5c129ece1b7ff897ea7da20d78b3d20c93f2928d722d7f762512aef822a9908d

Modify Registry

Processes:

mbamservice.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMChameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	mbamservice.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

mbamservice.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mbamservice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mbamservice.exe

Executes dropped EXE 13 IoCs

Processes:

7z2201.exe7z.exe7z.exers.exers.tmpmbamservice.exembamservice.exembamtray.exeunins000.exe_iu14D2N.tmpMBAMWsc.exembamservice.exembamwsc.exe

pid	process
4800	7z2201.exe
1392	7z.exe
2784	7z.exe
4636	rs.exe
724	rs.tmp
420	mbamservice.exe
1644	mbamservice.exe
560	mbamtray.exe
1992	unins000.exe
2476	_iu14D2N.tmp
1948	MBAMWsc.exe
3556	mbamservice.exe
1708	mbamwsc.exe

Loads dropped DLL 62 IoCs

Processes:

7z.exe7z.exers.tmpmbamservice.exembamtray.exe_iu14D2N.tmpregsvr32.exe

pid	process
1392	7z.exe
2784	7z.exe
724	rs.tmp
724	rs.tmp
724	rs.tmp
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
2476	_iu14D2N.tmp
4484	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

mbamservice.exembamservice.exembamservice.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbshlext.dll"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ThreadingModel = "Apartment"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

mbamservice.exe

description	ioc	process
File opened (read-only)	\??\L:	mbamservice.exe
File opened (read-only)	\??\O:	mbamservice.exe
File opened (read-only)	\??\U:	mbamservice.exe
File opened (read-only)	\??\V:	mbamservice.exe
File opened (read-only)	\??\Z:	mbamservice.exe
File opened (read-only)	\??\A:	mbamservice.exe
File opened (read-only)	\??\I:	mbamservice.exe
File opened (read-only)	\??\J:	mbamservice.exe
File opened (read-only)	\??\N:	mbamservice.exe
File opened (read-only)	\??\R:	mbamservice.exe
File opened (read-only)	\??\T:	mbamservice.exe
File opened (read-only)	\??\X:	mbamservice.exe
File opened (read-only)	\??\B:	mbamservice.exe
File opened (read-only)	\??\G:	mbamservice.exe
File opened (read-only)	\??\Y:	mbamservice.exe
File opened (read-only)	\??\H:	mbamservice.exe
File opened (read-only)	\??\M:	mbamservice.exe
File opened (read-only)	\??\P:	mbamservice.exe
File opened (read-only)	\??\Q:	mbamservice.exe
File opened (read-only)	\??\S:	mbamservice.exe
File opened (read-only)	\??\W:	mbamservice.exe
File opened (read-only)	\??\E:	mbamservice.exe
File opened (read-only)	\??\K:	mbamservice.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4432 powershell.exe
836 powershell.exe
3060 powershell.exe

Drops file in System32 directory 7 IoCs

Processes:

mbamservice.exembamservice.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_C2C3D990B393462F0B24251F41DF0EF5	mbamservice.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	mbamservice.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_C2C3D990B393462F0B24251F41DF0EF5	mbamservice.exe

Drops file in Program Files directory 64 IoCs

Processes:

7z2201.exers.tmpmbamservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ne.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-JLB3R.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sv.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\is-BD653.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick.2\is-9DE3A.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sq.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-L8351.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\History.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\el.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ku.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\da.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\io.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-FO128.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-GH54Q.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-VE711.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\eu.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ko.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Flat\is-L39C2.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-Q13NN.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\fur.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mr.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\uz-cyrl.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fy.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pt-br.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7zFM.exe	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\an.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\cs.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-EFT3H.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\tt.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\uk.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\tg.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\is-CUVV2.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\ast.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\bn.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\it.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-B25JS.tmp	rs.tmp
File created	C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sdk\mbam.tmf	mbamservice.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\id.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\is-CKOL2.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-DMJ4L.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\7zG.exe	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.sys	mbamservice.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ext.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ms.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-35CBQ.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-DCG9Q.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-O7PIF.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\mwac.tmf	mbamservice.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eo.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ne.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\qml\is-LDDNP.tmp	rs.tmp
File opened for modification	C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json	mbamservice.exe
File created	C:\Program Files (x86)\7-Zip\Lang\zh-cn.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-6RBB7.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-RF27P.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\nl.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\is-F2N5V.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\7-zip.chm	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\el.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\nb.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-2N0I9.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\ja.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7zG.exe	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\is-AR89Q.tmp	rs.tmp

Drops file in Windows directory 2 IoCs

Processes:

mbamservice.exembamservice.exe

description ioc process

File created C:\Windows\ELAMBKUP mbamservice.exe
File opened for modification C:\Windows\security\logs\scecomp.log mbamservice.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\ELAMBKUP	mbamservice.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	mbamservice.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

mbamservice.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mbamservice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mbamservice.exe

Delays execution with timeout.exe 19 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1816	timeout.exe
2388	timeout.exe
4932	timeout.exe
2020	timeout.exe
3628	timeout.exe
2120	timeout.exe
1568	timeout.exe
916	timeout.exe
2932	timeout.exe
4664	timeout.exe
2220	timeout.exe
4412	timeout.exe
3848	timeout.exe
4236	timeout.exe
4764	timeout.exe
3240	timeout.exe
3420	timeout.exe
3216	timeout.exe
4188	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
1704	tasklist.exe
2952	tasklist.exe
3956	tasklist.exe
128	tasklist.exe
4232	tasklist.exe
428	tasklist.exe
4192	tasklist.exe
1260	tasklist.exe
2592	tasklist.exe
4160	tasklist.exe
2424	tasklist.exe
4496	tasklist.exe
2936	tasklist.exe
3472	tasklist.exe
2028	tasklist.exe
1008	tasklist.exe
4076	tasklist.exe
4672	tasklist.exe
3596	tasklist.exe
4192	tasklist.exe
1472	tasklist.exe
924	tasklist.exe
3912	tasklist.exe
1092	tasklist.exe
364	tasklist.exe
4620	tasklist.exe
2908	tasklist.exe
1400	tasklist.exe
2932	tasklist.exe
2424	tasklist.exe
1284	tasklist.exe
3848	tasklist.exe
1708	tasklist.exe
4840	tasklist.exe
904	tasklist.exe
1104	tasklist.exe
4296	tasklist.exe
3316	tasklist.exe
3316	tasklist.exe
2560	tasklist.exe
664	tasklist.exe
1744	tasklist.exe
868	tasklist.exe
656	tasklist.exe
2068	tasklist.exe
4832	tasklist.exe
4484	tasklist.exe
3008	tasklist.exe
2708	tasklist.exe
3916	tasklist.exe
1912	tasklist.exe
2592	tasklist.exe
4808	tasklist.exe
5096	tasklist.exe
3880	tasklist.exe
4092	tasklist.exe
3860	tasklist.exe
4364	tasklist.exe
3764	tasklist.exe
3448	tasklist.exe
248	tasklist.exe
4796	tasklist.exe
240	tasklist.exe
2740	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

Processes:

rs.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	rs.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	rs.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	rs.tmp

Modifies data under HKEY_USERS 44 IoCs

Processes:

mbamservice.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mbamservice.exe

Modifies registry class 64 IoCs

Processes:

mbamservice.exembamservice.exembamservice.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB30855D-36DF-41BD-9EEE-03BA7E8E70B7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5201562-332D-4385-87E7-2BB41B1694AA}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C731375E-3199-4C88-8326-9F81D3224DAD}\1.0\HELPDIR\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA6C70E7-6A6D-4F4A-99BF-C8B375CB7E0C}\TypeLib\Version = "1.0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1BA0B73-14BD-4C9D-98CA-99355BD4EB24}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{834906DC-FA0F-4F61-BC62-24B0BEB3769C}\ = "_IRTPControllerEvents"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08932AD2-C415-4DE8-821D-5AF7A5658483}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA09B8D-A536-4429-8331-49808442D24B}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\ = "NormalScanParameters Class"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{118F4330-CAF5-4A54-ABB0-DC936669ED2F}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{115D004C-CC20-4945-BCC8-FE5043DD42D0}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63A6AB57-4679-4529-B78D-143547B22799}\ = "_ICleanControllerEventsV2"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B42C782-9650-4EFF-9618-91118DF96061}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90F4450A-B7B2-417C-8ABB-BBD1BDFBFC27}\TypeLib\ = "{332AFEBA-9341-4CEC-8EA6-DB155A99DF63}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4BDE5F8-F8D4-4E50-937F-85E8382A9FEE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77AD284A-4686-413D-AA76-BDFC1DF52A19}\ = "ISPControllerV3"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BA2811A-EE5B-44DF-81CD-C75BB11A82D4}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7196E77C-8EA5-4824-92C9-BAE8671149FA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.TelemetryController.1\CLSID	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4EA13DC-F9D2-4DB9-A19F-2B462FFC81F3}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77AD284A-4686-413D-AA76-BDFC1DF52A19}\TypeLib\Version = "1.0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}\1.0\FLAGS\ = "0"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCF0F42-EF8F-4450-BA68-42B61F594B2F}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{59DBD1B8-A7BD-4322-998F-41B0D2516FA0}\1.0\0	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81541635-736E-4460-81AA-86118F313CD5}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A153977-1A37-4EF7-9226-9E128FA51AE1}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A153977-1A37-4EF7-9226-9E128FA51AE1}\TypeLib\Version = "1.0"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49F6AC60-2104-42C6-8F71-B3916D5AA732}\1.0\HELPDIR	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\Version	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{239C7555-993F-4071-9081-D2AE0B590D63}\ = "IScanControllerEventsV6"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66328184-6592-46BE-B950-4FDA4417DF2E}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83D0C30B-ECF4-40C5-80EC-21BB47F898A9}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{566DC5CA-A3C4-4959-AB92-37606E12AAFF}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{893E5593-9490-4E90-9F1E-0B786EC41470}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9669A3D-81E8-46F6-A51E-815A0863D612}\ = "IAEControllerEventsV2"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2D4A69C-14CA-4825-9376-5B4215AF5C5E}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CE18DD5-2BD7-4844-B9AD-DF6A995750A1}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7DAEEB9-30B6-4AC4-BB74-7763C950D8EC}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F2D6C4F-0B95-4A53-BA9D-55526737DC34}\ = "IMWACControllerEventsV4"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4BDE5F8-F8D4-4E50-937F-85E8382A9FEE}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C871BA6-4662-4E17-ABF4-3B2276FC0FF4}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{553B1C62-BE94-4CE0-8041-EB3BC1329D20}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78E69E6F-EC12-4B84-8431-1D68572C7A61}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{983849D5-BFE9-43E9-A9A0-CBAFBC917F39}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81541635-736E-4460-81AA-86118F313CD5}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA484BC6-E101-4A87-AAF3-B468B3F2C6BB}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E0987E3-3699-4C92-8E76-CAEDA00FA44C}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7DAEEB9-30B6-4AC4-BB74-7763C950D8EC}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{090D2E82-C71B-414E-AF6A-6681A92FF2B3}\TypeLib\Version = "1.0"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\VersionIndependentProgID	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA09B8D-A536-4429-8331-49808442D24B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2870643-0645-41F9-BCCB-F5969386162C}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0D8223D-D594-4147-BAD8-1E2B54ED1990}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2D1C2BC-3427-478E-A903-ADFBCF5711CD}\TypeLib\Version = "1.0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61DF8ACF-EC61-4D69-A543-20EA450E1A84}\TypeLib\Version = "1.0"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3BD2053F-99D1-4C2B-8B45-635183A8F0BF}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3D482C3-B037-469B-9C35-2EF7F81C5BED}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7DD05E6E-FF07-4CD3-A7BA-200BEC812A5C}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}\1.0\0	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECDAC35E-72BB-4856-97E1-226BA47C62C5}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1BA0B73-14BD-4C9D-98CA-99355BD4EB24}\TypeLib\Version = "1.0"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB82CDC6-F12A-4156-8DBF-EC7465B9C0B9}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MBAMExt.MBAMShlExt	mbamservice.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

mbamtray.exembamservice.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a80300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc250f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	mbamservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df0030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4740f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df020000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a80300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc32000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mbamservice.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

mbamtray.exe

pid process

560 mbamtray.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

powershell.exepowershell.exembamservice.exembamtray.exepowershell.exe

pid	process
4432	powershell.exe
4432	powershell.exe
836	powershell.exe
836	powershell.exe
836	powershell.exe
836	powershell.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
560	mbamtray.exe
560	mbamtray.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
1644	mbamservice.exe
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe

Suspicious behavior: LoadsDriver 9 IoCs

Processes:

pid process

684
684
684
684
684
684
684
684
684

pid	process
684
684
684
684
684
684
684
684
684

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7z.exe7z.exepowershell.exepowershell.exembamservice.exembamservice.exepowershell.exembamservice.exeWMIC.exe

description	pid	process
Token: SeRestorePrivilege	1392	7z.exe
Token: 35	1392	7z.exe
Token: SeSecurityPrivilege	1392	7z.exe
Token: SeSecurityPrivilege	1392	7z.exe
Token: SeRestorePrivilege	2784	7z.exe
Token: 35	2784	7z.exe
Token: SeSecurityPrivilege	2784	7z.exe
Token: SeSecurityPrivilege	2784	7z.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: 33	420	mbamservice.exe
Token: SeIncBasePriorityPrivilege	420	mbamservice.exe
Token: 33	1644	mbamservice.exe
Token: SeIncBasePriorityPrivilege	1644	mbamservice.exe
Token: SeRestorePrivilege	1644	mbamservice.exe
Token: SeTakeOwnershipPrivilege	1644	mbamservice.exe
Token: SeRestorePrivilege	1644	mbamservice.exe
Token: SeBackupPrivilege	1644	mbamservice.exe
Token: SeRestorePrivilege	1644	mbamservice.exe
Token: SeTakeOwnershipPrivilege	1644	mbamservice.exe
Token: SeRestorePrivilege	1644	mbamservice.exe
Token: SeBackupPrivilege	1644	mbamservice.exe
Token: SeRestorePrivilege	1644	mbamservice.exe
Token: SeBackupPrivilege	1644	mbamservice.exe
Token: SeAssignPrimaryTokenPrivilege	1644	mbamservice.exe
Token: SeIncreaseQuotaPrivilege	1644	mbamservice.exe
Token: SeSecurityPrivilege	1644	mbamservice.exe
Token: SeTakeOwnershipPrivilege	1644	mbamservice.exe
Token: SeLoadDriverPrivilege	1644	mbamservice.exe
Token: SeSystemtimePrivilege	1644	mbamservice.exe
Token: SeBackupPrivilege	1644	mbamservice.exe
Token: SeRestorePrivilege	1644	mbamservice.exe
Token: SeShutdownPrivilege	1644	mbamservice.exe
Token: SeSystemEnvironmentPrivilege	1644	mbamservice.exe
Token: SeUndockPrivilege	1644	mbamservice.exe
Token: SeManageVolumePrivilege	1644	mbamservice.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeSecurityPrivilege	1644	mbamservice.exe
Token: SeSecurityPrivilege	1644	mbamservice.exe
Token: 33	3556	mbamservice.exe
Token: SeIncBasePriorityPrivilege	3556	mbamservice.exe
Token: SeIncreaseQuotaPrivilege	2596	WMIC.exe
Token: SeSecurityPrivilege	2596	WMIC.exe
Token: SeTakeOwnershipPrivilege	2596	WMIC.exe
Token: SeLoadDriverPrivilege	2596	WMIC.exe
Token: SeSystemProfilePrivilege	2596	WMIC.exe
Token: SeSystemtimePrivilege	2596	WMIC.exe
Token: SeProfSingleProcessPrivilege	2596	WMIC.exe
Token: SeIncBasePriorityPrivilege	2596	WMIC.exe
Token: SeCreatePagefilePrivilege	2596	WMIC.exe
Token: SeBackupPrivilege	2596	WMIC.exe
Token: SeRestorePrivilege	2596	WMIC.exe
Token: SeShutdownPrivilege	2596	WMIC.exe
Token: SeDebugPrivilege	2596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2596	WMIC.exe
Token: SeRemoteShutdownPrivilege	2596	WMIC.exe
Token: SeUndockPrivilege	2596	WMIC.exe
Token: SeManageVolumePrivilege	2596	WMIC.exe
Token: 33	2596	WMIC.exe
Token: 34	2596	WMIC.exe
Token: 35	2596	WMIC.exe
Token: 36	2596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2596	WMIC.exe
Token: SeSecurityPrivilege	2596	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

rs.tmpmbamtray.exe_iu14D2N.tmp

pid	process
724	rs.tmp
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
2476	_iu14D2N.tmp

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

mbamtray.exe

pid	process
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe
560	mbamtray.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

mbamtray.exe

pid process

560 mbamtray.exe
560 mbamtray.exe
560 mbamtray.exe
560 mbamtray.exe
560 mbamtray.exe
560 mbamtray.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Patch_MB_5.x.execmd.execmd.execmd.execmd.execmd.exepowershell.exers.exers.tmpmbamservice.exe

description	pid	process	target process
PID 2296 wrote to memory of 2664	2296	Patch_MB_5.x.exe	cmd.exe
PID 2296 wrote to memory of 2664	2296	Patch_MB_5.x.exe	cmd.exe
PID 2664 wrote to memory of 4800	2664	cmd.exe	7z2201.exe
PID 2664 wrote to memory of 4800	2664	cmd.exe	7z2201.exe
PID 2664 wrote to memory of 4800	2664	cmd.exe	7z2201.exe
PID 2664 wrote to memory of 2948	2664	cmd.exe	attrib.exe
PID 2664 wrote to memory of 2948	2664	cmd.exe	attrib.exe
PID 2664 wrote to memory of 3848	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 3848	2664	cmd.exe	cmd.exe
PID 3848 wrote to memory of 572	3848	cmd.exe	findstr.exe
PID 3848 wrote to memory of 572	3848	cmd.exe	findstr.exe
PID 2664 wrote to memory of 1524	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 1524	2664	cmd.exe	cmd.exe
PID 1524 wrote to memory of 3252	1524	cmd.exe	findstr.exe
PID 1524 wrote to memory of 3252	1524	cmd.exe	findstr.exe
PID 2664 wrote to memory of 1088	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 1088	2664	cmd.exe	cmd.exe
PID 2664 wrote to memory of 1392	2664	cmd.exe	7z.exe
PID 2664 wrote to memory of 1392	2664	cmd.exe	7z.exe
PID 2664 wrote to memory of 1392	2664	cmd.exe	7z.exe
PID 1088 wrote to memory of 2956	1088	cmd.exe	mode.com
PID 1088 wrote to memory of 2956	1088	cmd.exe	mode.com
PID 1088 wrote to memory of 2612	1088	cmd.exe	chcp.com
PID 1088 wrote to memory of 2612	1088	cmd.exe	chcp.com
PID 2664 wrote to memory of 2784	2664	cmd.exe	7z.exe
PID 2664 wrote to memory of 2784	2664	cmd.exe	7z.exe
PID 2664 wrote to memory of 2784	2664	cmd.exe	7z.exe
PID 1088 wrote to memory of 2592	1088	cmd.exe	mode.com
PID 1088 wrote to memory of 2592	1088	cmd.exe	mode.com
PID 1088 wrote to memory of 3316	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 3316	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 1552	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 1552	1088	cmd.exe	cmd.exe
PID 1552 wrote to memory of 1688	1552	cmd.exe	cmd.exe
PID 1552 wrote to memory of 1688	1552	cmd.exe	cmd.exe
PID 1552 wrote to memory of 1652	1552	cmd.exe	cmd.exe
PID 1552 wrote to memory of 1652	1552	cmd.exe	cmd.exe
PID 1088 wrote to memory of 3240	1088	cmd.exe	timeout.exe
PID 1088 wrote to memory of 3240	1088	cmd.exe	timeout.exe
PID 2664 wrote to memory of 4432	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 4432	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 836	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 836	2664	cmd.exe	powershell.exe
PID 836 wrote to memory of 4636	836	powershell.exe	rs.exe
PID 836 wrote to memory of 4636	836	powershell.exe	rs.exe
PID 836 wrote to memory of 4636	836	powershell.exe	rs.exe
PID 4636 wrote to memory of 724	4636	rs.exe	rs.tmp
PID 4636 wrote to memory of 724	4636	rs.exe	rs.tmp
PID 4636 wrote to memory of 724	4636	rs.exe	rs.tmp
PID 1088 wrote to memory of 2120	1088	cmd.exe	timeout.exe
PID 1088 wrote to memory of 2120	1088	cmd.exe	timeout.exe
PID 724 wrote to memory of 1604	724	rs.tmp	certutil.exe
PID 724 wrote to memory of 1604	724	rs.tmp	certutil.exe
PID 724 wrote to memory of 4092	724	rs.tmp	certutil.exe
PID 724 wrote to memory of 4092	724	rs.tmp	certutil.exe
PID 724 wrote to memory of 420	724	rs.tmp	mbamservice.exe
PID 724 wrote to memory of 420	724	rs.tmp	mbamservice.exe
PID 1088 wrote to memory of 2220	1088	cmd.exe	timeout.exe
PID 1088 wrote to memory of 2220	1088	cmd.exe	timeout.exe
PID 1644 wrote to memory of 560	1644	mbamservice.exe	mbamtray.exe
PID 1644 wrote to memory of 560	1644	mbamservice.exe	mbamtray.exe
PID 1644 wrote to memory of 560	1644	mbamservice.exe	mbamtray.exe
PID 1088 wrote to memory of 4412	1088	cmd.exe	timeout.exe
PID 1088 wrote to memory of 4412	1088	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2948 attrib.exe
1104 attrib.exe

pid	process
2948	attrib.exe
1104	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Patch_MB_5.x.exe
"C:\Users\Admin\AppData\Local\Temp\Patch_MB_5.x.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8A5M7UHY.bat" "C:\Users\Admin\AppData\Local\Temp\Patch_MB_5.x.exe""
2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\qbE577918.EE\7z2201.exe
"C:\Users\Admin\AppData\Local\Temp\qbE577918.EE\7z2201.exe" /S
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4800

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
3⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr "keystone" "C:\Windows\System32\drivers\etc\hosts"
3⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\system32\findstr.exe
findstr "keystone" "C:\Windows\System32\drivers\etc\hosts"
4⤵
PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr "holocron" "C:\Windows\System32\drivers\etc\hosts"
3⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\findstr.exe
findstr "holocron" "C:\Windows\System32\drivers\etc\hosts"
4⤵
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\pb.cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\mode.com
mode con:cols=86 lines=36
4⤵
PID:2956

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2612

C:\Windows\system32\mode.com
mode 70,4
4⤵
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy/Z "C:\Users\Admin\AppData\Local\Temp\pb.cmd" nul
4⤵
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $H|cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $H"
5⤵
PID:1688

C:\Windows\system32\cmd.exe
cmd
5⤵
PID:1652

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:3240

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:2120

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:2220

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:4412

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:1568

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:3420

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:916

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:2932

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:4664

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:3216

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:2388

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:3848

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:4236

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:4932

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:4764

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:2020

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:4188

C:\Windows\system32\timeout.exe
timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1316

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4412

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2836

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:396

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4240

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4896

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2220

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3908

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4352

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4928

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1664

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1988

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4804

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4960

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4060

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3664

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:872

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3748

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2000

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4628

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:5008

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2400

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3436

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3208

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4860

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1464

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4776

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2284

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2388

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1876

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1240

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2996

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3988

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2152

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2316

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2256

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:548

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3840

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1172

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:5028

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4568

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4660

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2884

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2432

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4672

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2652

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4808

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2952

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2080

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3740

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1084

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3204

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1652

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:340

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1096

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2288

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3116

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1680

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2980

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1076

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1992

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2120

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2492

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4828

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2800

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4168

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3320

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2304

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2296

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3904

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2216

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2284

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4264

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1604

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:428

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3548

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4764

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2540

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1508

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2328

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1712

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:780

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3232

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3912

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3252

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3488

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3628

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3244

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4672

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2652

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4808

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2952

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2080

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3740

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1084

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3204

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1652

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:340

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1096

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2288

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3116

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2960

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3772

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1248

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3340

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:916

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1104

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3380

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4440

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4472

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3320

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2304

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1400

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2692

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2216

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1344

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:436

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4396

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4164

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1852

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:740

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1944

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2948

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1972

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1092

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3024

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4180

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2728

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2016

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3920

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4460

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1996

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4412

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4204

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:396

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1636

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4896

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2784

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1764

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2612

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3248

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1664

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2552

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2336

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:712

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2980

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4080

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1992

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2120

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2492

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4828

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1596

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4168

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4680

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4840

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2636

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2936

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:224

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3084

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3660

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:5000

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4996

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2368

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2152

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3916

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2540

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:548

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3840

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4504

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4296

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4568

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3624

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2148

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2432

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3576

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:240

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:580

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1924

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2940

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1072

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1472

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4756

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1552

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:564

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1544

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3188

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1848

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2932

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2236

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1076

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2840

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3640

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4384

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2596

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4768

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4160

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3700

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1528

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4424

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4664

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3096

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:224

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3084

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:572

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3616

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2192

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4600

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3548

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4468

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3448

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1508

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2328

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1712

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1860

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4068

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1936

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:5104

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2024

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3408

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:560

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4224

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4084

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4380

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4464

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1840

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2944

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:768

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1688

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1496

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4208

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1096

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4092

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4624

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:328

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4848

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:872

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3748

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4632

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4900

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3476

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2556

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4488

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4604

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3392

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2388

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4696

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3512

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:436

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3944

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4112

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1324

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2780

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3560

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4948

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2648

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:5028

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2908

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2384

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1176

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2620

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3928

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4460

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1196

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4412

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4580

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4596

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2300

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4896

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:4620

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3316

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2612

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:3644

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1664

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2552

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:2600

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1292

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
4⤵
PID:1008

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
5⤵
- Enumerates processes with tasklist
PID:4092

C:\Program Files (x86)\7-Zip\7z.exe
"C:\Program Files (x86)\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\qbE577918.EE\ck.7z" -o"C:\ProgramData" -pkjhijdfghjDFGfkgjfi7jgdfjgihr7g -y
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Program Files (x86)\7-Zip\7z.exe
"C:\Program Files (x86)\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\qbE577918.EE\rs.7z" -o"C:\Users\Admin\AppData\Local\Temp" -pfgfhjoiHgfhhkjnfghfg7798jhgfhr -y
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -FilePath 'C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe' -ArgumentList '/VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-' -NoNewWindow -Wait
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -FilePath 'C:\Users\Admin\AppData\Local\Temp\rs.exe' -ArgumentList '/VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-' -NoNewWindow -Wait
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\rs.exe
"C:\Users\Admin\AppData\Local\Temp\rs.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\is-RF07K.tmp\rs.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RF07K.tmp\rs.tmp" /SL5="$E0026,63820596,239616,C:\Users\Admin\AppData\Local\Temp\rs.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\system32\certutil.exe
"certutil.exe" -f -addStore root "C:\Users\Admin\AppData\Local\Temp\is-ALLK7.tmp\BaltimoreCyberTrustRoot.crt"
6⤵
PID:1604

C:\Windows\system32\certutil.exe
"certutil.exe" -f -addStore root "C:\Users\Admin\AppData\Local\Temp\is-ALLK7.tmp\DigiCertEVRoot.crt"
6⤵
PID:4092

C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe" /service /Protected
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:420

C:\Windows\system32\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:1816

C:\Windows\system32\attrib.exe
attrib +h +s "C:\ProgramData\tl"
3⤵
- Views/modifies file attributes
PID:1104

C:\Windows\system32\xcopy.exe
xcopy /C /H /Q /R /Y "C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json" "C:\ProgramData\tl"
3⤵
PID:1528

C:\Windows\system32\xcopy.exe
xcopy /C /H /Q /R /Y "C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json" "C:\ProgramData\tl"
3⤵
PID:1500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -FilePath 'C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe' -ArgumentList '/VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-' -NoNewWindow -Wait
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe
"C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
4⤵
- Executes dropped EXE
PID:1992

C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
"C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe" /FIRSTPHASEWND=$50238 /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2476

C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe" /unregserver
6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Program Files\Malwarebytes\Anti-Malware\mbamwsc.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamwsc.exe" /uninstall
6⤵
- Executes dropped EXE
PID:1708

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll"
6⤵
- Loads dropped DLL
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_LocalTime Get Day,Month,Year /value
3⤵
PID:1548

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_LocalTime Get Day,Month,Year /value
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
3⤵
PID:4280

C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
4⤵
PID:1440

C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
3⤵
PID:2936

C:\Windows\system32\reg.exe
reg Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32
3⤵
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
3⤵
PID:4608

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
4⤵
PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
3⤵
PID:388

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
4⤵
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemManufacturer"
3⤵
PID:2304

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemManufacturer"
4⤵
PID:1528

C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:560

C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe" /wac 1 /status off true /updatesubstatus none /scansubstatus recommended /settingssubstatus none
2⤵
- Executes dropped EXE
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery