Analysis
-
max time kernel
638s -
max time network
649s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-06-2024 03:15
Behavioral task
behavioral1
Sample
MBSetup (1).exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
MBSetup (1).exe
Resource
win10v2004-20240226-en
General
-
Target
MBSetup (1).exe
-
Size
2.5MB
-
MD5
4e19e70399076ab58d1160d0fa2664ec
-
SHA1
e7ca7e0f1895c6bf60a14d6fbb0ccd4fb10a3134
-
SHA256
b9ee60f31be0b7dc3f814c8abbc7caacb6a3e1dc7eb1504b8e831dd42277f8d8
-
SHA512
f6338b52cb5a80d960e6b1ec72a28538614782a75d0270cb89e911160c0a0e8e3a4d0f93fb902c70c37cc5f4da0529043776e2c0b59287096f976addb7e584d8
-
SSDEEP
49152:6VCZ7CYG91YEzNIbd18dStQyfvE0Z3R0nxiIq2dd0ZyWmX4:eCZ7CXQEzNwABKtQRq2RX4
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
MBSetup (1).exedescription pid process target process PID 2548 created 3336 2548 MBSetup (1).exe Explorer.EXE -
Drops file in Drivers directory 6 IoCs
Processes:
MBAMService.exeMBAMService.exeMBSetup (1).exeMBAMInstallerService.exedescription ioc process File created C:\Windows\system32\DRIVERS\MbamElam.sys MBAMService.exe File opened for modification C:\Windows\system32\DRIVERS\MbamElam.sys MBAMService.exe File created C:\Windows\system32\DRIVERS\mbamswissarmy.sys MBAMService.exe File created C:\Windows\system32\DRIVERS\MbamChameleon.sys MBAMService.exe File created C:\Windows\SysWOW64\drivers\mbamtestfile.dat MBSetup (1).exe File created C:\Windows\system32\drivers\mbae64.sys MBAMInstallerService.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Sets service image path in registry 2 TTPs 2 IoCs
Processes:
MBAMService.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mbamchameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys" MBAMService.exe -
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
mbupdatrV5.exeMBSetup (1).exeMBAMService.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion mbupdatrV5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate mbupdatrV5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion MBSetup (1).exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate MBSetup (1).exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion MBAMService.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate MBAMService.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Downloads MZ/PE file
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
MBAMService.exeMBAMInstallerService.exedescription ioc process File opened (read-only) \??\S: MBAMService.exe File opened (read-only) \??\U: MBAMService.exe File opened (read-only) \??\K: MBAMInstallerService.exe File opened (read-only) \??\N: MBAMInstallerService.exe File opened (read-only) \??\Q: MBAMInstallerService.exe File opened (read-only) \??\R: MBAMService.exe File opened (read-only) \??\P: MBAMInstallerService.exe File opened (read-only) \??\O: MBAMService.exe File opened (read-only) \??\G: MBAMInstallerService.exe File opened (read-only) \??\H: MBAMInstallerService.exe File opened (read-only) \??\I: MBAMInstallerService.exe File opened (read-only) \??\M: MBAMInstallerService.exe File opened (read-only) \??\V: MBAMInstallerService.exe File opened (read-only) \??\Z: MBAMInstallerService.exe File opened (read-only) \??\E: MBAMService.exe File opened (read-only) \??\K: MBAMService.exe File opened (read-only) \??\N: MBAMService.exe File opened (read-only) \??\T: MBAMService.exe File opened (read-only) \??\V: MBAMService.exe File opened (read-only) \??\A: MBAMService.exe File opened (read-only) \??\M: MBAMService.exe File opened (read-only) \??\Z: MBAMService.exe File opened (read-only) \??\B: MBAMInstallerService.exe File opened (read-only) \??\J: MBAMInstallerService.exe File opened (read-only) \??\L: MBAMInstallerService.exe File opened (read-only) \??\T: MBAMInstallerService.exe File opened (read-only) \??\W: MBAMInstallerService.exe File opened (read-only) \??\X: MBAMInstallerService.exe File opened (read-only) \??\H: MBAMService.exe File opened (read-only) \??\I: MBAMService.exe File opened (read-only) \??\P: MBAMService.exe File opened (read-only) \??\W: MBAMService.exe File opened (read-only) \??\X: MBAMService.exe File opened (read-only) \??\Y: MBAMService.exe File opened (read-only) \??\U: MBAMInstallerService.exe File opened (read-only) \??\B: MBAMService.exe File opened (read-only) \??\J: MBAMService.exe File opened (read-only) \??\L: MBAMService.exe File opened (read-only) \??\Q: MBAMService.exe File opened (read-only) \??\A: MBAMInstallerService.exe File opened (read-only) \??\R: MBAMInstallerService.exe File opened (read-only) \??\S: MBAMInstallerService.exe File opened (read-only) \??\Y: MBAMInstallerService.exe File opened (read-only) \??\G: MBAMService.exe File opened (read-only) \??\E: MBAMInstallerService.exe File opened (read-only) \??\O: MBAMInstallerService.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Malwarebytes.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Malwarebytes.exe -
Drops file in System32 directory 64 IoCs
Processes:
MBVpnTunnelService.exeDrvInst.exeMBAMService.exedescription ioc process File created C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_d6132e4c7fe2fac6\rtux64w10.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlanu.inf_amd64_1815bafd14dc59f0\netrtwlanu.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{9eb96a88-2d2f-8042-a7e2-9548098b0fae}\mbtun.inf DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_1f949c30555f4111\netmyk64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\rpcrt4.pdb MBAMService.exe File created C:\Windows\System32\DriverStore\FileRepository\kdnic.inf_amd64_6649425cdcae9b5f\kdnic.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net1ic64.inf_amd64_5f033e913d34d111\net1ic64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\net1yx64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\net44amd.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_1bdf7a435cb3580d\netrasa.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw06.inf_amd64_2edd50e7a54d503b\netwtw06.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\rtwlanu_oldic.inf_amd64_1a82423cc076e882\rtwlanu_oldic.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_97bef65a8432edd4\msdri.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netvchannel.inf_amd64_ba3e73aa330c95d6\netvchannel.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90 MBAMService.exe File created C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_ec11d0ad3c5b262a\netvwifimp.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_e4cbe375963a69e9\netl160a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\Temp\{9eb96a88-2d2f-8042-a7e2-9548098b0fae}\SET5C5A.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_9e6bb7a4b7338267\usbnet.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\Temp\{9eb96a88-2d2f-8042-a7e2-9548098b0fae}\SET5C6B.tmp DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\kernel32.pdb MBAMService.exe File created C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_b6748bc8bb8ccf4d\netax88179_178a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_07ad61d07466a58a\wceisvista.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\netvwwanmp.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\Temp\{9eb96a88-2d2f-8042-a7e2-9548098b0fae}\SET5C6A.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_3294fc34256dbb0e\dc21x4vm.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90 MBAMService.exe File created C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_153e01d761813df2\netwew01.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw04.inf_amd64_c8f5ae6576289a2d\netwtw04.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_be4ba6237d385e2e\netrndis.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{9eb96a88-2d2f-8042-a7e2-9548098b0fae}\SET5C6B.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netvf63a.inf_amd64_a090e6cfaf18cb5c\netvf63a.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{9eb96a88-2d2f-8042-a7e2-9548098b0fae} DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_d823e3edc27ae17c\netk57a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netjme.inf_amd64_752bf22f1598bb7e\netjme.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_310ee0bc0af86ba3\netr7364.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net7400-x64-n650.inf_amd64_557ce3b37c3e0e3b\net7400-x64-n650.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_ede00b448bfe8099\netxex64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw02.inf_amd64_42e02bae858d0fbd\netwtw02.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\bcmdhd64.inf_amd64_e0bae6831f60ea5f\bcmdhd64.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{9eb96a88-2d2f-8042-a7e2-9548098b0fae}\SET5C6A.tmp DrvInst.exe File opened for modification C:\Windows\System32\Amsi.pdb MBAMService.exe File opened for modification C:\Windows\System32\wbemprox.pdb MBAMService.exe File created C:\Windows\System32\DriverStore\FileRepository\net819xp.inf_amd64_ff7a5dd4f9b1ceba\net819xp.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\netrtwlane_13.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{9eb96a88-2d2f-8042-a7e2-9548098b0fae}\mbtun.cat DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\117308CCCD9C93758827D7CC85BB135E MBAMService.exe File created C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\ntdll.pdb MBAMService.exe File created C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_d5996f2a9d9aa9e3\netr28ux.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\netwew00.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_220db23f5419ea8d\netathrx.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Malwarebytes\Logs\MBAMSI.alt2.log MBAMService.exe File created C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_895623810c19146a\nete1e3e.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netsstpa.inf_amd64_e76c5387d67e3fd6\netsstpa.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\bcmwdidhdpcie.inf_amd64_977dcc915465b0e9\bcmwdidhdpcie.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_99a4ca261f585f17\net8187se64.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt MBAMService.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
Processes:
MBAMInstallerService.exeMBVpnTunnelService.exeMBSetup (1).exedescription ioc process File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\hostpolicy.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Data.DataSetExtensions.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.IO.Compression.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\fr\System.Windows.Forms.Design.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ru\UIAutomationProvider.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Microsoft.Extensions.DependencyInjection.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\SPControllerImpl.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Microsoft.EntityFrameworkCore.Sqlite.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.IO.Pipes.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Threading.Channels.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Xml.XmlDocument.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\PresentationFramework-SystemCore.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ru\UIAutomationClientSideProviders.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\System.Xaml.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Security.SecureString.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\pt-BR\WindowsBase.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\RTPControllerImpl.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\SelfProtectionShim.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Runtime.CompilerServices.Unsafe.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\pl\UIAutomationTypes.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ru\System.Windows.Forms.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\MbamUI.Services.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Data.Common.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\cs\PresentationUI.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\PresentationFramework.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\tr\System.Windows.Forms.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnel_mbtun.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\SQLitePCLRaw.provider.e_sqlite3.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-datetime-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-crt-environment-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnel_wireguard.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\System.DirectoryServices.AccountManagement.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\DirectWriteForwarder.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ko\PresentationUI.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\VPNControllerImpl.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.cat MBVpnTunnelService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\MbamUI.UICommon.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Globalization.Extensions.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Net.HttpListener.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Net.Quic.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\de\PresentationFramework.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\fr\WindowsBase.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\ReachFramework.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\Microsoft.VisualBasic.Forms.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\MBAMCrashHandler.exe MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-localization-l1-2-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-string-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Reflection.Emit.Lightweight.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Transactions.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\es\PresentationFramework.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-namedpipe-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\it\ReachFramework.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\UpdateControllerImpl.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\8d5b3c19-582f-448f-8246-9f0e4e21e3d3 MBSetup (1).exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-memory-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-crt-conio-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hans\System.Windows.Input.Manipulations.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\e_sqlcipher.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\Microsoft.Win32.SystemEvents.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\tr\UIAutomationClient.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Collections.Concurrent.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.IO.FileSystem.Primitives.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Net.Security.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Text.Encodings.Web.dll MBAMInstallerService.exe -
Drops file in Windows directory 5 IoCs
Processes:
MBVpnTunnelService.exesvchost.exeDrvInst.exedescription ioc process File opened for modification C:\Windows\INF\setupapi.dev.log MBVpnTunnelService.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\inf\oem3.inf DrvInst.exe -
Executes dropped EXE 9 IoCs
Processes:
MBAMInstallerService.exeMBVpnTunnelService.exeMBAMService.exeMBAMService.exeMalwarebytes.exeMalwarebytes.exeMalwarebytes.exembupdatrV5.exeig.exepid process 3956 MBAMInstallerService.exe 3480 MBVpnTunnelService.exe 968 MBAMService.exe 2432 MBAMService.exe 4508 Malwarebytes.exe 5608 Malwarebytes.exe 3372 Malwarebytes.exe 3104 mbupdatrV5.exe 4912 ig.exe -
Loads dropped DLL 64 IoCs
Processes:
MBAMInstallerService.exeMBVpnTunnelService.exeMBAMService.exeMalwarebytes.exepid process 3956 MBAMInstallerService.exe 3956 MBAMInstallerService.exe 3956 MBAMInstallerService.exe 3480 MBVpnTunnelService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 3956 MBAMInstallerService.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe -
Registers COM server for autorun 1 TTPs 64 IoCs
Processes:
MBAMService.exeMBAMService.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05098CD5-9914-48C2-A453-DB782F55A65F}\InProcServer32\ = "C:\\PROGRAM FILES\\MALWAREBYTES\\ANTI-MALWARE\\mbamsi64.dll" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ThreadingModel = "Apartment" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32 MBAMService.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{05098CD5-9914-48C2-A453-DB782F55A65F}\InProcServer32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\"" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05098CD5-9914-48C2-A453-DB782F55A65F}\InProcServer32\ThreadingModel = "Both" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32 MBAMService.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
svchost.exeDrvInst.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exeMBAMService.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MBAMService.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MBAMService.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1436 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Processes:
MBAMService.exeMBAMInstallerService.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION MBAMInstallerService.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Malwarebytes.exe = "11000" MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION MBAMService.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000" MBAMService.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
mbupdatrV5.exeMBAMInstallerService.exeDrvInst.exeMBAMService.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs mbupdatrV5.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes MBAMInstallerService.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\ MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0 MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT MBAMInstallerService.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Malwarebytes\FirstRun = "false" MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs mbupdatrV5.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MBAMService.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes\FirstRun = "false" MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates MBAMService.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\ MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0 MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MBAMService.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\ MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0 MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0 MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates mbupdatrV5.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mbupdatrV5.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft MBAMInstallerService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MBAMService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\ MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT mbupdatrV5.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MBAMInstallerService.exe -
Modifies registry class 64 IoCs
Processes:
MBAMService.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A574BA8-3535-41F9-AB73-FA93F8A7DC3B}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8258E71-3A7A-4D9D-85BB-C7999F95B7E4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\ProgID\ = "MB.TelemetryController.1" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66328184-6592-46BE-B950-4FDA4417DF2E} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44AC1571-055F-4CC8-B7D8-EA022C4CC112}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A574BA8-3535-41F9-AB73-FA93F8A7DC3B}\ = "IRTPControllerV5" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E3F70EF-D9BE-485F-A6F5-816DD0EDC757}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}\1.0\0\win64 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B42C0E8E-5C9D-46B7-AAED-2294C6566DC0}\TypeLib\Version = "1.0" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\Programmable MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE35F2CA-6335-49BA-8E86-F6E246CFCEA6}\ = "ILogControllerEvents" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D51C573D-B305-4980-8DFF-076C1878CCFB}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44ACF635-5275-4730-95E5-03E4D192D8C8}\ = "ILicenseControllerV8" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\ = "CustomScanParameters Class" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE35F2CA-6335-49BA-8E86-F6E246CFCEA6}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA248A19-F84E-4407-ADD3-8563AFD81269}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F14F58B-B908-4644-830F-5ACF8542D27F}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED06E075-D1FD-4635-BA17-2F6D6BB0DFD6}\TypeLib\ = "{EEC295FA-EC51-4055-BC47-022FC0FC122F}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C731375E-3199-4C88-8326-9F81D3224DAD}\1.0\HELPDIR MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{226C1698-A075-4315-BB5D-9C164A96ACE7}\1.0\FLAGS\ = "0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23416CFE-018D-418E-8CE9-5729D070CCED}\TypeLib\ = "{226C1698-A075-4315-BB5D-9C164A96ACE7}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{76AD4430-9C5C-4FC2-A15F-4E16ACD735AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA226B90-F6FF-4618-8AE6-1114E82CB162}\ = "_IScanControllerEventsV14" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1BDE8B0-F598-4334-9991-ECC7442EEAA6}\TypeLib\Version = "1.0" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9AE95CF-6463-415A-94AC-F895D0962D30}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CE94D34-A1E4-4FA8-BEDC-6A32683B85F5}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E0F1EE6-E7CA-4BEE-8C08-0959842DA615}\ = "IMBAMServiceControllerV7" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F656FD9-2597-4587-8F05-781C11710867}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F656FD9-2597-4587-8F05-781C11710867}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F641DDA1-271F-47C7-90C2-4327665959DF}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6724C143-DE69-4A93-80ED-19B75DD2AA99}\ = "IMWACControllerEventsV9" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDCB7916-7DE8-44C8-BAF6-F1BBB3268456}\ = "IPoliciesControllerV8" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5250E5C8-A09C-4F87-A0DA-A46A62A0EACF}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{32DF4C97-FE35-41AA-B18F-583AA53723A3}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3249828-A4B2-4146-A323-EA5FD2F2FC75}\ = "IUpdateControllerV13" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CE18DD5-2BD7-4844-B9AD-DF6A995750A1} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\VersionIndependentProgID\ = "MB.VPNController" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68E3012A-E3EC-4D66-9132-4E412F487165}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF39921A-6060-472F-A358-1CE8D2F8779C}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55D0C28B-2BF3-4230-B48D-DB2C2D7BF6F8}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC60FEE4-E373-4962-B548-BA2E06119D54}\ = "IScanControllerEventsV9" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD67766C-A28D-44F3-A5D0-962965510B2D}\TypeLib\Version = "1.0" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C1047E9-9ADC-4F8A-8594-036375F53103}\TypeLib MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD9CB7A5-5C46-4799-A3A4-20FB128E58F1} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97DA9E74-558F-4085-AE41-6A82ED12D02C}\TypeLib\ = "{783B187E-360F-419C-B6DA-592892764A01}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E0F1EE6-E7CA-4BEE-8C08-0959842DA615}\TypeLib\ = "{783B187E-360F-419C-B6DA-592892764A01}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{571FB9A8-E53B-4740-B125-082207566E5F}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{778103CC-4FA4-42AC-8981-D6F11ACC6B7F} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E423AF9-25D2-451E-8D81-08D44F63D83F}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0EB1521-C843-47D5-88D2-5449A2F5F40B}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D10B0F61-43AA-40F4-9C6C-57D29CA8544E}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MB.MBAMServiceController.1\ = "MBAMServiceController Class" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB30855D-36DF-41BD-9EEE-03BA7E8E70B7}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A0A45F1-CFB6-49A7-BBC4-8776F94857A8} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78E69E6F-EC12-4B84-8431-1D68572C7A61}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AEBAD20-B80A-427D-B7D5-D2983291132E}\TypeLib\Version = "1.0" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{834906DC-FA0F-4F61-BC62-24B0BEB3769C}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C4652FC-FA35-4394-A133-F68409776465}\TypeLib\ = "{6C5B978B-68C9-45C7-9D6E-0BA57A3C7EB2}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7F95C137-46FC-42FB-A66A-F0482F3C749C}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A10434E2-CAA7-48C4-9770-E9F215C51ECC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAB53395-8218-47FF-91B7-144994C0AD83}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50538523-AA2F-40D3-9B58-DB51D5BD3D4A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA09B8D-A536-4429-8331-49808442D24B}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32065E5-189E-4C5F-AA59-32A158BAF5B7}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" MBAMService.exe -
Processes:
MBAMInstallerService.exeMBAMService.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa20f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E MBAMService.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc stream HTTP User-Agent header 73 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) 1 -
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
MBSetup (1).exeMBAMInstallerService.exeMBAMService.exeMalwarebytes.exepid process 2548 MBSetup (1).exe 2548 MBSetup (1).exe 3956 MBAMInstallerService.exe 3956 MBAMInstallerService.exe 3956 MBAMInstallerService.exe 3956 MBAMInstallerService.exe 3956 MBAMInstallerService.exe 3956 MBAMInstallerService.exe 3956 MBAMInstallerService.exe 3956 MBAMInstallerService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe 2432 MBAMService.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 672 672 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeMBAMService.exeMBAMService.exedescription pid process Token: SeAuditPrivilege 2100 svchost.exe Token: SeSecurityPrivilege 2100 svchost.exe Token: 33 968 MBAMService.exe Token: SeIncBasePriorityPrivilege 968 MBAMService.exe Token: 33 2432 MBAMService.exe Token: SeIncBasePriorityPrivilege 2432 MBAMService.exe Token: SeBackupPrivilege 2432 MBAMService.exe Token: SeRestorePrivilege 2432 MBAMService.exe Token: SeTakeOwnershipPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeBackupPrivilege 2432 MBAMService.exe Token: SeRestorePrivilege 2432 MBAMService.exe Token: SeTakeOwnershipPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeSecurityPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe Token: SeDebugPrivilege 2432 MBAMService.exe -
Suspicious use of FindShellTrayWindow 32 IoCs
Processes:
MBSetup (1).exefirefox.exeMalwarebytes.exepid process 2548 MBSetup (1).exe 4276 firefox.exe 4276 firefox.exe 4276 firefox.exe 4276 firefox.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe -
Suspicious use of SendNotifyMessage 28 IoCs
Processes:
firefox.exeMalwarebytes.exepid process 4276 firefox.exe 4276 firefox.exe 4276 firefox.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe 4508 Malwarebytes.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 4276 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
MBAMInstallerService.exesvchost.exeMBAMService.exeMBSetup (1).execmd.exefirefox.exefirefox.exedescription pid process target process PID 3956 wrote to memory of 3480 3956 MBAMInstallerService.exe MBVpnTunnelService.exe PID 3956 wrote to memory of 3480 3956 MBAMInstallerService.exe MBVpnTunnelService.exe PID 2100 wrote to memory of 1140 2100 svchost.exe DrvInst.exe PID 2100 wrote to memory of 1140 2100 svchost.exe DrvInst.exe PID 3956 wrote to memory of 968 3956 MBAMInstallerService.exe MBAMService.exe PID 3956 wrote to memory of 968 3956 MBAMInstallerService.exe MBAMService.exe PID 2432 wrote to memory of 4508 2432 MBAMService.exe Malwarebytes.exe PID 2432 wrote to memory of 4508 2432 MBAMService.exe Malwarebytes.exe PID 2548 wrote to memory of 3244 2548 MBSetup (1).exe cmd.exe PID 2548 wrote to memory of 3244 2548 MBSetup (1).exe cmd.exe PID 2548 wrote to memory of 3244 2548 MBSetup (1).exe cmd.exe PID 3244 wrote to memory of 1436 3244 cmd.exe timeout.exe PID 3244 wrote to memory of 1436 3244 cmd.exe timeout.exe PID 3244 wrote to memory of 1436 3244 cmd.exe timeout.exe PID 3244 wrote to memory of 3652 3244 cmd.exe firefox.exe PID 3244 wrote to memory of 3652 3244 cmd.exe firefox.exe PID 3652 wrote to memory of 4276 3652 firefox.exe firefox.exe PID 3652 wrote to memory of 4276 3652 firefox.exe firefox.exe PID 3652 wrote to memory of 4276 3652 firefox.exe firefox.exe PID 3652 wrote to memory of 4276 3652 firefox.exe firefox.exe PID 3652 wrote to memory of 4276 3652 firefox.exe firefox.exe PID 3652 wrote to memory of 4276 3652 firefox.exe firefox.exe PID 3652 wrote to memory of 4276 3652 firefox.exe firefox.exe PID 3652 wrote to memory of 4276 3652 firefox.exe firefox.exe PID 3652 wrote to memory of 4276 3652 firefox.exe firefox.exe PID 3652 wrote to memory of 4276 3652 firefox.exe firefox.exe PID 3652 wrote to memory of 4276 3652 firefox.exe firefox.exe PID 4276 wrote to memory of 4656 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 4656 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe PID 4276 wrote to memory of 1696 4276 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\MBSetup (1).exe"C:\Users\Admin\AppData\Local\Temp\MBSetup (1).exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Checks BIOS information in registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /t 1 & "C:\Program Files\Mozilla Firefox\firefox.exe" -install -extension "C:\Users\Admin\AppData\Local\Temp\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi"3⤵
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\timeout.exetimeout /t 14⤵
- Delays execution with timeout.exe
PID:1436 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -install -extension "C:\Users\Admin\AppData\Local\Temp\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi"4⤵
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -install -extension C:\Users\Admin\AppData\Local\Temp\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi5⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4276.0.1332608539\1602719050" -parentBuildID 20221007134813 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93c106a8-76eb-4684-ba49-cb7c3cde2ab4} 4276 "\\.\pipe\gecko-crash-server-pipe.4276" 1828 1178dcb9158 gpu6⤵PID:4656
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4276.1.488700337\866435603" -parentBuildID 20221007134813 -prefsHandle 2292 -prefMapHandle 2288 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4c530ed-ca79-4f06-8557-cd296935fc48} 4276 "\\.\pipe\gecko-crash-server-pipe.4276" 2312 1178dbe6558 socket6⤵
- Checks processor information in registry
PID:1696 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4276.2.814612517\935001379" -childID 1 -isForBrowser -prefsHandle 3128 -prefMapHandle 3124 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58c54609-cd1c-45f1-84bb-7dc4e07a5cd3} 4276 "\\.\pipe\gecko-crash-server-pipe.4276" 3140 1178dc61958 tab6⤵PID:3264
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4276.3.754192362\185166836" -childID 2 -isForBrowser -prefsHandle 3068 -prefMapHandle 3148 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e36846d5-16f2-4cef-a196-cf15c645118d} 4276 "\\.\pipe\gecko-crash-server-pipe.4276" 3548 11795483258 tab6⤵PID:5136
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4276.4.1476768413\2095204527" -childID 3 -isForBrowser -prefsHandle 4864 -prefMapHandle 4908 -prefsLen 26286 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23cadbe2-ed65-48d6-a217-04b2ee0eb7c7} 4276 "\\.\pipe\gecko-crash-server-pipe.4276" 4904 11782265358 tab6⤵PID:5756
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4276.5.1159033193\528635596" -childID 4 -isForBrowser -prefsHandle 5056 -prefMapHandle 5040 -prefsLen 26286 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b781da2e-2478-4e6a-adc7-7acea1c237da} 4276 "\\.\pipe\gecko-crash-server-pipe.4276" 4912 11792ff2558 tab6⤵PID:5784
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4276.6.354831664\1447480863" -childID 5 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26286 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bc6b2f6-8b56-45b1-a587-e377b35bed18} 4276 "\\.\pipe\gecko-crash-server-pipe.4276" 5304 11793550558 tab6⤵PID:5808
-
C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe"2⤵
- Executes dropped EXE
PID:5608 -
C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe"3⤵
- Executes dropped EXE
PID:3372
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵PID:4184
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"1⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
PID:3480 -
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:968
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "0000000000000154" "Service-0x0-3e7$\Default" "0000000000000148" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1140
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" nowindow2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4508 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://links.malwarebytes.com/link/pricing-inapp?version=5.1.5.116&x-prodcode=MBAM-C&x-token_secret=0RJqCl-jr1uEbqGi4UPgLl05A4q6PxvRZV3o-90KR4iZkcYWbcpkMOcR2QQ9iH7JJBFOqNGNGidkJ6tJlK9L00sJlOu_H6h_ZIEIhPTPoEr5m8eOrLGRXCZpED5QoUGv&ADDITIONAL_machineid=18e531be88f745adecc4af1492e653d803938bc1&days_since_install=0&varID=mb5-onboarding3⤵PID:3972
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://my.malwarebytes.com/registration3⤵PID:2808
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe"C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe" "C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\config\UpdateControllerConfig.json" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbclsupdate\staging" /db:dbupdate /su:no2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3104 -
C:\Users\Admin\AppData\LocalLow\IGDump\sec\ig.exeig.exe secure2⤵
- Executes dropped EXE
PID:4912
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5020 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵PID:2216
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4308 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵PID:3820
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1020 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵PID:1808
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5400 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵PID:2656
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3440 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵PID:1876
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5804 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵PID:916
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=3468 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:11⤵PID:3620
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=4292 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:11⤵PID:1780
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1600 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵PID:404
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=5500 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:11⤵PID:3912
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5844 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵PID:4820
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4308 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵PID:5328
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
- Enumerates system info in registry
PID:5396 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffa2d402e98,0x7ffa2d402ea4,0x7ffa2d402eb02⤵PID:5292
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2096 --field-trial-handle=2100,i,13717100392841679177,6881025597311502987,262144 --variations-seed-version /prefetch:22⤵PID:5896
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2292 --field-trial-handle=2100,i,13717100392841679177,6881025597311502987,262144 --variations-seed-version /prefetch:32⤵PID:3068
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2468 --field-trial-handle=2100,i,13717100392841679177,6881025597311502987,262144 --variations-seed-version /prefetch:82⤵PID:5988
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2100,i,13717100392841679177,6881025597311502987,262144 --variations-seed-version /prefetch:82⤵PID:3972
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2100,i,13717100392841679177,6881025597311502987,262144 --variations-seed-version /prefetch:82⤵PID:5352
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2100,i,13717100392841679177,6881025597311502987,262144 --variations-seed-version /prefetch:82⤵PID:5792
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4716 --field-trial-handle=2100,i,13717100392841679177,6881025597311502987,262144 --variations-seed-version /prefetch:12⤵PID:3724
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4784 --field-trial-handle=2100,i,13717100392841679177,6881025597311502987,262144 --variations-seed-version /prefetch:12⤵PID:2228
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5216 --field-trial-handle=2100,i,13717100392841679177,6881025597311502987,262144 --variations-seed-version /prefetch:82⤵PID:3556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5284 --field-trial-handle=2100,i,13717100392841679177,6881025597311502987,262144 --variations-seed-version /prefetch:82⤵PID:4432
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\7z.dllFilesize
128KB
MD5c9f986485c18fefcf80c5af9a7b9bbd3
SHA128c7c3ad73b9d5ed66b3c07a4e4e869c5aaba35e
SHA256ae3dba5be2864bade0f63f022b75aaabe05bf9c8bf24fcbb54b99843edbd6f26
SHA5120be54b3f4a88eb0a6827b694ed95929c1b3c3cb46a29597bf744cf9fa886f659064b9d65cca9bf8d143f9a264d78b5c83e7de88145790966a6ca91b86c286151
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Actions.dllFilesize
2.1MB
MD50e6c18ce76944d78a4949b3ae1cdfb9a
SHA123e173b4519e5cd2e32a1df6ecac282dc47e1fcf
SHA25623e87a9a2d3fd140fbda133afde9e4c9408f610af83363aa0e49d25a4c98b497
SHA5122143778b2ad407ab2eab70d4aee35c70bc07b51ffc48cf1cde5274b3a6d44df976c02f890bf8fde33959b4fdd61ac23a60011de4952ee324ece14285048540eb
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ActionsShim.dllFilesize
2.0MB
MD50954a50e6cc69b8760f78246e123c2f4
SHA1317da650742c11ab9bc863ecdd8bcd17fccbca9a
SHA256f46c5c8e3874e9e1eddf20ac67cbdb0f53173c5e4d7f81e9c6975d515d30cf39
SHA512fdb5ae918307cf339c652a041522ca67d896907069beb97bbdbe0b551fc11624a206bc8f7adb5fa427e147b6e3aa5d8febeef8ebd56d3d831f6edd1bd35c14bd
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\BrowserSDKDLL.dllFilesize
576KB
MD5a4cc0f93568aedf4892c6540c5ee43e5
SHA1824c112a8caea4109466cb4c5ca609290554a1b5
SHA2563abf2098b9f5abe6e14fb225b9ef79275d9b8fb5c0a03de545c8f8957f0d6e61
SHA512f3185bed52ffeddcc7ff52e1af00dd7e663391d41d17459f7ed1e25f2209784f46c1d1a252a0572c4667af909751017bbcbe550a50c7ffa18e24fb6cac1b5738
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CleanControllerImpl.dllFilesize
1.2MB
MD5002489ae38fcd08e362e51d32f5a544f
SHA17ca95bd787fc0bcecd400742caae680746f5ba8b
SHA256f12f766678c45f51eb856465d06ac895895b917ef1e78a7ce5673d46ee277aff
SHA512d5874a6f4aaf9a424163a9a7e78a67e172fcf886d8518756cd4939a100ca227d27ba2a18225338f848f375919396b4346b7f715c02e2912c3885bd95e64f98e6
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CloudControllerImpl.dllFilesize
576KB
MD5eecdb9672ebc864945287e50c3867939
SHA1715d22f044d35b0f86da68fa1aab7ff785a1e551
SHA2567cc2c24875a0c85098380011ceebde1a65b4199a01e4e986904d089deec28d65
SHA51229c8f8a94a4c25e64a043c3bdeecb58fbd5e61017185d6c76052656edd3373687decac6174e2ea139b0501d79b5cd8be5765c8cd8bb6971d25327838e8a785af
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\LicenseControllerImpl.dllFilesize
3.6MB
MD5702b2ffbfc901954c4ad2e8ddad90551
SHA1eea50836372e244519939f97eed058497ebee639
SHA2564cfa41ca45f26028bce2b29edefdb6e946d56011ab62742c64b4665d664b253e
SHA51299e694a98a5839d555e1ee6efdcab7ccb6865ff17d5b8c2bb4f28f843c26d98ddd8d12a9778cb7a808e66dea2376d691cd27e41d98ebbc15eb7a445f668178c9
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMCore.dllFilesize
512KB
MD541304f2f0fea8eb92babdadb6925adb0
SHA1305292bba98c5bf79679aab4718699257a978d0b
SHA256333410f73415a161c720feb98d6fc2262c257af5c392ccf53cd34e55755fac10
SHA5124c66d4d2b84da74a675726f48b9c5481401f6ca0b95b7ecb855da4e0f01888ea998dc1beaf8d2b580954af74593a931fc1722170e9c23a0a5bae295fbaa20d93
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMShim.dllFilesize
512KB
MD5fd141224920839d8c2e124eb419aeb22
SHA1ac5c20cb3f141539432ee38a0d576a2f7387b3a8
SHA256f9a8857f7d04c83ebbbe33adf1b52905fd434a791a1bd6eb2b9e090353545fc0
SHA512552ca1a3115bd3f579eceaed2ae501e460bce290d7b156d09ebc07379dc88b6025eba4a450d221c69695dfe7436d0de31bae87e6bc6420d14258eaa77b203762
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dllFilesize
1.8MB
MD51fef61c41de230ad3977ce0f5e5021f1
SHA12b956887940c52930d25e1235092f06ad46bc942
SHA2565b97f3c8e79319f7b9fcf740ad1cfab68a9765d7d463fcdc38d4bd1a0c95dd0b
SHA512072daafc3410a349053075231c1dcafcd8084fee648385fa86f225bb642407bad4b45096b5a73a8f937f2ae975b3f7af842c4b4aad95c799d14a60c4bd6f2b91
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ScanControllerImpl.dllFilesize
448KB
MD5162164867fa4ad7e873d24831e7cdbbd
SHA17bec4ca93f9bd27f48f2c9de6bb75f5d9b910738
SHA25666c164b536441fea7c64c45ef39b80412b6ee2b01ade4518076f490e74caf422
SHA51296954906a6d6cd0d1952434ac9477e7cc09cb4bb16b6404d567d010ac2d321eacebd477647f5bb6014455a00580b4007ee26ec310bc290df6300bf99450066fb
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\TelemetryControllerImpl.dllFilesize
1.9MB
MD5becafcb40dcaf83a39128705dbd36082
SHA12460acbd76261c98209eacfbce6008a717a7e6aa
SHA25695e046cd9d013c2b772b049728ffe7e9a4ad1684b1353bb9d48d74e3c2b35074
SHA5121f7ce29d1b35092b6c93fd890dfaa09dd225f5c58a3f963bbc1019060dca603f640a877ebe939995e2beb2a3ee5ae492324fe82d29983f40a37786b00155c5ae
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\UpdateControllerImpl.dllFilesize
3.8MB
MD57357e806738fc72fc7e396c0fc7363e0
SHA1659dc4129e770040bb7d22a742d0c49cc1d5d175
SHA2561da44d9da26113e49ffedd8c44c9d22d87adfdb517425b3b63dd9bfa60484905
SHA51277ede08e472106acf43a40ab7a70354f95cf9d08ae416b86b3c3baead98c7a86f60d7f57bdb155b6d001f29a83667702854634ba656a9f83950518f00ec98852
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeFilesize
512KB
MD5af38c5777956fd1a958201270fd5ef44
SHA1f86c6b8c922e3b4a01f55bb85891be17144d3aca
SHA256af8b4c46545ce7655c439ea2776992f975f2ebadcea860ab0d0d8b3f4c580870
SHA512fd117ae0d7a727e19b6619bebfaa53b441e61e4b7ba5d35d7c5591004a7622dc19c490609686ddf8dcffc14a45c89dcd4a893d629fea605b002c99a8b1dc8bd5
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sample.dllFilesize
448KB
MD52032f9692898fa331874ad9eed31f816
SHA10d7c6405f8329696913ae4e196f14d21fdf239d9
SHA2566e5d158663cc707e98381083e93292da2c05fd18bf5abbaa6e66a2588cee4ca9
SHA512c38287e4740bca6e3d5a2779c11d59eb6090bae1141ef4c662cff244a1ddc61a442f4d1388e6fd4f033d7b257dfe6e0cdad65938b251b358925850f7595b50b8
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.srFilesize
448KB
MD5e87eb48299e8fbd049fb699bca9566fe
SHA150721418fca9dbc7d21b6e6354645523ef07b9ce
SHA256d45bcf46891ec62e97e144d1b722a02fa01a8219c077f0e84c4d97367c3e73b1
SHA512821e094881c9101ca1e34fa802777c86a3a5cf919cf9b74568bfcff719371f5e671ab14884111e3234267e9f377034fecac1a4c673c0454ad890d14f8730485d
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\clean.mbdbFilesize
13KB
MD500945996048ff756b87a69413ba9ac20
SHA178e8211c2d65063a33597a97a6d176643e9b2631
SHA256cb420edf38866fb3efa0999f7cc8b277028eb61190fe0d2a3a40324bd852d0a3
SHA51269b166dee924fa6768ecb77284700254b9899a4a355358af868415ef28cc2ff6e5e7fab8fd259f376320cf907aea1f369f5f3e5f633e8ffed8904a3b66efc89b
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbmanifest2.datFilesize
924B
MD5de6af8e7cb358a9ae31c37eac064fa3b
SHA14b7dca3efc886d404ed7e9b6985ab7f49de4cefe
SHA256f751fe98372307081ac8be0bd2095c4e01bd1c7ff2f59d8616211c1a73048823
SHA512c02410678af925e408157643e9640c8a75678fa84d74cd31cd5f7b56b99fde8961537c34c3c170ea64b2a9d109c6ccb5a8642494c434cf6df9b007502f23d055
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dynconfig.datFilesize
39KB
MD510f23e7c8c791b91c86cd966d67b7bc7
SHA13f596093b2bc33f7a2554818f8e41adbbd101961
SHA256008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc
SHA5122d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\exclusions.txtFilesize
23KB
MD5aef4eca7ee01bb1a146751c4d0510d2d
SHA15cf2273da41147126e5e1eabd3182f19304eea25
SHA2569e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f
SHA512d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\mbdigsig2.datFilesize
514B
MD590ae986da076b33809956a63292f8ece
SHA1f59a271ef9d30beeca4d96746b1960ff1e35379e
SHA256184dd97b61c0f6cb22d600925bf9170ed9ccad99c57af78dc42c149fc34c7b54
SHA5127be9fd019a72f2a6072aa1438a5a27fd392b8e93365492861a9de77d68e4730e2b96ca98e8727aa0c6ab7e6b505c33f9061f8e4a83c6522c5c3eb348e0e35e3c
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\prot.mbdbFilesize
24B
MD5546d9e30eadad8b22f5b3ffa875144bf
SHA13b323ffef009bfe0662c2bd30bb06af6dfc68e4d
SHA2566089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f
SHA5123478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rdefs.mbdbFilesize
24B
MD52f7423ca7c6a0f1339980f3c8c7de9f8
SHA1102c77faa28885354cfe6725d987bc23bc7108ba
SHA256850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55
SHA512e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rules.mbdbFilesize
3.1MB
MD5827f373fae73fb1f11ccefdf38f57dd3
SHA1397f4ea58faa62f85221ffc699c578dd7332fb17
SHA2566ebffca1215249485488bd337f461588de23337f5b3bcc759a8b9d3f1e82394a
SHA51257b08ec234964144966b4eb49fbfd77b3ef1c1977d4d08fd80800a319645c484238c4569f9eacd74aefc96e870265fa5f35223b6321added0f7821149d593902
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\scan.mbdbFilesize
128KB
MD5782a4babe3099d778d7c03487acdecc0
SHA135ca7a7f5d83145e58fa9da68749e263a1af7f0a
SHA256000c9ecacb10b0fe54af660b483de2d71a231026944c4ce6a29cf2a63117658e
SHA512eeae3b2753fccdb5cdb05ef7cdb16a14d0f0e7d277adf39712e7466791501cdb857518ce156c53834203842bc722c5b66ef53bf6098f2dc65bf3236c117c006f
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\tids.mbdbFilesize
169KB
MD50924fc85d03912f161b581ceade05232
SHA105071c9f501b21b9f2f5ac43a9bf1b72cacf1a31
SHA256814047df1cac7072bb3549162147e799fc84aee53e4ccfeaa5b912a0caf63bbb
SHA51250430b3b5814a035cdb3dad25bddfebf6d0634e0dfb1d94b5c6ac3450457484eae14afcda7a29aea8daa9e5a73df0a01326f3ba727517ba7fd2a30a098ad9cb4
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\wprot2.mbdbFilesize
1.2MB
MD5a01658bcee0ffadd042a76ace6e7c8a9
SHA13f0ecae2bc830fb4fb825e4169b35bf52275363d
SHA256713375325c86c00122123fc0f46d342d6794ee054b6da72d5a385c7de770681f
SHA5129320509dde539693828e8cba5fcf79a431a80d4e81b4acdd90a7cb6af0ba2b4bc4305e5770de0ec1dab0000cdafee59ea280fdf7778e2361223037eb97587e95
-
C:\PROGRA~1\MALWAR~1\ANTI-M~1\mbtun\mbtun.sysFilesize
107KB
MD583d4fba999eb8b34047c38fabef60243
SHA125731b57e9968282610f337bc6d769aa26af4938
SHA2566903e60784b9fa5d8b417f93f19665c59946a4de099bd1011ab36271b267261c
SHA51247faab5fff3e3e2d2aea0a425444aa2e215f1d5bf97edee2a3bb773468e1092919036bcd5002357594b62519bf3a8980749d8d0f6402de0e73c2125d26e78f1e
-
C:\Program Files\Malwarebytes\Anti-Malware\7z.dllFilesize
192KB
MD5a802e11a15727e3534cdf11c61b47955
SHA1e0c96b1d33c1e67e1031ffe21bf70e7750c159b7
SHA256bf864c3641662c8eb966796912e1194bc6e3860bf35332dbc5ab0e90ae885f4c
SHA512320da23b27dc3b7b097ed5341123085022bb735eccf05a3d1eddb90f94550215e314f9a8e7f36ba7e900ccf7921a763b32ede2b2efed386ed5d392261a16d06e
-
C:\Program Files\Malwarebytes\Anti-Malware\ActionsShim.dllFilesize
576KB
MD54a345ac3f848c4f2be3df54945d8cd64
SHA1c9bc4d24b64aabacd0dc2e421eca02f795dd42d6
SHA256aff8dd46f399f749cc78bacf761f1988fca140b0408b3a8d2708695f84505bb8
SHA5121bdb0815fca7bd8dcfaa2ba4889132c4f574d3b956d2554553ef54248b4fee078c1535e99ea8fb0db3924950f69e699ddd885c46a3d428030f34ada80fb7fb06
-
C:\Program Files\Malwarebytes\Anti-Malware\CleanControllerImpl.dllFilesize
2.0MB
MD5f1864dcf36748eae7cc7fbf2ff6f1be6
SHA1ca794a40603acdd06d0e02651a0b61f54f035a6a
SHA25662e7cd2036a608fdd0ba5b924aabb99fb4bf78c6b02e6345516e00b87f303496
SHA512df8e4b0aa2558ec915aedfd3ce5dd0e9a85a5aa8b2595a041c80c3dcccb9fd963c140567200c5bd5d79092778f7f137bbf3adbc4501ec53173a0de692ad94bb4
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exeFilesize
9.6MB
MD5a545b29abb9db951e9e2508a1bbc8d2a
SHA1061494912b29c965638263b7321a54b9e0399417
SHA2567607ca2abc8f5dfe7a100ccf73d885375ec599b0648ebd964ffb8bff39c821df
SHA512e7e33f5e49570ea74d427e12c049a7f0f89f7e4d3c7c511f59170cfb166bb5dd49ebfaa5a968dfdc15758f3177d7d39beebce26e593629aa0eac630748b403f1
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exeFilesize
2.1MB
MD5b259331297947e69ca89098c8a51c1f1
SHA131b166af9c5246e377afdcd6201fccc9c5742b35
SHA2567e0f4c8b8f675c319f5633f36f46fb8d146d82779f6d342f09037b02e3b7b8eb
SHA5126e93a1cad80f091115683927b02ddeb01195c7458176be8862306828fad309b588d5279b8c5fc2394fbfde0f91563611fc8ce99b7b43890ef3e32af897d1449e
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exeFilesize
3.6MB
MD549eb28031bb0d40d0f62206fa54db5de
SHA11cc505b8b991fbb205c5f1be1f3b7a6ef1dd1d89
SHA2561a84789aa12cc4920d4cb49467be451a4844b9032a9b21c9555627e9bd16ecfd
SHA512e0d5da21cc1c0e643c9bc181dc16202a2dd8a9934ddd058f46dca8285adf2528b90e1b31f686a8bee4f99186ba7dd1b26a2acbbba171c0d4eaacaa38d3d645bc
-
C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exeFilesize
2.9MB
MD546f875f1fe3d6063b390e3a170c90e50
SHA162b901749a6e3964040f9af5ddb9a684936f6c30
SHA2561cf9d3512efffaa2290c105ac8b7534026604067c9b533e7b7df2e017569a4ec
SHA512fdfb348061158f8133380e9a94215f4bfc0f6ce643a129d623cb8034c49144f1489de56cd076da645478506d9fbddc7590fe3d643622210084b15fdf0d16b557
-
C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exeFilesize
288KB
MD523f1360ae0e948d300f0f62b53200093
SHA1e44fd6f0248e0a02525ee67664d83b535d9cb7d3
SHA25640dfe0689b744e0812ce857f7221ff85431ca37315d9b4f75ca40892af5870da
SHA5126e34d2546626736aa26b369a86745bdb9816138244fba3d5b5e29de4585cf4e66d52c35b5c5a577f252b62a137e340dd9de36c08a06f5395baec5a726ffb5222
-
C:\Program Files\Malwarebytes\Anti-Malware\PoliciesControllerImpl.dllFilesize
3.1MB
MD55557e886d8981d10a12a954dec4bd103
SHA1622c9e9e6c98a1d18df162dbd83b7a9651607719
SHA25699bc675421b15dddd928f82b3bb8865a1301b65a9699b43b3c31d15bbfc843d5
SHA5125b6c401b890a591fea2fc611a6be3de55837a3dee26f4d4552267cb6abe752de917f6652d751a80de673c142fa2a9e6d5c794ffbffd324a07051e630323ff032
-
C:\Program Files\Malwarebytes\Anti-Malware\ScanControllerImpl.dllFilesize
128KB
MD5e5766890c20c1babcb99498c39025b2b
SHA16bfeb3b4deff705882f16f15c83b761ec90d368e
SHA25656d6f3193d6bbbf9416cb51b7e1ada182571fa4aad8a94282eb1c8724b3b7bf4
SHA51244be428240e9c17da7eb53edd692b3869122f72358d9fd370f132575b5058a33e1dbd350a7cf8aea69866cf34325cd926f53d09837bfb3356bd60d3707d985c8
-
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.jsonFilesize
621B
MD588b95b7116045866fd204987f3c35677
SHA1b5ccf414b58ca667045b2bcbfc5c041cfe3d7815
SHA256cc9fdb0e29ec17cacd4e534663f8e22ca4e0739a3a29dbf3d53802d3c9483b8f
SHA512537279612464091da5baff08b090149864297c14e1b059554e0b1229433618082baadaf5463d6c0088e202a510ca0f5e6e0e689a31e25e471ccde5d0782b900e
-
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.jsonFilesize
654B
MD55c3593a211bae28cd788d42b71fb5f63
SHA1e114e15f619f943a4c0ef566bfa69684e3a8f733
SHA2560aa55c478ed634f0f090648fd2f9d71dd5448f83301edb4e3d651189a7afb985
SHA5127978bbc22bed98df5ea52bd80df1eb12f8cee19a544ea054258372ceb5c54aefa43ccad34a2f7c59374294e1ee14854c98000a1504a97ca26f402ddc28cd5ffa
-
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json.bakMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Program Files\Malwarebytes\Anti-Malware\TelemetryControllerImpl.dllFilesize
448KB
MD5b1a4d8866dda0a7c71d54cae048c1216
SHA1b03b6b8366af332b73328d5d81c86b9fbd53e1d0
SHA25688f74617e4f6fd30959d52e1f065d63f4405b5512835838347c2403a2c9d004e
SHA51221aface4d1835ddd682b816bc2d4738c6b66dd106eaf7387aca46f71716dc161896e3d4c6928ef34abfe67912a88129da05e6f7f170393f9daa09dbe1a39c362
-
C:\Program Files\Malwarebytes\Anti-Malware\UpdateControllerImpl.dllFilesize
3.1MB
MD5da3608ff85764a876ed7a7f7a640e57e
SHA184553bd9359b92e5b335b1bdd7a7a8533926b7a3
SHA256a5005427d65f83e20b13ba5b57b1d71940128896909e41702948c9c44c771264
SHA512f389fc879616e8cc68a6b30dd67297443f5089c2955db3e27426a47db5a71ebe3c98e639e5fc8ec0ea42e8b617ea053e882188e6fe92603031e572b19907c168
-
C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.datFilesize
8B
MD5dbee8e7bbcba63adfa242c00f228afb0
SHA16aae8d9e4053cb52a2f1b6847e65ec6335dbc0fc
SHA256c01415842abaa4bb6ada941a44c132a4a41c55097fb7e931decd04e8b5d6d380
SHA5121e82896df024fe6a2390e415bcf8dd92f71125639daebed99e115bd9ac219b5667201d29c6b2390a2fcd505c3780ba112ddfca128137b665da0cfdbd4d63f038
-
C:\Program Files\Malwarebytes\Anti-Malware\mb5uns.exeFilesize
3.8MB
MD5d289d84c0406750cef937bdcdbd32740
SHA189a8a040a62bc0d2c2809177773f6a10bb83fae9
SHA256e21d1060a4a2ad8d0cc781d0ec252b497d96915b648fbc9d1ab46ab750c8d00d
SHA512c8abdac9756ba299ecd3285a134219ccc222acc9f005a71eae85fd815a93b17b8857ac1e446a8122755e8702a39b76c13df962ba79f45855c752e3347311e09b
-
C:\Program Files\Malwarebytes\Anti-Malware\mbamsi64.dllFilesize
2.9MB
MD53bc4d2bb173c005c678da34697c17d99
SHA12e07b4f3af7dc82d8f7a5fdc920578f6e908a0cf
SHA256fbcfade08f8d2617b6e9f2e279f81ce3b5e1fc0cce5bcfd927cde1335114f6da
SHA51236864cef0ba96899d1c9ce088ae931b10461f1360a21fe8791b61acbd6ff1b30786a0f6745eac6acbdcfbcd3f05347aa1aa05fdaaf9e36e8fd0da3768ae78a17
-
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dllFilesize
1.2MB
MD536a4ce53e0aa4d9c5851ce01f1b1f249
SHA19d26250d0bb42e7caa9e768456c1c70d4d45992b
SHA256f39ef1786c08ede63c1e7c4590a07c7c3625d7d8ba1e919757f111953c64b08e
SHA512fad03a0efb89f026ac463d4f178164f9a188e96b0e7ef3e03864c424f415b493f621fa674d9d23326a16a8a0e801827af586ca73465b6e3c6ecfd02eca14dcd0
-
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dllFilesize
2.0MB
MD5cb0262588c155b66991c739e156613d7
SHA16d39cd12679c51edfb73e93129113a102576b6c2
SHA25673580a98c0c0b98dd5a37e51623dc2efc7f5c24978ba0bb2761dd3ab65cb5e5f
SHA512dac666df37352c8b540ab55f6c7b13921198c283e83236c38f9c2ec838e08d57a0049402a27550898ec65c4a7ad550483cf781630ebd72f42c18a9643f0732a3
-
C:\Program Files\Malwarebytes\Anti-Malware\mbtun.dllFilesize
2.8MB
MD52bbf63f1dab335f5caf431dbd4f38494
SHA190f1d818ac8a4881bf770c1ff474f35cdaa4fcd0
SHA256f21a980316bd4c57c70e00840ab76d9ad412092d7d2d6a2cff4f1311f7c05364
SHA512ebb9834323329dc01ba2c87e5fad1083a4cb86f5ed761cb63299ac5336a9843a1aadd42fbed706797c2295117af1c00f96806422338352653c8e0255fecc2fd5
-
C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.infFilesize
1KB
MD55d1917024b228efbeab3c696e663873e
SHA1cec5e88c2481d323ec366c18024d61a117f01b21
SHA2564a350fc20834a579c5a58352b7a3aa02a454abbbd9eecd3cd6d2a14864a49cd8
SHA51214b345f03284b8c1d97219e3dd1a3910c1e453f93f51753f417e643f50922e55c0e23aab1d437300e6c196c7017d7b7538de4850df74b3599e90f3941b40ab4a
-
C:\Program Files\Malwarebytes\Anti-Malware\offreg.dllFilesize
114KB
MD5f782f049b0e8c13b21f8e10e705bd7e5
SHA15c11f955e3983c50ea46b5d432c97c9148ac8e9f
SHA25616c450a310edbea07f578f31368f168ec338011cd117406898593e86ebb83dae
SHA512eed29c42b14ff26a030f53d61d6dc8e3971e478dc7646b26189f14f16699b6bedc170c4bcc37efe2e8f3048bde37480033b49eaf1a4712b88464f5da0efc18f2
-
C:\Program Files\Malwarebytes\Anti-Malware\srvversion.datFilesize
9B
MD55e0e2d584de048ec8e1d96a8402b9074
SHA1bc939970e17845f19b5487ebc0f1962aa4f5a756
SHA2562b7b5bc2a6db622fd284281cd712081dc0a8c2650ac55133a96d2a719306f41a
SHA5128481bc8a5a7188e3d242f426d9daee162ed372101327ef6c452bdabb64cc3b5c38814715705d8341303a3ae1b377e6a0c77b8e0d7258376f563af8f9d21131f9
-
C:\Program Files\Malwarebytes\Anti-Malware\version.datFilesize
47B
MD57f0ac115d34db24927ad71f77412a171
SHA16ba631008cb4ac76d6a59b83630d08e0f7eda6e7
SHA2568ebe68a5e88f08f98fb9825c9f55302d0452c45294c5ea89fe3882503f6b01c0
SHA5120ee0e5e0fae00ba3195b07c5b3a7fb68e8163f9e5e0e708da8ae9d4dec43529242801f733d58b4a4b74945ff93b9a1a92d912055953b46236cd4d5deef597086
-
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.jsonFilesize
1KB
MD566f4587b608612a64352df9bd0949b33
SHA1412df353c39b038ad4ca34cbeecd185f5bcbc5f3
SHA2568228ddf0d0ea912afab633181d2b96446f5a7e986af658b6b033b43f23a9ae21
SHA512cea0676bd15c5fe627cb50341c279871efbe945e0fa1437a5910be6dcb694e7dbd4595b4f3d8baa838c4f5df3a204c031846b1f2e3531296e8a031acd7d1fd7e
-
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.jsonFilesize
47KB
MD54244abe4890d991b6ba081cc51d77436
SHA19ad0e8bb718d4d8681860437a67b91fe60d832d7
SHA2560befb7e87603036c9be7529392d8d2b16f54cdf28f4deda47844ae062af112e5
SHA512e99d3111d22cc0d508b97b94bb4d9aebdeb3f04f146981c5ab6c2e6ad9dcde19af350c9efc9be431c3ac95e150fa71416eedd8985fe9addb2ae73f14833c72ef
-
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.jsonFilesize
66KB
MD5756807c5948fc3c686af148a51c7fca3
SHA18fec0d8d0b010346b5d644c55ce5cee8f3bef1fc
SHA2568ff46c6e3a9eb71e0f733a2b444ca878546a3220fde8ac9061b91d1fef59756a
SHA512e93ad4efe0d615aa6b760b9016a1b5d4d678813e8f09029c1892ee871f39322736f9b8bd3060c16314b967825edbf00bf9203294df55a0554b372e5c2ab361f8
-
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.jsonFilesize
66KB
MD5b1cc3143f6c5f44d09cebaaafd4f8ecd
SHA1347909203a50f273e5e49c198cc0f913c6758c61
SHA256397101d3f703e62ff6d26a2d377a30e4343193485a6823d7a0d9d8d3fb2b9331
SHA512c25238632eb6506dfaf659cf9c39d1de41ee7125683abcb093cb645644448af9c2391fcce9067fe4f1e6a8f543141fb1528515c62ea5e59486a7b999ed613176
-
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.jsonFilesize
607B
MD52d763a90abcd5bfecc3f9ea28119544d
SHA1d4868c954cca233e1ca869dc117cee44dfee1a67
SHA256df50719b06d37955fd7aed6a8d7c2e0955c4f9cf936e25f1e1284ede1f6e27a1
SHA5124e60e4147e1fc6ea03e656d02bd031f5d2f2f7c398b3a1a3ed53a3d5615bd5f60d6adeca1434453e58dda765ea54582d64567527f43eaf814be01d2f9c0597b9
-
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.jsonFilesize
847B
MD59e77dc58178a05febfd15bad8130074b
SHA1bf72068ad2b361bf60661dfc00955af507bd853e
SHA256280b593c5b1bf9e95637eabfd08f4a2912a2b0c61993d80ee36d05e8cc0b31b5
SHA51230a53aaac9c60e15ce9313587819fb8796c192fc16da5517c739c46b7767ddc3583ecb06f06ec9c519303ad49de420055c9f6611096664a6b681afbb22435952
-
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.jsonFilesize
846B
MD538e9c2c8236469cd1b3f3d5d36e68f4a
SHA11d8c6e4026bd2629a2369c8c6cc623b6ab69ea82
SHA2564fc67360562b09210dcd1a7a2091d3ae2060633e2f00e21f7d50d8c2833879d2
SHA5126cab5ba16933797fb86d6162b3bc8c9d0b8e9b807c6d75a316a2dc7e9400046809e9841bd20dde8ee296452b8881f7b9f020e8eea0d0646cc110709f96acd3cb
-
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.jsonFilesize
827B
MD5edd0e31ebdc194d4ea847eb352e5fd76
SHA1c66297808352c2e7850e5bcfc188ecb196c7ca6e
SHA25608ded32935f044c1b6fe4874a270d3764a32c03e19c21da4fd29a3bc5ecd4a98
SHA51238c00f9499b0fe6daea278f31d52ddd08945d9cd4564a4418418f0304890d5738ac72a106e90704e7eb4dc0773b12c00382db780cb2b3ab39cbf92013c78c854
-
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.jsonFilesize
1KB
MD56a229a4b6705714512fee328ff295004
SHA1c0e2ee811242571f9bcac56a8062c321473b9526
SHA256f164f29397c304218f75291004e37e477d12de03732685e5ec27baa9a3e46d7a
SHA512929be6914e4bf3bfbbfe3dfcb26ff34e092139321755e180728d130820224dedee9c812d4501a84de530f06d1e1c0dcbd7066ba233f7ee1138770bd7abffc607
-
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.jsonFilesize
11KB
MD5b03e071b831ea455d2138b1cf046d4b6
SHA17115c2acaf011c5d0b8b9415b60046c1514c3559
SHA256da5c0ab150447897a10c9309201e7333959cf23089f3d2167b8337c100bcf2f3
SHA512339c765c3cd53048b1ace918b3f10bace3f4cc5a28508ac4cd155ef5cb7ea726ccce245ffc928a0446a553847a27f090275d532b9c1709d7b8cc6af07be292e1
-
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.jsonFilesize
11KB
MD591bdcf1752a4dcb9c378c51adc90bbd1
SHA1f50edb6ad3c9457063b8b6d576321736325b3b0d
SHA256fd2a42633bd21d63470aebc1ed5756684ac0d028c1ec0a9662a4f026e62aeeb3
SHA5125b62bbb4b304bb49d9c93b604b8da99c6c835c9db982e9805b5d082911e5f9acd9c4277b19db394ecd4251a56f9189df5d4e3693a917613db054bebc3ad12292
-
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.jsonFilesize
11KB
MD5e9860344e0b057366c02ba0ed1f0e925
SHA1dbf8d4b98dd76362bf09936e0130e5e18d0ac0d4
SHA25641e23ddcc03cdaf901e55d8cf9054b95789db780bfb9d7257671189cd36b40df
SHA5124da81223ac6a37a71a5ce5aa353e05b70c27607443cf79b3913f72cf8abf10bafff199a57495811eaa3f931bfce56d5d639784d9ae39e902f50e39c8449d099a
-
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.jsonFilesize
11KB
MD59978cc1e22b65b6fe2bd93fa3c6422d3
SHA1ac5cf0df31be6f8ee32b6ad21e78dd72d1b4bd6e
SHA256216c5ef73ff0925350a3f7c2150f5a45532f9e44d693840ae7b1879e28720d32
SHA512cb91b0ce6465989730cf6fa32565c3d8f89f98d626ee630bf2ab3d5c03da67cf7b832bf8f5db4fc29cd7d89afc876f5d87bbdb83100f071d987e8cbc038631b9
-
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.jsonFilesize
1KB
MD566f247486a8022b571da6d4d096fca54
SHA12cefbcc4250ef7e085cd3d8c3774d019d5fd4f71
SHA256acdccaf1fb2bd041e061a5ad6a26b62b7f067672855fb66c121a4a31a283650b
SHA51298acbd6e933f2f36c2637d377d860676425a065732246e12092e0a2b7b180a0f0cb9ae9d504ddbe8636b04cceed21d4a047da18f6f20657fa14d478655ce7fe8
-
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.jsonFilesize
2KB
MD5ede4587cd474fe68037c10fe0057266f
SHA154abda3322ce2d61fe4986988f5efcf544ca5495
SHA25675b8a75840d92c018ee8bdc936a916a990352572345c8d961c4cfc4e8c9991ff
SHA5123b3852fd747a2d780bcd9e0e4b862a705dda75f8db434c053b985e2dcd8ac030b6dc0cf49656127ae0b37ae773b2fec06b8de28958cd227f06ac9d899a756c8c
-
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.jsonFilesize
814B
MD5a37e4272ae8983b3b3d6fac2385b8456
SHA17d76f53fd68e846cfae81ed722316a5ca9273f53
SHA256be87270cf49dab363491bb4717e6b27fe13d174be5284dcf6bdd2b23b8eac13d
SHA51234d295b6ff89ff23c361b4b17949d8c3e7aaf17e20db31d256a4b0fe69880c346fe6aa5ebf3d0fc3c3056f3d9ecc9ec21a6a97560f65dd93fdb4956128f8d733
-
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.jsonFilesize
816B
MD57a2b5081b205846dc06bd24b24994766
SHA114e6d3916f95305be8e6b7fd7556ca73f7206160
SHA25625dee790d66bd87d2a6a8fa5ef0310a4bc9b9a96d6283b4a18f83a99523bf3a1
SHA51236e979551c024233ddc334d301ee23481562ab8875978b3279d14e51b71b4f6446f85507b5a933be85a0d7e4c21d253c654cc21a3277ef94b6aa89ee3adaacfe
-
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.jsonFilesize
1KB
MD5cbd4c73446eebcbf0eae9fda81eceaeb
SHA16c80b408b98548945eee3df55dce39eb15195ddd
SHA256ffe0ed465ab51b9d9cda3a2933ea1f5e6cc0817c187d506f646a3731dc545ba6
SHA512e7b93ab30e57ce72af7db2c73a76df1f9d4ec7420c0564db4ed51053ddeb5c9eadfcb558330f4466c38a1615bcdee7993bb6d0d13f78a63f4553d6090c78080f
-
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.jsonFilesize
1KB
MD5af9a7cab0be64a5a02d207a5fa4784df
SHA1ea733834fc4bd8b32605e71c495a00e917f3a56d
SHA2568240d072fd788cb4bee3a6327c25519b053366de38f21bb4ccf7c21f7e4f4b88
SHA512726eb2d4e522496620f0f1ffffe1c4287a02e108cc341acdb9e285f03b059914e83e3c8197f9dca69dd0c2d993680f91890a82818b85c43695a4157d981092b0
-
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.jsonFilesize
1KB
MD50ccb148902b07e39d2bc542ed1f0617e
SHA1c66ffe14dd28eec310f66080b64626230c7c302e
SHA25699b634c673d7f76e438f7f080eae7e769ff3b74de0975afe2a1fdd6f71d1bc71
SHA5121debfede8bda96b6cfeb0dfae6302d79719dd4cb614a3789a667d3fff28892dacc33742ee4b8482fe05c49abd474a4243eca62c1a90a4c0a245887034136279b
-
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.jsonFilesize
2KB
MD5cc4df95d984d5d058116dfef8aa369df
SHA16155ebf046f62299dd3da800f919103b99a3f5b1
SHA25695cf89c620293c1d5c4f05e40c7d52a0265e26c5c9c3f6e40e47a7de07ca6051
SHA5121a7c954d5fdba17495c0007c2f7dee79b108147b6d35244133376f1a54a0d7f7eea55746ade3d97b917db5bf9cc2fbc012f0dffbbab6453d99f90ea3a06077a0
-
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.jsonFilesize
4KB
MD5e44e7bfa2ead35a91410925091485dfd
SHA147bc32df1fd9f9124916740186601dc5664f585f
SHA2560aad79e1786bb4c03c9ca77aafce8e5a5e6383c838c2b79ec790c2eb72a7e3a1
SHA5126bfabd467856968866f7da97e24a4caa36a2c9d931cdb8b9aa4050041a179029850d2c830ea3597a2fe2b733fca632fe92448a1f0b0fa27c8decc2f933edfe52
-
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.jsonFilesize
4KB
MD58966a6cf2d6a96bad7ef1c9d6a281024
SHA1f5ad15890941af8e18d11f2dfb8831663711d7a4
SHA25673d38e04c2d15eaddeb1a31c35237c640cf9927e12941d8e54bca0020aa77bfc
SHA5126f303948c94da4aebd82cf31b95416fe846675803bc30944e1b0ca03a9b87a24dfc7e6e50ffae6fa32d3a97e2824ed0878c9b0fd84c59dcd6d5b24cc3c96828c
-
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.jsonFilesize
4KB
MD5758a3dd0602a88f0261c3b2f12d9416a
SHA197bc29a7e4243b163dae8383fa32a1d435b6018c
SHA256f2af74eb2cdbf976ea77a7fb561631e5297ee895072a25184484944bd1466737
SHA512654174bd3cd5b4559b3ad77ece4c3bb2c90d327e010701d5447120856efff3f71d1d573f2f5c199883fa8f25d1ef8e98ded71d3ea17eaf2bf07640d15ebc1727
-
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.jsonFilesize
11KB
MD50479c57539f8eb2f239ed1a76083ef8a
SHA1b5553b41fa4abb435f87a2c118ecb197c7a07560
SHA256cd651c014e87a01d5dc473edf024beee0d90fbdc2858bf60d828b7ea03621e34
SHA512a12e2433b8078a613acacd190d421120e6da293f443b82652eaffca3dee31a1366db39090fe9ef6d1f8a0a631cf7d6bb518f1db852a923b1ff83f818e6adfb26
-
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.jsonFilesize
1KB
MD584e5381bd4bf1b6d6db9dd8418c8e4d0
SHA1c880e4e1a0590b2be0488adf3895201327394cd2
SHA256065386e6986c41c23f45b8cbc0498b337763c630ebee0093519fbdee86b6ce82
SHA5122120c3409d07898ab27a6170b2fc255f8b9dee8ebb70d63fd10d8d81e701388d8ab3b629c3c5e918f7873f596ac4215cf46f6afebb81891199f8750a5b979d58
-
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.jsonFilesize
1KB
MD5197f77715179326a5b3205066045f79f
SHA101bcf72dcb7ddfff8a087f8b2fdab997d5ba986e
SHA256c434d678efab31ce92d2afc07f260761baaa48c22b74e79ee9549c8eead45364
SHA5122d8e3929d15a2bfd6550bad78ed491214221d46541522f1eb7e938afb20421ec0371b54f4008621def8b29140655ff7dc7c98dfb8939aa61154ea3bb0143c610
-
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.jsonFilesize
1KB
MD525ad045a2047c3802e1e737d48b1e877
SHA1a0cea1b94c4a462eff9676a5881e1626d04e6013
SHA256d69b809ed4559da05c49b6181fb315079bf33dcb3ca966976df06b893bceba4d
SHA51242fe4dd5ba3b449af0944e2549df9eb8bfbd95f87f312e5b2e21758db0c0d57f92efcafca21054d0ad7d564ea27aaaa1edb259d7151ab4cef6b64f23b553b7d0
-
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json.bakFilesize
1KB
MD52f81194bf9eb1240f4b0a0b8364069bb
SHA146594c8cd1481c130252a6eacfedd3cf2bde7953
SHA256cd2acc3dd22a239cd1f58400a1b6a22c6e47a4e22937d667d18b5e56dd0bb9df
SHA512ca4e6c78bd4f20e74951c19e1b134c6e138a6011473bb639b36c94a6040f9f267670d21b74e4585db53884c527b9988f287c35d3fc7cb91e8fc99a25c2bd23fb
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD5a3b9c2936e9c21e83a3a082e8cb4ea4a
SHA16b135af6a83d657fff334299430e034de6bf796f
SHA25641447e33e29003f39e0e81f7b6a9b172cd09c57c5fd2b28ce90287e9077f3614
SHA512d09742b9576104d5ad147e336e753331c265eaf16189a7402e3aec176d1749fc994b87717ec180dab4f614be0da4c24a47678a864dfdcbf50903b16a80b3e950
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD5bf8bd2c2b03bda4aff12b610bb701c86
SHA110308b7b2ac87ff8ca84317afd96d13f3963c159
SHA25614004ed4a00b64bf40e8473db03d2eaf4113ef7a86b867244a3c10f1a7790755
SHA512bf2d85386e290c07c610e0f333a2ef7d5fcac04a9c306248c1aa1c2ea1eb22df2dbc726dbb47278d2b313cb182862b3b31d3d81fa92c340941dbd7bb643771ee
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD5d67d08746a95b2f5caa48614cd70f448
SHA13a7cb9a4aa364968254bd3bcf5b5eee973892efd
SHA256b588ddd30fc2d8a8063490b3aeb3cb630780005826ae7a1d80ce59a6d9f4ebb4
SHA512c7e0c72798c85a0ae488672b0c32e4fa137d2678bf4cf1ff2892cab3a9b29eebe886488d5ce5b83c81b5b15a22579ff84ae38debc0a49e1450fe5bc9eae6ddf4
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD592075abb95a027c3215954f18dd81480
SHA1ad9513836d246017c184b60e2b3333e24b8ce79e
SHA256c7605f8e5d5cfbde385472e9732597fb57fe0922852d450d4051b6db65846301
SHA512019ed8530cfef951f4d6516549621124cbbc6ae5046111e907b002521fe36f626958da61d75cb471840869449d24026f70ea85aede3c4fd52f9ca572f6f4e5b0
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD567136c18211d2857763214dff5d4164f
SHA174bcb7fe9641c1315b49330dd5f3a8869ac40eca
SHA256029129c046798b02a35dcfc3c27810fb27795004b86be2ab149047a790464d30
SHA51215091e3917548e42d17a896ae5ebce401a48d257cc3eecaea306e127b9610d34b393a73c6b0eaa26886ec63056ff79e639fcf8d242c833f0f23429e645136722
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD5c98cbbaccf2fbcc3e3c41d36d4961922
SHA148c1b5e13dbb82c0ff99fe49e4ff6bb56c7cf41f
SHA2563984ed5d816c06310e0ca1ed7cf60a280e45e70f6d79a4e3cd1f67b77382d872
SHA512c18b673bc9d23c6aeefc245bb60ef3cf0ca80bd7173820842c8e2325db9cd010f63d5a05065544891f1f2dbc01f851a74f5e8267fee923cc85230d86fe9447b7
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD53c15392db6fe80271b626b9e1a8445b8
SHA17ad6166d33af832c7f9b5b694f075cce51a75dc9
SHA25627b046dda577c3f39b298d56ab07a1e541304141173f1c466d036666eb7bb1a3
SHA512b638f9cea6879d6ca3a6632c9127200fce08d9500cfb809edf7b19c7fd9f4db6f5ff3f64fc872bf1c5e53566e32a18ce6c4246ee25197a8e9e2d90f9482a6f1a
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD5c287c0ff2b52446fa3648e4e60dcac82
SHA13639d187f44402298c5d945cd3eb80f7285f0d77
SHA256413c3b38714e661ee2100a64d382db85fb04a2c925df3bc69b9a8bb60988eddc
SHA512221dd85023f75f1b2f330d0d358867b8d378ca2c9ebcbdceeac5189f086a804d9963d9db653dd083b6aefa508c3a0b5ab51e77b6f0fe422715fdc5586110d705
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD586ba5203f1ac2f4a2ba2d4e4df50edf1
SHA1a9a49255a7f4eb4bf27c44b23f3aae704ac82a98
SHA25603c2a3b9412c74a30f40d3c5c85acfe17eacba9ccff35f5c0e575b24675d16fc
SHA5121e3919f0a812560af4a4e43634bf8ddb159ce16da01ea132d13489f714b1ea0c2eaa567badc8ce6594f046e495ceb9d6af566dcf909839ff8dede53d1123e694
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD51ac91ffee47081a7a5dda2a19affd6db
SHA13b86b5a63e619f062e1e62a5c645b1a83ceb2664
SHA25650aff4c73d28ebe620832e48ef657546d3347886c29244e8f561ede1d5097efe
SHA512275a448afcc7e037945836568f2213375c79250e7c72eaa37d9634f8ea2d165eea8b746ac216a242d3633840ed886051195b8afae344bf5b9119917c828c114d
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD5612e5b42da0ec8728ad286d4e73bf9bf
SHA1cfbb648ca8e8d435fd552d56842310ea4f6e4d28
SHA256f88312f403f89c00586f670f0e17d7da03ab7a21dbcd4c15cb197cbb9119f6a8
SHA5126e3150852eaf41e2c9a018140ffa14dd55764db255e4f7bcf369b5582b1599ab7d319cf11cacb875501ba513e2d9808261bd37676ad06bf84b94a0eef0511ae0
-
C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.jsonFilesize
1KB
MD541b123ed7749d14b830fd57c977a0047
SHA13422d013b502756062a4aed1ed6ace4649dd71fb
SHA2563cf52fab0b0cda74647fa0e3b0e7a03c20569f401d6eed7e133c33f52f03aaa1
SHA512be77486ff610d98fffc59f14fdf269ac9554e00f37ed36a210649564ee9e3472bbb4d9e78535d4ea163b13d25fd173c485754666aad43ecbbc9803a5bf9f71b6
-
C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.jsonFilesize
1KB
MD52e0840f995a8757c49d5edbfe4e782f9
SHA19b46d3a6dcf9ae66d180e433cfbe0813b6c27cd9
SHA256e7fcada17ee06cf7b628e677a44f2986086e4cac288ef1832a97d4cda1cce5c4
SHA512fde165d35d9941687638f98a937c0c84113ca04152130d930976fc456230e52764380074a0a9d1f68e53f171e4b44e15a6a4a3ff37e043fa2848c39e55931e62
-
C:\ProgramData\Malwarebytes\MBAMService\config\VPNServerListConfig.jsonFilesize
125B
MD5c086314d7ca26f4e32a6eae238a6541c
SHA14e99213bacba72df99f21cce80cd6139aaef3e99
SHA2569602143a8b59ad218dac9928d8f44a75587f9f6f4dd448cb24ff65f5453492b7
SHA512526131703f64f417acc17407a6eb39e2c57e94af3879caf7ec5f7e908fcb828cd7d75b461c56fd90ec866d312594d935027678bbe6f40cd7b69c4f20a92a3ab2
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Actions.dllFilesize
576KB
MD5b757f9268b222971f04b2eb0dab2d929
SHA12382981ee4df3360b895517d2459591fdcaa6800
SHA2568d6096366067928ea6975a4f836a2bdc11af9c6f6d8fd13ab744af951f06b2ff
SHA5127464f0579458374fd71660bb5dd44a7fb5e75c379fbd8844fdde07874429efc46a896b1227f5f0f57af02854619a4bb5f1629fd6d6369c06d57bbb96d9c62a35
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\BrowserSDKDLL.dllFilesize
512KB
MD58fa77131342ad19dcbd23bf31244997e
SHA10a6968613af393ba924bd40d526bbef59a4ee527
SHA25674eaa6c68066960cb40bc787efacbc4bb0f4562f049fac2f6d57f2415884d1dd
SHA512ca28092361a252963ffda908e2c7d9639b3a84d793736e594d8c30b3543bf344cfd4c240eb9db4b291e2f09e0aaa167cf43db0f921825524bcd181dab2d77d1a
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.nmFilesize
335KB
MD5ac14203c4b95e98e76b2a698632fe35f
SHA17269c981f1893e54d61f746f528f509af416bbd6
SHA2562e50639db2b22a71eb0ee13f33c0eec9ffbbf8bde52c3f7479de34727939193b
SHA512d3c39b9ff3c48553ea7f49135272a7757ba13505cf85815de3a34f3c99a1b91e3c5b49ac5b0ba358adf9c2c97aef8806aab3052311ceb328c39f4bd369904340
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.srFilesize
576KB
MD5570a375934b543458b08970a56d63a9e
SHA1a64af9e056e677efe90c3c4618938aaa185bcca4
SHA2567b96af8badccf36559835fedeb1142891dcd35b08396d3854cdebd5b369a11d1
SHA51255908bf09eab473780c43845db28651c1bf986a184f12bfc07c9f21729a27a4b1570dfeceb03486329c4ca744648aca0cbcec8c66980ae735b44522a18e95f34
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\cfg.binFilesize
1KB
MD5634c582955715ab32ddfe83406564b05
SHA179c0a481c1ff351c2e622e440bf7e6795ca6efff
SHA2564783d65126b8c83fd9aa8ee0e8428d10c20adb3daee6b6c92dab9aaa26964a67
SHA51238af39912704bed274cbea2c8cc0d136b94e328433cc02bfa7f04fdd9313473e11f6e6cd34a7b4614de55de0d8746ade1040a9eca4f37fff178a07d3e8f5b1d6
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\ig.exeFilesize
1.8MB
MD55f4f4838ed0a41b4ae61b16cbdb7c41c
SHA1c9e300e9f5245d736d6fcc42dfb990b2639aac52
SHA256cd1e8db650a73bfbc124467737b96fe2080f27f27e031e1043ddc76a9844fb06
SHA5129bb1ac32b62fb1398616081574b03c0eac37377b4102641299202601f4881fe64c98111334f783d013b509f7eb36ec9b79a7b71bf07436632c280c1ae3142755
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rules.mbdbFilesize
448KB
MD52d3124670fea1df012f99e728c3ce571
SHA19ccdbfd1a3f70bb43885382daaf7f7306b813ea2
SHA256161074d827ef1efdd66a99a3e731c2fd9981894aec2cab20b153121bd0778f8b
SHA51286f75b4ff3b085303b9daa0d61260758fc61aa3ae8a0768d6bf279536d7566a370e8334e685e728b569749f229d5df556c643f9d87b9e4737b6160155e7c0256
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dllFilesize
512KB
MD5ff5845b201b6d21e8353801035a11939
SHA1dcc64e798f069260ea86855fa7bbd59ea859f190
SHA25639b75cd597b6a56c47a70737c1bbf8e6662e1f15fb7184b5fd8ac1ff96a1b48b
SHA5128b2364d77ade5acd93a40ce87ba41cd64453613d1af3aa177d1030dad509d9eb5a56f8e827a4c72410c211a0f09d133c5972e3b95199880d9403d927381879fd
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\scan.mbdbFilesize
448KB
MD556eb84516aeaf6dde353d07321c450a7
SHA1f74f98ea4620678e6790f16e896c2fdce5029943
SHA256c5d082577c3445e4a5e37beb2954aee2d58a69bbe99f981dfe2b13c5a7cfa00d
SHA51219ee13daca63e2e8be394cedd86f792e1803d16257d129e5ca456d50deed3682df78c95132efe7ff5ee5f09285dee7f0e8ecf198ac09997bd1844c378adf3c68
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\wprot2.mbdbFilesize
2.0MB
MD577c22b7f42708e12f3afa221af2cae6a
SHA1520953438889145a924e4df64cdfb509a179b008
SHA2567df22b3352679fa20383690ce7671df863cacd0c9092c5d02829fe06e72158b2
SHA5127625e2d0d5006943fdf4338a75e692553cde2f59bf98cdf6e1d6e296c6781a3d7ddd82d02025d06d3f6f0649fb47c2baafc7430237181c23dc15cbcc7e4cb959
-
C:\ProgramData\Malwarebytes\MBAMService\pkgvers.datFilesize
75B
MD59e9dc6735769b685f617f19037ff89bf
SHA1e51e3d9dbfd734b37e4cdf56f4c369cf4d7b7caf
SHA2567e8fbeadd706a6092cbf7a02280029a748232ac4d11ef298bb48a911ac91e78e
SHA512dff4781825fedea13e86697da134418b28d5d23d4bd715ecc49dd22f10b913503991b8cb86c4782d4448d61430562e1604b7d00fe70c2821c70ec2663c6de787
-
C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\SdkDbUpdatrV5.dllFilesize
2.6MB
MD55c4b6998682070ad73cd246eae251ccb
SHA1d4e3eef6332a6598e5d63741f3407574c7de5f5b
SHA25654e0e90cc5cfef91ceab363c6cad54c7190cfbbecf6353181779938a3f8de8a1
SHA512e1f844ecb631b628ff37068ef474b070e22c5be6453c77acde53e886b7e9109f22d09748a7902e64237f5cc9d05818080c0bb5697918235ea2d4ceefb68b8524
-
C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\mbupdatrV5.exeFilesize
5.9MB
MD5ab258c2dec1945b65cd09b302652e8d5
SHA190e660cd3502d9bde40227ec0c0c2820958bab3c
SHA256c488c36827fc5505fc797e4d7f9bc56c2c2ab9d8c432ff9eb55657179bbe5e36
SHA512de9e9d01f7cfe40fb64ff4e9ca83ae8f7a87b2e460d89b1fd6717f007afbaffb8cd4dd34e13352c46bbc00372c3ff7f9d9027f54df44f2fba16bd0dda4cfe7fc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
280B
MD501f23613bd4e76dfe06e94f295e67b8b
SHA1295b0e53c6d51197803483de59f9c7a20683ff3f
SHA256242b801564567816049f89087a4d5ea36d9a00438389ab1fbd947dd79add91b4
SHA512e33ffe4a73bd780944a0ef471bafacfc0a3860d66ce6e9e8a362b4a48d3a28e5e8486fac9c8ae1db65901218e95ac490969e0bfe98105eb6cd2f2ebcc054bd3b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent StateFilesize
6KB
MD513a85eb16c8b4543e10ed1f35f2157fd
SHA1ffbd7347e26c6d6b49f7a765b19350f7980eea17
SHA256174657068aa10ae5498aeb4e88499c05b97434451864fcb0724d71c8e4411c1e
SHA51207f296b4b3c287ca31bffb2cef314a15fa2f8bad5c4eb898c9d88176c1cca99339327dffd2e25bdd40929c6702e6588d5a1428e4400f91d2e9892a750f131ac3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch DictionariesFilesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5d56d660acd8fe0e6ba567fba0883b2fe
SHA1bfa5fadef40f972a55a87748a87c79ebac39fff5
SHA25612a01750e6e846dc61c78821b1cea75bf6c57958ce4b6a1de33c7daf9adf1e51
SHA51253cd581b6d7ec6ff914c67f3d659f04f161ef26a3ba0b0353e5183658bf08d3c49f1ca90f2bbef8f70d3f2eeeb6af7497de33cec770cae4fff9ae5f3526164b8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
12KB
MD5ef62c2388c8006b6cdd83508ea46dbbd
SHA1dad24faa68d856e6b5a9c70c5e0ca8b22aaba94f
SHA256e1555e89f3ae043b2d464353f42c2fd603cf1d9a33f03f4de95c7001bce2c1d7
SHA5122d78033a109f67ca57248e56a2b404b899b67b27cf011907fbe1bedf0db512092559fc51b511b60339bd400a07ed5653d0c7a7f2fc7ed3559bc2e5773b7ef2b2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
12KB
MD57bb401bdcc79885d7b76b31bba144d94
SHA19765e416110027489c9839d0862c2a3978233d57
SHA256c9004a0ee3e08aa340ed134524b6ea17b9740f0262069c254ebf33ebca57ce1a
SHA512b2eb8aa71f149f8c7bb6dd0582020cfd94e93f1374d81aa200fe39742febd3d71d1cce455fc6468f3178f73522552da240e51d713a76f4ab6945efe9067d2bd5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
33KB
MD5e123213efd7d279e5e65a69e1946874d
SHA18c4c6f56e867cfd55db7d9ff4ba8fbd8232dd2f2
SHA2567643b74772c497059a869d5c0fd781226325dfd3acdb8a4be233c88e5de4bd57
SHA512d5dbd86272b7d621b12e7c9cca78eba4cb6837dc020c922a1a33a6ef769df4d15f4a56f98ffd13c7a9891059e29a52913097ce05ab3bf36f3274452c2be55d42
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GraphiteDawnCache\data_1Filesize
264KB
MD5ff87a2995369aea1cb9940c718317b9c
SHA15132d63a352dd37f8a92b31986059858d56cb4be
SHA25682a2384fafd2eb6fb8b1a8ebe83fef9ddaedb14dda5361dadceaadae115b3bb0
SHA512ba6321418df27d9d400b181a6d18b5173f9f9a55163c80caecdce059f37b91eb07747c1cd530e53e39436d6a1cd4bd93e356ae35ce10de333ccbb053a35857ec
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
72KB
MD518944e00b54ba4196c1c4511619babd5
SHA172ef2ef7f49c23c08af8fddda229b00f980cbc38
SHA256f2e162bd14d9c1bf8717b34c3ff699eb6d0fe118305b106ddef0c4882425f33c
SHA512e6b30c511f5817149917c4a061b7ae00fed04c83bcaf0359bde2ddf6d19efddeb220602f9fbb43e9e935845472aef0bd42d19f2f9deb112371fe46ae53ccf647
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
69KB
MD551e12dd744e641b44de08a9c8422edb6
SHA1939da19556ec3972d0612db1f23a557de6ca39e3
SHA2563bbfaebc8fc33c10d1449c8f2e46f2cc69846a8d1a70e51ec509109b0a1b6e52
SHA5122fd4f2fc0014f8fa2462fd84097c7dafd65844db92ecd7f52cbacc87a16390c503d57cc3eb3dcd034baeb02008b4eea531b253f54bdeb156584f64dfd240a023
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
69KB
MD55c3036e5bb01bc97c8bc20be2de74ae1
SHA17c481cae1e852e748127e703f0294b48e00432c0
SHA256bf4fb630d38e1f3584d435c4d45a85f59f12470e5f8dc149cf1f65012ea1b794
SHA5129c773def3b91b5c22646ebe886448056c2198e76fc4abc92d86b55b2aa62ccf98cb61bf8f8ea712d8a244ab3a60d48a9b848b899d2e320709c516c394cd25f15
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.binFilesize
9KB
MD5cec636b3b052d43b2c9c767114bbad1c
SHA11c9cd91c6d8c73d9da997718d6f4d8c86266e7ed
SHA25626d3680f02e043d609f4cb92e96dbbfebbbafee6fddf342971505cef2da0f55f
SHA5127706f058c56f197972364bb28dc9f6ca65823f244ecbb5f079745521b5b422091d1fb74d55ada1c5f2da2086ca5c15a5540eb66522d9b1e9483fb75b242f5871
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\b050411b-2b0a-4651-8709-7cd533bfd70cFilesize
734B
MD50da2e7fd54b4f183b7d7cf6bcfd162f1
SHA16bbbd1a273f3c18b6d0ff3acfd7b79bce2da0782
SHA256c2fea97b6c7faf30b97685c117f4a28a9d9ee74a88f54f4c3a9672e962d0eb85
SHA5125758af570833c6b5a1e331b6d398e8c405a77998cff7514feb9c517c72630f29c58eaefd41dfbfaa465bfc8658b884783d06484f464f5caf40f9968578a3d94c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.jsFilesize
6KB
MD552e2d90aeeaa3a2a1c726360938f48f0
SHA14da2341cd3305dfa7af94a83bc896723883819c2
SHA256ecb7d72b316087cee223f3f6e23ebca09d8fda149a26870ddd73eaf5935b40e2
SHA512c1a2d626e79211bb605b47c59f69d416a763e5c1fb4703710254b25638a5a0305e945bc488d5c7910515ede2dc2cc432bf7fc4a6eb6195958bcbbab78766fcdc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.jsFilesize
6KB
MD5afecf499b6dd14685f7e1fcf9ff06d28
SHA139cdca91dc599f29e9af23c00064237415d6b04a
SHA256811941ea74368168fe9c2465434a50de2f65e78537f71370ada6a67cd703931d
SHA512c32a48621494ae4a9787ff8a36d92d98c99762e1d928c710aac60586113f82c9b8a4580ce417f9fda7092c60bef474e872599cb99b505cb8ac5eb9b58d3857be
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.jsFilesize
6KB
MD5f79536321e001fe7a0568041488e90de
SHA1c9db06788e0458c6ac2a9e4fb63240c6607c8511
SHA256b824a2b0ce97c48128bf111e53742c67e261289dbcbe4b076fda12ad896b6c0d
SHA5121535fab83abda52c9384830e55fe40769f294a7cecd059e61c00c1d64e5111d798028ae1d30deecd86ec6905b248561a343c3614ae2c343435325ecd8e3ab5b9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.jsFilesize
6KB
MD57774314ba2acad8ac9f40887f9e389de
SHA122f45ac77e14d5d248a0e4621855fc5592a7912a
SHA256c01248aaa07a18c5123e917ac0e9997654de0d8cd58c88f82ff41b76594ffb8b
SHA512bba556e4ce37aa8551db49bc40c69f0bddcd4e8d97f712aa6517621f080fe5dab1ab888dcc2f93a61642641590e553311d46dfa89cf0038bffad6ba30be9aba4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4Filesize
989B
MD52735555235faa129dde30d2d4a9a2024
SHA19516481cfb3da8921e0bd0e46a075da3ddf10d28
SHA25669f6f8d130dd949b48821e484446356df35d565107fc713cae01f2f978f7a4e3
SHA5129a0d602d50ba426eb2537dc7745f87ca2affc2f01168d0ac7b24ca267ec61cef36c16ef90a8ce9018deb36672a709d2853d257608d88ab9d9d68a53c29806c1e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4Filesize
458B
MD5896a7064bdd38f41500a1acc76d56d7b
SHA1f46cd08670ad5749a865b8e2605f9a4bf1842223
SHA256c65639f8d8d261517f4f1a9c2d134ebb986b7087a27c736e5b10fd29d4bced85
SHA512f23039afea5c4b34d49c87827bca2b250f02d2ff05d8c6e29656146bedc376438d2976ad57ebee1c06333176cb78789515621a01e2b1202d0a5a2cae6de4bf01
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
184KB
MD5b01efd0877d8bb4a5d754d6d5a5922cf
SHA16dfaecd4219afbb206185171c64c777e9c73ae21
SHA256ef1ebedd446ce18b79317f09953ff8a6069f92749188b45945567c315388aa90
SHA5126f5fce89b6dc7e6979fdb01493c0811bcd55cb945d7665cd9a23e93419a5aa28207b3f614461103f04b0406741e8020c35252fda5529e41e3e918e42fd89c086
-
C:\Windows\System32\CatRoot2\dberr.txtFilesize
19KB
MD5f182870a641edc4f19b0ba491dc6bc92
SHA1c37356bc388e33b7c03aba125e324eecfcb26b31
SHA25677692e9b2da62df3bd9fd2d7b8f2ec8e99590967017960da753d99fc1b6500df
SHA51252eed92f6543830fada28e837bd6ac9207064a3ce370906fa2496b40f840a1321c54d295f3a1b329ba682aff76f84a923b7dd769813cf42c7d010d7fad40eddc
-
C:\Windows\System32\DriverStore\Temp\{9eb96a88-2d2f-8042-a7e2-9548098b0fae}\mbtun.catFilesize
10KB
MD58abff1fbf08d70c1681a9b20384dbbf9
SHA1c9762e121e4f8a7ad931eee58ee60c8e9fc3ecb6
SHA2569ceb410494b95397ec1f8fa505d071672bf61f81cc596b8eccd167a77893c658
SHA51237998e0aee93ff47fe5b1636fce755966debe417a790e1aebd7674c86c1583feef04648a7bc79e4dedaabb731051f4f803932ac49ea0be05776c0f4d218b076f
-
C:\Windows\System32\drivers\mbamswissarmy.sysFilesize
192KB
MD529cab46fc7a117efb911fa2f6d15dac0
SHA1006b1ff6942078339865dd3f30224a46bbe96663
SHA256dc7718443d1ac29d1d0325803f0be60ef9a7b6395071cfb1847e7a746e790d23
SHA512a179481edfcce87a44520feadf0a81a2c2881957c89a066c94b08db72244dbfb91708880bcf9e8f91f3b97da5dc06b2e10c742e031646ec202bf07262c16f9d7
-
C:\Windows\Temp\MBInstallTempe02577d126d811ef8b33d6c6679d10a6\7z.dllFilesize
2.5MB
MD5a144e24209683e3cba6e29dab5764162
SHA1ab2112cce717bec8f5667721a072d790484095ec
SHA256b2ff9dbf90cbd0c45cd7d95ce4892377ec7e92970e05f2e56b0ce93861190348
SHA5122c823981b53b7eb7c1b726468d3b28c234c7e555aab35e759e88d38658566d267a20867f1cb18d96c830e7d53643629a9fa313eecee8b553703086fbb64cc984
-
C:\Windows\Temp\MBInstallTempe02577d126d811ef8b33d6c6679d10a6\ctlrpkg\Malwarebytes_Assistant.runtimeconfig.jsonFilesize
372B
MD5d94cf983fba9ab1bb8a6cb3ad4a48f50
SHA104855d8b7a76b7ec74633043ef9986d4500ca63c
SHA2561eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a
SHA51209a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998
-
C:\Windows\Temp\MBInstallTempe02577d126d811ef8b33d6c6679d10a6\ctlrpkg\mbae64.sysFilesize
154KB
MD595515708f41a7e283d6725506f56f6f2
SHA19afc20a19db3d2a75b6915d8d9af602c5218735e
SHA256321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6
SHA512d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08
-
C:\Windows\Temp\MBInstallTempe02577d126d811ef8b33d6c6679d10a6\dbclspkg\MBAMCoreV5.dllFilesize
6.3MB
MD59bbcbee54b8adda7eb979322ee9c803a
SHA182d1c65ae32210b6ec3df6c2dc5a395ea6b7a9ac
SHA256fe5c67c1e19c1137a4d4b3928d8b37db1845ac6d4b3f13d7b4d4bf4b325e331a
SHA512fc0637f2f55698775840720480bc65fd40911913a509f0fe70cd2653aa2bdfb0605e4db24283da56a83ed7d74eb5837d2eab876c3025a94606bdfa6715ce19d9
-
C:\Windows\Temp\MBInstallTempe02577d126d811ef8b33d6c6679d10a6\dotnetpkgtmp\shared\Microsoft.NETCore.App\6.0.28\mscordaccore.dllFilesize
1.3MB
MD53143ffcfcc9818e0cd47cb9a980d2169
SHA172f1932fda377d3d71cb10f314fd946fab2ea77a
SHA256b7fb9547e4359f6c116bd0dbe36a8ed05b7a490720f5a0d9013284be36b590b7
SHA512904800d157eb010e7d17210f5797409fea005eed46fbf209bca454768b28f74ff3ff468eaad2cfd3642155d4978326274331a0a4e2c701dd7017e56ddfe5424b
-
C:\Windows\Temp\MBInstallTempe02577d126d811ef8b33d6c6679d10a6\servicepkg\MBAMService.exeFilesize
7.1MB
MD52a04ba83060427c8dab782517a07e01b
SHA1f4573f20473db0ab32c3348e536e2287151c4c4f
SHA256569379dfd0bac0b2ef4408c2786c982a9b4bf5bcf530518564ec7db1af764295
SHA512749e66f94cb516fd98b2acd9219a2adfeba49729510b255ecabb5f1610f75eff214d361a4fbb2e2efb59a0eff25b9d49b8758b6e0c4592e5713e59df6a194ebd
-
C:\Windows\Temp\MBInstallTempe02577d126d811ef8b33d6c6679d10a6\servicepkg\mbamelam.catFilesize
10KB
MD560608328775d6acf03eaab38407e5b7c
SHA19f63644893517286753f63ad6d01bc8bfacf79b1
SHA2563ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59
SHA5129f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7
-
C:\Windows\Temp\MBInstallTempe02577d126d811ef8b33d6c6679d10a6\servicepkg\mbamelam.infFilesize
2KB
MD5c481ad4dd1d91860335787aa61177932
SHA181633414c5bf5832a8584fb0740bc09596b9b66d
SHA256793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3
SHA512d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830
-
C:\Windows\Temp\MBInstallTempe02577d126d811ef8b33d6c6679d10a6\servicepkg\mbamelam.sysFilesize
20KB
MD59e77c51e14fa9a323ee1635dc74ecc07
SHA1a78bde0bd73260ce7af9cdc441af9db54d1637c2
SHA256b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0
SHA512a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186
-
memory/2432-4127-0x000002A339BC0000-0x000002A339EFF000-memory.dmpFilesize
3.2MB
-
memory/2432-4366-0x000002A339BC0000-0x000002A339EFF000-memory.dmpFilesize
3.2MB
-
memory/2432-4234-0x000002A339BC0000-0x000002A339EFF000-memory.dmpFilesize
3.2MB
-
memory/2432-4044-0x000002A339BC0000-0x000002A339EFF000-memory.dmpFilesize
3.2MB
-
memory/2432-4193-0x000002A339BC0000-0x000002A339EFF000-memory.dmpFilesize
3.2MB
-
memory/2432-4498-0x000002A339BC0000-0x000002A339EFF000-memory.dmpFilesize
3.2MB
-
memory/2432-4198-0x000002A339BC0000-0x000002A339EFF000-memory.dmpFilesize
3.2MB
-
memory/2432-3892-0x000002A339BC0000-0x000002A339EFF000-memory.dmpFilesize
3.2MB
-
memory/2432-3156-0x000002A339BC0000-0x000002A339EFF000-memory.dmpFilesize
3.2MB
-
memory/2432-4521-0x000002A339BC0000-0x000002A339EFF000-memory.dmpFilesize
3.2MB