Analysis
-
max time kernel
212s -
max time network
213s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
18-06-2024 14:56
Static task
static1
Behavioral task
behavioral1
Sample
BytesGen.zip
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
BytesGen.zip
Resource
win10v2004-20240611-en
General
-
Target
BytesGen.zip
-
Size
29KB
-
MD5
36c8c7e6265de469fd35d5da73fbad55
-
SHA1
a995722a6d96efb0a47f0c10b00ffe6dc72557ad
-
SHA256
d4d608a2a0763e50b5d6b651683abf63bb7b41673b181cfa6c58178c49cdf281
-
SHA512
ddaf2523fe52c9f48be4befd9637a1602c811540c8344bea5758bdfec7cff81b908878125b7e1835e3dfb3cb6dae9a8ca772652d0d9c5735e8a5c3e1183d8a39
-
SSDEEP
384:smuUFUACXk82FvDLTi6VhkYIX3kWNLKoH3936f0NWXlFmtxfjq0K568uD4H:smDFUAck8gvTi6VlIfHX936MNWVsLQ
Malware Config
Signatures
-
Downloads MZ/PE file
-
Drops file in Drivers directory 6 IoCs
Processes:
MBAMService.exeMBAMService.exeMBSetup.exeMBAMInstallerService.exedescription ioc process File created C:\Windows\system32\DRIVERS\MbamElam.sys MBAMService.exe File opened for modification C:\Windows\system32\DRIVERS\MbamElam.sys MBAMService.exe File created C:\Windows\system32\DRIVERS\mbamswissarmy.sys MBAMService.exe File created C:\Windows\system32\DRIVERS\MbamChameleon.sys MBAMService.exe File created C:\Windows\SysWOW64\drivers\mbamtestfile.dat MBSetup.exe File created C:\Windows\system32\drivers\mbae64.sys MBAMInstallerService.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Sets service image path in registry 2 TTPs 2 IoCs
Processes:
MBAMService.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mbamchameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys" MBAMService.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
MBAMService.exeMBSetup.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion MBAMService.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate MBAMService.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion MBSetup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate MBSetup.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Malwarebytes.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation Malwarebytes.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 7 IoCs
Processes:
MBSetup.exeMBAMInstallerService.exeMBVpnTunnelService.exeMBAMService.exeMBAMService.exeMalwarebytes.exeWindows ExpIorer.exepid process 4036 MBSetup.exe 5340 MBAMInstallerService.exe 5264 MBVpnTunnelService.exe 5752 MBAMService.exe 5800 MBAMService.exe 3916 Malwarebytes.exe 6520 Windows ExpIorer.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
Processes:
MBAMInstallerService.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService\ = "Service" MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService MBAMInstallerService.exe -
Loads dropped DLL 64 IoCs
Processes:
MBAMInstallerService.exeMBVpnTunnelService.exeMBAMService.exeMalwarebytes.exepid process 5340 MBAMInstallerService.exe 5340 MBAMInstallerService.exe 5340 MBAMInstallerService.exe 5264 MBVpnTunnelService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5340 MBAMInstallerService.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
MBAMService.exeMBAMInstallerService.exedescription ioc process File opened (read-only) \??\R: MBAMService.exe File opened (read-only) \??\U: MBAMService.exe File opened (read-only) \??\G: MBAMInstallerService.exe File opened (read-only) \??\T: MBAMInstallerService.exe File opened (read-only) \??\U: MBAMInstallerService.exe File opened (read-only) \??\I: MBAMService.exe File opened (read-only) \??\J: MBAMService.exe File opened (read-only) \??\M: MBAMService.exe File opened (read-only) \??\Z: MBAMInstallerService.exe File opened (read-only) \??\B: MBAMInstallerService.exe File opened (read-only) \??\O: MBAMInstallerService.exe File opened (read-only) \??\Q: MBAMInstallerService.exe File opened (read-only) \??\Y: MBAMService.exe File opened (read-only) \??\K: MBAMInstallerService.exe File opened (read-only) \??\R: MBAMInstallerService.exe File opened (read-only) \??\V: MBAMInstallerService.exe File opened (read-only) \??\X: MBAMInstallerService.exe File opened (read-only) \??\E: MBAMService.exe File opened (read-only) \??\H: MBAMService.exe File opened (read-only) \??\T: MBAMService.exe File opened (read-only) \??\W: MBAMService.exe File opened (read-only) \??\X: MBAMService.exe File opened (read-only) \??\Z: MBAMService.exe File opened (read-only) \??\A: MBAMInstallerService.exe File opened (read-only) \??\E: MBAMInstallerService.exe File opened (read-only) \??\K: MBAMService.exe File opened (read-only) \??\L: MBAMService.exe File opened (read-only) \??\Q: MBAMService.exe File opened (read-only) \??\H: MBAMInstallerService.exe File opened (read-only) \??\N: MBAMInstallerService.exe File opened (read-only) \??\P: MBAMInstallerService.exe File opened (read-only) \??\S: MBAMInstallerService.exe File opened (read-only) \??\A: MBAMService.exe File opened (read-only) \??\P: MBAMService.exe File opened (read-only) \??\S: MBAMService.exe File opened (read-only) \??\B: MBAMService.exe File opened (read-only) \??\G: MBAMService.exe File opened (read-only) \??\V: MBAMService.exe File opened (read-only) \??\O: MBAMService.exe File opened (read-only) \??\I: MBAMInstallerService.exe File opened (read-only) \??\J: MBAMInstallerService.exe File opened (read-only) \??\W: MBAMInstallerService.exe File opened (read-only) \??\Y: MBAMInstallerService.exe File opened (read-only) \??\N: MBAMService.exe File opened (read-only) \??\L: MBAMInstallerService.exe File opened (read-only) \??\M: MBAMInstallerService.exe -
Drops file in System32 directory 64 IoCs
Processes:
MBVpnTunnelService.exeDrvInst.exedescription ioc process File created C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_5d1c92f42d958529\netax88772.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\net7800-x64-n650f.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\bcmdhd64.inf_amd64_e0bae6831f60ea5f\bcmdhd64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_b96cdf411c43c00c\netbc64.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{11e490f8-69b1-be40-a994-64ff1eb58c60}\mbtun.cat DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_1bdf7a435cb3580d\netrasa.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_d6132e4c7fe2fac6\rtux64w10.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net8187bv64.inf_amd64_bc859d32f3e2f0d5\net8187bv64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_783312763f8749c7\netl260a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4\netv1x64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\nett4x64.inf_amd64_54eacac1858c78ab\nett4x64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\netwew00.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\netwsw00.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_b6748bc8bb8ccf4d\netax88179_178a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_dba6eeaf0544a4e0\netwmbclass.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_153e01d761813df2\netwew01.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net1ic64.inf_amd64_5f033e913d34d111\net1ic64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_7a30f5a9441cd55b\net8185.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\usbncm.inf_amd64_9957a38c3d2283ed\usbncm.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mbtun.inf_amd64_add82795013a7c3b\mbtun.inf DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\bcmwdidhdpcie.inf_amd64_977dcc915465b0e9\bcmwdidhdpcie.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlanu.inf_amd64_1815bafd14dc59f0\netrtwlanu.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{11e490f8-69b1-be40-a994-64ff1eb58c60} DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\netrtwlane_13.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netbc63a.inf_amd64_7ba6c9cea77dd549\netbc63a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_d5996f2a9d9aa9e3\netr28ux.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\Temp\{11e490f8-69b1-be40-a994-64ff1eb58c60}\SETFA4B.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_895623810c19146a\nete1e3e.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_1f949c30555f4111\netmyk64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\netvwwanmp.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\athw8x.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_5d63c7bcbf29107f\netr28x.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\ykinx64.inf_amd64_0bbd8466b526ef26\ykinx64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net7500-x64-n650f.inf_amd64_cc87c915f33d1c27\net7500-x64-n650f.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\netmlx4eth63.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_d823e3edc27ae17c\netk57a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwlv64.inf_amd64_0b9818131664d91e\netwlv64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw02.inf_amd64_42e02bae858d0fbd\netwtw02.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_220db23f5419ea8d\netathrx.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_9e6bb7a4b7338267\usbnet.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_e92c5a65e41993f9\net9500-x64-n650f.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_8de1181bfd1f1628\ndisimplatformmp.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{11e490f8-69b1-be40-a994-64ff1eb58c60}\SETFA4B.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netvf63a.inf_amd64_a090e6cfaf18cb5c\netvf63a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_5aa81644af5957b3\msux64w10.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\ipoib6x.inf_amd64_ef71073a5867971f\ipoib6x.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\e2xw10x64.inf_amd64_04c2ae40613a06ff\e2xw10x64.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{11e490f8-69b1-be40-a994-64ff1eb58c60}\mbtun.inf DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_1fff3bc87a99b0f1\netbxnda.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{11e490f8-69b1-be40-a994-64ff1eb58c60}\SETFA3B.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{11e490f8-69b1-be40-a994-64ff1eb58c60}\SETFA3B.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\net1yx64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\rndiscmp.inf_amd64_81bff1eb756435c6\rndiscmp.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\netathr10x.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netjme.inf_amd64_752bf22f1598bb7e\netjme.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_310ee0bc0af86ba3\netr7364.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF MBVpnTunnelService.exe -
Drops file in Program Files directory 64 IoCs
Processes:
MBAMInstallerService.exeMBAMService.exedescription ioc process File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ru\ReachFramework.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\System.Windows.Input.Manipulations.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\UIAutomationClientSideProviders.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\VPNControllerImpl.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\cs\System.Windows.Forms.Primitives.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\de\UIAutomationProvider.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\de\WindowsBase.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\fr\System.Windows.Forms.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.tmf MBAMService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Microsoft.Extensions.Primitives.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Microsoft.EntityFrameworkCore.Relational.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Sentry.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\cs\PresentationUI.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\System.Windows.Forms.Design.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.UI.Theme.Dark.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.AppContext.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Diagnostics.StackTrace.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Runtime.InteropServices.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Text.Encoding.Extensions.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-synch-l1-2-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Windows.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\cs\UIAutomationTypes.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\it\PresentationCore.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\pl\Microsoft.VisualBasic.Forms.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\PresentationFramework-SystemDrawing.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\tr\PresentationFramework.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Globalization.Extensions.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.IO.IsolatedStorage.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Resources.Writer.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\de\Microsoft.VisualBasic.Forms.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\pt-BR\WindowsFormsIntegration.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\System.CodeDom.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\System.Drawing.Common.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\Microsoft.DiaSymReader.Native.amd64.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Runtime.Serialization.Xml.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Xml.XPath.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ko\System.Windows.Input.Manipulations.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\fr\WindowsFormsIntegration.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\pt-BR\UIAutomationClientSideProviders.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\PoliciesControllerImpl.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.ObjectModel.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Private.Xml.Linq.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\de\System.Windows.Input.Manipulations.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\fr\System.Windows.Forms.Design.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Reflection.Primitives.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\D3DCompiler_47_cor3.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\System.Windows.Controls.Ribbon.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\rtp.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\WindowsFormsIntegration.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Serilog.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-namedpipe-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.IO.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\pl\WindowsBase.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\PresentationFramework-SystemCore.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\mbtun.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\api-ms-win-core-console-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.IO.Compression.Brotli.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ko\Microsoft.VisualBasic.Forms.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ko\PresentationFramework.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\System.Security.Permissions.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\LicenseControllerImpl.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\System.Diagnostics.EventLog.Messages.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Diagnostics.Tools.dll MBAMInstallerService.exe -
Drops file in Windows directory 5 IoCs
Processes:
DrvInst.exeMBVpnTunnelService.exesvchost.exedescription ioc process File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log MBVpnTunnelService.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
DrvInst.exesvchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MBAMService.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MBAMService.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MBAMService.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 6452 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Processes:
MBAMService.exeMBAMInstallerService.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION MBAMInstallerService.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Malwarebytes.exe = "11000" MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION MBAMService.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000" MBAMService.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
MBAMInstallerService.exeDrvInst.exeMBAMService.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0 MBAMInstallerService.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Malwarebytes\FirstRun = "false" MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes MBAMInstallerService.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes\FirstRun = "false" MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0 MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications MBAMInstallerService.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\ MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MBAMService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0 MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\Software MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MBAMService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\S-1-5-19\Software MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office MBAMInstallerService.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\ MBAMInstallerService.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\ MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0 MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office MBAMInstallerService.exe -
Modifies registry class 64 IoCs
Processes:
MBAMService.exeOpenWith.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF153224-DA64-41F1-AA87-321B345870FA}\ = "ICleanControllerEventsV8" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC2F8F62-D471-4AD5-B346-9F214FE941A7}\ = "IPoliciesControllerV2" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\ = "ExploitRecord Class" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF16D72-5906-4045-86BC-16826F6212FE}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DAE713-FD88-4ADB-9406-04CB574D543C}\ = "IScanControllerV3" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E3D4AC2-A9AE-478A-91EE-79C35D3CA8C7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66328184-6592-46BE-B950-4FDA4417DF2E} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A583D5DD-F005-4D17-B564-5B594BB58339}\TypeLib\ = "{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B2CCE9B-6446-450F-9C9D-542CD9FA6677}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD67766C-A28D-44F3-A5D0-962965510B2D}\ = "ICloudControllerV4" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D57ACF19-30E3-4B7E-BCDD-6EEB8E57AF27} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71AC94F2-D545-438F-9156-C231B7D94A56}\TypeLib\ = "{332AFEBA-9341-4CEC-8EA6-DB155A99DF63}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2DEBAD4E-3BAF-44F0-9150-BCCCC3801CF9}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A3E14F0-01F5-492E-AA97-3D880941D814}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DC97FF29-5CE2-4897-8175-94672057E02D}\ = "IArwControllerEvents" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3498D9E4-6476-4AC0-B53A-75BC9955EF37}\ = "IMBAMServiceControllerV3" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA6C70E7-6A6D-4F4A-99BF-C8B375CB7E0C}\TypeLib MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E03FDF96-969E-4700-844D-7F754F1657EF} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FB37514-21FA-4B2C-94DA-1562126E9F5F} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E3F70EF-D9BE-485F-A6F5-816DD0EDC757}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8E2CB10-C8DE-4225-ABBB-6CE77FF04FFA} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78E69E6F-EC12-4B84-8431-1D68572C7A61}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE77988C-B530-4686-8294-F7AB429DFD0C}\TypeLib\ = "{F5BCAC7E-75E7-4971-B3F3-B197A510F495}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6724C143-DE69-4A93-80ED-19B75DD2AA99}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9442AA1-AEB8-4FB4-B998-BFBC37BA8A99}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDCB7916-7DE8-44C8-BAF6-F1BBB3268456}\TypeLib MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MB.MWACController.1\CLSID MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{61964EBA-D9C0-4834-B01C-A6133F432BB1}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63A6AB57-4679-4529-B78D-143547B22799}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D7A05281-DB9E-4E02-9680-E4D83CDAA6AB}\ = "_ICleanControllerEventsV8" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24F9231B-265E-4C66-B10B-D438EF1EB510} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B05F69B-4F9B-4FD3-A491-16153F999E00}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\Version MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61964EBA-D9C0-4834-B01C-A6133F432BB1}\ = "IScanParametersV6" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{748A86D4-7EDF-41EF-A1EF-9582643B1C9F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79D77750-02E0-4451-A7BB-524ACD93DD93}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CE18DD5-2BD7-4844-B9AD-DF6A995750A1}\ = "IAEControllerEventsV3" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{172ABF99-1426-47CA-895B-092E23728E8A}\TypeLib\ = "{F5BCAC7E-75E7-4971-B3F3-B197A510F495}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{332AFEBA-9341-4CEC-8EA6-DB155A99DF63}\1.0\0\win64 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99E6F3FE-333C-462C-8C39-BC27DCA4A80E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3FCAA7C-EA26-43E6-A312-CDB85491DDD8}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E96FEF0-48F7-4ECB-B010-501044575477}\ = "_IRTPControllerEventsV3" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E777BB2-8526-437A-BBE2-42647DE2EC86} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1097B101-1FF8-4DD8-A6C1-6C39FB2EA5D6}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99E6F3FE-333C-462C-8C39-BC27DCA4A80E}\ = "IRTPControllerV10" MBAMService.exe Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1BA0B73-14BD-4C9D-98CA-99355BD4EB24}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2058A31F-5F59-4452-9204-03F588252FFC} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{562B1FA7-13DE-40A1-8839-AB2C5FA3129C}\TypeLib MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{738848E2-18E4-40F8-9C08-60BC0505E9E9}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19E8B60E-50A1-4E29-9138-A13421D2BF7D} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19E8B60E-50A1-4E29-9138-A13421D2BF7D}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{638A43D2-5475-424B-87B8-042109D7768F}\ = "_IUpdateControllerEvents" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5186B66-AE3D-4EC4-B9F5-67EC478625BE}\ = "_IMWACControllerEvents" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53260A87-5F77-4449-95F1-77A210A2A6D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\VersionIndependentProgID\ = "MB.LicenseController" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1861D707-8D71-497D-8145-62D5CBF4222F}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{778103CC-4FA4-42AC-8981-D6F11ACC6B7F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E41AC038-1688-417F-BE23-52D898B93903} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCF0F42-EF8F-4450-BA68-42B61F594B2F}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8307A4A5-A025-438B-B23B-8EE38A453D54}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F22E03D6-F159-40A0-9476-16F3377B58C9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{09F245DA-55E7-451E-BDF3-4EE44637DFF1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe -
Processes:
MBAMInstallerService.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4 MBAMInstallerService.exe -
NTFS ADS 2 IoCs
Processes:
msedge.exeMBAMInstallerService.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 541429.crdownload:SmartScreen msedge.exe File created C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe\:SmartScreen:$DATA MBAMInstallerService.exe -
Opens file in notepad (likely ransom note) 4 IoCs
Processes:
NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXEpid process 7076 NOTEPAD.EXE 6072 NOTEPAD.EXE 3528 NOTEPAD.EXE 6724 NOTEPAD.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc stream HTTP User-Agent header 212 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) 1 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeMBSetup.exeMBAMInstallerService.exeMBAMService.exeMalwarebytes.exeKeygen.exemsedge.exepid process 432 msedge.exe 432 msedge.exe 4356 msedge.exe 4356 msedge.exe 4496 identity_helper.exe 4496 identity_helper.exe 3640 msedge.exe 3640 msedge.exe 6056 msedge.exe 6056 msedge.exe 4036 MBSetup.exe 4036 MBSetup.exe 5340 MBAMInstallerService.exe 5340 MBAMInstallerService.exe 5340 MBAMInstallerService.exe 5340 MBAMInstallerService.exe 5340 MBAMInstallerService.exe 5340 MBAMInstallerService.exe 5340 MBAMInstallerService.exe 5340 MBAMInstallerService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 5800 MBAMService.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 5800 MBAMService.exe 5800 MBAMService.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6288 Keygen.exe 6500 msedge.exe 6500 msedge.exe 6500 msedge.exe 6500 msedge.exe 5800 MBAMService.exe 5800 MBAMService.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
OpenWith.exeOpenWith.exeOpenWith.exepid process 4400 OpenWith.exe 6164 OpenWith.exe 1328 OpenWith.exe -
Suspicious behavior: LoadsDriver 4 IoCs
Processes:
pid process 648 648 648 648 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
Processes:
msedge.exepid process 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeMBAMService.exeMBAMService.exedescription pid process Token: SeAuditPrivilege 4596 svchost.exe Token: SeSecurityPrivilege 4596 svchost.exe Token: 33 5752 MBAMService.exe Token: SeIncBasePriorityPrivilege 5752 MBAMService.exe Token: 33 5800 MBAMService.exe Token: SeIncBasePriorityPrivilege 5800 MBAMService.exe Token: SeBackupPrivilege 5800 MBAMService.exe Token: SeRestorePrivilege 5800 MBAMService.exe Token: SeTakeOwnershipPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeBackupPrivilege 5800 MBAMService.exe Token: SeRestorePrivilege 5800 MBAMService.exe Token: SeTakeOwnershipPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeSecurityPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe Token: SeDebugPrivilege 5800 MBAMService.exe -
Suspicious use of FindShellTrayWindow 43 IoCs
Processes:
msedge.exeMBSetup.exeMalwarebytes.exepid process 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4036 MBSetup.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe -
Suspicious use of SendNotifyMessage 30 IoCs
Processes:
msedge.exeMalwarebytes.exepid process 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 4356 msedge.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe 3916 Malwarebytes.exe -
Suspicious use of SetWindowsHookEx 56 IoCs
Processes:
OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exepid process 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 4400 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6164 OpenWith.exe 6648 OpenWith.exe 6648 OpenWith.exe 6648 OpenWith.exe 6648 OpenWith.exe 6648 OpenWith.exe 7028 OpenWith.exe 7116 OpenWith.exe 1328 OpenWith.exe 1328 OpenWith.exe 1328 OpenWith.exe 1328 OpenWith.exe 1328 OpenWith.exe 1328 OpenWith.exe 1328 OpenWith.exe 1328 OpenWith.exe 1328 OpenWith.exe 1328 OpenWith.exe 1328 OpenWith.exe 1328 OpenWith.exe 1328 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 4356 wrote to memory of 4072 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 4072 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3012 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 432 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 432 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe PID 4356 wrote to memory of 3548 4356 msedge.exe msedge.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\BytesGen.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\BytesGen\README ! ! ! ! .txt1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd061c46f8,0x7ffd061c4708,0x7ffd061c47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3628 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5368 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5416 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6588 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6448 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\MBSetup.exe"C:\Users\Admin\Downloads\MBSetup.exe"2⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4008777596929574945,5613979788875854680,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5404 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "000000000000014C" "Service-0x0-3e7$\Default" "000000000000015C" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" nowindow2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\BytesGen\keydata.dat2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\BytesGen\windows%32%.config2⤵
-
C:\Users\Admin\Documents\BytesGen\Keygen.exe"C:\Users\Admin\Documents\BytesGen\Keygen.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows ExpIorer" /tr '"C:\Users\Admin\AppData\Roaming\Windows ExpIorer.exe"' & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows ExpIorer" /tr '"C:\Users\Admin\AppData\Roaming\Windows ExpIorer.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB5AA.tmp.bat""2⤵
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\Windows ExpIorer.exe"C:\Users\Admin\AppData\Roaming\Windows ExpIorer.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\BytesGen\logs.dat2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\BytesGen\keydata.dat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\BytesGen\BunifunTU.DLL2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
-
C:\Users\Admin\Documents\BytesGen\Keygen.exekeygen.exe2⤵
-
C:\Users\Admin\Documents\BytesGen\Keygen.exekeygen.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
3Impair Defenses
1Safe Mode Boot
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\LicenseControllerImpl.dllFilesize
4.8MB
MD54a6bd96ef1a04a332a98af3cd9505507
SHA11bd6a43804226c32573283a9ad3848608f383591
SHA2564a90709d539ca3194cf64ecff60896f0a8cc959f0cb4a83e5330c6c06951b8a2
SHA512c806faef29d979d0b0b7d0de3484508a1fd5737dfa73b54eba6a9ff351a3c11d00609da41ab8060b067ff02b18a4313a20df04e5593aab366fee8db271791550
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dllFilesize
4.2MB
MD580202b21a6f3df9d0d54f20a381df93c
SHA16915dcc75d0b84e5db40656d6382cb217a1996c2
SHA2564217a62ea3df3bd98e40d205b4fb5f9673c340c366551adb771ff3e34e7bdcfc
SHA5128d691deae1f7c5243d045940f7f728a874e72550859b291119c9b951bd95232980dc2a1b3c19154c723c42e0aa93747a046f747bbc305941594477a39c2925f1
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\UpdateControllerImpl.dllFilesize
4.3MB
MD53dab92561baa80cfd65cb12206f67909
SHA1c1af27bc59a047e1f6bfddced3c922f9a1c0c5d7
SHA25618bc533cc8f6995644aaf7d453c745a9ed696a1472033219b9cab6adccd8fc48
SHA5122bd06382f4a32f32a7ee548356775d2e3db382e07587dd6622be722f843f8f5c8cee0b131061142fb9605dc503435729410e1853895a0a8856db0776bfecea1f
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\clean.mbdbFilesize
13KB
MD50434affa018310878bcb593f1e687fdc
SHA18fe7a0b354fa1a2875c4a9486a759d6ffd660e64
SHA2569ef1b9e8f27ff518faa378ce7c967bba97d14a8d7f68a7cb4e08269db986b098
SHA5128652c4f99be49712c971a00d151582a33b97c5b76e50dffcdbf556a7859f7f36606602913d5d6fef74ddc0de0ceedbc6e4ae651eef740e3c0136ace6dc9600af
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbmanifest2.datFilesize
924B
MD5b0a4df5abe41faeaa6ffe3fa9f798b3c
SHA1f29e94e13f3b74f99eb093c609b3339558fbab50
SHA256b18900930b99ff13312a4dcb2fefb68740a574d6a8a5463974b1ef5f0a74535a
SHA5123f274288aecc5027e5676df509e5449de9b8fdf2193da58444769c2bba6e5f68a5c54083ed46a657a31a8139d957ffb867cc57d3554a834bb0f35311d7a4a0c4
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\mbdigsig2.datFilesize
514B
MD56da06f61916702d87f03be7b96a81c61
SHA1a0edb68a14561924d7df8f7c2d84d44b8c8ff523
SHA2562668c8799a332c9c90955f7cf41eb1ce96247b437300f86c36ee1c6b88d7ced7
SHA512ab7c4ced27d839db071bc1bf9f8c5b389c931179735ae667ec6539f573d2b4ada57158838335752beb76a00d318848818561d07ffee8e7e3bac4b5fa837af3a6
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\prot.mbdbFilesize
24B
MD5546d9e30eadad8b22f5b3ffa875144bf
SHA13b323ffef009bfe0662c2bd30bb06af6dfc68e4d
SHA2566089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f
SHA5123478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rdefs.mbdbFilesize
24B
MD52f7423ca7c6a0f1339980f3c8c7de9f8
SHA1102c77faa28885354cfe6725d987bc23bc7108ba
SHA256850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55
SHA512e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rules.mbdbFilesize
9.6MB
MD56288a7075210a909b6c04f958c2aec89
SHA181ac9494df9f11a448bce725b07df16ad1d36f3e
SHA256af5584761a73313464ce850a59f06a7a8c567ea3a94016f3fe860f392ca8280d
SHA51293c8745d3897f53338566053b6f800ff1ecd455bce9de8dcb400e8c5853f4cf5b5b8912e3841dc94ed3c67c9e8225359667b7075dcae5e2efa8b48e4bd2198d3
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\scan.mbdbFilesize
888KB
MD5b479a7ee661053c1cbf487f05528f885
SHA127a1163a7b1bd1d56ab1b360665b45586ea273ba
SHA2569c97c6fe7296207616b267adef5419b79ee33aaf6182d416c0a0ce2ca49e652c
SHA51261429b48d47feef93cb59bb70207faa0f82d8f62c1f2f46d0552a852b08ad2133691e8999bff8706093c8895e09b7b585ddccad3cb018bf731bed6241899019e
-
C:\PROGRA~1\MALWAR~1\ANTI-M~1\mbtun\mbtun.catFilesize
10KB
MD58abff1fbf08d70c1681a9b20384dbbf9
SHA1c9762e121e4f8a7ad931eee58ee60c8e9fc3ecb6
SHA2569ceb410494b95397ec1f8fa505d071672bf61f81cc596b8eccd167a77893c658
SHA51237998e0aee93ff47fe5b1636fce755966debe417a790e1aebd7674c86c1583feef04648a7bc79e4dedaabb731051f4f803932ac49ea0be05776c0f4d218b076f
-
C:\PROGRA~1\MALWAR~1\ANTI-M~1\mbtun\mbtun.sysFilesize
107KB
MD583d4fba999eb8b34047c38fabef60243
SHA125731b57e9968282610f337bc6d769aa26af4938
SHA2566903e60784b9fa5d8b417f93f19665c59946a4de099bd1011ab36271b267261c
SHA51247faab5fff3e3e2d2aea0a425444aa2e215f1d5bf97edee2a3bb773468e1092919036bcd5002357594b62519bf3a8980749d8d0f6402de0e73c2125d26e78f1e
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exeFilesize
8.6MB
MD58ef5fe48aa57a5c252d9bc09bc21d17a
SHA1b1d73d06719c32163427ce69cabfd18630f20386
SHA25675348e3dae5d4e878df0655583cc00281d7eab72b0b7a708dbd6fb9206315ffa
SHA5127f8eac31a7cb9af960069785360e50686976f8f99ae709b0cfee6ed078dc9eaa80ba93ae1ea6d65998ca668e721162dbab237103c92ea38a76f6c8400e25d291
-
C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exeFilesize
2.9MB
MD546f875f1fe3d6063b390e3a170c90e50
SHA162b901749a6e3964040f9af5ddb9a684936f6c30
SHA2561cf9d3512efffaa2290c105ac8b7534026604067c9b533e7b7df2e017569a4ec
SHA512fdfb348061158f8133380e9a94215f4bfc0f6ce643a129d623cb8034c49144f1489de56cd076da645478506d9fbddc7590fe3d643622210084b15fdf0d16b557
-
C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exeFilesize
288KB
MD523f1360ae0e948d300f0f62b53200093
SHA1e44fd6f0248e0a02525ee67664d83b535d9cb7d3
SHA25640dfe0689b744e0812ce857f7221ff85431ca37315d9b4f75ca40892af5870da
SHA5126e34d2546626736aa26b369a86745bdb9816138244fba3d5b5e29de4585cf4e66d52c35b5c5a577f252b62a137e340dd9de36c08a06f5395baec5a726ffb5222
-
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.jsonFilesize
621B
MD5a33d5e09f15829c70b497ff56de5506c
SHA17863918492fc5c05835ad398733d78a386f023a4
SHA256a16e4987994e92f45f5fd21c7e2852cf59cea31e6ed948776c157cde5387fecf
SHA51279b53b8137731233cf62c805b8d2b7a4d338f0f2bf38cadc4841ce5d5749e97048ea96ddfb4dd1cb5c1f6aab0cc8c7cbdfae4c6fa9303395dcdef473870833f4
-
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.jsonFilesize
654B
MD573d230e1f515ac493bec1ada1fde8a6e
SHA15523374d7b4894c94a1d112371a8adb6eaf7b88a
SHA2562ebf7e4b2a5d8d2b3fce798a8768905d8c8bb88078e3f0106fadb2329fa6edf8
SHA512995f99b5cee57b78e0cd0b37505b750dde5dfb43022402c94f4b2d9d46602556e5c9f8b4656ad9b3a4c3638808e66ae7394305724494051d1544ebccdac3743c
-
C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.datFilesize
8B
MD5dbee8e7bbcba63adfa242c00f228afb0
SHA16aae8d9e4053cb52a2f1b6847e65ec6335dbc0fc
SHA256c01415842abaa4bb6ada941a44c132a4a41c55097fb7e931decd04e8b5d6d380
SHA5121e82896df024fe6a2390e415bcf8dd92f71125639daebed99e115bd9ac219b5667201d29c6b2390a2fcd505c3780ba112ddfca128137b665da0cfdbd4d63f038
-
C:\Program Files\Malwarebytes\Anti-Malware\mb5uns.exeFilesize
3.8MB
MD5d289d84c0406750cef937bdcdbd32740
SHA189a8a040a62bc0d2c2809177773f6a10bb83fae9
SHA256e21d1060a4a2ad8d0cc781d0ec252b497d96915b648fbc9d1ab46ab750c8d00d
SHA512c8abdac9756ba299ecd3285a134219ccc222acc9f005a71eae85fd815a93b17b8857ac1e446a8122755e8702a39b76c13df962ba79f45855c752e3347311e09b
-
C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dllFilesize
2.7MB
MD5b7e5071b317550d93258f7e1e13e7b6f
SHA12d08d78a5c29cf724bc523530d1a9014642bbc60
SHA256467de01d7cee7ec54166b80658ff22f9feebdb1c24eaf1629cf40e4124508064
SHA5129c35293c95c1a9141740ac99315605964aa37c4a42d3a11cae9e5649ff1427a9480d3d5e7f763212cf13db3511c5ea3c84e68f95f0067fe6339a9d3fb7b27c54
-
C:\Program Files\Malwarebytes\Anti-Malware\mbtun.dllFilesize
2.8MB
MD52bbf63f1dab335f5caf431dbd4f38494
SHA190f1d818ac8a4881bf770c1ff474f35cdaa4fcd0
SHA256f21a980316bd4c57c70e00840ab76d9ad412092d7d2d6a2cff4f1311f7c05364
SHA512ebb9834323329dc01ba2c87e5fad1083a4cb86f5ed761cb63299ac5336a9843a1aadd42fbed706797c2295117af1c00f96806422338352653c8e0255fecc2fd5
-
C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.infFilesize
1KB
MD55d1917024b228efbeab3c696e663873e
SHA1cec5e88c2481d323ec366c18024d61a117f01b21
SHA2564a350fc20834a579c5a58352b7a3aa02a454abbbd9eecd3cd6d2a14864a49cd8
SHA51214b345f03284b8c1d97219e3dd1a3910c1e453f93f51753f417e643f50922e55c0e23aab1d437300e6c196c7017d7b7538de4850df74b3599e90f3941b40ab4a
-
C:\Program Files\Malwarebytes\Anti-Malware\offreg.dllFilesize
114KB
MD5f782f049b0e8c13b21f8e10e705bd7e5
SHA15c11f955e3983c50ea46b5d432c97c9148ac8e9f
SHA25616c450a310edbea07f578f31368f168ec338011cd117406898593e86ebb83dae
SHA512eed29c42b14ff26a030f53d61d6dc8e3971e478dc7646b26189f14f16699b6bedc170c4bcc37efe2e8f3048bde37480033b49eaf1a4712b88464f5da0efc18f2
-
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.catFilesize
10KB
MD5f7c8e0339bd48b6fe8eca81ac3ba5ba5
SHA11369bd4dcfa7709d8eed12fa76fdbebd39dd6bcc
SHA256a9dd01f84a075ea8d0b0968fd7a11720e49f019834f7d4fe80f50dacb12030aa
SHA512c722510c40fbed32bcda3b5b69c590a9043e4e51f8e804f77f73eb8ea0cac0f4a587ef540f2773981839f04e44f48bbc8b5e8c03ded3f0cf637ed1e3172c8e07
-
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.infFilesize
2KB
MD5d87c2f68057611e687bdb8cc6ebea5b8
SHA127b1311d3b199e4c22772fa1b7ea556805775d37
SHA256ff93773f55bf4a6a0242adf82276a8c95c0b244b9bc05e515c4e810c81a960e8
SHA5124aa65b8911d8a2a0f9ef0ee6e934b94db0a9ad4c2ec543b5edcf21486be43f6ab1fda6617ea2cbb85eff230628c9fa8e7649da915d6de695803b28e55bef5819
-
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.sysFilesize
233KB
MD54b2cc2d3ebf42659ea5e6e63584e1b76
SHA10042da8151f2e10a31ecceb60795eb428316e820
SHA2563db4366ccb9d94062388000926c060e2524c7d3ee4b6b7c7cf06f909f747fc6c
SHA512804d64d346b3dbb1ce3095a5d0fa7acc5da0bf832c458e557dac486559fe53144f15f08c444fea84a01471fd5981e68801a809b143c56b5b63e3e16de9db0d98
-
C:\Program Files\Malwarebytes\Anti-Malware\srvversion.datFilesize
9B
MD55e0e2d584de048ec8e1d96a8402b9074
SHA1bc939970e17845f19b5487ebc0f1962aa4f5a756
SHA2562b7b5bc2a6db622fd284281cd712081dc0a8c2650ac55133a96d2a719306f41a
SHA5128481bc8a5a7188e3d242f426d9daee162ed372101327ef6c452bdabb64cc3b5c38814715705d8341303a3ae1b377e6a0c77b8e0d7258376f563af8f9d21131f9
-
C:\Program Files\Malwarebytes\Anti-Malware\version.datFilesize
47B
MD53e97b6b68d223e9c0700c7a943013016
SHA14e1040cdb0e52dc26360bf4cd161a15035b9bab6
SHA2560a2f7e18507594521dbf96d4f0f70d7d19b6b4f76b9ff8e4d89ba04ddc7477a2
SHA5125ed7e4996b24ef03ffca63473c2ee4f92fd12c57a6d5c163a6ded4dc969cf48252dc00c1daa134bc6fcc7170c5dd15375886023177432179539de21f7bce1667
-
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.jsonFilesize
1KB
MD5a01d5834cfc97bf80913db4ca44d3502
SHA133e1b78cca450860d61ea12ba7c089d6060a51a6
SHA256660c404675f23ae99ae8bacbd78a4c8c4cb3da7a522727e1db7b6e8f87b4f18a
SHA51258d887835bbebd345a299bb714495a009f1ca25c757f673951ad4b0845b518310e7975621aa57c4a558e006cc10452365261d5604fc1dcaaca78d4038a69516e
-
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.jsonFilesize
47KB
MD50edacf1e04d104626fb34fc3af0dd05b
SHA1050d5d55b4a21efc290d8269a241f0c70153e907
SHA25674380d19fd241f60dc33d3c883b219d81c365efe3f21dd320f1b8f2551f084dc
SHA512d052c3d0e9bf40eee63a3c0dfc640f68311df1207e59c67bdf153ff67c4eb392eda48ab1a84e5e48e9a0883d39bd3eb79688b22f624b0a16a1aba8dc744cd3bb
-
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.jsonFilesize
66KB
MD5f7d2c079780b8c47fc3dfe74a318c9b3
SHA12073cdf74dc7ad9592c8f43f2f9f0da96b3c9dc5
SHA25698f2a18e3276244f569a9caf7f44cd376d553f7986743fe7cec5dfa418125f3b
SHA512b7570b1f820e01f7be0e259d9660d57a1ccb8efaee38fa3b31caa039fe0d6eb4b9fcbe2a9cadb8aa86a3ae7c2704f3532fb67cecc82bef98d3b25e0af8081e38
-
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.jsonFilesize
66KB
MD5b5e0c656c16147e979de54434d995acd
SHA1ad6279b733e450d49dddd4cd7e4f2b210a446ff2
SHA2567e20ccb854c977c8b4374eb304580f26424a2b7ec05f1f9ce999fa45139e1865
SHA512eac6e23b4ab699b86a070f95d47ac15e8a58f2db863434ffb95e15247368dd7c1f5def8577a3716eebbae32d2f7b62a3ccecdb6d1b70c16f062dc19c41f314e1
-
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.jsonFilesize
607B
MD5f09afb7eb9f0cd7af62b127109f01746
SHA1c234ae340cfce3a21302ef31abad67753ad8101e
SHA256ac6cf1c434abbcbe976a79eb6e504514aead20d4c765aa8e5f7784be86a18769
SHA51249f316d8d078a3c7b573e58d3def447913543bb82038a20654f4f111c275df1a64cee6af939f1559c2b9761c91dccac7f7abc2b7deb40dcf2b708730008e2649
-
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.jsonFilesize
847B
MD590f6e9c16af43def63d4e0a58d2dbf44
SHA19b17427cd965a481fd47f96e406153972ae94826
SHA2564387670cb3e26735a1c5d3703c124530d8499bc58265058aea021760e1b34ebe
SHA51203d4b982b914cbf8efe5e5b4a90f4013be486723f98149e506cfada099ef21d467ea2a02b4ba9717fcad93bcc1a9f7d921cf384d2e74de224a5f1048ca9999f0
-
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.jsonFilesize
846B
MD5be6452dc8646ddedfa6e6cde459f26ca
SHA18a35bd97137668c80a5a812f4b1eeec88999b70c
SHA256f7b290fe8f3360e870dc9466e15460a6833f777249175b2d6e61e434bc986f26
SHA5127765e64acb6b2c24f59839366761796afe840f2398b0af190736a39a64df9e5004a39082e5200d9c589ad2fa686b6bd7bcc215f9be8320affabba4a923adadf8
-
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.jsonFilesize
827B
MD52b55eb185544cb6009428e7537e4da51
SHA1a568a45fa157e1a3136c93703d409be7f3c5ad3f
SHA256d3b7cbd756b3fb2c6bbcdd57ee55bf2f502e864fab312491c7fdb89d12737327
SHA512e7734253f5f8e669d3ea65c5539bdba52607b5ae80569ef27f7625957452b799b4835b6c5b7c669fb5eab11ccdc0b5a2954d3851cbaec474ec85d2077c654516
-
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.jsonFilesize
11KB
MD564b295c89a2195f8508741aa68b7b816
SHA124ae16da90a4e6ab4eea1bd178caa9d0b4a90883
SHA256d0b60ebcc0b624bcf1918e7d3c8f04f3c16c0d749e838ee7086c8d28c57f8d66
SHA512adf6eff8f27f0538026f2858390a5788cc4518416b7a1e2a5b1df53337b468dcf1f27dba86064cbdb680ad50d8f1895a7f465a118e0e0bb0ebbd5182004877e2
-
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.jsonFilesize
11KB
MD5beba42771d09c27eaad6405566a8d9fd
SHA17903e15ad5816e1680593b9b59ef618a0a765e20
SHA25602ab60bd3c8725881b1887634e38181d18bb5b93469271086c738f85e248157d
SHA5129ab50b205cdafabf4ea729b174488cc05f9f113d83bd65982e1641def95514d94a44b6ca238c25d66b3c7753a70ec3b03e421fc0d187a97ae0f0f7643fdddf41
-
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.jsonFilesize
1KB
MD58379b4d49ab67533f139ee322cf71567
SHA1438559aedf0b4a65544d0112c0c1c4a067e1e019
SHA256e9a678b55fd040e0c6c427aed1210626f1507859069628b692ad4a17b585b629
SHA512afa967919a866c19a72ecd923c526bd7c594281bf4afefc61268393f8494025a660f204939de63f8d2d68019eb41a91bced9943a27083dd7d5fb4c438abb997b
-
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.jsonFilesize
2KB
MD53916796cad82a21209c95e275f0555b6
SHA1885e02fc2a3fa44111b9474f45af846540fa3cad
SHA2566d141b44c28906d346f55a7fc7e290545f124643787837f67b3c276a2ffed961
SHA512b511b05b18c7bd5a0e20996d983c8d43cf3beec26bb27d0fe806a02db6de7b45f1a4983b0f905ee60adf7f85d66ebd1781ecd6fb53668462b1d8803758b62310
-
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.jsonFilesize
814B
MD5e6b064586df65bbc8222530c2fe44606
SHA100b4974bf2895fe658477dcfe4aafda835ad2128
SHA256ea1c38aa757b91d6b14be1b82c8a36b079badcfdd9267451760eebbe5360bf5b
SHA51255e4b4f485d732b80b781b54f86c151cf9d1f2a61fdd28456dbf9a126a6889b0748c63c7b577582019cf2f652d46316153a10ae27b450fd005b90da67ba7ad7d
-
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.jsonFilesize
816B
MD5defbbf7fd5b6db21d3d3292c7aa60fc7
SHA110bfce2aa55b786d5c0529de1f6d782069b44c24
SHA25673feb4e5a5847d264e8704f7932e8e120301dacb5dff62bdab737928d0f13dc6
SHA5124a04a29ccb7cb191104030a3f1409dc41e66247cb337d5c3b2e15636511c94c3dd205a6bbb510887445e3d71d95fcc825a7adc9a496ec30166e887d7cdc7a221
-
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.jsonFilesize
1KB
MD5cf0913a694fe31a343fb9a6c348bdc80
SHA1dd43be6bcba4c55eb8b8f31fabf025313e110cec
SHA2565c2e425edaf1f699b8ce52809a7ad865593bd91df88ac220f3215c8dad9f8790
SHA512af24b3771383de79f2e5bdff7a6f9b2dcb36fbc37067f67c29787a648f394a9f4364c3bc21c05ca4b5ff9d463170fc90a78f0e1f792ca9dbf9f1d3e5607ed19e
-
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.jsonFilesize
2KB
MD5e2b846c43b64f486b9033d99dee6ae13
SHA1bdac1e8f8ba676cb2f9726d1133a6b13cc475d26
SHA2562ea3573f7c77c56130a11124b438994b0724bea6e034e7ebbb408e88508a853d
SHA5126f3f8a2058c1bb9010be0bc88c22bb01afe1222af45a16610f42e856882a5daa679cacd6e093542a37dae054c7450b4b3db4febe0bf5e00f7ddb7e32a9aefc93
-
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.jsonFilesize
4KB
MD5e7ea99c921ddbde3a33421f0b9b60038
SHA1de97c85a1025d00eb75cb49bad26f04139be11e5
SHA25673e321edbd4b0933dc7f3e70dc1d511700089c8707fe2fb27e5185aaa7969acb
SHA512c106b745c39c1ac2f694e99a945a193814888f4a0a5b53deb7702496fa11a355b4debae70cae9cab8597326ea2ed58e08b6dfcd62ec3205849f0926f354164f7
-
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.jsonFilesize
11KB
MD544291b22db63e8ff8c01e02b1bf0bab6
SHA12a77d10ad485504963a546bc5cbe8054531ea795
SHA2568f5bf31067531f87843d86adbe94f6d0eebd9bfae715c3e08b2518d071b82bbc
SHA5129e930f852d58f5df3a33bf9e21ebbbc03d2486b366a19e294031ca7667198fbce9d1195e3cbddad8fa843d7bb0a3e21a4c85f4506760c329165b7ec803e4e082
-
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.jsonFilesize
1KB
MD5a8bd8d487ab94a3bdd1ee04401a45d92
SHA11c8879bcef0c110220bb1e0a3d5738c6e5a8ef5d
SHA256a421ed5fbeb0c0cdd847203c1dba1ddf79694d7803ddcfc0fa9192d8346991cc
SHA5125f8eb828811c48fccd84c7fc32eaafc3a733b55fd1385de54b813d877c9f6c4f279b2b5d962867513e9b55d496117d9e828cda8f7f55e21c3aeff5e85ada038d
-
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.jsonFilesize
1KB
MD584dee3f896ed53fcd4c27b134a73b9ba
SHA19ae8901bfda8e7c0c6db5ed76b0bde57ce2a4c02
SHA2563756837613b8f142c539fe55e5a0d32e9798517363bd27f140f621befe7ecc09
SHA512bb801e42bd5299fe1f1ecb63609865bc4df24fa63ec49dd61390a6c26b46b81fc8fc39cabf7d7a2fc28900d7104b9c617e7f8e0c18fe6691572b863e0306b50c
-
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json.bakFilesize
1KB
MD5a8e11dcc1a944c972f6a227d218cb42a
SHA19be1e8ab5117d00f501b62f0f632a9a0d858cb6b
SHA256f7734907cabedb435a8d7e81a97153a12a07fc3e7b1e0cf55ae9e2f91369d82c
SHA5123f6df828181fee276993d0ab7f336d19372b2d55a3c29f37cb6f6611d9174d768697a68ed308d45e3bde5873523894537c34c9d33a7bcff7dea2a44feb6ff4ef
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD538b968d4062b3e86d352f3e1617f4fa1
SHA111e8ffee813ef8a85958553f87abaa999b47fdf6
SHA256251f2a7ec0df8579e75d24baa9dcb2b38dc8f2201bf8f376778c39865764b780
SHA512b749dad3a30141c4caae6d3eeab7b9b810ee170d19d127602182ded37a5dfc8b97173f45a116e051df28bbdc1c20c629faa3894955db1e3c338fac9084cd0b7b
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD54229a443bf4c21dd6a3603b8fe74c6fe
SHA1b0423311a22282a8cdf8967d3455305143d6beae
SHA25616bab2fb48eea2bcd70f2cf9ce3a7866660d4b3a90c5da904c921b69670b54b9
SHA5124dcef2eb114e88f057a40129f1196b9f7b8eba6f61fa424d192d1aa30354bed8be7a467296bc4f72311513d91b5a50fb7a3a45fa1e5c3787c5bc4c3f68a4c844
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD5c5a3e8762495ca562fe4d8da56bedb51
SHA1f20bafe045c4aa357f8d4a54591dfe33e76b3bf6
SHA2565eaad5191403a19b7b162d36d7f0d0530bd0ac50516a476e6848ab3464a4bc90
SHA5120d7ac32d3aea78443bd3a3394361812bbc1442b2b2999ac9a4097759f2ce06d8e74579aa4dc9f387236e4474addb3dc7bb95fb40e59d1863e48b43540e2cc1b1
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD5d914b867e8ad9d1985173f310ea2773e
SHA1d728ff85207d4f84a107eb9d232cbfc6a5588437
SHA2568c046f873327e50467edde6c59bea634276f19a382e2df488b96669d5f859096
SHA51233f03db8cebe65d1730272d644a82a2dc9f495c3ca1c06253ec290e839fc267f3a2ee2a8d53ee2e355dd9259ff98b8a4d32caf6755a44aa84e35b02f83d9d68f
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.jsonFilesize
1KB
MD55065f0de836e7bc44788a4745d7524c7
SHA17c967f0e857ca431eab680b8e269016575274a07
SHA256d366a5a35994f8ee4415274839143dc7371b1d3edac7021a833f0e74a56b5d7d
SHA51255d015ab426b1d89f3f9a867a6100f2395479c7e1b60318b6d2c18770b3c9eed45a1910c94d250d97d405fd119bcdfdb69371a1c0505f9a36c892ab2363d7d0d
-
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bakFilesize
1KB
MD59a1b9e39983a7a21fb7f70e02ac7319b
SHA1fec9e3658c047eb0a8f978e4f4053a288c70b5f3
SHA256fd780280c0f0b0a2fefa3498ac859cf01e52ce6659b41ac114a295604ef36c4b
SHA512da9d30af57217eabc5c44b9f6f8846bea4d1164437e85c94a039065a4b4684b29d310e7a7cec3a053ae536d906b2a928ce2bc4c470f0f51ddb8b18cc51c37b1e
-
C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.jsonFilesize
1KB
MD50f02f6924371920294f890189c8fdd50
SHA1836d722b01d66c2dfa1e0720b3b3a990e43470c1
SHA256cf6c6c7879f0f82af331a38b1c495f3c171f80604a164c0fc341d4b5f27c50db
SHA5123e6b46dba6f1bccd15e4fd1586156a7e12e71f1a4226312f34de8a821ed92c6fd6f3815912151d9792d208c9466e9dbf63f575099b62f0eaf348118b4f90f3ff
-
C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.jsonFilesize
1KB
MD5f934969b73c459b45da6ddf90894ab7c
SHA14e5fce764c0809540678cc5fbc7cd44546c11eda
SHA25669d1556a6f49951a504be2dede1b7f474fd14e1fd05c3a7bc71a2b5ea4d8685e
SHA51250af3c291ca15c9564b258be226ccf5d68a2e1d264ed655577d313b492ae212ae12aace81068b11655a98cf68731d73046e99603c2417a87cb89a3aea47a980a
-
C:\ProgramData\Malwarebytes\MBAMService\config\VPNServerListConfig.jsonFilesize
125B
MD5f8de9bc0c58cadd4bee9cee0dcf3031e
SHA14a60495b4bc090ef75a5e5d8ced5fbb18faed973
SHA256786a52a915da6a23d53d4c84855b76b58a987553d1ade29c2dffa75cacb8cd46
SHA512659eabab8026b111f944fe590e52f868368456c9aaca4cc7428dde0334f61a615b9f4da0ba6600993889c5ba352a6866a295a92a51cea53801ab8ba4ddcac931
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Actions.dllFilesize
4.5MB
MD5f802ae578c7837e45a8bbdca7e957496
SHA138754970ba2ef287b6fdf79827795b947a9b6b4d
SHA2565582e488d79a39cb9309ae47a5aa5ecc5a1ea0c238b2b2d06c86232d6ce5547b
SHA5129b097abeafe0d59ed9650f18e877b408eda63c7ec7c28741498f142b10000b2ea5d5f393361886ba98359169195f2aceeee45ff752aa3c334d0b0cc8b6811395
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\BrowserSDKDLL.dllFilesize
5.4MB
MD5956b145931bec84ebc422b5d1d333c49
SHA19264cc2ae8c856f84f1d0888f67aea01cdc3e056
SHA256c726b443321a75311e22b53417556d60aa479bbd11deb2308f38b5ad6542d8d3
SHA512fb9632e708cdae81f4b8c0e39fed2309ef810ca3e7e1045cf51e358d7fdb5f77d4888e95bdd627bfa525a8014f4bd6e1fbc74a7d50e6a91a970021bf1491c57c
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.nmFilesize
335KB
MD5ac657615f014ec0889d9817ce5191734
SHA146277408fc89319b152d86df03ddfccc11c51680
SHA256e3a36eb49ae5f521653001cb8384f97322f25dacb49b6fe481de346d5de30fae
SHA512309a2d1640ece5536e57c880711bb2752a9cae947f6015cd5b4b227a062c885363cfe3302c27105189c11c2ecbd34cd30348d2e2050688beceb3860fe975133c
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.srFilesize
17.4MB
MD5911082e3f5e7cd4488c8942010f67b74
SHA1ed48141abca2da0697b3b1e4210e501ef0924deb
SHA2564a5252d3ecd5741cc40a8f86d4f5c7431f028d1af249145672ae7f286e1dc37c
SHA5127c571337cbc5d257b8c0a911084e00e535aa04caec520188d9da1f226e2d079bc6a454ab898bc5d774c00988dd77e77e803f57711bcf2bccc626bd30292bf8ba
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\cfg.binFilesize
1KB
MD569ac80ec518ddfcb3428c91e1064f4ec
SHA10d28ef92f3b27a70dffaa780999dfdfca078de1f
SHA2569345fe4378ab8bc156b8e87d59f76f5dbde8f2a554941d5697c1c5d7bab508d9
SHA5126e91f24aae10fe9f872a9ac7c62a8ef86f9ceae7ef47d06d38d355f31d874d00a36527c08682b28ff4bd31040bfa5b2738ebc3dd732b74a01a0e764c549134ea
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dynconfig.datFilesize
39KB
MD510f23e7c8c791b91c86cd966d67b7bc7
SHA13f596093b2bc33f7a2554818f8e41adbbd101961
SHA256008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc
SHA5122d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\exclusions.txtFilesize
23KB
MD5aef4eca7ee01bb1a146751c4d0510d2d
SHA15cf2273da41147126e5e1eabd3182f19304eea25
SHA2569e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f
SHA512d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\ig.exeFilesize
1.8MB
MD5ffe5a249402aecd1d0b141012ef5b3cf
SHA19fe9b21390d35a0f82097fddaf1ee18e91fd2f2d
SHA2561acc1c8c918e0ac6cdb4fc41d96339959d42a71947a02f573686ee091606ac57
SHA5121f7427472ca3f8a9abf06d761595fadca59b77ccea93477e6d71546a1385d654817cb356585dc05499ef87f61c504511399620852e95a46601f31fc6fa05f2d7
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dllFilesize
528KB
MD5ad5afe7fe3eac12a647f73aeb3b578bf
SHA129c482e6b9dd129309224b51297bff65c8914119
SHA2567d2c7bc745e07d54f1c26c06d7438eb40ec6f5d17dfa15928b67d447f4c63747
SHA5125be9f8384cc22bb7d69d8e532e7025675db16777b2d01ca1819a6e3d8c7daaaaa23d842d338d55d74eb9973e230a8f9a11ce7524667fee09b18fbdcb5a49289f
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\tids.mbdbFilesize
169KB
MD52b48ee7180940ce09e283a9a47a02641
SHA11719a2a520d1cffaf15597cab2789393156f3886
SHA256ff7c93365ce1f5403fc5de2de027b9a78f5acb86cb94f78f44a101f0fabc5ba1
SHA5125819ebc8bed0184c8243919e4306cf80da1eca0f5fe9ef69ebfb4ce28ff3239121e976c605158c471c0c3b12638268e06da05b111dda7b003af9cf8759f6269f
-
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\wprot2.mbdbFilesize
25.7MB
MD5488c34cf83da90e2ae6615043c54629b
SHA1448996b6e4a6b6b6dbc525cda72485dd3001c2db
SHA256060881be0310c9f05f4ef24f252ce1d309f149c9c855ff7faa331acfc0983929
SHA5125fd6abe8c87ff740d50c05b73c9bc76ba2a2a6280a0c78c407fb69950e177c5a2146d43c51704e595589e8d50e3e3766c5a5aef9992e37af471b89cc8e71d500
-
C:\ProgramData\Malwarebytes\MBAMService\pkgvers.datFilesize
75B
MD50b798c20f3edf79cd7b51c2649e9ef11
SHA1f3d0f85ac8ed51f965555220b244cfbbcc765e58
SHA25668764bb51a9674d25c3f33b044ab8604457c940444cf10246128ffd6cb4985a4
SHA51234a24ac635b614e38c0c000d31970b7e2b45476ac6ff24f6e99a792e0452ab3aca820d2afe71591148ab0d7dbc84fcce160c9ef65e2d7e4fd809c4ada7dbd9bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD581e892ca5c5683efdf9135fe0f2adb15
SHA139159b30226d98a465ece1da28dc87088b20ecad
SHA256830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
SHA512c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD556067634f68231081c4bd5bdbfcc202f
SHA15582776da6ffc75bb0973840fc3d15598bc09eb1
SHA2568c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
SHA512c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\96f50d93-e8d0-454f-8b53-cf5d22061dd9.tmpFilesize
7KB
MD5dd665d07dbe72b2763badbbd3588733b
SHA1a5a8785bcb27dd0a14bf0680b52e0d4e519ad458
SHA25604bce3d86e5d8f2eaa2f88e40479f11984e67371200a211947cc92826b9b0e44
SHA512de14e20b7fafb2b91d0d7e2df440347c67a136856b42fcd9fa2b8d19c8866a8275c8ddcd810c06cdeec67adf9b93989bad6f6130986213aadd48ec702a4fa2b2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD587589f2218a26913cae6ed29642e1006
SHA122d8b6de7983f2b79b38a390bd253e22dfc514d1
SHA256b34e298d91515c0c1c098b51de7c5c09f4d315b80af3a79ae4196924ee3899ba
SHA512b910b09fef5ecd514d43c22548d4e7b7e21d7e41dccaf5947aa6cd278cd23e2e73499a63d81e7cd92f1c4c63ef44e279623203673f23bca777357f9aac6ad4e0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5e2f1c90d421a18d4befb365a7b8bac3b
SHA158dc407789eefe62205add6a6c2a2d5a2c85c206
SHA256c92bce9745234f492e739356cd00fc7aa4f595bece5bc3a486f3b7207db2004e
SHA512d97e6fbe310c0dd159b64d8a7c96a0313605b5b68970da43fdd95cc0faac2d9e72665dde2a176be2dd4749adb927b2aee2c720ea1832fce23b976930bd95db2f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD50a5cd45119402a13f15690cc79a052be
SHA186d98bd6376344822567d090ae216068194759df
SHA256b5cfee2994c03ea4e9020fd44a92dee039b2ded9ee798d6ac217ea81e6335d8e
SHA51234dc2ca790c218ef8ddbdae3337af8b1e66db7c88cd8821a4a5c2b46d0558a227114f803b05b60f202a495e3902bbd055be342987c54941709e65d21b117acdd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD575f2cb7a68b2bf401ab4ba3a65d605b6
SHA1745686415f2b06a045d45b15f214b7c31f4e34dd
SHA256820ba56616a0cdd80e03423961741624fac8bb56b7088dc38e8f7ce6bc33d86a
SHA5128f8a8782ada9b697a222c4d0b011336c4a07aae0ea01fa5e966f67f53400c9e636ee9fd36b8350e6ce49567bead7cd25c92e649ce09945139184fc7c0142ca33
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5ead764d29d00410b29336acfe522d2a3
SHA1a26e09c00706186b49082eeab2202d50f323953c
SHA2562217438495aa0f89f412e43a69afdd7a62d9e97ad4bfd780957cbac6dad6651b
SHA512f0b2bf75488082f5c8ccce1fd859d1b9aadb5a2635474db931e8b41cc7275478049f161173f02aab3f6adf316bae62a62db82f5ce74eb77614c26de234e49b61
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD51fe2cfe8d0acc61d70a345e88f88e33b
SHA1e5b270883b1cfe0bf4183a86a4ed5d992eba6e12
SHA256081c23315a8f71568e01b92069db7a6dc3738808c9b5cf38579347abaf1b8be7
SHA512b25db1685bdfed75630c2852273407008a1fa41d494dafaa909fd6072aa7aa3d1b980d08210406c58187ae10b278ad06402786ba83d1b7a5af25547eabdf1e7f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5b280fff53144f794bf99ddd29d0a1c15
SHA14e56e0b138663afb3245ea113d00b05c35fc70e1
SHA2567d75c79547662acbecf9a605d191b080271e31ed3f7fe7d74f89b51b6ca5a748
SHA512b26a70894814ade6db87275d1790af2e83d356d645dc6594812ba7d3788a9508b3ff1230f095d3ed5e69450ec43f6cfcab5386857841dfd3f6e7c7069beb7895
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5af080a59eabbb06d8dea83a7998ed522
SHA10eeea1903f96da291eec393bfc9e221d61385fc3
SHA256a1a6f5bdccb0dca7a24a5589845adf9c71020bd460919f769cd9b81583088d82
SHA5126773f96b2b447beac66d4a9d7a9c687ec541fb450f7e02aa306a38513238a82b3b7d2fe7619ec412a0d07b330a1d752b0b51d6b852e2bb512a89210604f7a5d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD58c21aca492f9c5ca5a1c3754591c888b
SHA16d34665ef64fb420bfc00342dae2173257313093
SHA256c4f7fe3809fc6f29cc624f0231396696813a2439a85a96d114813f0fbaeb81e8
SHA5129cb1d5d5458b7594cd293629710044c0d38a7df9a6088a799b33f2f7ab59e7097558a7339ae3892705e320b0fb1766e5f6b22699335afd5769d80dace2c8e705
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD57d35e20892a753f44f097f656a246f4c
SHA194c9c7aa69e568dee7ecdbca7cd60ed25ce53994
SHA256e75a2f310b18a841cc8eda6b0d3061a4e2dd6b09bd026d6a75b5747c3774b052
SHA5122190c98ff83d8c5a453ee9e39f432dfb0b04d33b50cbe1bf2747a7688276d6c36f6d427d20646a0e360bc3db10a6d404ac08c226ac1093c4210705b3bd86cd89
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585c73.TMPFilesize
1KB
MD55c8e77e24b9d8a72a693ac20c7243a1c
SHA12ecf0c58b5f51b5783b92cf8873b043d0ad56cbf
SHA25605418c9b91f533fb63873a6b76ce101fa6ce67a47f3294645bc520f02afd50a8
SHA51259a032d5482054e0c7d90f3258fe718b614dffcd3926ecbe7cf4e5877ddd3e5b5b0d6bf6dc5239a027df1d17489eac17161288e2c52495aba9e9c8acc32c5d9f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD54d279312ed4c1ea0a1d9797054bcfe21
SHA1e177d18f12b1dd7204dbd7060303359cf9eb2b8d
SHA25638574d60e6ef0ade73e5e74e6896201c321e152ea6f07235555a3b4af759a5fe
SHA512c290880f80741425a549e01457be3a1262858c7b4e49ae3a32092fa5bdd9c2fa679ae67e22321fe79bc2535e535b9da3e785c10564b320fa6d9eac6df0db4782
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD504245b92319eb6adf736e7b1efda82c5
SHA155b014095b29086fb1e440ad18152b726083b0f5
SHA2563054f3b8d32f4baf3b4e1246c72f9d834cd9d6067bb7ae73b3911b9646426c42
SHA512aeb68b18223dca51f7c6f36d18ba7e33357d5fc906eb0442190c8861b0d5c8e8a4404879940e8198df9e3e66707413055ef61f6f5d4ff51e4fac12efa35f27d1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD599a951a825cf2a75784c3433bfd4ccff
SHA1f61af36f658cd43eaeb23d7a875038bb66a8d0f8
SHA2565ca92607a376b86ebb728fcfc3ad0592fb84f9d59b1409ab398c947dbf42497d
SHA512209bfd9b3ea7ce318a2ddd89fbb836d08f61c027e4f42c4d8728a8dc1081855f7f8e68721541aee5b1662b74a294de5e0c9cfd89bf0c6487336def769048135e
-
C:\Users\Admin\Downloads\MBSetup.exeFilesize
2.5MB
MD54e19e70399076ab58d1160d0fa2664ec
SHA1e7ca7e0f1895c6bf60a14d6fbb0ccd4fb10a3134
SHA256b9ee60f31be0b7dc3f814c8abbc7caacb6a3e1dc7eb1504b8e831dd42277f8d8
SHA512f6338b52cb5a80d960e6b1ec72a28538614782a75d0270cb89e911160c0a0e8e3a4d0f93fb902c70c37cc5f4da0529043776e2c0b59287096f976addb7e584d8
-
C:\Windows\System32\CatRoot2\dberr.txtFilesize
19KB
MD5ecab02ba59bbe195113691d8b509c6cc
SHA14dff86ae4941dbb8db4e0b30f86b7e15584fa8a3
SHA2562ba361b7ac686531e7182f23503ae57dd049297c2c9640da6bddf1c91cdc8d7f
SHA512a0f5c1e7b39a34a84512814f07357a725a9c0206c8aedbd0383a60772c854c94fce1dde388085798b478f1b2588b82e174fcf1838cd0c3df291e1da864367cb1
-
C:\Windows\System32\catroot2\dberr.txtFilesize
19KB
MD582c9c396a0478b1c0898a7bcb00142dd
SHA1a57adc62a6935d291cc1bdfc51e2eaa8a14da581
SHA256a7dbe1a8ce33f2e648345dad607cb15d675c5d6022e77e4d2eb1f398c5e185c7
SHA5129d45296f32b8638b0b6beff20d7d533b701f6ac55a321c9744f9a36a765ddfb3793170b6fa1af8aa0bdfd0fa85aa0b716e13c10cd4c2be92fe9a412d854c10d4
-
C:\Windows\Temp\MBInstallTemp3abd5c212d8311efa524fa8f9e8c279d\7z.dllFilesize
1.6MB
MD54da585f081e096a43a574f4f4167947e
SHA138c81c6deae0e6d35c64c060b26271413a176a49
SHA256623e628393bc4b8131c1f4302b195429dfa67e890d3325ceaa56940660052b1b
SHA5120fe168bf1661691dbaa103e478dd7e46b476db094bf1938bf1ad12ddb8a8f371bf611ff504d2eb3ac319862444cc64a27ebee8735aa3752aa32a399b09427243
-
C:\Windows\Temp\MBInstallTemp3abd5c212d8311efa524fa8f9e8c279d\ctlrpkg\Malwarebytes_Assistant.runtimeconfig.jsonFilesize
372B
MD5d94cf983fba9ab1bb8a6cb3ad4a48f50
SHA104855d8b7a76b7ec74633043ef9986d4500ca63c
SHA2561eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a
SHA51209a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998
-
C:\Windows\Temp\MBInstallTemp3abd5c212d8311efa524fa8f9e8c279d\ctlrpkg\mbae64.sysFilesize
154KB
MD595515708f41a7e283d6725506f56f6f2
SHA19afc20a19db3d2a75b6915d8d9af602c5218735e
SHA256321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6
SHA512d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08
-
C:\Windows\Temp\MBInstallTemp3abd5c212d8311efa524fa8f9e8c279d\dbclspkg\MBAMCoreV5.dllFilesize
6.3MB
MD50ccbda151fcaab529e1eeb788d353311
SHA10b33fbce5034670fbd1e3a4aeac452f2a2ae16eb
SHA2562a6ac5a8677bd1b410420183169b9ca9ec87dbb78ce0f11ebac2bfa022df7c70
SHA5121bf9b8849b27491ecadfb4caf4e61926f9a0a8479c247a2281ba2d7c1ae0587251330ee29cc053630047e279ef6b52d3a125e21144b9688f1328f101bfc3c2e9
-
C:\Windows\Temp\MBInstallTemp3abd5c212d8311efa524fa8f9e8c279d\dotnetpkgtmp\shared\Microsoft.NETCore.App\6.0.28\mscordaccore.dllFilesize
1.3MB
MD53143ffcfcc9818e0cd47cb9a980d2169
SHA172f1932fda377d3d71cb10f314fd946fab2ea77a
SHA256b7fb9547e4359f6c116bd0dbe36a8ed05b7a490720f5a0d9013284be36b590b7
SHA512904800d157eb010e7d17210f5797409fea005eed46fbf209bca454768b28f74ff3ff468eaad2cfd3642155d4978326274331a0a4e2c701dd7017e56ddfe5424b
-
C:\Windows\Temp\MBInstallTemp3abd5c212d8311efa524fa8f9e8c279d\servicepkg\MBAMService.exeFilesize
8.5MB
MD531804b530a429b25e5763de3e7e5238b
SHA14d8eb7342a2bad8318ac51a02b7b55f978178422
SHA2561541c57f87f24610dff7a77af7e932992ef574d16ef3c5e7007255776951ee3a
SHA512efb6d78ad79c6edd8378640d2e6082320936b20462279ace63b127602009b06cc7097c822706cdbdbf9603e33372bfb5c8492c0319030a687589def37ba3c416
-
C:\Windows\Temp\MBInstallTemp3abd5c212d8311efa524fa8f9e8c279d\servicepkg\mbamelam.catFilesize
10KB
MD560608328775d6acf03eaab38407e5b7c
SHA19f63644893517286753f63ad6d01bc8bfacf79b1
SHA2563ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59
SHA5129f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7
-
C:\Windows\Temp\MBInstallTemp3abd5c212d8311efa524fa8f9e8c279d\servicepkg\mbamelam.infFilesize
2KB
MD5c481ad4dd1d91860335787aa61177932
SHA181633414c5bf5832a8584fb0740bc09596b9b66d
SHA256793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3
SHA512d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830
-
C:\Windows\Temp\MBInstallTemp3abd5c212d8311efa524fa8f9e8c279d\servicepkg\mbamelam.sysFilesize
20KB
MD59e77c51e14fa9a323ee1635dc74ecc07
SHA1a78bde0bd73260ce7af9cdc441af9db54d1637c2
SHA256b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0
SHA512a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186
-
\??\pipe\LOCAL\crashpad_4356_CGOJPNVWDKDEBSXDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/5800-4357-0x000001F22E540000-0x000001F22E987000-memory.dmpFilesize
4.3MB
-
memory/5800-4392-0x000001F22E540000-0x000001F22E987000-memory.dmpFilesize
4.3MB
-
memory/6288-4397-0x0000000000010000-0x0000000000024000-memory.dmpFilesize
80KB