2297bee34b1751b2ca0f20b6625bf822b3837a70f6f2b456278fba92a7188e0e

Analysis

max time kernel
46s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SetupMBAM.exe
Size

261.5MB
MD5

98d22b94ba9bd9f5ade2a46fcc55d91b
SHA1

2f079d4fa2764cc4c769143be93f0305a07d920c
SHA256

2297bee34b1751b2ca0f20b6625bf822b3837a70f6f2b456278fba92a7188e0e
SHA512

4b0e15bf15f24ab15df27f178dec2e160e5acf70962a857ca0f7dd3c8b40f7817e5257fa9dc009ac477911e4dc616129a824d250601b97e51ef55faba6b2fa3f
SSDEEP

6291456:2s67aozPfjFufVrr70zgAKOU2cPSdYdcnUBp:2sidzPkdrrwMoPfadcUBp

Score

8^/10

defense_evasion discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETC64D.tmp	mbamservice.exe
File created	C:\Windows\system32\DRIVERS\SETDDDF.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\mwac.sys	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETDDDF.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETE8AA.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\mbamswissarmy.sys	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETDDBD.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\farflt.sys	mbamservice.exe
File created	C:\Windows\system32\DRIVERS\SETDDCE.tmp	mbamservice.exe
File created	C:\Windows\system32\drivers\is-3JTDT.tmp	mb3.tmp
File opened for modification	C:\Windows\system32\DRIVERS\MbamChameleon.sys	mbamservice.exe
File created	C:\Windows\system32\DRIVERS\SETE8AA.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\mbam.sys	mbamservice.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	mb4.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File created	C:\Windows\system32\DRIVERS\SETC64D.tmp	mbamservice.exe
File created	C:\Windows\system32\DRIVERS\SETDDBD.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETDDCE.tmp	mbamservice.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMChameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	mbamservice.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mbamservice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mbamservice.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

pid	Process
4196	mb3.exe
4920	mb3.tmp
5028	mbamservice.exe
1408	mbamservice.exe
3952	mbamtray.exe
7012	mb4.exe
4500	MBAMInstallerService.exe
5332	MBAMWsc.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService	mb3.tmp
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService\ = "Service"	mb3.tmp

Loads dropped DLL 64 IoCs

pid	Process
4920	mb3.tmp
4920	mb3.tmp
4920	mb3.tmp
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
3952	mbamtray.exe
3952	mbamtray.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	mbamservice.exe
File opened (read-only)	\??\Y:	mbamservice.exe
File opened (read-only)	\??\A:	mbamservice.exe
File opened (read-only)	\??\K:	mbamservice.exe
File opened (read-only)	\??\M:	mbamservice.exe
File opened (read-only)	\??\Q:	mbamservice.exe
File opened (read-only)	\??\R:	mbamservice.exe
File opened (read-only)	\??\O:	mbamservice.exe
File opened (read-only)	\??\Z:	mbamservice.exe
File opened (read-only)	\??\G:	mbamservice.exe
File opened (read-only)	\??\H:	mbamservice.exe
File opened (read-only)	\??\I:	mbamservice.exe
File opened (read-only)	\??\J:	mbamservice.exe
File opened (read-only)	\??\L:	mbamservice.exe
File opened (read-only)	\??\B:	mbamservice.exe
File opened (read-only)	\??\E:	mbamservice.exe
File opened (read-only)	\??\S:	mbamservice.exe
File opened (read-only)	\??\T:	mbamservice.exe
File opened (read-only)	\??\N:	mbamservice.exe
File opened (read-only)	\??\P:	mbamservice.exe
File opened (read-only)	\??\U:	mbamservice.exe
File opened (read-only)	\??\V:	mbamservice.exe
File opened (read-only)	\??\W:	mbamservice.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_C2C3D990B393462F0B24251F41DF0EF5	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_C2C3D990B393462F0B24251F41DF0EF5	mbamservice.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-S3LOM.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\is-HAFD0.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-VVU9U.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\unins000.msg	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-FK17R.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\is-6H9U0.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick.2\is-1KECQ.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-SQC5O.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-DPKDC.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\iconengines\is-JT3TT.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\is-US1VH.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\is-REI2N.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-ETLBG.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-DNJG5.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-5I1F3.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.sys	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\is-7HNCV.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-IO0AP.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-8L8AM.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-QIT5E.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-R2HIU.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-0DUC3.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-1CQ4N.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-LHVE4.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-JFON4.tmp	mb3.tmp
File created	C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbshlext.dll	mbamservice.exe
File created	C:\Program Files (x86)\mbamtestfile.dat	mb4.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-PMOEK.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-GUFF2.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-8C7QN.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\settings\is-LPL16.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\settings\is-BRO0O.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-2K1MR.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-M4ETE.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.cat	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-713H7.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-2O458.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-0DF6U.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-MTS8N.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.cat	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-86F6O.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Window.2\is-QSBSU.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-FTJ5J.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-G1IPB.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-I1CCN.tmp	mb3.tmp
File opened for modification	C:\Program Files\Malwarebytes\Anti-Malware\unins000.dat	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-O6VHA.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-UNTR6.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-1BV6T.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-O8JDA.tmp	mb3.tmp
File created	C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sdk\mbam.sys	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\folderlistmodel\is-BI67N.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\is-4U2ED.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\folderlistmodel\is-IV1IG.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Layouts\is-B14IE.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick.2\is-Q7QDV.tmp	mb3.tmp
File created	C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sdk\mbam.cat	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-MD62F.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-APC4U.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-5OLH2.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\mwac.inf	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-UTGUO.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-TS001.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-1FO30.tmp	mb3.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\security\logs\scecomp.log	mbamservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mb3.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbamtray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupMBAM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mb3.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
540	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	mb3.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	mb3.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	mb3.tmp

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mbamservice.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DB6AD16-564C-451A-A173-0F31A62B7A4D}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63A6AB57-4679-4529-B78D-143547B22799}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{983849D5-BFE9-43E9-A9A0-CBAFBC917F39}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A9108FB-A377-47EC-96E3-3CB8B1FB7272}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EC225D5-FD37-4F9B-B80F-09FAE36103AE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6357A98F-CE03-4C67-9410-00907FB21BC7}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{893E5593-9490-4E90-9F1E-0B786EC41470}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\ProgID\ = "MB.ScanController.1"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC97FF29-5CE2-4897-8175-94672057E02D}\TypeLib\ = "{A23C190D-C714-42C7-BDBB-F4E1DE65AF27}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F2D6C4F-0B95-4A53-BA9D-55526737DC34}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1097B101-1FF8-4DD8-A6C1-6C39FB2EA5D6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1097B101-1FF8-4DD8-A6C1-6C39FB2EA5D6}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53260A87-5F77-4449-95F1-77A210A2A6D8}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1D8E799-D5A2-45B4-9524-067144A201E4}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\Version	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C710FA9-862A-40CF-9F54-063EF8FC8438}\TypeLib\Version = "1.0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17A7CC72-3288-442A-ABE8-F8E049B3BE83}\TypeLib\ = "{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B05F69B-4F9B-4FD3-A491-16153F999E00}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77AD284A-4686-413D-AA76-BDFC1DF52A19}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C710FA9-862A-40CF-9F54-063EF8FC8438}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1F1EB48-7803-4D84-B07F-255FE87083F4}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CFFF19F6-ECFE-446D-ACAD-8DC525DA2563}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2870643-0645-41F9-BCCB-F5969386162C}	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2446F405-83F0-460F-B837-F04540BB330C}\1.0\FLAGS	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\VersionIndependentProgID\ = "MB.SPController"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{553B1C62-BE94-4CE0-8041-EB3BC1329D20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2650A9C4-A53C-4BEF-B766-7405B4D5562B}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6357A98F-CE03-4C67-9410-00907FB21BC7}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7DD05E6E-FF07-4CD3-A7BA-200BEC812A5C}\ = "IAEControllerV5"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\ = "LicenseController Class"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C731375E-3199-4C88-8326-9F81D3224DAD}\1.0\HELPDIR\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66328184-6592-46BE-B950-4FDA4417DF2E}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F12E228B-821D-4093-B2E0-7F3E169A925A}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E3F0FEC-3E40-4137-8C7D-090AFA9B6C5E}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB53395-8218-47FF-91B7-144994C0AD83}\TypeLib\Version = "1.0"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\ProgID	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C731375E-3199-4C88-8326-9F81D3224DAD}\1.0\0\win64\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\\2"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6655E528-3168-47A4-BF82-A71E9E6AB5F7}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}\1.0\FLAGS\ = "0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FB37514-21FA-4B2C-94DA-1562126E9F5F}\TypeLib\Version = "1.0"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A173904-D20F-4872-93D5-CBC1336AE0D6}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA484BC6-E101-4A87-AAF3-B468B3F2C6BB}\TypeLib\ = "{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MBAMExt.MBAMShlExt\ = "MBAMShlExt Class"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\TypeLib\ = "{C731375E-3199-4C88-8326-9F81D3224DAD}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C710FA9-862A-40CF-9F54-063EF8FC8438}\ = "IRTPControllerEvents"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79CAE9D0-99AA-4FEB-B6B1-1AC1A2D8F874}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9669A3D-81E8-46F6-A51E-815A0863D612}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\Version	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{106E3995-72F9-458A-A317-9AFF9E45A1F0}\TypeLib\Version = "1.0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F77B440A-6CBC-4AFD-AA22-444552960E50}\ = "IScanController"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCF0F42-EF8F-4450-BA68-42B61F594B2F}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A993F934-6341-4D52-AB17-F93184A624E4}\TypeLib\Version = "1.0"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A2D4A69C-14CA-4825-9376-5B4215AF5C5E}	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F128CCB-D86F-4998-803A-7CD58474FE2C}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C85F3EB8-B099-4598-89C3-E33BAC2CE53D}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89AE2EF4-3346-47C7-9DCF-ED3264527FDE}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{553B1C62-BE94-4CE0-8041-EB3BC1329D20}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B471ACFB-E67A-4BE9-A328-F6A906DDDEAA}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{172ABF99-1426-47CA-895B-092E23728E8A}\ = "ICloudControllerEvents"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F12E228B-821D-4093-B2E0-7F3E169A925A}	mbamservice.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2036	reg.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df0030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4740f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc250f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df020000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a80300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc32000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a80300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3952	mbamtray.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
1408	mbamservice.exe
3952	mbamtray.exe
3952	mbamtray.exe
1408	mbamservice.exe
1408	mbamservice.exe

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: 33	5028	mbamservice.exe
Token: SeIncBasePriorityPrivilege	5028	mbamservice.exe
Token: 33	1408	mbamservice.exe
Token: SeIncBasePriorityPrivilege	1408	mbamservice.exe
Token: SeRestorePrivilege	1408	mbamservice.exe
Token: SeTakeOwnershipPrivilege	1408	mbamservice.exe
Token: SeRestorePrivilege	1408	mbamservice.exe
Token: SeTakeOwnershipPrivilege	1408	mbamservice.exe
Token: SeAssignPrimaryTokenPrivilege	1408	mbamservice.exe
Token: SeIncreaseQuotaPrivilege	1408	mbamservice.exe
Token: SeSecurityPrivilege	1408	mbamservice.exe
Token: SeTakeOwnershipPrivilege	1408	mbamservice.exe
Token: SeLoadDriverPrivilege	1408	mbamservice.exe
Token: SeSystemtimePrivilege	1408	mbamservice.exe
Token: SeRestorePrivilege	1408	mbamservice.exe
Token: SeShutdownPrivilege	1408	mbamservice.exe
Token: SeSystemEnvironmentPrivilege	1408	mbamservice.exe
Token: SeUndockPrivilege	1408	mbamservice.exe
Token: SeManageVolumePrivilege	1408	mbamservice.exe
Token: SeSecurityPrivilege	1408	mbamservice.exe
Token: SeSecurityPrivilege	1408	mbamservice.exe
Token: 33	5192	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5192	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4920	mb3.tmp
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe
3952	mbamtray.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 4100	1736	SetupMBAM.exe	88
PID 1736 wrote to memory of 4100	1736	SetupMBAM.exe	88
PID 1736 wrote to memory of 4100	1736	SetupMBAM.exe	88
PID 4100 wrote to memory of 3492	4100	cmd.exe	90
PID 4100 wrote to memory of 3492	4100	cmd.exe	90
PID 4100 wrote to memory of 2036	4100	cmd.exe	91
PID 4100 wrote to memory of 2036	4100	cmd.exe	91
PID 4100 wrote to memory of 4016	4100	cmd.exe	92
PID 4100 wrote to memory of 4016	4100	cmd.exe	92
PID 4100 wrote to memory of 1152	4100	cmd.exe	93
PID 4100 wrote to memory of 1152	4100	cmd.exe	93
PID 4100 wrote to memory of 540	4100	cmd.exe	94
PID 4100 wrote to memory of 540	4100	cmd.exe	94
PID 4100 wrote to memory of 4808	4100	cmd.exe	95
PID 4100 wrote to memory of 4808	4100	cmd.exe	95
PID 4100 wrote to memory of 4196	4100	cmd.exe	96
PID 4100 wrote to memory of 4196	4100	cmd.exe	96
PID 4100 wrote to memory of 4196	4100	cmd.exe	96
PID 4196 wrote to memory of 4920	4196	mb3.exe	97
PID 4196 wrote to memory of 4920	4196	mb3.exe	97
PID 4196 wrote to memory of 4920	4196	mb3.exe	97
PID 4920 wrote to memory of 3208	4920	mb3.tmp	98
PID 4920 wrote to memory of 3208	4920	mb3.tmp	98
PID 4920 wrote to memory of 2828	4920	mb3.tmp	100
PID 4920 wrote to memory of 2828	4920	mb3.tmp	100
PID 4920 wrote to memory of 5028	4920	mb3.tmp	103
PID 4920 wrote to memory of 5028	4920	mb3.tmp	103
PID 1408 wrote to memory of 3952	1408	mbamservice.exe	106
PID 1408 wrote to memory of 3952	1408	mbamservice.exe	106
PID 1408 wrote to memory of 3952	1408	mbamservice.exe	106
PID 4100 wrote to memory of 7012	4100	cmd.exe	107
PID 4100 wrote to memory of 7012	4100	cmd.exe	107
PID 4100 wrote to memory of 7012	4100	cmd.exe	107
PID 1408 wrote to memory of 5332	1408	mbamservice.exe	112
PID 1408 wrote to memory of 5332	1408	mbamservice.exe	112

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1152	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SetupMBAM.exe
"C:\Users\Admin\AppData\Local\Temp\SetupMBAM.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c .\setup.cmd
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\system32\fltMC.exe
    fltmc
    3⤵
    PID:3492
- - C:\Windows\system32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1
    3⤵
    - Modifies registry key
    PID:2036
- - C:\Windows\system32\findstr.exe
    findstr /i /v "malwarebytes mwbsys" C:\Windows\System32\drivers\etc\hosts
    3⤵
    PID:4016
- - C:\Windows\system32\attrib.exe
    attrib -r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:1152
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:540
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\7zS8C65ED97\MB2Migration" "C:\ProgramData\MB2Migration" /i /s /y
    3⤵
    PID:4808
- - C:\Users\Admin\AppData\Local\Temp\7zS8C65ED97\mb3.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8C65ED97\mb3.exe" /verysilent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Users\Admin\AppData\Local\Temp\is-QK9LM.tmp\mb3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-QK9LM.tmp\mb3.tmp" /SL5="$801C6,75987422,119296,C:\Users\Admin\AppData\Local\Temp\7zS8C65ED97\mb3.exe" /verysilent
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Impair Defenses: Safe Mode Boot
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\system32\certutil.exe
        
        "certutil.exe" -f -addStore root "C:\Users\Admin\AppData\Local\Temp\is-RJIJH.tmp\BaltimoreCyberTrustRoot.crt"
        5⤵
        
        PID:3208
    - - C:\Windows\system32\certutil.exe
        
        "certutil.exe" -f -addStore root "C:\Users\Admin\AppData\Local\Temp\is-RJIJH.tmp\DigiCertEVRoot.crt"
        5⤵
        
        PID:2828
    - - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
        
        "C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe" /service
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
- - C:\Users\Admin\AppData\Local\Temp\7zS8C65ED97\mb4.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8C65ED97\mb4.exe" /verysilent /norestart
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:7012

C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3952
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe" /wac 1 /status off false /updatesubstatus none /scansubstatus recommended /settingssubstatus none
  2⤵
  - Executes dropped EXE
  PID:5332

C:\Users\Admin\AppData\Local\Temp\MBAMInstallerService.exe
"C:\Users\Admin\AppData\Local\Temp\MBAMInstallerService.exe"
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Actions.dll

Filesize
4.0MB

MD5
bbf8d1bd3fed70264553c43933c0778f

SHA1
ee482444cd5c8751b1e593f0ee9c4102a6b3e73b

SHA256
541236c5093e7d561049a9aa4aef0f4610d2229ac0f268098d028ac0acd0ebef

SHA512
427d177da0fb71869f604d316d3cf2a49c426d743bc0c48e2f75bf9dc6a574a82a25a1096d26d774c0221da4c9efaa21e2371dea3aaa7226fed0ff6a51dd9d04

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ActionsShim.dll

Filesize
2.0MB

MD5
81cf22f2206cc72aa0430943042cc57d

SHA1
b1548ab1f95c2f99747be7f4758d48f2a97f3d66

SHA256
7ab470e83005cfde857d7d45a40058f790c097852a7fa3e252cf69f1de9eba88

SHA512
e9b094a6ec9ed8b5d69aabc3f89963df5ffc14db88dec2d67c494911498979f9ab703e1c7f007e59075dc871fc44fff4d27fb2b88a0a20bc53025fca908bfc7d

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\BrowserSDKDLL.dll

Filesize
3.3MB

MD5
92e9642560b3824d14886b5a07abc0fe

SHA1
ea27777f0ac8c84d8f2acf14f4f3d76beaa3600f

SHA256
ee7bf546ff261caefe63b9291a359681e8167d3eae48529c8b03df83992d5f3f

SHA512
31c17b5019767980f900d7fc85a2a21e39e01ab52425418c2aef877584c26379b0bd0e79fffc155b14efb7187a7f4d1d6c57420ed83c028ab94574b5644f5bf3

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CloudControllerImpl.dll

Filesize
3.3MB

MD5
bdb0adcf1fa2d6ad11ca148925fc6056

SHA1
14348951d1749ac6fa25edb26fbdfc38261ed0ca

SHA256
56e54267ea2594d7b2a7b69d751f6aa70e99b7006dfff2f6ab516c83f5a5a09b

SHA512
017658186f962376de6affc45535f9e156f4a11027a8000ae1ed37b0699d598e3b41a3a29c2031982127adf2a575b3978bc7a2183fca822049efa61214b8d49a

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\LicenseControllerImpl.dll

Filesize
3.3MB

MD5
c091823974c144a4ad60253346be986f

SHA1
6268491af4b35824a25b3a879412aa3894073c90

SHA256
53aad200edbab6e1591c1502afab7e2014aaa98e52c4be6bdfdd5332248d2032

SHA512
02fb68f67eb49c7e76f3772ef830b9981487eda9c87243dd8b6b4406a9bcc2de0253ac63271e7c35dc27102211ffc31ef550d5b6d49734dce762f0c47bd563fa

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMCore.dll

Filesize
4.4MB

MD5
357fc4ccbec4ba925ceec54ba1940de6

SHA1
16ff9d20c00b575c7fe3d19ed47ba2e1c025446b

SHA256
a99c1e7a2408fde154a259894bdce12486ba8aaff9904098c2febf60cf2d0142

SHA512
fe20f82a16001c3919bf8ada707532c7ecc3b0ff01170a8063dac7dbb6dca2f23c18a1fd2894836d1ad9d8cf5efc3f376d1a0536b29b77297709ded9306ab366

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll

Filesize
2.2MB

MD5
9461138ffbdb975a8e125163bf948158

SHA1
8275135bf4ceaf57c5ba8f66dd49d69d992c0c66

SHA256
373cf9d48fbb81f4ff07713428d50a62c7bbc0fc594af3987e0bd655f83ed3a0

SHA512
c0f7978527c24c9d767e58dfb53e346f9d1af1c09674bef723830754125985ae3846da262fad641e8cdc615779a244710fbb8d9e0e36a1205da4392c7782a34a

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ScanControllerImpl.dll

Filesize
4.1MB

MD5
a7e39e856a7a4846c6fc0b4cd31c18eb

SHA1
3c1b6029fa3a80b02963a7627e1f8016015512f2

SHA256
b22cfbea6caa65db558a70e98a6a3a03135f6ea76636dcae78835da1f5cfb885

SHA512
17f3ec344b4c20c2a585258cf4f7841d2089e7eeb02943e4bbc8b89c92ec302c99643fd8ebeb4b8ff5a1ecc78586b77952152412331813c17422de11d7c1437d

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Swissarmy.dll

Filesize
2.6MB

MD5
ddc20450bd11ef763fb94d5e4b9c9734

SHA1
70d9cd634984746b0bfc16a9b3558f0c08299f95

SHA256
40b795529049730cd841654c73a499c0ff3cbee6f5e05df96359c2d968f362be

SHA512
dd0d7e0185eead8d6104f3bebbd2d78825ec28eabadf488c0d58a594854b37784a8d0b7c9b4852e618395662b0427dfb31f39e81802b9d0a9a20c0eec100b759

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbshlext_proto

Filesize
2.1MB

MD5
5265576f992af1de32d79b8570f95922

SHA1
e355fd829c9eb02f56cd60103438164e79643c4f

SHA256
85e2fcb69ee45cb81cfdfcc4ece39caf3fc25a545df30a0f04d6c4c64520db7c

SHA512
fec8316d3fba8470d6d7582f1e494110a6ba4fc30eacaf134f093350361fe789278b13be5ddac23e42b1ae7a1956d0cff8cb702da5e637e0d2621e81d9a16869

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\pkgvers.dat

Filesize
50B

MD5
f92c71ddf5b699d9bf113cc80d5bc826

SHA1
1a8091b51c8328cffe98958c3098e4b9c1228bfc

SHA256
b110e26dcf57e8d3923c7b0e6a660e06a70246a2d0285fb3fd4a775579dda83f

SHA512
463c8f4810ac52b12e8620d748a8a087ef140e5d6ab6a3afdd1baf28beca17a0b6c069003391c66cf0fd2ef75112be1306201915c6a8942404c80e5b99947411

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\version.dat

Filesize
46B

MD5
8fb6a018f79059337fc548f2994bee6a

SHA1
2bfa752f3c9f4d8f952682614490fb1014c14823

SHA256
4e1a6a6dad48a69944d19afd8258c34f2880dea9b2c0a5515e6f64f1336de276

SHA512
2c2d8b835435fcb9f4e97c354165040417b5e7e37db4cccf9247b8ccb8c7be9b6a7c62b7ef7f6327cc049ab91a408439ebea221ab51365482106ebc6aa7bdb19

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\7z.dll

Filesize
1.6MB

MD5
7580437d0fb8c1ae60d96dafb6883d30

SHA1
be89b488b258555a8cf971e4d29c40ce92bf881d

SHA256
3dce36d583ba1c741e95df1a265e47f0de581bef77ab48165dd67266be7a42ef

SHA512
e67be84fb4c9bc87c20b72a1169f068b0afdbc9872be2cb0bfcf9eff65b2b246c60c7237350cbb38cefc004a75645f49d30c9acab12efb0e914450886c21e1eb

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\BrowserSDKDLLShim.dll

Filesize
2.0MB

MD5
8ca739a4012b8c0954d96e7296794102

SHA1
97e958fcf50716dd6b74e1b0b011de121d8a9088

SHA256
63228855f6633fa834f0da4863c34db9d8463c3721eff41379d94b7d093ee7c6

SHA512
494347bf4f045671c817ce1c70ccc24a56b8fa4ab01a3c7866e1d7f6d0d8315f33c9efe09d76aef6f0aff647665dbfe76ee22f9cd564ab6fe6f1925f544ab7d4

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\CleanControllerImpl.dll

Filesize
5.1MB

MD5
6fc8a69f6702c7dffadfdcd17101f737

SHA1
6fbeb417b75098df88c364638e0cc703a87a0ae9

SHA256
28b7288e810e61871cc60ba7095401d0a241601a15a3c119e0a49e07355bd813

SHA512
96b1963255bf8581c49a8fbb200e8ccd88e2ca2dc188724dea8725eb3bdca49490f495b67f0511e3946c43ec584801a832fc257187b33cdbfd05be0d180db8b9

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Languages\lang_es.qm

Filesize
239KB

MD5
15cf1cf7b807776cc0b326fb13346dae

SHA1
49729240f86b74067183413aea526e9f9a769642

SHA256
5d4df71edd63c510af04d27aa15aaa009c24e07e53efb0559dc6cc6b67e1c6cd

SHA512
ffe781c632aa839cc66377ae31384bbeb4c4443d1e4875a902a6e1fc9c272ef1b911dfc7a423fb4902dd3033638919934a077639d19314380c5b219b52d102f7

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

Filesize
6.2MB

MD5
f7265b7490428499f2fe409fa9247866

SHA1
aa7ef4ddfa80551e0e636a3411ea28c5217d92b6

SHA256
43a406c74689b72020e4669b45f19d377a5ff3efe79b03af58c2679d14405e9d

SHA512
0b239376a42ea094d2ae202f0c05504de7f8317c414c3aa6f5e4571b435aee2940075f5d88dc89756cb447b96356ee6c4ad44efadbdc1d80a9992d8d21048164

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMShim.dll

Filesize
1.9MB

MD5
23d71c3090e1de46e5e5686f58f4571b

SHA1
c8ef6443aa1cb7bc74ba1f48e5b5c1dcb0b65c24

SHA256
a64270ddf9af5db895be90e913475e8c456e097d53075e19b7a8265dc81490cf

SHA512
8feeb817968b9d2b93a40c9271d79724cde852b26d959cabf106b97d24b4d8b4896cf88e151d4031f14f7546737004909eb4e93b0411ecb8417b4e05324f592c

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
607B

MD5
2d107da49fe3e461dfa71d657c187a12

SHA1
5ed917c2c67a59430b075251c837e37e127f90b3

SHA256
96e49b484bace16a6dfca4b7538f3b7e382bab25d719f3799cebb4ba365fbfee

SHA512
7a4549a39d0b797a2d7270a7d15265bbb28a0bd9d6c565faa2060fd9662a56ccf337f31cead29838d1a0b571bf65198183fb9607f5d7e786677782a8433c6ca4

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\SwissarmyShim.dll

Filesize
1.9MB

MD5
744524ba97e4f000a05ad256add6d96b

SHA1
2cc1a6b0ecc17db129bf479724e12ae1374cbc77

SHA256
c529264098ab30cb6a79ba8db9c5e208cf221e72aee47b70878986f19b2acf45

SHA512
ed0a99defe9ce9c2df2fd089b5ebe9a08b4b61e19017638269be53a74ce28d1e31e1e34519585d6b8a934eda7108e5610147f92d83414f5adf6b1f91e52d2717

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\TelemetryControllerImpl.dll

Filesize
3.9MB

MD5
78f99c1fb3d8205824c758285f7967c9

SHA1
b4be038a5320a558ca6743cf96255b054a89e60f

SHA256
12b1d507ac03e261558e9f7da15a0dada975e1ae930ea0df6b3bb62e141e15a3

SHA512
afe82f1867f2bdde6af7d1b8474bfbf8a23fa0a3f20323980f701b1e6944c1e7237675169e0ef7c65f2c4b8c939b679555ac91d332c106dfc3560f5d1b4599ff

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\UpdateControllerImpl.dll

Filesize
3.3MB

MD5
441ec847e501ddd547fc10492fd5a287

SHA1
c67e70d2d0ddfb46b4fa0c80856c90feb918dc93

SHA256
3e63054601f976aeda5c2fcdf0d222bacf38f48eb729e51b3392c915b4686e36

SHA512
435241c11918276714079f98c67ebde4834ece5c0ac973594d2f28e9b8d444df1735ceec459a977868ddabb226d5c1e461f2bdd178710761b31bf3018d162356

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe

Filesize
10.8MB

MD5
bc378eebe3b5ad857a0c2a3d6759d1f1

SHA1
accc2aef3f96ba1adfd31ade0dd5716599b8d2e2

SHA256
cb0c0072d1690c5e0a4aae29d13496cd7ecfd48fe618c3ea4b3a65cefb26668a

SHA512
e5941c023524510c66a37bfc55ba6b28f02ca53d4ff6e85016411bfbff0fbd5e3a013fdc77985380f87fe291c526b9db11151ff6e2c0d419a2e37c51d1f9bf75

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.sys

Filesize
247KB

MD5
351bf8f77b0a15a7b5a2ae098c52a387

SHA1
be04e8000a3352f41588aa084c2b1ac7ca5145f2

SHA256
a84330df5c4f0e5d6251d311b5dc78722d7724e87daf5de5a11eb73bb3502e26

SHA512
04d062b5b5f5c3285aa9b3fa921905a0ac13b630eb5bf7fa412eaf432b415c3b33dda4fdfe5e73dbcba4575aa3610cbcfeddc498b8439a90415969a9ae1151b9

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.sys

Filesize
110KB

MD5
30531264292dbc7507aa1ff4123f1f39

SHA1
5f938678984b63695b061c43e7c58d59d7035a9a

SHA256
ad27317bfab1d5c1b332000df51336424b4b80af725392eb4a0fe53dc0695c41

SHA512
344dea38a565a7f9fb8349e2a32226526ef8b546598c63a6465093e53e39512b509c7c3774b646231614b665d474c5b104805a4f1dbda173cbced67e06811bcd

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbam.sys

Filesize
43KB

MD5
0987b4bb03fa1f3c0c7d37347b707d4e

SHA1
282b0c57a2b5a2af3c3393e8ccbeccc05faa9ec4

SHA256
edea667695a680b955f42024ad349a9b795a2365c59312edcc3fe5bf362f59e6

SHA512
0bb44543ee6acd08d22270f9d4ccdcaf35e72867d2a12f888ad7f93d77237e83a5df3f140178f787c1a0ebfd02cdf3006066298862a36da74d8d1d8bf3390a53

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.sys

Filesize
186KB

MD5
0b4a62420642b842df8656dbff663b0c

SHA1
22a89c1d2085a4aa8b1a99f54e2d75fe330067fb

SHA256
acb7961eca32a50fcbd51b194488ddf40e610c2384edfd06235ae427bcb80c96

SHA512
e9ad9be23bbeb1c2fcfc17ce16c48af67f380e72dbb3ba292965e340f2a868402b5812934b56864486cb890af80f5316a2b81cc916da9b01f7135bc02c972bf5

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mwac.sys

Filesize
101KB

MD5
a2814db0a52a490ae674ad06ecbdc4cf

SHA1
88bfe28759135d87377999596286fb5233766d79

SHA256
d3fa7326afbc7a5a94f7a4aec84a51acab89179d7caf0cb5f2af3794e6dba7f5

SHA512
6d3ac4bad74c226063aa2ea951dd72608ac884be0a7d9b5347de2e363811207b5a9ee3e8177ef44d11a6bab6538ae691a4825185784e47aa483c11c17be075de

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
9KB

MD5
c93db0dd9fca609418b3d478ceab21c3

SHA1
86b421593597648342a160c0f04b0fe0d321ff8d

SHA256
2454cf3c723d0ce6bde80af382678649adcc7fa7f1304903d4781599272e7655

SHA512
30587b30910c4c5a80f3566f2bdd0f03a10ee36da7ae2f21e99fcbc7e146056efe5352fc5fec9e2ee3f8575a90948a2ec1cbc802d96c0284d5c4e80673595d5b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
9KB

MD5
12b6b9fd708dda766036c2d4cf85070d

SHA1
20010fa49b130081b1cfb458c77ff24fb555dfb7

SHA256
ee36f6a14a0c29d546f8002512f55bef2e1fad61257c4ace6de8083513ceb8e7

SHA512
e9fc11eeaa37fa7da24c534e4d84d49f6a059703ed070dcc68e80018347b31ac62d54b59053a200e961ebb720cd2cb53de02e0eba300afc9de01954ec54e2819

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
a581db1b7efd34a9d32a5b66e0831d65

SHA1
d3942033a67650fa329af6a540a3cd48d019c4f5

SHA256
9084ed7ca083a4efdb049332282738b7384ff8cfd40b031bb848e9c372b0f306

SHA512
031ce0a8ddc092c89a12433d71d00475dc7b07c16dbc3e954bb85e3b6d3b72f56837c017eebec8171eeeff346ff5cc72d4628400a4e5e409ae954e1f379b11ca

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
0ec4c7f3d02b107b601d495a501e0844

SHA1
0abaa820987c7ea418126a82cfb7c25fef1a6866

SHA256
f0e871359366c167d51bc44b175c1d2f3ad69335d735fad7119547bd04934d6a

SHA512
ffbed0b25232b058fdf616eca16d138b85d6c4a75d820b000acc6106e1581e12f630ff396723702ec753d3fa318456fe8420751f23c254ae526e9d62aac16931

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
925B

MD5
32f18b877ed11b5279d284097fa19a46

SHA1
796d00b76b2bbed9d1f036c630500fe2cbb0781b

SHA256
a2bca0b783d29bf822e6ecea122933bedc1a84e1513b5dca2e962e84a26dcf11

SHA512
e240d49b39d0ce4b89737da1c133ab5d1f306bc19f66d9d4e36244c4aeb46048802906281fb416aa62dae4fa0842c9b38e9bc03ce8ef1de72251507e579b507a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log

Filesize
2KB

MD5
5f795d65695f88e6103657c805227b1c

SHA1
178e176f79d3c057f5cd762f1edbafd890f462df

SHA256
09b3fe5b5b0bd58ad87eab08698f8615e9d0c833693f3d7201b76577e9f2023a

SHA512
b3d4a1fc3457b07e89b6e84ce063ffbd6c784d4b0bb4aa63cdade143e6fc06261cda9f3459df2f970a12af5b4232159d58643c2a30e7d03fc6cbebbdfcc390a3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\prot.mbdb

Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\clean.mbdb

Filesize
3KB

MD5
4ab0d936d15fad1bfe1c9843c975a5b5

SHA1
c79b4a6d5ef3544bb9428b4fe1aa26dbddbd7f09

SHA256
5dfdd203c6aa96909fcca1eada34ac9f7fff0adf1db655e13753a84958c95874

SHA512
80829716ed63eff784767a0d316eb890f9065a80a8cfb26dfec34422c70aa02796f730b61b24ae6708e66c76a8cceb972a51ec93dfe423fb9c46b51cad79e6a6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\dbmanifest.dat

Filesize
775B

MD5
b3381f9aa89142e99b7cb53b3bb4c75c

SHA1
6af16450d96d258759850b45c22fe343b8b26b09

SHA256
de77da47eea08b013f3a17511cfbf078110ed62c35cf301d9fa916b7297a0b4a

SHA512
806e9f117ec6d60521fb95dc3da3b575aaba9e5d943817a05d5252d771d58578be64b44f98ccc6a88870936c13bbe02a5b683ed936b9f7df32959214e99f7dfc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\dbmanifest2.dat

Filesize
775B

MD5
f3880fc3faa78872a9ebe2130344809a

SHA1
5592ab261f4ec22698106124fa49d335bf7179c4

SHA256
63bc73d9a26148537b51234ed4a7a8d03fba2529e78be052617cee6f06b130d6

SHA512
198fd603d3f45baf95f0515a931c41d528d90a77324822649185757cf18eaa0aa223779f7b52a071358c862ef99593d7fb145d47164c22c2319b452174d0969c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\dynconfig.dat

Filesize
22KB

MD5
885d647474d6eab46dd4b5197bbcf6c6

SHA1
5a8bd3b8f17b6501354dd646a6baf0a22cb55695

SHA256
1d7f22839b23f76773fdaed74aecc5bafc09aa24cd8500f3609ab2aa09d05845

SHA512
c876d81e32cdcbe244930b6c6a9fe870bb14f8f9dde47300ce08daa05bdac0f8960facbde7f5f78546f5dd777cc0371984cf8dada79bba33c961ca633ae68f99

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\exclusions.txt

Filesize
10KB

MD5
9a4ac2b44a9ad3ec5cf9534c2acde781

SHA1
a61d029ac93ada329c70633a7fcaeb754a22dded

SHA256
96813f362732ed0516316ae0f3119a6ea6bcefd53c940e59232546600853444f

SHA512
3c0ccc6ed19728f61e9075888427edf9b6bb9d47274b61beb6da9edf52c526848a07d6a559300d5a5696614ffdd9432ff007b1b853e601e4c8f28fc3bd2b51ff

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\mbdigsig.dat

Filesize
514B

MD5
dd15d093dc51c98167f736d69a349add

SHA1
957f340b5f3690bdee750bdbfdd1f1c698ca7be6

SHA256
e54e69d1293b6a7058fc580d749b643cca6aa823d1fc00ae7e245665fc62a7f1

SHA512
467417445c106ebf06620b1c33fadfd578f8cba28465ad09fb5147e914dd3607c420ed79fe6d3be80bc31e45b54bdf8fea17d14767ff984c3eaeb5d9841eba6e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\mbdigsig2.dat

Filesize
514B

MD5
98b4099b3d487621c580a0d29c722efc

SHA1
0d533cf45a311b6033db4532448d04492b5491c8

SHA256
4eae4a8483bce998f40bf1247185bf5bbcc9a844d3f1ee2262aad0bd7bebd78a

SHA512
0c6997ed4a7580b6f545a0da91fb8bee2af692bb45468235c646f09acb1efc326a1b20652c8471a136386be712be4a45e953c676aed07726d4342231742954b8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\rdefs.mbdb

Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\rules.mbdb

Filesize
18.6MB

MD5
be363c81439b1875e81cb6cfbd53f6d4

SHA1
b02017e19deffe541ee7613fa5efcee41d864178

SHA256
fe8b403929c13bfc48e91c5b5ae71d1efb3f52397a4832407914b313b81a0b62

SHA512
81ca1e7996c602fc7ed7c790f16557b4b269e0fce723c22167a0f1389d1ab28d8fccb7ebdb81149f1f8a235e5251738819b8dc24d9200c8f4e5ff8e8f2adf624

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\scan.mbdb

Filesize
1.8MB

MD5
dd762b25660bc1301ad50631f9dec302

SHA1
8093cd2bd83572646b8d6a9ac55b6758c6839be8

SHA256
6e62ed7029d73f8625db3309bf3146a3a1a793353faec7d1b70f67e71204e936

SHA512
1b0d5fb2d5cc0fb4b3494fa84502364d6582f054bd47d2ba58e2fd8ea00be6a7b660c80b4eac86b04ec8823d04cb611b0e9b46dc16cf9d0353a5a1a9c233a2b7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\tids.mbdb

Filesize
198KB

MD5
7ae4464544f8ec6dc2a19d7413fb40a1

SHA1
d6a48e08d9f43388544ced6e6ee0c3387bf358bd

SHA256
bd4acfc46b74046d5fc2a8fe1fc3c88fef43fda04681369347f762e21b7f0065

SHA512
19ef8eabf6b2d7069be05fd33e85d2b0774f67175c2cc033103ff966d15c5aeee815b9457e2acbfa5c188ec4e8bf4f963fa5c831cc054a88a50d0db4759d1041

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\wprot.mbdb

Filesize
9.4MB

MD5
bb2294822ae2c2349907d0b5b7d0bbe7

SHA1
27f10b774ce5a1bf5633a73b2b12e7dc9cf38c88

SHA256
7f9b7a30ad2ed3f40a2285afc1c8526916e7b7a2fcdfd33265e76e6471696333

SHA512
84666ab71397e041a068aeba6ce8deb7d8bd26b8c60d566d3e156ec874cfd7ce95d4a59d7e41a9f0be215d880cda670f4c56e57c1bb53b5bb8288ae4e1b13d0c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\wprot2.mbdb

Filesize
6.1MB

MD5
b48e5f5448fe8fc971128a8686e17e40

SHA1
c8ba1082c02262c881a842fe16b95c3eeaf82b7f

SHA256
681dbb59a2f88a2c498940534761801c341a5c901f2c41b2f94dd8cb42a4350e

SHA512
9da5e8da866112686f49b61ec29151ff293baa810975f6e49019a742630904cfcd706e4a9825c1fedc182e7252c934c0553772bd554cc07f359860cf94b3de0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C65ED97\MB2Migration\Configuration\license.conf

Filesize
100B

MD5
a1e5a9e508fc1ffd94da7ff8474cd74b

SHA1
8e24fc7a0d84a58ce19d4d54eea5b2e9a0c6c7b4

SHA256
1b936920211bf35d9bc8cb198ddc582e903a5f5f98a213fbcc50d52e336b5026

SHA512
b2de1aae006ef6f0223dd032ca08714489cf90446c7154de8ae514427017af420abd1b9bf90330f05dcebf83bbde4a57225eda45574dd1be1efb871686e2b881

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C65ED97\MB2Migration\exclusions.dat

Filesize
104B

MD5
481e08b086e1663fabd9afa850093696

SHA1
5b283959d8f5d356b25890f89babc22a8cdc7d73

SHA256
8990dd342de96d5849ca93f4bc87a96cec4f33227e440e679668ee11207f3e38

SHA512
e01fb0c54923a11a2956eb5797513c1a6525b9d66b5ef044c646ae957b95e2b16bb19ea1b6214e94f65c30834f8b43d401bbfde1ae50290e06ab73af4375febf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C65ED97\setup.cmd

Filesize
2KB

MD5
670d1358da6ceb98522768c559bb0c52

SHA1
8ddea4b7cfa63c2c4c1fbc9904af4c5ada97f5b5

SHA256
9579dfd0b67a233cc54201082bd0a6fb6ce500c541cb6055a412c0d202004678

SHA512
333899e94a1b4412fa76da9220d9981c5c755ebf9f14340127df0dcdab109f2dd67a009ba72d865ac9ce39c4de74b7a82e4164536cdee7cd403e784c9438bb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QK9LM.tmp\mb3.tmp

Filesize
1.1MB

MD5
4fbe9e047364e20b94e885e54d8846db

SHA1
e087573ec32542cd413b98de241f07b6d0a53552

SHA256
011678bfa9d1d8bd25b6131ae5d887326f46bda9b1b82c5795121bfe8b75d53e

SHA512
65870b8b8d1b9b6221701e7af646d26ca14e583663276728f0e962d2a49e3b84b951d248cd9c7f5389c607f9424c2bb9cf8e20780a23a6b659e6f8f1474fcf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RJIJH.tmp\BaltimoreCyberTrustRoot.crt

Filesize
1KB

MD5
379a301592736712c9a60676c50cf19b

SHA1
c103790503bf8c2ff3f119adee027ebb429b9d21

SHA256
cc7400692bd90e1b5fc44e11c8dd7c788cbb462f52ea3f3decb579e4d51eb268

SHA512
dec25a31f2930eb575a43e654c29f170c261c1c4516767c0e71cc172ad6ad115914fb58d9cd79f681ff3d7c6baa6b7c0d6de99de09d7582c9807ae436f15572f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RJIJH.tmp\DigiCertEVRoot.crt

Filesize
1KB

MD5
d25e0f479b9601edf2c9c2dad7ba2706

SHA1
2f1d0001e47394f4c4deec9645c5f2df99f91a95

SHA256
63ff360aafde5ff959fb9671ec27002f99cbfae4907b410046b6a1b0f51cba9e

SHA512
3ba164dad3cadf1ea9f0c555695e4d39cba47612599f547d0d0d59014577995c0ddbff0ef6a5e436867454da02d500136b54c034c2223586271b26108b2cfb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RJIJH.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RJIJH.tmp\mb-header100.bmp

Filesize
7KB

MD5
4f8b110e37a818130310f0c34ec90dc5

SHA1
3bef6199fa0ba4c7b98d9c6a6c5a29c52ef9f3b1

SHA256
db72101e43020be81ff304f50cf593497d66073be946502c16bcd64e7b2adcc3

SHA512
d998b6f09e8750f8f99491e2c2dcbb0cec4a65f8154d795ca070eb131a4f88a30116715b67d1904a0b774e77d0b3ffdb994d10de5688e47f1e2901b10202402b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RJIJH.tmp\suhlpr.dll

Filesize
2.5MB

MD5
fad7ff3ad298b98af90ee28e8ac9e8ea

SHA1
8ef1656215747bbeaaabc3ca1a82d4d2de4166d9

SHA256
86f1c7b02c2c1cb100757b18719b1613f9035ae89cf7dd460a39da9f9f163c95

SHA512
812a04bd6e6800ca2f78224356a1035a78b3b4cc5c921c2c1d6a13a8bd5063cae8fd5352e39d2150a6f18790a23a02f4d45079cbfe52f854e006aefb9f167fd3

Download Submit
memory/3952-645-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3952-620-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3952-642-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-592-0x0000000004F80000-0x0000000004F82000-memory.dmp

Filesize
8KB

Download
memory/3952-644-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3952-643-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3952-641-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-640-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-639-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-638-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-637-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-636-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-635-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-634-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-633-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-632-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-631-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-630-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3952-585-0x0000000003E00000-0x0000000003E01000-memory.dmp

Filesize
4KB

Download
memory/3952-629-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-628-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-627-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-626-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-624-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3952-623-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3952-622-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3952-621-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3952-625-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3952-619-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3952-618-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3952-617-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3952-598-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/3952-615-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3952-616-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3952-613-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3952-612-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3952-614-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3952-611-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3952-610-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3952-609-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3952-608-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3952-607-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3952-606-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3952-605-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/3952-604-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3952-603-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3952-602-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3952-601-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/3952-600-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/3952-599-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3952-597-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/3952-596-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/3952-595-0x0000000004F80000-0x0000000004F82000-memory.dmp

Filesize
8KB

Download
memory/3952-594-0x0000000004F80000-0x0000000004F82000-memory.dmp

Filesize
8KB

Download
memory/3952-593-0x0000000004F80000-0x0000000004F82000-memory.dmp

Filesize
8KB

Download
memory/3952-591-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/3952-583-0x00000000035D0000-0x0000000003DD0000-memory.dmp

Filesize
8.0MB

Download
memory/4196-586-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4196-33-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4196-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4920-588-0x0000000003480000-0x0000000003495000-memory.dmp

Filesize
84KB

Download
memory/4920-587-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/4920-46-0x0000000003480000-0x0000000003495000-memory.dmp

Filesize
84KB

Download