1
f9b57ae6b52394bb71643d75ff8c0a1d6c8f2380

SHA256
3475d69a654a5e58fc89488e724b8a81b29bc65066e63878bc0da84fff77beaa

SHA512
3605c4234a731a4bd0aca8dae1176d6d3950f2e56756c5f343c085f686029db283d402076d278c4125fd2fcbe89fd87e87d2ecbdf7b9525eaad75752e7ee8e90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
064140923bb7b82e459c28e91e40d253

SHA1
00af3f51c6d359857886146d04d3da3af18f9947

SHA256
ce8906b3c0f6631a0f9c88f92294b5e5ef007b3061968974689c03013219a5d3

SHA512
e9a3fd9224694ffd55ccc9cd1212380eb471ae255882378834c09d6853a37da573d7afb12e751bedc3fca3d9a8e4a184032978f172846531ae4ba926e8538bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
42c7e608f71b99ec0e02b176526d71c7

SHA1
ff431ca197b34868da93d709a5b6450f3fe32e48

SHA256
3ef3e36bd58f54059351e70779b2ffd61fbb1c76af09c13980b8cd7b26e4c93a

SHA512
d10795e90e2d6cb1362e9f0a94e055089bd6997c4dd915b6caac675271636a733a08b621ea6d0af662a968dcee8e01bdc2765434bad57defc1297bdeea6c2b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
a2a4442e4b23d3ee69c1e52f6e095374

SHA1
2d048437ab189ae92defaaf805d990ddb6d7c194

SHA256
7c45c15abb48b6347f706efa2ba350b58bdbf23208521dc9a88cbf3bb0a726f6

SHA512
6eaf5489ab3d5c19a212b3b0e8959c70a25f71c477bd681f2edfa58155ad72fc4d989fc65dedc52aa57039769a47218c097f0959d080d637772d8a23d771ab70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
4KB

MD5
06d6a8f084c78777fac602c201d16564

SHA1
b39f9f2046266cbfa53e8559a00de2aeabf09606

SHA256
3e8bc867009e0fdf5c49bb62efb59f7e4b02f8c3c6a1dedf6c4559ece623be68

SHA512
5475a112876ee1dda5f4e5190a96523133233d3b4ddba7f072df6d63345dd24e41960ab8048cc512433104a3e4fd3e67059d2d411ada1fa5c0d3b4f729b43f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
4KB

MD5
877120afb5fbd87ce43f7015d2e99ca3

SHA1
0778fc1ab229b317815e88ed7ebf345016cf1646

SHA256
a5f5ec94c48182b3109cd308b3b856ef25b68fd17191ecd20ec83c2991bd626b

SHA512
95bc1f460fb56e72cec1e3fc9ed77f4daf5661dc080fcf35e4636262f3bb3bbb9f00450fce2fab714a996b3c2a866b97564a4245a521a6da41586fe50e1ba307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
ebb6f8ca4e6ec844c9fcfb37cd4e2788

SHA1
ef58e469913260f5477964b2c84163dcffed2a06

SHA256
34818b19377e5eb969bcf4a9e3e7b3b7b17b5c23e11a2f8813187e57005a26f6

SHA512
617edda232166d7f44ea189b0fe6d5cf60d4ea721fa7ed0902b52b52e1b2efbcb469e82fe669c3f7ded0a0d3f4f47d2412acf969876c3f8c9aa731fb5c4fffdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
23589d87a30a7e740069124f8d158df5

SHA1
3730e9882d6a0527f9a3db4efe4a621b8d724332

SHA256
d8373c5a2b96a519febbbb1a575ddc07f0a9bd441d629b44f6dea82c0f06ec3e

SHA512
da0610659c9c56c41a5b221cb7084381586992d51211f3bcab73cb3a449d970c5c8f53010b574aa7e29439a83148f0abceb80b04897396e5cfdced600a14cb98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
9965f05196d21df78e7ca173b1cbb743

SHA1
fa6a5b1c4186f9f33b8828fe2784cbfa0cb082aa

SHA256
eb3cd7673c9e9e897941d14d8f098d74a0b70c53f881e102a0d6ebf54a605775

SHA512
36893b4b0cdebf98a7dc67d1c4c5e3e562cf729ce1f82277b9f627ce740fb881fef7702f6753aa2e57caff55e39a9c530b0e7be7576b308a5f455aaa211dbb05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
36fcbfa5a5a1ad96fcc38f43a31ec143

SHA1
2420a87624e1d887382b8efd92fd0fd6fa1e090c

SHA256
f26e9feae49a58cc95135362106aff4b77dfaeb4e5546c8c17435baf9a9fd61e

SHA512
5b2e9df72e6e930c996d36918452c0db9d789c9718165e844752adccdb8ac70701dcccbe1430cee04116f85a9bf0580ba90edb50230aa85e878553704ffa3610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
3d5ac50268edaafa05feaca4bdccd339

SHA1
86d0b1ee2c13b02857522310442bd1cacc1a39e4

SHA256
897c0f57d53da16e8a07e023323bc5aac737c53934dc107ead7caf55de5e942d

SHA512
219421df9b4f36d5aa48a218f1bbe94cea2b19f0f7b10dc4aaf34f76b29579ac2102841940f78200626e49d686eb13240339962c1b2362f4d251b6fce98ccfa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
a564a7644c71d83d73664fac9d3b4654

SHA1
84373102b9b150d2863e30722d01ff2f981eaa74

SHA256
3fb33f4cf6072bb8652cd6e849e8b5f44bab114f3ecacb0ba9f4ca03eec019ef

SHA512
0397a022ccccc4b59a1bb82ace2550819df073dce01472122163317ce8ec551926b04112a1353911ac4e952c65afa5245d7af19d80b33fd97556187a554136f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
4ca6484d6a7df8298b1e794ef48f38b4

SHA1
e0280d80aa95aef6aa307dde17b3bea710c27383

SHA256
924d0b0854d5623a3e8e57d63ebe09d47280d8cef385e33ff724d5e007d191e7

SHA512
a92d1204816a5e72cd9c28bc47a2799c8127b833a5ed0335777a249306caeb657f974917ed5d68b5297375989cfdb5c5a2ebcaedaa9e1b800e4a09dfa4fdf78b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
f0131ce7696fd1efd505d109e597101d

SHA1
b5ad005f71079d0d8edb8cfbd5dc62c8105af573

SHA256
cea237e08380901c0b163b351c1096b9c270386e8443e061cb22247ddbcc05b3

SHA512
266f037dd9f3d49959858bf37b1ed1d57c36d1be2009261fa7332bd46758d29a26731a757212ebc234a3291cd1e62d8c972321a2233f33e2b76a21b32fcf267e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
f746323bfdb558e1813f0e3c5b851987

SHA1
12505d6d319b09f042058695daf45344333d6ae6

SHA256
f95ccdfe8c19679c482fce39d9d20df12c8c6335458305340786a7ddd7d4fc95

SHA512
32ba335ad3b6bf04d42f3853661ceabe48ad8ac5f2b44f6bf1d4f794f72fd69f89f22ec1224d675ff7afad3e93e9815d6dad775d2f2364bf5747ec363073e17f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
3ad9841bc3d002b81378fe9bfa02105d

SHA1
1493f08b21ab05e06f47b8a0bcc6d94e46850b9d

SHA256
4a4db478ec38bd4fc65c291a22909b2bf19b320a169ac28e250f76e3ae86daf7

SHA512
2ecabde50193a6ddcd78b55054356878b75023ef202e01aedd953917cc89711cac0d98e53323681ca3cea8ab4638700348bdefe2c3cdc42ca49e98030787aac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
d8847c024587c678ced4ddbfb2e727f3

SHA1
e4a21b01aa68b8a0cdf598bfeacc9d1b2395c1b2

SHA256
460b034a7ef41f46b0c4c97c23e3fdc4191526fdaab9b8deab2da4046e350a21

SHA512
4e26265581947fee77ce308776695d5a4f367a6ee610eb272d318a03e5e41fb7e9e0409bd6b7d92ffc179d10c4128f81019c94a9125efe8c6b610799dda1f22a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
d2bbf562dc1fda77223ce7cddab580fa

SHA1
3f19e92819705bfde2572dc5ad60aa2c37265cbc

SHA256
a1d1ac57b68780d6df6bb9f4fcd52267a0f857c6dbcab291dae752305a98961d

SHA512
51236639c1edcfcc4f0d21b85fcaa58bc7abd523867dcc66d1dd9272b170150d7fe438e16de77bfa14cf73326166d8c2ee38149db7778a2e27726d4123a0a5ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
60db4c2280e79c31a39ba9a4687746b6

SHA1
84994794fc9dd61f7738830e31c4b27a03bc7af3

SHA256
5f1db5f25a5c2433c5d694f924c1c08d48eafca75181755e63cef7d274887dad

SHA512
d122ead8ce57713159d7af3f59ede1d1ca65a56ff7c3157dd763e945b7f27e5cc30fd7ca78da308e85df1c813f1386d82ad00a3c8520b7a42097fc74c232e3f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
16KB

MD5
ef64748e21450d71e8b6674a476e9171

SHA1
fa57357bfb0c93862cd4f687affbbf72a743988f

SHA256
82f9fb2b7b192a94b07b75e8f374431838be4ad653e3cb9aaeaac8412e5117eb

SHA512
8b65e645c8ae663916ecac7b19b7afd49f9c4ce1fd17fe24fe267a2384e3cae59f8f7fd7e9f93c66fa6fff39a45b4d24df6ea9b1df90397494929b78bb5f5191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
14KB

MD5
278cd8457aec139f9131df5da702d603

SHA1
277cae0d14a550068410774975651ec874712ad0

SHA256
2b6e180024d80585bc623cd35ed0b6fa9d53972f85d2560418000df0af142aee

SHA512
a04e1d509be3b2f3ed5fc6e90106258eeae452751cc3299282f7732c725bdc10f505e18c573518740c6268797a0441a5e189a378addfefa7dfa6e6834dc5834b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
14KB

MD5
da06830beded40a85994933305cbd0dd

SHA1
2e1c3fbca2509532aeb757601fb0e58fdc8f0493

SHA256
fccb89d3baabbdac1127e7326dece6ef00f863f6ab9c299d65e3747a55230e5b

SHA512
c0c7a55fbf62fe772c0c157c6b9f42721dcf9f5b57ecc0f59c482879ca498ae3affa09cbe9af3c6c7272937cf343fe36baa25769225fa00761f11ddaa78ce5c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
15KB

MD5
cd43cbd00fad6c7c00f3e4ec863896a8

SHA1
7d8b92212492ce40af07dbd38cf3f7768e2ad3ac

SHA256
5c48b0955e22dfeb3a388a004bc953404313c6ebed9d84c5e87173c2105855cc

SHA512
357c6f426efad553083448ef81bf2ce7bde7ae43a6a8ebf00b3e01a71789fa6aafd1ef6af2b17cf022d1704951dda2e8ad3233767907000ec858f3ea1f9c73ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
14KB

MD5
08d4c3fb1d52da88120cfcca236a218e

SHA1
2583191fdf8e38344fe874ad6b0faf7b735bb802

SHA256
241760b5e4221cb0a378e94c7016b5a7ed0c3515b82127757128c30624c92dcb

SHA512
1361ea9950a93c746ce9d28248ace75fe4cd3bbff695c5a185c983c8283ba8e817372f25af24b9f4f28f45540e4e621f08af42cd5800cf87ed0b0ba12ecc7fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
15KB

MD5
4f4cb2878fd9516b5bc927c709882f3f

SHA1
6da13aaeecab3e5fbe951036c763e19a63f41cb5

SHA256
3185666238ddef83954105728ea79e18888f09d24c8e2121cb55a5ec58da536d

SHA512
45f6b1daa8c38b4a86f11dd3ed48527d2cf2e20ab23f8dcf238853673c0f6fd1af095f7f8decec81784660a8c7a48edc1692073e8087f8d4021c22389d97c650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
15KB

MD5
88cb1956373da73a56a599945979dcb9

SHA1
2160f30d6f4d70a45a9b5ebdf884e815ff44f3ce

SHA256
53ba127ed26f788932ab346aab7cf28170f97c57ce31c1935eb8719bdaa1ba3c

SHA512
4f201433e66147df23037de1400c73cd026a3c9bbab0ee1e73f616cbdb14225ba6472694f7fabc13dc7882323a18c8c77d0ebb473369789f314f997a52857ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
18KB

MD5
ad2909ba1c23d18770b0a6e478b708e0

SHA1
1e2c465a1ca7f12f94d843f03a301f690ec06edf

SHA256
53a5041847aff3538da0c9565ab1e6237ad51efc63a23d065909deacbc79a464

SHA512
e93ec3d7b9d39ba9723d15974c4aabb4dce32f97dd67f93f6cdf8272a6f10f0cbe880fe65a21d5a0bf4c2ea1f5cde739678d5e9ae076b170b7fe4c43500fb5b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
14KB

MD5
32f38ba856138283da621a49230cdb49

SHA1
b4c888af9e9ca3778e8dcec3593b11d931110276

SHA256
2276910eadbd91ab8a617399f304b769ad31fbb6211f601bc4401d93443d0e48

SHA512
f7f3c435b61090f4bd2e1040306b04edb2b6e94c2721cd8fdc75531ec276e57fa4af96e4746168dc1411777da13ca4272b21f37f2ed740911a92d7fd2c570ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
13KB

MD5
966afe041e9390832f3504cd0efca62d

SHA1
53fa8b9348469f021514dcadca843332e9693ebd

SHA256
3901edfc335b07d9b79f58760a10640b3a49139c2c8dccb05aac822b9045ec20

SHA512
1328dce0d416de30643d8e977b9d5ee0696be96568dbde1dca6ca0ce27c428f8804a9afee6c5df5c38e8163f3f11e286ebd0a5ef62b8e77d8638b9f8e0dfc83e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
14KB

MD5
526b7a17f908ec4e14d86ee0957362ca

SHA1
3d62b8ecf620ce675a40d3eb3c349bb5d77f3b70

SHA256
aa9a7a8fa107cf65c9f175b7cbfbf2cc9238399717f3908257a6d11ca020c05b

SHA512
42ab30188db76a044921e244ead6d7a5928fd95e5a18d927e57ff41d773e978774b7cf72d0e4a15a649409b64bb1eb89be73a83978dc32ff181ef2a32f4b73b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
15KB

MD5
123b3fd55d2f54bd461f71c5fb25a9de

SHA1
2cf97f4a77bcf950218f1182e28dd0fc4a52fc8a

SHA256
f442e386b30db90149b1f5fcc816928a7c937f34491a8b6da8f8fac531177d42

SHA512
d1b86394111c14296c0bcea4e7b098f1f4d1c86a1d329df74e83239f8597373ae53a5152989a7eaf3381d03de7a2dff9697950914cb58f91a1b2395ada4c2eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
16KB

MD5
a1e40b244b289d5c7572d241d1c7e171

SHA1
2a8a1eda42a3485a510bda07fc66d451d1983964

SHA256
027f7e0fc2af64dea06ba73ecf649d35c655c2360d47e44505973b8082e523ac

SHA512
f4563c07354ca066f4c42b82d744c0e987bcb23ac07ea886019b01c1a154a30c9bb9683dd91877fe0895b5d4417aa8e1af5fa94ba89fef9e23c0185a7745dfbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
16KB

MD5
c649908938a07d74f0267c2652c66ed1

SHA1
68c8a814663c058673ed2bb25b668439957e037a

SHA256
5fe9ab3e1b3e79821dd3a0d918b9fef0258f6ea8ca907f6e767ee812adf09a6a

SHA512
74bd16167223996766d719c45e200f46487fe6c4aa8f4bb57c845f916b8bc92ecc02ca8c355b78f0919d8b6015fa66a5632687c8cdf4cd4223a491e453ec49bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
16KB

MD5
fd61f5ad3d8d887d14dfd1f2261ecd01

SHA1
89eaa3416af7a60dee389b4c50f4174b5fa5e7f7

SHA256
1e9fd232afa4ddb5ea01dad20c0a843de1bd782773da4874d11466b178b5ebf6

SHA512
e9ec45ca07266bea99daa846c35a4cb83d1ab12c5314479a8f633de21472633adef800281eaf4c2117f8333b2f450d472ea1ee75efb765914dd556cc005c1cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
15KB

MD5
5f64bbe10f84cac7d3e281382f965810

SHA1
73b8fe9d51c03ec1a50e7f3bd3eb06b845f744a4

SHA256
2d1372e763b87ea0f6a061714bf721541689536552fc01fd73c18952d2259252

SHA512
54c9ef0cf5a95f88816739ff145abfd61bc9371b79cf74598687f80224cc7067743b76b561ec17028308fd031a617dcff012fa201e515bf955a24303629b6875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
18KB

MD5
834f51e4a1a54dfae07d0aa90c23cef4

SHA1
69bcae5ead449e0940bdb2fa41c2a3952c3d789b

SHA256
ce7ceba2902a12c2d7fe51e9ca280b4172b719fd37776efa156a738b3f2d6d29

SHA512
810f9e5138fb558ff6984839b23634f40734ebec2eb49a769fb83ffe2732461ca2f24fe8b424f2b45b6fc0b837d6f1d273ede8390531c95acd675f9803d54bc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
15KB

MD5
3513c41a93f7c9b0a8cd648b900cbac4

SHA1
956339e6f6e7428fbf7436222410755df709e5ad

SHA256
8f9f71c77db2d4e834754cd8ed36f7774afbbdd67131aaccbd9a1b17e691d2b5

SHA512
97d23bc00a5d5caec1d632f300bcad49a8a3868374ae6f3f3a2748ed38694c3ac9f9d275308473d356fd912953c224410a37486c02feb24d1420592051ac1ec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
16KB

MD5
279724e5a0e4aad3eb37178422956deb

SHA1
c411e9b73a4e7f88bc07aeedc4096ab9d899774a

SHA256
fcbe5637dcf7aa411ef04b38b776609b4d0e01f9a444528ea7c7aabaf2a64cff

SHA512
20f2970a57a33b7796c31ec7f7b2c35f5cd21161c3eb9a4492828e963938dbee6f8fa4e5fbdbc9ab923e52969770d77e2cbd910ca17438886df671cb54b86b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\default_cloud_config.json
Filesize
10KB

MD5
57568101acebec0d0b6da71cae750ffe

SHA1
fef13f40e93641a18401b572d2004a0d88c4cabf

SHA256
ed8dd56e4b9f5b0a5cd21bce41b3dc5a863e7960e0880dc454124ad84bdf5660

SHA512
9a3422a013c8941d7c14ba079e7c871ed23884cefe9d5ccb498acc2503c4745c5cc8ed6588fdc3d51260f7c3bc14f1d47b9747e27def3d40b842f41b2436c796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser
Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
13B

MD5
ccfdb3683885194694814921ac4cd280

SHA1
97e37b300cec836cf1d71a273d417fe15676211f

SHA256
1232cd46a3a396999ad60d837e67fcd15a48257fe1d5da5d6d60dbf24f4d32ac

SHA512
e918d6d7d26978478715a55d9ba0b7796d8d001c06d5a4d5edadbeeb57dc4a702a783830db5b38858e7d085fda2db0f2e9231371bedc0c70d8b2ab88627c6ae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
83KB

MD5
7def0d32479abd1238d3332220f8be7d

SHA1
e206ce9828db336cec913e062fdb3aa165cd1cba

SHA256
8189670bee8fd2d2d086702862c47547e6e7c09818e87b02b7795b8845da4fd9

SHA512
330d321bc713f51bcb73e0f5012c31130c15202b3bd101fbb480190b7b2cdefa53bc280dd2706734a542d61244d8147e5bad5116ed2063d9d1efce0fdb8ebcaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
45KB

MD5
acc8534438a12f692c9dda3d0e10fa66

SHA1
dd7db6115d87f0ecc071c7d68cfa519b9dcc7dbe

SHA256
8f909ce9ed3cfc790636ed2c4d3f09e769b14a97c649eee7910784ab5d61c599

SHA512
e853404816717399fc9097202d76eb8abfe4b4453ac18dab48afe1dac6efc90dbbdf61950f37cddc3a3e4ab95857b666ac825f0fbb315792641e7f3fa0924a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
45KB

MD5
5bc91b24d22588b21759f9d7dc4f2250

SHA1
0957cc9a2e2adcdbe71790d51d29bed8e9d65d54

SHA256
2efef6a552520e74ed123cebc0042af98722ac7ea528e806fc776706c501539e

SHA512
adad0ef412239dd4f6eb932657d0c4ce5e5f4315813e877f6a08237f78853b6820785052c64ca6a9e40c910b8d0e007bd0bd4bfe26d12cb7428b8da6536ed896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
40KB

MD5
f4604eb821703a472761ee1f7c077956

SHA1
9fa29471dc9aff9c8b32a002382b2015b49b57b0

SHA256
e342c72728b2b4043ebbabd220d50705384762db6320b547524a249a5cc83e6d

SHA512
2bbdb6a06ffab141a2a8f0efb25e9400255939865ec11632df0e698374f2083eff90500c314c44d67acd70026b370ea3b4c03f717ddae06073c7ec60ee854239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
36KB

MD5
e32798ced9f9a82ce4564d17d2e8084e

SHA1
02ce0d81edfd32c82ae2a603a52f685d8a26c3e0

SHA256
b423c595dd4403887af1aadc4e598a5046e644731ed91482a3d2167883ba1302

SHA512
323ad3f83d0741c7eda65f9605de48fc87d302acae5553fcc6f12198bd1f0a8230ca59660a9cce4a3f9e6a1b9457fe9632e7335d5674a52764e1f74dcc5d2214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
42KB

MD5
25a9553a5d00440699ffa42c8a6bed2e

SHA1
dd9e672ee59da63706d2cde56c77a97a7698223f

SHA256
02bf7c6e3065e390e340bd8618b2f5cfd793ac981c55f708edf84a1b77500ce5

SHA512
bf23fe81333f07e6e8bebdd45d3688a3ba06b8b8e974e1c682912cfe40995fc9b0f2e2b33a996432542f2f9a835d1d49d0f3fc18f073b2219c926bcdbadedb4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
37KB

MD5
3f496093ef5978a2acf3df96580fc09b

SHA1
bb8ff21e0bb6f7a2680527c91ca09a8faf60fcdf

SHA256
4e39b59872e4117414510229207d54f91e951ca56f41d4d6573d6b1a352c9c79

SHA512
c241810cd6a3b5e9c012542c6c2eb93ecc1a41888a46af69a2d3a7876918b525449ed52d6c6a588a2f0b7da9ed62ccbe096b35ca9a61ee7f8e037ae797208ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
45KB

MD5
2636f7b8ac766a58cddb1c5df538f8a3

SHA1
874090042782345155cf89aab053feefd5364dad

SHA256
9cfceb2d461348cd2b9ced8b633a8e22ba422a4e0cefc53457e23b1c8ff1a7c8

SHA512
c029d7b6518a33318cac22d0b8927009596ff5a7e6c6829763b2213012ff7b27ff62ffec639455a4dae9baf731bf9edcbbc065524f309382d4c223e006bbaf93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
36KB

MD5
25d29c842ff64da1be974de218a2d89e

SHA1
b4582d107b3eafbbdc21df90c2e625ed1d8e0501

SHA256
1a01d52da3113b9effd78af018ccce35cb776846eb88cda9b4ee084ce103fe70

SHA512
17527580fe9db1c98b779fbdde558ae4cae15d5e3bf1b7674fadf87a7d6a7006702cc669068d887fdb78e691f63eedc11e136a5f0c4cd1fa18e8ec7fca60a5a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
37KB

MD5
0140122e948a21d0de158c03e35cc43f

SHA1
cdaa517182cf12416f8892fff880fa49d8cd462a

SHA256
42b2fb63cadf9ceae414178a62026cca989527d09a8d82793b1fb6871d3da5f3

SHA512
edad76e5eb6bf8225644aad8a6e284e965cef3f5348cd1d4d95b9f0706d520b6cd0b1f196710b4deaf829378b1b4e9b971daff6543feba2fc85fa9bb9c34aada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
83KB

MD5
16535c72d24cd62623eb266a552747a0

SHA1
a2dc3a3e7f11f9def034d401064802fe479d15f5

SHA256
2da65d918f650b13dc3c8734b7fdcb3decf3a02d9b3d650f1565e5e96d47ba43

SHA512
e57764c5fec56fa7fcc6a8c0af10fc84c13f4fc84378763de4b60944e407a8a7edb6b4ba3929753f251134815d4355f8594c9d8a7fb1ba70b3e707bd27a439aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
36KB

MD5
2d713c4d586e40128110a9204bb8a7bc

SHA1
7764c2282912b0f5d0038d039299a8b6da78a54e

SHA256
eb78ca355591cb479f78afd4884cd50160ef0bf5747cbcbc318f6d5e2bf40a72

SHA512
98c7ec1df842f78abcfe4e0de282bfdd76f319a06e77ea4e6e3cc47416c1476b00d6e627b3ae0071c044a69c0837a7fa6e6e8d7330680ba8a280cbca4453cade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
87KB

MD5
4d939c925d356a24292109ff96920127

SHA1
b25d6b5cfce6288300220bd4dbca0b9b98297d81

SHA256
570faf07606c4bebbe955a6784d52011ab26c5a9919f416b95ec538fd7438b2f

SHA512
53f5b6fe886da46166f17e61627392de4c90001fa4ef30ff527f24162abff199da3e5bc9af84204c2048b03f8f014a79af106f5a46539904f777e79ee4fa2028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
37KB

MD5
f2df94cb7f91938ac876478a3e995463

SHA1
2641c11e9a8cb2810c722c84c480b43ff4b137c2

SHA256
94f2585ec50c4ea10bb372689e98c7d2a725140629ab71425814e8c3cce21438

SHA512
51f73163b9a5509ed64d63cc226e266a004fe09d6d53f164499bd3a627eec989c22b9e875f00fb7ea5db468dd8d790f1ef61434f2fd5e29f2760304615d251ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
46KB

MD5
72ec1d8044cda815e5cb743e32755c33

SHA1
a893c9f0a9747be100b03b47d52ee09aa5432bfc

SHA256
711967e3f00aa60b41a22a54fb77f1b40b3a57bf67493eafc54e1c87688f59c6

SHA512
3b8c17a0914be6a0d3a963b283b4143012fc80773a58e48670152b5c94cb5b7be7245a0191e0c0b9d8bd2a2f0d90d22544797becb8922bd7d5660ac64fd450c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache
Filesize
9B

MD5
b6f7a6b03164d4bf8e3531a5cf721d30

SHA1
a2134120d4712c7c629cdceef9de6d6e48ca13fa

SHA256
3d6f3f8f1456d7ce78dd9dfa8187318b38e731a658e513f561ee178766e74d39

SHA512
4b473f45a5d45d420483ea1d9e93047794884f26781bbfe5370a554d260e80ad462e7eeb74d16025774935c3a80cbb2fd1293941ee3d7b64045b791b365f2b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations
Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
Filesize
84B

MD5
64923ae8f4adf0f05f853d55a813c2f9

SHA1
da48e4e7a9342e8e4a7a95533c7fa4b8d188edcf

SHA256
62e5bfbfc1d3d5213365972f5cade60a30bc15899836b6c578402957df700743

SHA512
d8f73ce8e61414e0997eade5c917272b55dad3bf8a305129032f8f383fb1aa43b23d6754be09dfdf7f015942c643a0edc6cc98b78504eb1f9d59d7baa86824c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
Filesize
84B

MD5
c723774b3bc8ef4def0a835b7281b875

SHA1
ecfbdb6663e153f9a5c27db5d777b28477dde049

SHA256
dc577a27e485ad4ca0d997e0a66b40d06295ddb40852e4a4a2f54d1c24416b30

SHA512
d0fca878fb68bcebb4f6f0e910c26a920445699fcae14690031c59234670e907d3da4da3f62b7e7e894efc2c4c5bc3cc328b1ccb834459309c08c612efa5293f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{1F5E412C-04B6-4202-B688-E4434722EC55}.session
Filesize
4KB

MD5
def02c856d1f8b16bc93bf8b88cc4e41

SHA1
9349ed4d018628e4a60c7e6769a48fb03a62a136

SHA256
d3a95ea158f91ff0f01125c0abd6f8c440c114b7e8fc20d1fabd5f7dbb754560

SHA512
f1992f1f7d7632ca99ea2b595e42ede3a3a949ba2f7f48b177f677fe907aa4c928b87aca639050e4b8e92f2d05f5e79b7383a0a1634370210b735002d85e7c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_udbumsdc.j0n.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7B23.tmp\inetc.dll
Filesize
38KB

MD5
a35cdc9cf1d17216c0ab8c5282488ead

SHA1
ed8e8091a924343ad8791d85e2733c14839f0d36

SHA256
a793929232afb78b1c5b2f45d82094098bcf01523159fad1032147d8d5f9c4df

SHA512
0f15b00d0bf2aabd194302e599d69962147b4b3ef99e5a5f8d5797a7a56fd75dd9db0a667cfba9c758e6f0dab9ced126a9b43948935fe37fc31d96278a842bdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi
Filesize
1010KB

MD5
27bc9540828c59e1ca1997cf04f6c467

SHA1
bfa6d1ce9d4df8beba2bedf59f86a698de0215f3

SHA256
05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a

SHA512
a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll
Filesize
126KB

MD5
3531cf7755b16d38d5e9e3c43280e7d2

SHA1
19981b17ae35b6e9a0007551e69d3e50aa1afffe

SHA256
76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089

SHA512
7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Desktop\ClearExit.mov
Filesize
514KB

MD5
aa5cd10d014c1eef08dac53b5e2cd045

SHA1
d0fe938c0f737822c474e6962c9a6f6f8c61ff92

SHA256
9284b028ba8113f483aa383a5569299abaf86b996c1e3676be92b83fbfaa434b

SHA512
dd2eb72bf0da2e39b94a3cf4e25ed1f4173da698ac7affb053855ada1ed09303f61a3a8f5222f566909d30f19504eb18e07122954ea56965bd0c7081e10b7004

Download Submit
C:\Users\Admin\Desktop\CloseRestart.otf
Filesize
533KB

MD5
a1994d8152463fde7f7cb31ed137f6ad

SHA1
dd452a003cec087357922451f60c56d0f11cc384

SHA256
6fa78d75a80d18acc2bbc0f31db4fc26c6cc99ff3e10c1241b2e047a023f1f0a

SHA512
fba2089aaf6f3e76a74b829d07428290675ec7336fa198cb179382f217766951c2709ccf36738dbd0ecc3b957c9c71c799fd4f089dcbcb070a6598285243b623

Download Submit
C:\Users\Admin\Desktop\CompressReceive.mpg
Filesize
552KB

MD5
216d463e56c80a49600be5d8ef40106a

SHA1
a5689c84ca0a9f705db5f88c457fd25b0aab47ac

SHA256
7ff0b3769a87d639460193669169de7b70e64e5d6b7db1b6389da5065afe472d

SHA512
26f044bb68a0299a6bab6ca4304640470707f496f1da167f874d9558566b72a8f0a74a3b524ded6e16f6224a28dac82723d1a612a7f9001e586fee1ef7ec3be5

Download Submit
C:\Users\Admin\Desktop\CompressSync.wma
Filesize
209KB

MD5
06543e7cf0e829be17f2bf629c092afe

SHA1
acf16d63d2174c5f2b8631ae5b3d640bd4c3b9d0

SHA256
26905a7520905d5983d02ac110507f70b642947bf6c51a1ace1c738fd5213e0d

SHA512
1b3ae16e44d741f0661425d04a64beabfee3639bc92e202000d64fb175fa0a7fe3c28c95ee88a5fae3f10493467df9c9953522901e50e515271d30a578152f7e

Download Submit
C:\Users\Admin\Desktop\ConvertFromOpen.svg
Filesize
247KB

MD5
665c9619c040ef61ed47e5e94448b1b7

SHA1
09d66791bf04c2a70a952692876f89259370ed20

SHA256
108dd6461ec8275352e084e7f3fae29c9e7630012dd70d045021602a2733525f

SHA512
4893a11aa31b937c81b09c9b847cfdf9d76f2a33c3f2859fc8b39811b30baf464bbaa468a01078e37c663590d042adae290f7df89ae65bb308338c22158c19d3

Download Submit
C:\Users\Admin\Desktop\DebugResume.mht
Filesize
476KB

MD5
626061607daa17ff16b75fa30a474849

SHA1
78ba9c9174850b1c69df07b96c2ad7b4c822cd09

SHA256
0aaabd6c1e7db16c047e5112a9270f9ee171db13ad8ce6e5abfc99bf57cc68b3

SHA512
74d27e7521fc16f743b885627108c64f8085b67490139ab15b37122b5e9694974a1de79f8ef1f240288b1c4653e7d0ac1b609e1dea1916276d416b12033ee38b

Download Submit
C:\Users\Admin\Desktop\GetCompress.mp2v
Filesize
418KB

MD5
c5034b2457433c0c2838021d9ef76cae

SHA1
a23bc8964b61f8a5e657b640b5621c691e8ddf6c

SHA256
83549f1472d1ebb2d5598036bd3c89aa4f1758b43858c4211c1fc766dc3ffca5

SHA512
2f34e814eac4cb5a747d6f41eb79504f1f90091475a310b4b8da45b22125973b75acebdca75d352f82a4f2b9844c9d64c5c069e42e51e51a55c915c8b27c8301

Download Submit
C:\Users\Admin\Desktop\GroupOptimize.wav
Filesize
228KB

MD5
c43ea3ae8cac7977ad31ec5c7dd949cc

SHA1
d60b72459c2fe877de02f008037bdf6795924c73

SHA256
ba4a16bfd73f9633edfa7e3ba72aced65b4931db61213c3e845bd5b21e92dd4c

SHA512
e59d86f976c1ab57d4d8a021ed1e664622da3f03e0f3136056683d19614a079e921acf7b319eb97687959e3c656c6c54d051cac2a889da38bf69e85b8cf6183d

Download Submit
C:\Users\Admin\Desktop\HideUndo.ram
Filesize
323KB

MD5
a95b2d115152eaac0c26130586c6bc15

SHA1
e8189e54391dfa2fed8d0daa4f4e415f2cf0fc33

SHA256
e537ebc4af0fa5897191836ba34db1e0a029dc770e6fb391361ad85a2b39062a

SHA512
3aeaa4f78689d50ff987816c36de37eabae5ad4f59f240d61fba388f0b2f9e5487b7997a434f33eb63022577389eb95fc235ad1556ed75785acb6621f0b57faa

Download Submit
C:\Users\Admin\Desktop\ImportUnpublish.mp4
Filesize
456KB

MD5
2cfb72e258d5ef0bb73828106136b6d5

SHA1
7fafee1d8f024602dc6f83c4545baca3e0efac67

SHA256
7fdfa189d410c7e14f915df50cb653e661a5b761116848831e48c3fc4c254ed1

SHA512
cbfb05c60a9e23243aa7c4591e4cebfa63e952a11aa221f9274b75d920d53f47108785140728c45b159c23c5597bc638dcf20499b5ab79394e5c884f7e97e97d

Download Submit
C:\Users\Admin\Desktop\InvokeConnect.jtx
Filesize
399KB

MD5
82053d372b5a032193aee0830cf5e012

SHA1
5959e82e4a9386f828ac27f310ba6d2a42a58bef

SHA256
83ed21af570174b4b308dfb9fca64e219a2d6f082e9174c630598295f336e906

SHA512
e14418eb00e8fe543412f31459641748b1552ba0f147a4469e40f14eddac70aa105ea4a5bd26937a437b16b6d3ef393cc08b8b01166e9220db22f14b6ebbbdfa

Download Submit
C:\Users\Admin\Desktop\InvokeGrant.TS
Filesize
495KB

MD5
b9c42ca10dcd2ebce72404eea9af9747

SHA1
3dcaa644e431e8c784eb2dde70f73e1f0908ac5c

SHA256
c1c46744cb9ca1db903ef498a38e86d40a2a0551aa4472ec68bff664eb1a0b25

SHA512
06f698a23991f8f83ca15dcd80a4f19212c88550a6f8f42005f634100fc9f083ff03d805257e4e17f9fec45f579476656f9cfa3ac648eea9545446e8eb6fc49c

Download Submit
C:\Users\Admin\Desktop\LimitUnblock.ogg
Filesize
285KB

MD5
e2fe3d95c84f05ddd9c24a72832ee7de

SHA1
9b8707a95abbdbe1ef7d37129a150c801c72914a

SHA256
f595e5260b214a4d881cc1dd78a07e258596a171e064a612b26d78d925bffaf3

SHA512
c84238146d0945082b251fc7cbe8936d3757d082288dac3192f80864b88d67ec8c3808f772a1f9f279c345b0aaca2f3d9edb82d93e4bb5f7076eea7ab5bd2dc9

Download Submit
C:\Users\Admin\Desktop\OpenSwitch.svgz
Filesize
437KB

MD5
891957aef663ff545a4420b2ac796d82

SHA1
0d11548133dc3d094f37ba116a7af3a4ce160b0d

SHA256
ef1a43de26852895685bb5e189701db14a0647d0ce9803a13cc4c3b174c49f20

SHA512
25f5f381e383b2bb3361c073ae7b9f9637921794713b9a53f83b932ef5b73b07e3f0026cdd3633880d90a14050aeac490379b36d054a04a42238b7a7cf5d3dd2

Download Submit
C:\Users\Admin\Desktop\PublishRestore.rmi
Filesize
571KB

MD5
e6a92068c4b2136681f93a4116e6fb1e

SHA1
e1922b81e2f13fea0059388b7d81d8eed9e2abad

SHA256
04b5fb1682ba025120fb0ac6eeaf9b52873c281dbef739caf527d5b020be316b

SHA512
94736b97425fe1ce164dd78d6172f896826cadc4eba8caaac6fd75f95e4b593c33a78d07adfe90c126610ffe0c170a9095e3e826677fa747371f4b1da9034569

Download Submit
C:\Users\Admin\Desktop\RedoClear.wax
Filesize
361KB

MD5
316c11823dfa011c47e3d14ede627370

SHA1
5292089121cfcff6b736d14dbba4364ca6165a29

SHA256
69eb3086d59ac7ef85467c41de858b7d2d4659494e7b4ab4c15de63495fdc870

SHA512
1e1d183cb22d15a4589f06d2a56d0ee8cfd32696666e99b972d2ef314fdbeabbc837bc433a5f042b43ab8b5c9ccd149d410a118ec5baef1f502786574ca8c128

Download Submit
C:\Users\Admin\Desktop\SetRemove.ps1
Filesize
380KB

MD5
733074b603d1eed33b3c224e13867180

SHA1
eff7e94d214af506f23d5b6c355ae8b15ee9d923

SHA256
290d161ebee711872461a37e69fcabd6fe56c1656cf6f07480647da808ec54fd

SHA512
c6671079b51cc4342c7a45e60e5de014b8d906a8311263ccb891587a0f9ac2a7ee1df72d9a87ccb60a498e755cfe3955288b1e9d3b4e768dcc60f8c0bc0f8255

Download Submit
C:\Users\Admin\Desktop\SplitHide.au
Filesize
818KB

MD5
659f9f08c9147e3e230aa93974356537

SHA1
da6a00cea06464c4d30ce0f452b54fcd3da4dde3

SHA256
4dbcff6ffab59ec5cd06a04c173b65033bfa2c033c3fd77e5dfda5c39abac35b

SHA512
d5e91cc5e55c46494afa346318da69f3e83fb996b61d26153e06018ad81fc8bb890929fee53d8060048c00daddb630e476854443915a59612f5f5dea737c11b6

Download Submit
C:\Users\Admin\Desktop\SubmitSync.cab
Filesize
342KB

MD5
8d6a24f1b19083f8ac1bb85da0d6473c

SHA1
61aee7cc189b192fb6a411701d3c283f88d9a957

SHA256
e8000cc65447c42d5809b00ed13c407c0b1f70d6ed878094f3a6ae89e5e38261

SHA512
cd21ead615eb3033cb2ff6e7535c7d8554c9a54fc03ccbe8e6fc23f3a4434ad92b060d3059b40932a608566470e1649a97bb8ad349b1878255e910e011e0b6c6

Download Submit
C:\Users\Admin\Desktop\TraceRemove.vb
Filesize
266KB

MD5
5c2c255789915b09751847d398da86d7

SHA1
a871e142d3fc8ea309d77c005e08fc115d1a6bc2

SHA256
f9061a1da2bdee810596f97fb2718060f29ab4a51820e8cc926828860d2001e2

SHA512
d03ad440ddb25186dbbd3467e16370a1db2f6108b8e48a341ad7742d8b83e20412eeed8be9996c13795b14a2a439274ffcf2822b396ca7e7b9d98fdc435e36b3

Download Submit
C:\Users\Admin\Desktop\UpdateCompare.mov
Filesize
590KB

MD5
b80a7ed97b7faa19b9f1d73d246eec4e

SHA1
28e162e7c1e31d12f78b922aa0ce061d45dd9b1a

SHA256
cdb35041235fe99aaa318fe6f816179b728ad9ed5ee082d6955b86193ff81849

SHA512
46022cefdefccd108eee93eef452de42e269ac19e244a34082351808805569119fdcaf771520c2f050835fd90f3d9dd0b70fece8ed9da953fcbf32d67776d7b3

Download Submit
C:\Users\Admin\Desktop\WaitMerge.wmf
Filesize
304KB

MD5
6a733d00731b20b14d336dfda65e357f

SHA1
ccd705d9f264382f6d001f470af0eedbd24c4162

SHA256
aa841746a5cb84b69d13f8580917a4c0c3060d43f9eb19f423d9846ceb42f2a2

SHA512
51d1f3aa95720537cc9d7dec1454ca78fd8b82ca060b376cc38f14b20c6d60de1503ef5d9781082a91a6b09a1af0c52ef8ecc527324e84d3e231cfa173767e76

Download Submit
C:\Users\Admin\Downloads\GandCrab.exe
Filesize
291KB

MD5
e6b43b1028b6000009253344632e69c4

SHA1
e536b70e3ffe309f7ae59918da471d7bf4cadd1c

SHA256
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a

SHA512
07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 182115.crdownload
Filesize
68KB

MD5
bc1e7d033a999c4fd006109c24599f4d

SHA1
b927f0fc4a4232a023312198b33272e1a6d79cec

SHA256
13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401

SHA512
f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 531782.crdownload
Filesize
666KB

MD5
97512f4617019c907cd0f88193039e7c

SHA1
24cfa261ee30f697e7d1e2215eee1c21eebf4579

SHA256
438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499

SHA512
cfbb8dd91434f917d507cb919aa7e6b16b7b2056d56185f6ad5b6149e05629325cdb3df907f58bb3f634b17a9989bf5b6d6b81f5396a3a556431742ed742ac4a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 859917.crdownload
Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Users\Admin\README_HOW_TO_UNLOCK.HTML
Filesize
1KB

MD5
c784d96ca311302c6f2f8f0bee8c725b

SHA1
dc68b518ce0eef4f519f9127769e3e3fa8edce46

SHA256
a7836550412b0e0963d16d8442b894a1148326b86d119e4d30f1b11956380ef0

SHA512
f97891dc3c3f15b9bc3446bc9d5913431f374aa54cced33d2082cf14d173a8178e29a8d9487c2a1ab87d2f6abf37e915f69f45c0d8b747ad3f17970645c35d98

Download Submit
C:\Users\Admin\README_HOW_TO_UNLOCK.TXT
Filesize
330B

MD5
04b892b779d04f3a906fde1a904d98bb

SHA1
1a0d6cb6f921bc06ba9547a84b872ef61eb7e8a5

SHA256
eb22c6ecfd4d7d0fcea5063201ccf5e7313780e007ef47cca01f1369ee0e6be0

SHA512
e946aa4ac3ec9e5a178eac6f4c63a98f46bc85bed3efd6a53282d87aa56e53b4c11bb0d1c58c6c670f9f4ad9952b5e7fd1bb310a8bd7b5b04e7c607d1b74238a

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
Filesize
2KB

MD5
957fd54d6e346183794cce1b8ade97eb

SHA1
844b56fd0be676b8c5af4fb27cfbee94a458fbec

SHA256
3acc68d81fbbd7ea39262e9c3fd2bb31041da2fa2296a1e6629d93a5cea77b19

SHA512
11fee87ad1f3ca11ae176b43ea445101261edaaf33ebeca56c1ea54a9f26ccaf68cae41905ca0552d18625c2c2529d4c629992a9551c9564abdb6011d27bc73d

Download Submit
C:\Users\Public\Desktop\Firefox.lnk
Filesize
1000B

MD5
eac7ae582167fd2a084e066f64739484

SHA1
849bdc01c35240be937dad7ba0e52cf24802f92a

SHA256
4c770b8a07d4c8df960286380c38a6b0b4b9b6495bb3b67020e53c9f80414fd5

SHA512
7cd90531d1729a0e3a5bccd9ddbbbef5f58ddfb909b5fd2f2147e23aedae14940ef6daac699896c55db9efac7348f54ea94af5359469d0c2c3a4830250b406ef

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
c91eeab219802f45edecb0394e035985

SHA1
0f6928ca5eb0185f59d96d9e7a093c2a677449d5

SHA256
e7584f4626a5c20eedd84791ad2945bbf99ab4e640daaae5476f90b9f4e559f3

SHA512
66e4be329ebbccfbfaf5a4153fda9e50aaa6ff23bba4d75b4a95ff9ce989590126b730597adf78f79b8f925665660956a653ad19325beb1f38ed3e68c947b970

Download Submit
C:\Users\Public\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
ccedd5883de8d471133b4fafe72156e1

SHA1
2b7a45fff2e0bb62a5c15dcfccac5210ecc6c343

SHA256
6a02c7d54a777f75119541de0d9619420363095edabe164455f061b0976335f0

SHA512
f645cdf743d71bcb6525763dc11047c3219c0dc3b9831b655c4b1dfd58f0c07c1a926449d937fc74a5e6d470f84506a9941761b80f6fd1d92af1b669da34748c

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk
Filesize
923B

MD5
084098ff5104aba0968cf44585d7bdf0

SHA1
55f7b54e0121136f1a5639f61c8399b258af7742

SHA256
9ad75bad44901da21e2fc310ed90724b90913e10488c286b4d4f3fc10b998ab8

SHA512
22ae72391dadb1a07501f034235877201059e2fcc663475a4eef7fbf462b8512b938920b67ed608a99c551982d25d00e9a56b99c441d41e005137d45c1a61ecf

Download Submit
C:\Windows\Installer\MSI8FFC.tmp
Filesize
180KB

MD5
d552dd4108b5665d306b4a8bd6083dde

SHA1
dae55ccba7adb6690b27fa9623eeeed7a57f8da1

SHA256
a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5

SHA512
e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

Download Submit
C:\Windows\Installer\MSI900C.tmp
Filesize
88KB

MD5
4083cb0f45a747d8e8ab0d3e060616f2

SHA1
dcec8efa7a15fa432af2ea0445c4b346fef2a4d6

SHA256
252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a

SHA512
26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt
Filesize
19KB

MD5
70f0dd657f5a09249fd4d4ea83698dc3

SHA1
463a09e15dec929684e301b60b8f00434d2dd8a0

SHA256
eaf960cfd7334b6e2cb520387bfd5c2288a076d62e6bcce6ac30891b1b5a5693

SHA512
5f06ad5a09165bcfc7c9413f733a233e45f1ce9005edabeef69c828ad6d8b2018e5b2afd51bf4abdd8d12d0d590a518f62a6b14b4914e276e7844d0f073d560b

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
19KB

MD5
5ab559e960dcb7c2ddb1887892e680c8

SHA1
b8b76539ed2c6a72432431f2f921f99ef738a4b8

SHA256
410a2559786eba4cc2fadbc698c5cd39f9ea6aea8cc2e42a105e3d6ca33c67eb

SHA512
fa346eb14fadeb1b977f9fd92237b613759f3dd7596b13cbd88eee4348a8bb9f7cc21a8e107a047c28a6b1928ce46a112f57329665715bc7ce108c7b636635e6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21EA03E12A6F9D076B6BC3318EA9363E_6EF0095DA824AE045AE9FC5B645DF095
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Windows\System32\drivers\mbam.sys
Filesize
76KB

MD5
113e213914c40631aedef185984c5629

SHA1
57bf886bfe1e4d765ea43e4c91709a5c4a9a024a

SHA256
d314cea3ba19c49342763fca6b64a33f12d730a8fa531ed9f7e75675035ba004

SHA512
76d7286963f28430d8a9bc3b59adf209b5fceb6a5248b7be54c60fff0b931ba2cf46a779f7e66008baa0853ad6ce55a4b9dd56e33574230d1e2588f7679630b8

Download Submit
C:\Windows\System32\drivers\mbamswissarmy.sys
Filesize
233KB

MD5
4b2cc2d3ebf42659ea5e6e63584e1b76

SHA1
0042da8151f2e10a31ecceb60795eb428316e820

SHA256
3db4366ccb9d94062388000926c060e2524c7d3ee4b6b7c7cf06f909f747fc6c

SHA512
804d64d346b3dbb1ce3095a5d0fa7acc5da0bf832c458e557dac486559fe53144f15f08c444fea84a01471fd5981e68801a809b143c56b5b63e3e16de9db0d98

Download Submit
C:\Windows\Temp\MBInstallTemp9bfe4077144f11efa5cffe55e2f65ccf\7z.dll
Filesize
2.5MB

MD5
a144e24209683e3cba6e29dab5764162

SHA1
ab2112cce717bec8f5667721a072d790484095ec

SHA256
b2ff9dbf90cbd0c45cd7d95ce4892377ec7e92970e05f2e56b0ce93861190348

SHA512
2c823981b53b7eb7c1b726468d3b28c234c7e555aab35e759e88d38658566d267a20867f1cb18d96c830e7d53643629a9fa313eecee8b553703086fbb64cc984

Download Submit
C:\Windows\Temp\MBInstallTemp9bfe4077144f11efa5cffe55e2f65ccf\ctlrpkg\Malwarebytes_Assistant.runtimeconfig.json
Filesize
372B

MD5
d94cf983fba9ab1bb8a6cb3ad4a48f50

SHA1
04855d8b7a76b7ec74633043ef9986d4500ca63c

SHA256
1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a

SHA512
09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

Download Submit
C:\Windows\Temp\MBInstallTemp9bfe4077144f11efa5cffe55e2f65ccf\ctlrpkg\mbae64.sys
Filesize
154KB

MD5
95515708f41a7e283d6725506f56f6f2

SHA1
9afc20a19db3d2a75b6915d8d9af602c5218735e

SHA256
321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6

SHA512
d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08

Download Submit
C:\Windows\Temp\MBInstallTemp9bfe4077144f11efa5cffe55e2f65ccf\dbclspkg\MBAMCoreV5.dll
Filesize
6.7MB

MD5
65dae541c8dbc3e18f1bc9150ffad616

SHA1
f9c98b9eee98e94240c425a4548aae1b5d943ea6

SHA256
75249cc6d5ddbb92a76f6750165380eb3b6182cdd4733d8a18003b7dfc88b558

SHA512
4f2755add2fa384d617e7bd6d5d2c793503b54a284eb04be78682a0b6cfa7e6369995ae6625bd085ba2887b5034760323dfc61c2b28ea6db91b9d17a8394e988

Download Submit
C:\Windows\Temp\MBInstallTemp9bfe4077144f11efa5cffe55e2f65ccf\dotnetpkgtmp\shared\Microsoft.NETCore.App\6.0.28\mscordaccore.dll
Filesize
1.3MB

MD5
3143ffcfcc9818e0cd47cb9a980d2169

SHA1
72f1932fda377d3d71cb10f314fd946fab2ea77a

SHA256
b7fb9547e4359f6c116bd0dbe36a8ed05b7a490720f5a0d9013284be36b590b7

SHA512
904800d157eb010e7d17210f5797409fea005eed46fbf209bca454768b28f74ff3ff468eaad2cfd3642155d4978326274331a0a4e2c701dd7017e56ddfe5424b

Download Submit
C:\Windows\Temp\MBInstallTemp9bfe4077144f11efa5cffe55e2f65ccf\servicepkg\MBAMService.exe
Filesize
8.5MB

MD5
8c89563b4351b2c39d94c81ec37ace7b

SHA1
4c238dcd62b99226b3ac1a67c7b7c2cc2ad1edf4

SHA256
d17e0a77d02d5875318c14af09ee900bc4bafb87a96b2f84dfc9ef7656884228

SHA512
8f1421c8a553acc7d4541cf6d319ab97abf2803a2c0c83ac7ac8d1dc9335eeb0bd911e79a0bedc14e65f1eb523efb76f9cfea0dd71a79e43c9501c954546ef2a

Download Submit
C:\Windows\Temp\MBInstallTemp9bfe4077144f11efa5cffe55e2f65ccf\servicepkg\mbamelam.cat
Filesize
10KB

MD5
60608328775d6acf03eaab38407e5b7c

SHA1
9f63644893517286753f63ad6d01bc8bfacf79b1

SHA256
3ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59

SHA512
9f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7

Download Submit
C:\Windows\Temp\MBInstallTemp9bfe4077144f11efa5cffe55e2f65ccf\servicepkg\mbamelam.inf
Filesize
2KB

MD5
c481ad4dd1d91860335787aa61177932

SHA1
81633414c5bf5832a8584fb0740bc09596b9b66d

SHA256
793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3

SHA512
d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830

Download Submit
C:\Windows\Temp\MBInstallTemp9bfe4077144f11efa5cffe55e2f65ccf\servicepkg\mbamelam.sys
Filesize
20KB

MD5
9e77c51e14fa9a323ee1635dc74ecc07

SHA1
a78bde0bd73260ce7af9cdc441af9db54d1637c2

SHA256
b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0

SHA512
a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186

Download Submit
C:\Windows\Temp\SDIAG_0d84e09c-d9ef-4316-9118-a93a9f40660b\DiagPackage.dll
Filesize
65KB

MD5
79134a74dd0f019af67d9498192f5652

SHA1
90235b521e92e600d189d75f7f733c4bda02c027

SHA256
9d6e3ed51893661dfe5a98557f5e7e255bbe223e3403a42aa44ea563098c947e

SHA512
1627d3abe3a54478c131f664f43c8e91dc5d2f2f7ddc049bc30dfa065eee329ed93edd73c9b93cf07bed997f43d58842333b3678e61aceac391fbe171d8461a3

Download Submit
C:\Windows\Temp\SDIAG_0d84e09c-d9ef-4316-9118-a93a9f40660b\en-US\DiagPackage.dll.mui
Filesize
10KB

MD5
d7309f9b759ccb83b676420b4bde0182

SHA1
641ad24a420e2774a75168aaf1e990fca240e348

SHA256
51d06affd4db0e4b37d35d0e85b8209d5fab741904e8d03df1a27a0be102324f

SHA512
7284f2d48e1747bbc97a1dab91fb57ff659ed9a05b3fa78a7def733e809c15834c15912102f03a81019261431e9ed3c110fd96539c9628c55653e7ac21d8478d

Download Submit
C:\Windows\Temp\tmp5248eaaaaa
Filesize
100KB

MD5
baa675ce4124ca3fc5033e2a2c53dbd1

SHA1
2dcc5513270c723fff6148dd2f8196081f83bb16

SHA256
22cc36f18e7df98e3c58cd6fce492688970d4a5d1fb1865e5749b76138cdd9f4

SHA512
047d4d9a7d415d5a4814acc42f9148c0de7ec34c5d53cc90cdcbb218406b343a3c5a1f5ec4cc3b8ccca6b7f08ed0115b7e568a5141e1335c2a2a6ed2682b45ec

Download Submit
F:\$RECYCLE.BIN\LNEOEX-MANUAL.txt
Filesize
8KB

MD5
aa887f60f00eb37b73d6140ca5f43341

SHA1
e8bfd59687a81287e1b2b46fd6d585e7c2801f12

SHA256
7ccf3b5cae9c4423347dc0133265966e645b53eaf18a714c4e117d60b7fc9c85

SHA512
7e7173835cae1475f0bbd25df2049ad249f8d7cc2a2d50a41e091e0c2c7f4def73b4170ddd4feb8589ddf201217887a07455a82ee760fcc4253454546da4418b

Download Submit
memory/1404-5574-0x00000180F22C0000-0x00000180F22C8000-memory.dmp

Filesize
32KB

Download
memory/1404-5556-0x00000180F2270000-0x00000180F2292000-memory.dmp

Filesize
136KB

Download
memory/1404-5565-0x00000180F22B0000-0x00000180F22B8000-memory.dmp

Filesize
32KB

Download
memory/2104-7017-0x0000000004C30000-0x0000000004C3A000-memory.dmp

Filesize
40KB

Download
memory/2104-7016-0x0000000004B80000-0x0000000004C12000-memory.dmp

Filesize
584KB

Download
memory/2104-7015-0x0000000005050000-0x00000000055F4000-memory.dmp

Filesize
5.6MB

Download
memory/2104-7014-0x0000000000120000-0x000000000018E000-memory.dmp

Filesize
440KB

Download
memory/2632-5886-0x000000001BF80000-0x000000001BFCC000-memory.dmp

Filesize
304KB

Download
memory/2632-5883-0x000000001B6E0000-0x000000001BBAE000-memory.dmp

Filesize
4.8MB

Download
memory/2632-5882-0x000000001B100000-0x000000001B1A6000-memory.dmp

Filesize
664KB

Download
memory/2632-5884-0x000000001BCD0000-0x000000001BD6C000-memory.dmp

Filesize
624KB

Download
memory/2632-5885-0x000000001B1C0000-0x000000001B1C8000-memory.dmp

Filesize
32KB

Download
memory/3924-11169-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/4580-4752-0x000002B366230000-0x000002B366231000-memory.dmp

Filesize
4KB

Download
memory/4580-4754-0x000002B366230000-0x000002B366231000-memory.dmp

Filesize
4KB

Download
memory/4580-4745-0x000002B366230000-0x000002B366231000-memory.dmp

Filesize
4KB

Download
memory/4580-4744-0x000002B366230000-0x000002B366231000-memory.dmp

Filesize
4KB

Download
memory/4580-4746-0x000002B366230000-0x000002B366231000-memory.dmp

Filesize
4KB

Download
memory/4580-4750-0x000002B366230000-0x000002B366231000-memory.dmp

Filesize
4KB

Download
memory/4580-4751-0x000002B366230000-0x000002B366231000-memory.dmp

Filesize
4KB

Download
memory/4580-4756-0x000002B366230000-0x000002B366231000-memory.dmp

Filesize
4KB

Download
memory/4580-4755-0x000002B366230000-0x000002B366231000-memory.dmp

Filesize
4KB

Download
memory/4580-4753-0x000002B366230000-0x000002B366231000-memory.dmp

Filesize
4KB

Download
memory/5248-5912-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-4683-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-5843-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-4955-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-5959-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-6403-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-6905-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-4852-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-5013-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-3905-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-4501-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-7207-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-3929-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-7483-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/5248-7534-0x000001D85BDE0000-0x000001D85C22F000-memory.dmp

Filesize
4.3MB

Download
memory/7608-7976-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/7608-8190-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download

pid	process
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668

pid	process
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668

pid	process
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668