2297bee34b1751b2ca0f20b6625bf822b3837a70f6f2b456278fba92a7188e0e

Analysis

max time kernel
147s
max time network
164s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01/09/2024, 20:25

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

SetupMBAM.exe
Size

261.5MB
MD5

98d22b94ba9bd9f5ade2a46fcc55d91b
SHA1

2f079d4fa2764cc4c769143be93f0305a07d920c
SHA256

2297bee34b1751b2ca0f20b6625bf822b3837a70f6f2b456278fba92a7188e0e
SHA512

4b0e15bf15f24ab15df27f178dec2e160e5acf70962a857ca0f7dd3c8b40f7817e5257fa9dc009ac477911e4dc616129a824d250601b97e51ef55faba6b2fa3f
SSDEEP

6291456:2s67aozPfjFufVrr70zgAKOU2cPSdYdcnUBp:2sidzPkdrrwMoPfadcUBp

Score

8^/10

defense_evasion discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 19 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\SET6C3.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET6C4.tmp	mbamservice.exe
File created	C:\Windows\system32\DRIVERS\SET6C4.tmp	mbamservice.exe
File created	C:\Windows\system32\DRIVERS\SET14FE.tmp	mbamservice.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\DRIVERS\SETF1F1.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET6A3.tmp	mbamservice.exe
File created	C:\Windows\system32\DRIVERS\SET6A3.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF1F1.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamChameleon.sys	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET6C3.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\mwac.sys	mbamservice.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\system32\DRIVERS\mbamswissarmy.sys	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\farflt.sys	mbamservice.exe
File created	C:\Windows\system32\drivers\is-O3T5O.tmp	mb3.tmp
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	mb4.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET14FE.tmp	mbamservice.exe
File opened for modification	C:\Windows\system32\DRIVERS\mbam.sys	mbamservice.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMChameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	mbamservice.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mbamservice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mbamservice.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 14 IoCs

pid	Process
4596	mb3.exe
1920	mb3.tmp
2688	mbamservice.exe
4256	mbamservice.exe
5104	mbamtray.exe
3236	mb4.exe
5428	MBAMInstallerService.exe
3556	MBAMWsc.exe
3872	mbstcmd.exe
680	MBAMWsc.exe
2360	unins000.exe
4928	_iu14D2N.tmp
4564	mbamservice.exe
236	mbamwsc.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService	mb3.tmp
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService\ = "Service"	mb3.tmp

Loads dropped DLL 64 IoCs

pid	Process
1920	mb3.tmp
1920	mb3.tmp
1920	mb3.tmp
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
5104	mbamtray.exe
5104	mbamtray.exe
4256	mbamservice.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	mbamservice.exe
File opened (read-only)	\??\A:	mbamservice.exe
File opened (read-only)	\??\B:	mbamservice.exe
File opened (read-only)	\??\G:	mbamservice.exe
File opened (read-only)	\??\K:	mbamservice.exe
File opened (read-only)	\??\Q:	mbamservice.exe
File opened (read-only)	\??\T:	mbamservice.exe
File opened (read-only)	\??\Z:	mbamservice.exe
File opened (read-only)	\??\E:	mbamservice.exe
File opened (read-only)	\??\H:	mbamservice.exe
File opened (read-only)	\??\L:	mbamservice.exe
File opened (read-only)	\??\M:	mbamservice.exe
File opened (read-only)	\??\N:	mbamservice.exe
File opened (read-only)	\??\V:	mbamservice.exe
File opened (read-only)	\??\O:	mbamservice.exe
File opened (read-only)	\??\P:	mbamservice.exe
File opened (read-only)	\??\Y:	mbamservice.exe
File opened (read-only)	\??\I:	mbamservice.exe
File opened (read-only)	\??\J:	mbamservice.exe
File opened (read-only)	\??\R:	mbamservice.exe
File opened (read-only)	\??\S:	mbamservice.exe
File opened (read-only)	\??\W:	mbamservice.exe
File opened (read-only)	\??\X:	mbamservice.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_C2C3D990B393462F0B24251F41DF0EF5	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_C2C3D990B393462F0B24251F41DF0EF5	mbamservice.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\iconengines\is-8MVBS.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick.2\is-AAEEN.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-GPFF0.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json	mb3.tmp
File created	C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sdk\mbam.cat	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-4368H.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-TGSMS.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-TRI4E.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-ELH3V.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQml\Models.2\is-IIQ9D.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\is-IN6LU.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-O9MP6.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-TDJO0.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Layouts\is-91EJH.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-3MOGG.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-55QAT.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-7H2R9.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\is-OB7Q7.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-LSBOF.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-4C3M6.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\is-H38P6.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.sys	mbamservice.exe
File created	C:\Program Files (x86)\mbamtestfile.dat	mb4.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\folderlistmodel\is-BRGBB.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-0RJEI.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-SNFKS.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-RR8L7.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-5LR7A.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\is-N6Q6U.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-4BRV8.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-JMHJI.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-5D849.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\is-MRJ8V.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick.2\is-P266N.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-FE96Q.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-DUTKM.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-7SVU3.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\unins000.msg	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtWinExtras\is-4B5UV.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-RP85R.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-I9482.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-OE6DM.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-T6PUR.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-J0HF3.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-I1AQK.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\scenegraph\is-06EGB.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\folderlistmodel\is-G3L1K.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-GTVF2.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.inf	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-MM0HH.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-4RSFV.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\folderlistmodel\is-LTTTA.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQml\Models.2\is-OPK5S.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-077S0.tmp	mb3.tmp
File opened for modification	C:\Program Files\Malwarebytes\Anti-Malware\unins000.dat	_iu14D2N.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-JNK52.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-NH2A8.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-EN6FN.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Layouts\is-221SN.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.sys	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-B25DI.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-EB00P.tmp	mb3.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-6SP8J.tmp	mb3.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\security\logs\scecomp.log	mbamservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mb3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbstcmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unins000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_iu14D2N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupMBAM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mb3.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbamtray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mb4.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4796	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	mb3.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	mb3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	mb3.tmp

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mbamservice.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237E618C-D739-4C8A-9F72-5CD4EF91CBE5}\ = "IMWACControllerEventsV3"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EA9E3C-6507-4725-8F4F-ED4DDDE7A709}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9442AA1-AEB8-4FB4-B998-BFBC37BA8A99}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9F73DD6-F2A4-40F8-9109-67F6BB8D3704}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F128CCB-D86F-4998-803A-7CD58474FE2C}\ = "IScannerEvents"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63A6AB57-4679-4529-B78D-143547B22799}\TypeLib\Version = "1.0"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19184D37-6938-4F54-BAFD-3240F0FA75E6}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FFB94DF8-FC15-411C-B443-E937085E2AC1}\1.0	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0D8223D-D594-4147-BAD8-1E2B54ED1990}\TypeLib\Version = "1.0"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77AD284A-4686-413D-AA76-BDFC1DF52A19}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF16D72-5906-4045-86BC-16826F6212FE}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{332AFEBA-9341-4CEC-8EA6-DB155A99DF63}\1.0\ = "LicenseControllerCOMLib"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win64	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\TypeLib\ = "{226C1698-A075-4315-BB5D-9C164A96ACE7}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAD5232C-6E05-4458-9709-0B4DCB22EA09}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{893E5593-9490-4E90-9F1E-0B786EC41470}\TypeLib\ = "{2446F405-83F0-460F-B837-F04540BB330C}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7DD05E6E-FF07-4CD3-A7BA-200BEC812A5C}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9669A3D-81E8-46F6-A51E-815A0863D612}\ = "IAEControllerEventsV2"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61DF8ACF-EC61-4D69-A543-20EA450E1A84}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EC225D5-FD37-4F9B-B80F-09FAE36103AE}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{226C1698-A075-4315-BB5D-9C164A96ACE7}\1.0	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A173904-D20F-4872-93D5-CBC1336AE0D6}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1097B101-1FF8-4DD8-A6C1-6C39FB2EA5D6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CFA1689-38D3-4AE9-B1E8-B039EB7AD988}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MBAMExt.MBAMShlExt\CLSID\ = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C710FA9-862A-40CF-9F54-063EF8FC8438}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6655E528-3168-47A4-BF82-A71E9E6AB5F7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0B14402F-4F35-443E-A34E-0F511098C644}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.RTPController.1	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{566DC5CA-A3C4-4959-AB92-37606E12AAFF}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4EA13DC-F9D2-4DB9-A19F-2B462FFC81F3}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{118F4330-CAF5-4A54-ABB0-DC936669ED2F}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA09B8D-A536-4429-8331-49808442D24B}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2650A9C4-A53C-4BEF-B766-7405B4D5562B}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\Version	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{638A43D2-5475-424B-87B8-042109D7768F}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78E69E6F-EC12-4B84-8431-1D68572C7A61}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B42C782-9650-4EFF-9618-91118DF96061}\TypeLib\Version = "1.0"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC97FF29-5CE2-4897-8175-94672057E02D}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{566DC5CA-A3C4-4959-AB92-37606E12AAFF}\TypeLib\Version = "1.0"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18C5830A-FF78-4172-9DFB-E4016D1C1F31}\ = "IRTPController"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4BDE5F8-F8D4-4E50-937F-85E8382A9FEE}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71B13605-3569-4F4A-B971-08FF179A3A60}\TypeLib\Version = "1.0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{983849D5-BFE9-43E9-A9A0-CBAFBC917F39}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5250E5C8-A09C-4F87-A0DA-A46A62A0EACF}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61DF8ACF-EC61-4D69-A543-20EA450E1A84}\TypeLib\ = "{59DBD1B8-A7BD-4322-998F-41B0D2516FA0}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\ = "MBAMShlExt Class"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{02143C0F-1656-4B2E-95E7-EA8178A29E2E}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A583D5DD-F005-4D17-B564-5B594BB58339}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F95C137-46FC-42FB-A66A-F0482F3C749C}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9669A3D-81E8-46F6-A51E-815A0863D612}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{553B1C62-BE94-4CE0-8041-EB3BC1329D20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{638A43D2-5475-424B-87B8-042109D7768F}\ = "_IUpdateControllerEvents"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DAE713-FD88-4ADB-9406-04CB574D543C}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F77B440A-6CBC-4AFD-AA22-444552960E50}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7BCC13C-47B9-4DC0-8FC6-B2A489EF60EF}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AEBAD20-B80A-427D-B7D5-D2983291132E}\ = "ICustomScanParameters"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CE94D34-A1E4-4FA8-BEDC-6A32683B85F5}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106E3995-72F9-458A-A317-9AFF9E45A1F0}\ProxyStubClsid32	mbamservice.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1156	reg.exe
1408	reg.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df0030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4740f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc250f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df020000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a80300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc32000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a80300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mbamtray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	mbamtray.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5104	mbamtray.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
4256	mbamservice.exe
5104	mbamtray.exe
5104	mbamtray.exe
4256	mbamservice.exe
4256	mbamservice.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe
3872	mbstcmd.exe

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
692	Process not Found
692	Process not Found
692	Process not Found
692	Process not Found
692	Process not Found
692	Process not Found
692	Process not Found
692	Process not Found

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: 33	2688	mbamservice.exe
Token: SeIncBasePriorityPrivilege	2688	mbamservice.exe
Token: 33	4256	mbamservice.exe
Token: SeIncBasePriorityPrivilege	4256	mbamservice.exe
Token: SeRestorePrivilege	4256	mbamservice.exe
Token: SeTakeOwnershipPrivilege	4256	mbamservice.exe
Token: SeRestorePrivilege	4256	mbamservice.exe
Token: SeTakeOwnershipPrivilege	4256	mbamservice.exe
Token: SeAssignPrimaryTokenPrivilege	4256	mbamservice.exe
Token: SeIncreaseQuotaPrivilege	4256	mbamservice.exe
Token: SeSecurityPrivilege	4256	mbamservice.exe
Token: SeTakeOwnershipPrivilege	4256	mbamservice.exe
Token: SeLoadDriverPrivilege	4256	mbamservice.exe
Token: SeSystemtimePrivilege	4256	mbamservice.exe
Token: SeRestorePrivilege	4256	mbamservice.exe
Token: SeShutdownPrivilege	4256	mbamservice.exe
Token: SeSystemEnvironmentPrivilege	4256	mbamservice.exe
Token: SeUndockPrivilege	4256	mbamservice.exe
Token: SeManageVolumePrivilege	4256	mbamservice.exe
Token: SeSecurityPrivilege	4256	mbamservice.exe
Token: SeSecurityPrivilege	4256	mbamservice.exe
Token: 33	4564	mbamservice.exe
Token: SeIncBasePriorityPrivilege	4564	mbamservice.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1920	mb3.tmp
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
4928	_iu14D2N.tmp

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe
5104	mbamtray.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3700	3340	SetupMBAM.exe	81
PID 3340 wrote to memory of 3700	3340	SetupMBAM.exe	81
PID 3340 wrote to memory of 3700	3340	SetupMBAM.exe	81
PID 3700 wrote to memory of 780	3700	cmd.exe	83
PID 3700 wrote to memory of 780	3700	cmd.exe	83
PID 3700 wrote to memory of 1156	3700	cmd.exe	84
PID 3700 wrote to memory of 1156	3700	cmd.exe	84
PID 3700 wrote to memory of 4844	3700	cmd.exe	85
PID 3700 wrote to memory of 4844	3700	cmd.exe	85
PID 3700 wrote to memory of 4836	3700	cmd.exe	86
PID 3700 wrote to memory of 4836	3700	cmd.exe	86
PID 3700 wrote to memory of 4796	3700	cmd.exe	87
PID 3700 wrote to memory of 4796	3700	cmd.exe	87
PID 3700 wrote to memory of 5100	3700	cmd.exe	88
PID 3700 wrote to memory of 5100	3700	cmd.exe	88
PID 3700 wrote to memory of 4596	3700	cmd.exe	89
PID 3700 wrote to memory of 4596	3700	cmd.exe	89
PID 3700 wrote to memory of 4596	3700	cmd.exe	89
PID 4596 wrote to memory of 1920	4596	mb3.exe	90
PID 4596 wrote to memory of 1920	4596	mb3.exe	90
PID 4596 wrote to memory of 1920	4596	mb3.exe	90
PID 1920 wrote to memory of 1544	1920	mb3.tmp	91
PID 1920 wrote to memory of 1544	1920	mb3.tmp	91
PID 1920 wrote to memory of 632	1920	mb3.tmp	94
PID 1920 wrote to memory of 632	1920	mb3.tmp	94
PID 1920 wrote to memory of 2688	1920	mb3.tmp	96
PID 1920 wrote to memory of 2688	1920	mb3.tmp	96
PID 4256 wrote to memory of 5104	4256	mbamservice.exe	99
PID 4256 wrote to memory of 5104	4256	mbamservice.exe	99
PID 4256 wrote to memory of 5104	4256	mbamservice.exe	99
PID 3700 wrote to memory of 3236	3700	cmd.exe	100
PID 3700 wrote to memory of 3236	3700	cmd.exe	100
PID 3700 wrote to memory of 3236	3700	cmd.exe	100
PID 4256 wrote to memory of 3556	4256	mbamservice.exe	102
PID 4256 wrote to memory of 3556	4256	mbamservice.exe	102
PID 5428 wrote to memory of 3872	5428	MBAMInstallerService.exe	103
PID 5428 wrote to memory of 3872	5428	MBAMInstallerService.exe	103
PID 5428 wrote to memory of 3872	5428	MBAMInstallerService.exe	103
PID 3872 wrote to memory of 680	3872	mbstcmd.exe	104
PID 3872 wrote to memory of 680	3872	mbstcmd.exe	104
PID 3872 wrote to memory of 2360	3872	mbstcmd.exe	105
PID 3872 wrote to memory of 2360	3872	mbstcmd.exe	105
PID 3872 wrote to memory of 2360	3872	mbstcmd.exe	105
PID 2360 wrote to memory of 4928	2360	unins000.exe	106
PID 2360 wrote to memory of 4928	2360	unins000.exe	106
PID 2360 wrote to memory of 4928	2360	unins000.exe	106
PID 4928 wrote to memory of 4564	4928	_iu14D2N.tmp	107
PID 4928 wrote to memory of 4564	4928	_iu14D2N.tmp	107
PID 4928 wrote to memory of 236	4928	_iu14D2N.tmp	108
PID 4928 wrote to memory of 236	4928	_iu14D2N.tmp	108
PID 4928 wrote to memory of 5484	4928	_iu14D2N.tmp	109
PID 4928 wrote to memory of 5484	4928	_iu14D2N.tmp	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4836	attrib.exe
5176	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SetupMBAM.exe
"C:\Users\Admin\AppData\Local\Temp\SetupMBAM.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c .\setup.cmd
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\system32\fltMC.exe
    fltmc
    3⤵
    PID:780
- - C:\Windows\system32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1
    3⤵
    - Modifies registry key
    PID:1156
- - C:\Windows\system32\findstr.exe
    findstr /i /v "malwarebytes mwbsys" C:\Windows\System32\drivers\etc\hosts
    3⤵
    PID:4844
- - C:\Windows\system32\attrib.exe
    attrib -r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:4836
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:4796
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\7zSC0D94CA7\MB2Migration" "C:\ProgramData\MB2Migration" /i /s /y
    3⤵
    PID:5100
- - C:\Users\Admin\AppData\Local\Temp\7zSC0D94CA7\mb3.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC0D94CA7\mb3.exe" /verysilent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\is-QPB5N.tmp\mb3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-QPB5N.tmp\mb3.tmp" /SL5="$A022A,75987422,119296,C:\Users\Admin\AppData\Local\Temp\7zSC0D94CA7\mb3.exe" /verysilent
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Impair Defenses: Safe Mode Boot
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Windows\system32\certutil.exe
        
        "certutil.exe" -f -addStore root "C:\Users\Admin\AppData\Local\Temp\is-P7UM5.tmp\BaltimoreCyberTrustRoot.crt"
        5⤵
        
        PID:1544
    - - C:\Windows\system32\certutil.exe
        
        "certutil.exe" -f -addStore root "C:\Users\Admin\AppData\Local\Temp\is-P7UM5.tmp\DigiCertEVRoot.crt"
        5⤵
        
        PID:632
    - - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
        
        "C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe" /service
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
- - C:\Users\Admin\AppData\Local\Temp\7zSC0D94CA7\mb4.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC0D94CA7\mb4.exe" /verysilent /norestart
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3236
- - C:\Windows\system32\attrib.exe
    attrib +r "C:\Windows\Temp\MBInstallTemp\migrate\config\LicenseConfig.json"
    3⤵
    - Views/modifies file attributes
    PID:5176
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\MBAMInstallerService\Parameters /v SetSPStateCompleted /f
    3⤵
    - Modifies registry key
    PID:1408
- - C:\Windows\system32\shutdown.exe
    shutdown /r /t 0
    3⤵
    PID:5264

C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5104
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe" /wac 1 /status off false /updatesubstatus none /scansubstatus recommended /settingssubstatus none
  2⤵
  - Executes dropped EXE
  PID:3556

C:\Users\Admin\AppData\Local\Temp\MBAMInstallerService.exe
"C:\Users\Admin\AppData\Local\Temp\MBAMInstallerService.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5428
- C:\Windows\TEMP\MBInstallTemp\mbstcmd.exe
  "C:\Windows\TEMP\MBInstallTemp\mbstcmd.exe" /y /cleanup /quiet /nomb4uninstaller /noreboot
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
    "C:\Program Files\Malwarebytes\Anti-Malware\\MBAMWsc.exe" /uninstall
    3⤵
    - Executes dropped EXE
    PID:680
- - C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe
    "C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe" /LOG /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /log="C:\Windows\TEMP\Mbam3x.log"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\TEMP\_iu14D2N.tmp
      "C:\Windows\TEMP\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe" /FIRSTPHASEWND=$10060 /LOG /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /log="C:\Windows\TEMP\Mbam3x.log"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
        
        "C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe" /unregserver
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
    - - C:\Program Files\Malwarebytes\Anti-Malware\mbamwsc.exe
        
        "C:\Program Files\Malwarebytes\Anti-Malware\mbamwsc.exe" /uninstall
        5⤵
        Executes dropped EXE
        
        PID:236
    - - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll"
        5⤵
        
        PID:5484

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a18055 /state1:0x41c64e6d
1⤵
PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Actions.dll

Filesize
4.0MB

MD5
bbf8d1bd3fed70264553c43933c0778f

SHA1
ee482444cd5c8751b1e593f0ee9c4102a6b3e73b

SHA256
541236c5093e7d561049a9aa4aef0f4610d2229ac0f268098d028ac0acd0ebef

SHA512
427d177da0fb71869f604d316d3cf2a49c426d743bc0c48e2f75bf9dc6a574a82a25a1096d26d774c0221da4c9efaa21e2371dea3aaa7226fed0ff6a51dd9d04

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\BrowserSDKDLL.dll

Filesize
3.3MB

MD5
92e9642560b3824d14886b5a07abc0fe

SHA1
ea27777f0ac8c84d8f2acf14f4f3d76beaa3600f

SHA256
ee7bf546ff261caefe63b9291a359681e8167d3eae48529c8b03df83992d5f3f

SHA512
31c17b5019767980f900d7fc85a2a21e39e01ab52425418c2aef877584c26379b0bd0e79fffc155b14efb7187a7f4d1d6c57420ed83c028ab94574b5644f5bf3

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\CleanControllerImpl.dll

Filesize
5.1MB

MD5
6fc8a69f6702c7dffadfdcd17101f737

SHA1
6fbeb417b75098df88c364638e0cc703a87a0ae9

SHA256
28b7288e810e61871cc60ba7095401d0a241601a15a3c119e0a49e07355bd813

SHA512
96b1963255bf8581c49a8fbb200e8ccd88e2ca2dc188724dea8725eb3bdca49490f495b67f0511e3946c43ec584801a832fc257187b33cdbfd05be0d180db8b9

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMCore.dll

Filesize
4.4MB

MD5
357fc4ccbec4ba925ceec54ba1940de6

SHA1
16ff9d20c00b575c7fe3d19ed47ba2e1c025446b

SHA256
a99c1e7a2408fde154a259894bdce12486ba8aaff9904098c2febf60cf2d0142

SHA512
fe20f82a16001c3919bf8ada707532c7ecc3b0ff01170a8063dac7dbb6dca2f23c18a1fd2894836d1ad9d8cf5efc3f376d1a0536b29b77297709ded9306ab366

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll

Filesize
2.2MB

MD5
9461138ffbdb975a8e125163bf948158

SHA1
8275135bf4ceaf57c5ba8f66dd49d69d992c0c66

SHA256
373cf9d48fbb81f4ff07713428d50a62c7bbc0fc594af3987e0bd655f83ed3a0

SHA512
c0f7978527c24c9d767e58dfb53e346f9d1af1c09674bef723830754125985ae3846da262fad641e8cdc615779a244710fbb8d9e0e36a1205da4392c7782a34a

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\TelemetryControllerImpl.dll

Filesize
3.9MB

MD5
78f99c1fb3d8205824c758285f7967c9

SHA1
b4be038a5320a558ca6743cf96255b054a89e60f

SHA256
12b1d507ac03e261558e9f7da15a0dada975e1ae930ea0df6b3bb62e141e15a3

SHA512
afe82f1867f2bdde6af7d1b8474bfbf8a23fa0a3f20323980f701b1e6944c1e7237675169e0ef7c65f2c4b8c939b679555ac91d332c106dfc3560f5d1b4599ff

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\UpdateControllerImpl.dll

Filesize
3.3MB

MD5
441ec847e501ddd547fc10492fd5a287

SHA1
c67e70d2d0ddfb46b4fa0c80856c90feb918dc93

SHA256
3e63054601f976aeda5c2fcdf0d222bacf38f48eb729e51b3392c915b4686e36

SHA512
435241c11918276714079f98c67ebde4834ece5c0ac973594d2f28e9b8d444df1735ceec459a977868ddabb226d5c1e461f2bdd178710761b31bf3018d162356

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbshlext_proto

Filesize
2.1MB

MD5
5265576f992af1de32d79b8570f95922

SHA1
e355fd829c9eb02f56cd60103438164e79643c4f

SHA256
85e2fcb69ee45cb81cfdfcc4ece39caf3fc25a545df30a0f04d6c4c64520db7c

SHA512
fec8316d3fba8470d6d7582f1e494110a6ba4fc30eacaf134f093350361fe789278b13be5ddac23e42b1ae7a1956d0cff8cb702da5e637e0d2621e81d9a16869

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\pkgvers.dat

Filesize
50B

MD5
f92c71ddf5b699d9bf113cc80d5bc826

SHA1
1a8091b51c8328cffe98958c3098e4b9c1228bfc

SHA256
b110e26dcf57e8d3923c7b0e6a660e06a70246a2d0285fb3fd4a775579dda83f

SHA512
463c8f4810ac52b12e8620d748a8a087ef140e5d6ab6a3afdd1baf28beca17a0b6c069003391c66cf0fd2ef75112be1306201915c6a8942404c80e5b99947411

Download Submit
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\version.dat

Filesize
46B

MD5
8fb6a018f79059337fc548f2994bee6a

SHA1
2bfa752f3c9f4d8f952682614490fb1014c14823

SHA256
4e1a6a6dad48a69944d19afd8258c34f2880dea9b2c0a5515e6f64f1336de276

SHA512
2c2d8b835435fcb9f4e97c354165040417b5e7e37db4cccf9247b8ccb8c7be9b6a7c62b7ef7f6327cc049ab91a408439ebea221ab51365482106ebc6aa7bdb19

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\7z.dll

Filesize
1.6MB

MD5
7580437d0fb8c1ae60d96dafb6883d30

SHA1
be89b488b258555a8cf971e4d29c40ce92bf881d

SHA256
3dce36d583ba1c741e95df1a265e47f0de581bef77ab48165dd67266be7a42ef

SHA512
e67be84fb4c9bc87c20b72a1169f068b0afdbc9872be2cb0bfcf9eff65b2b246c60c7237350cbb38cefc004a75645f49d30c9acab12efb0e914450886c21e1eb

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ActionsShim.dll

Filesize
2.0MB

MD5
81cf22f2206cc72aa0430943042cc57d

SHA1
b1548ab1f95c2f99747be7f4758d48f2a97f3d66

SHA256
7ab470e83005cfde857d7d45a40058f790c097852a7fa3e252cf69f1de9eba88

SHA512
e9b094a6ec9ed8b5d69aabc3f89963df5ffc14db88dec2d67c494911498979f9ab703e1c7f007e59075dc871fc44fff4d27fb2b88a0a20bc53025fca908bfc7d

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\CloudControllerImpl.dll

Filesize
3.3MB

MD5
bdb0adcf1fa2d6ad11ca148925fc6056

SHA1
14348951d1749ac6fa25edb26fbdfc38261ed0ca

SHA256
56e54267ea2594d7b2a7b69d751f6aa70e99b7006dfff2f6ab516c83f5a5a09b

SHA512
017658186f962376de6affc45535f9e156f4a11027a8000ae1ed37b0699d598e3b41a3a29c2031982127adf2a575b3978bc7a2183fca822049efa61214b8d49a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Languages\lang_es.qm

Filesize
239KB

MD5
15cf1cf7b807776cc0b326fb13346dae

SHA1
49729240f86b74067183413aea526e9f9a769642

SHA256
5d4df71edd63c510af04d27aa15aaa009c24e07e53efb0559dc6cc6b67e1c6cd

SHA512
ffe781c632aa839cc66377ae31384bbeb4c4443d1e4875a902a6e1fc9c272ef1b911dfc7a423fb4902dd3033638919934a077639d19314380c5b219b52d102f7

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\LicenseControllerImpl.dll

Filesize
3.3MB

MD5
c091823974c144a4ad60253346be986f

SHA1
6268491af4b35824a25b3a879412aa3894073c90

SHA256
53aad200edbab6e1591c1502afab7e2014aaa98e52c4be6bdfdd5332248d2032

SHA512
02fb68f67eb49c7e76f3772ef830b9981487eda9c87243dd8b6b4406a9bcc2de0253ac63271e7c35dc27102211ffc31ef550d5b6d49734dce762f0c47bd563fa

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\MBAMShim.dll

Filesize
1.9MB

MD5
23d71c3090e1de46e5e5686f58f4571b

SHA1
c8ef6443aa1cb7bc74ba1f48e5b5c1dcb0b65c24

SHA256
a64270ddf9af5db895be90e913475e8c456e097d53075e19b7a8265dc81490cf

SHA512
8feeb817968b9d2b93a40c9271d79724cde852b26d959cabf106b97d24b4d8b4896cf88e151d4031f14f7546737004909eb4e93b0411ecb8417b4e05324f592c

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ScanControllerImpl.dll

Filesize
4.1MB

MD5
a7e39e856a7a4846c6fc0b4cd31c18eb

SHA1
3c1b6029fa3a80b02963a7627e1f8016015512f2

SHA256
b22cfbea6caa65db558a70e98a6a3a03135f6ea76636dcae78835da1f5cfb885

SHA512
17f3ec344b4c20c2a585258cf4f7841d2089e7eeb02943e4bbc8b89c92ec302c99643fd8ebeb4b8ff5a1ecc78586b77952152412331813c17422de11d7c1437d

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
607B

MD5
583b1ce5d38e08c8e32f218015769319

SHA1
7875af8dfbe541df6b9b8548914dda55c4f2cb8a

SHA256
1de36268392ac0c69b1cc4d10845544ef3739742ec15e721f2036914d987bf8d

SHA512
7d7461ff4ec0a0b4312047a18d590bffdc9efdf474d4085fd68ff9289dc57f39a9538337ca80690cb7dec12c73cbf855d91a2e0b3ccb9fa73bcb0a1c32fa144e

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Swissarmy.dll

Filesize
2.6MB

MD5
ddc20450bd11ef763fb94d5e4b9c9734

SHA1
70d9cd634984746b0bfc16a9b3558f0c08299f95

SHA256
40b795529049730cd841654c73a499c0ff3cbee6f5e05df96359c2d968f362be

SHA512
dd0d7e0185eead8d6104f3bebbd2d78825ec28eabadf488c0d58a594854b37784a8d0b7c9b4852e618395662b0427dfb31f39e81802b9d0a9a20c0eec100b759

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\SwissarmyShim.dll

Filesize
1.9MB

MD5
744524ba97e4f000a05ad256add6d96b

SHA1
2cc1a6b0ecc17db129bf479724e12ae1374cbc77

SHA256
c529264098ab30cb6a79ba8db9c5e208cf221e72aee47b70878986f19b2acf45

SHA512
ed0a99defe9ce9c2df2fd089b5ebe9a08b4b61e19017638269be53a74ce28d1e31e1e34519585d6b8a934eda7108e5610147f92d83414f5adf6b1f91e52d2717

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe

Filesize
10.8MB

MD5
bc378eebe3b5ad857a0c2a3d6759d1f1

SHA1
accc2aef3f96ba1adfd31ade0dd5716599b8d2e2

SHA256
cb0c0072d1690c5e0a4aae29d13496cd7ecfd48fe618c3ea4b3a65cefb26668a

SHA512
e5941c023524510c66a37bfc55ba6b28f02ca53d4ff6e85016411bfbff0fbd5e3a013fdc77985380f87fe291c526b9db11151ff6e2c0d419a2e37c51d1f9bf75

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe

Filesize
6.2MB

MD5
f7265b7490428499f2fe409fa9247866

SHA1
aa7ef4ddfa80551e0e636a3411ea28c5217d92b6

SHA256
43a406c74689b72020e4669b45f19d377a5ff3efe79b03af58c2679d14405e9d

SHA512
0b239376a42ea094d2ae202f0c05504de7f8317c414c3aa6f5e4571b435aee2940075f5d88dc89756cb447b96356ee6c4ad44efadbdc1d80a9992d8d21048164

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.sys

Filesize
247KB

MD5
351bf8f77b0a15a7b5a2ae098c52a387

SHA1
be04e8000a3352f41588aa084c2b1ac7ca5145f2

SHA256
a84330df5c4f0e5d6251d311b5dc78722d7724e87daf5de5a11eb73bb3502e26

SHA512
04d062b5b5f5c3285aa9b3fa921905a0ac13b630eb5bf7fa412eaf432b415c3b33dda4fdfe5e73dbcba4575aa3610cbcfeddc498b8439a90415969a9ae1151b9

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.sys

Filesize
110KB

MD5
30531264292dbc7507aa1ff4123f1f39

SHA1
5f938678984b63695b061c43e7c58d59d7035a9a

SHA256
ad27317bfab1d5c1b332000df51336424b4b80af725392eb4a0fe53dc0695c41

SHA512
344dea38a565a7f9fb8349e2a32226526ef8b546598c63a6465093e53e39512b509c7c3774b646231614b665d474c5b104805a4f1dbda173cbced67e06811bcd

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbam.sys

Filesize
43KB

MD5
0987b4bb03fa1f3c0c7d37347b707d4e

SHA1
282b0c57a2b5a2af3c3393e8ccbeccc05faa9ec4

SHA256
edea667695a680b955f42024ad349a9b795a2365c59312edcc3fe5bf362f59e6

SHA512
0bb44543ee6acd08d22270f9d4ccdcaf35e72867d2a12f888ad7f93d77237e83a5df3f140178f787c1a0ebfd02cdf3006066298862a36da74d8d1d8bf3390a53

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.sys

Filesize
186KB

MD5
0b4a62420642b842df8656dbff663b0c

SHA1
22a89c1d2085a4aa8b1a99f54e2d75fe330067fb

SHA256
acb7961eca32a50fcbd51b194488ddf40e610c2384edfd06235ae427bcb80c96

SHA512
e9ad9be23bbeb1c2fcfc17ce16c48af67f380e72dbb3ba292965e340f2a868402b5812934b56864486cb890af80f5316a2b81cc916da9b01f7135bc02c972bf5

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\mwac.sys

Filesize
101KB

MD5
a2814db0a52a490ae674ad06ecbdc4cf

SHA1
88bfe28759135d87377999596286fb5233766d79

SHA256
d3fa7326afbc7a5a94f7a4aec84a51acab89179d7caf0cb5f2af3794e6dba7f5

SHA512
6d3ac4bad74c226063aa2ea951dd72608ac884be0a7d9b5347de2e363811207b5a9ee3e8177ef44d11a6bab6538ae691a4825185784e47aa483c11c17be075de

Download Submit
C:\ProgramData\MB2Migration\Configuration\license.conf

Filesize
100B

MD5
a1e5a9e508fc1ffd94da7ff8474cd74b

SHA1
8e24fc7a0d84a58ce19d4d54eea5b2e9a0c6c7b4

SHA256
1b936920211bf35d9bc8cb198ddc582e903a5f5f98a213fbcc50d52e336b5026

SHA512
b2de1aae006ef6f0223dd032ca08714489cf90446c7154de8ae514427017af420abd1b9bf90330f05dcebf83bbde4a57225eda45574dd1be1efb871686e2b881

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
9KB

MD5
f3fc3523ac90ddae37b9f0336605f41b

SHA1
3815883f256c32aa635a1e7c257fabfcacbac4fa

SHA256
b1139f9dfac8c3caa831a75d4d54e792bfa98b7a6d668fde05a66a8a995a8f37

SHA512
a33cf7f892adb5e3f9d6975888ecccfd332082c0beacad67fd51d502c9fd442334af50909315737a20823296b1e389fe1d3c0072608aa0b61607c1a06e8333c1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
9KB

MD5
c6958640d171821f419a3ba5a8e56104

SHA1
5c15d8264acbe41d8e62376918ee7e71a4a95f2a

SHA256
b46478677cee1930f4b7e3733f05068c0c50cd38f122c901ec1392246bc90bc6

SHA512
79d5c661fc04ed4a19d68b2cec0ed26c976dff2b117bfd5f76de02fbc8fa63fb1e2a8eb30ad05c27a15c67ec09ab64598600652070fd2d1e47e527b4b54b0627

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
7ad641aef2cec03cf573ae3f18eaf50f

SHA1
efe70c1be17a6587c3deb4105919ae78218a71c0

SHA256
81e02567517feb1f6de5c8c8f5beb6b5a82c0827fb7b70dcf6707b80d2d0e1d0

SHA512
295e3ac10039818d7f23fcd15f5c87cea8dab3b84dd3d4f3f04b40f48b6d20fcd00121d5383176a20cd1e089e2720dd221a85cab91e6e3592ed922e2163032dd

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
fd9af526c54dd8397aa5a1f5036380fc

SHA1
2ea48ae8e8cdd4df0af2ff449de052cd4c67c532

SHA256
80a40f76bc127e695417f5c6bc5c8931d97a38e1601e7cde2aa62179aab308e3

SHA512
7ba0868d54b0a8e05fa665e4c6dfa8b2e62c75690f26eddb20cad49b25ad39a74d0774d082959799259e483f74c38617510a6dc2058f69f4d8c6a4226a1fdb9c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log

Filesize
2KB

MD5
921ee4fa6d5dacfef7b36132dd018a25

SHA1
74a3dbf149135525c28ffc553479e27c54e3421f

SHA256
6c85b2f128a49526a16faf06f6e872144090d938bacbfb85dcfbca81e236abb8

SHA512
9ebb7f8bbd220c3c0ac3faa83206b89b6012120071fb413edf26837082c47c6a4acccedf84dfe4215e1d9e865f4115a5294d4280e65656ee1fdce019c9e32765

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\prot.mbdb

Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\clean.mbdb

Filesize
3KB

MD5
4ab0d936d15fad1bfe1c9843c975a5b5

SHA1
c79b4a6d5ef3544bb9428b4fe1aa26dbddbd7f09

SHA256
5dfdd203c6aa96909fcca1eada34ac9f7fff0adf1db655e13753a84958c95874

SHA512
80829716ed63eff784767a0d316eb890f9065a80a8cfb26dfec34422c70aa02796f730b61b24ae6708e66c76a8cceb972a51ec93dfe423fb9c46b51cad79e6a6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\dbmanifest.dat

Filesize
775B

MD5
b3381f9aa89142e99b7cb53b3bb4c75c

SHA1
6af16450d96d258759850b45c22fe343b8b26b09

SHA256
de77da47eea08b013f3a17511cfbf078110ed62c35cf301d9fa916b7297a0b4a

SHA512
806e9f117ec6d60521fb95dc3da3b575aaba9e5d943817a05d5252d771d58578be64b44f98ccc6a88870936c13bbe02a5b683ed936b9f7df32959214e99f7dfc

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\dbmanifest2.dat

Filesize
775B

MD5
f3880fc3faa78872a9ebe2130344809a

SHA1
5592ab261f4ec22698106124fa49d335bf7179c4

SHA256
63bc73d9a26148537b51234ed4a7a8d03fba2529e78be052617cee6f06b130d6

SHA512
198fd603d3f45baf95f0515a931c41d528d90a77324822649185757cf18eaa0aa223779f7b52a071358c862ef99593d7fb145d47164c22c2319b452174d0969c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\dynconfig.dat

Filesize
22KB

MD5
885d647474d6eab46dd4b5197bbcf6c6

SHA1
5a8bd3b8f17b6501354dd646a6baf0a22cb55695

SHA256
1d7f22839b23f76773fdaed74aecc5bafc09aa24cd8500f3609ab2aa09d05845

SHA512
c876d81e32cdcbe244930b6c6a9fe870bb14f8f9dde47300ce08daa05bdac0f8960facbde7f5f78546f5dd777cc0371984cf8dada79bba33c961ca633ae68f99

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\exclusions.txt

Filesize
10KB

MD5
9a4ac2b44a9ad3ec5cf9534c2acde781

SHA1
a61d029ac93ada329c70633a7fcaeb754a22dded

SHA256
96813f362732ed0516316ae0f3119a6ea6bcefd53c940e59232546600853444f

SHA512
3c0ccc6ed19728f61e9075888427edf9b6bb9d47274b61beb6da9edf52c526848a07d6a559300d5a5696614ffdd9432ff007b1b853e601e4c8f28fc3bd2b51ff

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\mbdigsig.dat

Filesize
514B

MD5
dd15d093dc51c98167f736d69a349add

SHA1
957f340b5f3690bdee750bdbfdd1f1c698ca7be6

SHA256
e54e69d1293b6a7058fc580d749b643cca6aa823d1fc00ae7e245665fc62a7f1

SHA512
467417445c106ebf06620b1c33fadfd578f8cba28465ad09fb5147e914dd3607c420ed79fe6d3be80bc31e45b54bdf8fea17d14767ff984c3eaeb5d9841eba6e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\mbdigsig2.dat

Filesize
514B

MD5
98b4099b3d487621c580a0d29c722efc

SHA1
0d533cf45a311b6033db4532448d04492b5491c8

SHA256
4eae4a8483bce998f40bf1247185bf5bbcc9a844d3f1ee2262aad0bd7bebd78a

SHA512
0c6997ed4a7580b6f545a0da91fb8bee2af692bb45468235c646f09acb1efc326a1b20652c8471a136386be712be4a45e953c676aed07726d4342231742954b8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\rdefs.mbdb

Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\rules.mbdb

Filesize
18.6MB

MD5
be363c81439b1875e81cb6cfbd53f6d4

SHA1
b02017e19deffe541ee7613fa5efcee41d864178

SHA256
fe8b403929c13bfc48e91c5b5ae71d1efb3f52397a4832407914b313b81a0b62

SHA512
81ca1e7996c602fc7ed7c790f16557b4b269e0fce723c22167a0f1389d1ab28d8fccb7ebdb81149f1f8a235e5251738819b8dc24d9200c8f4e5ff8e8f2adf624

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\scan.mbdb

Filesize
1.8MB

MD5
dd762b25660bc1301ad50631f9dec302

SHA1
8093cd2bd83572646b8d6a9ac55b6758c6839be8

SHA256
6e62ed7029d73f8625db3309bf3146a3a1a793353faec7d1b70f67e71204e936

SHA512
1b0d5fb2d5cc0fb4b3494fa84502364d6582f054bd47d2ba58e2fd8ea00be6a7b660c80b4eac86b04ec8823d04cb611b0e9b46dc16cf9d0353a5a1a9c233a2b7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\tids.mbdb

Filesize
198KB

MD5
7ae4464544f8ec6dc2a19d7413fb40a1

SHA1
d6a48e08d9f43388544ced6e6ee0c3387bf358bd

SHA256
bd4acfc46b74046d5fc2a8fe1fc3c88fef43fda04681369347f762e21b7f0065

SHA512
19ef8eabf6b2d7069be05fd33e85d2b0774f67175c2cc033103ff966d15c5aeee815b9457e2acbfa5c188ec4e8bf4f963fa5c831cc054a88a50d0db4759d1041

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\tempdb\wprot.mbdb

Filesize
9.4MB

MD5
bb2294822ae2c2349907d0b5b7d0bbe7

SHA1
27f10b774ce5a1bf5633a73b2b12e7dc9cf38c88

SHA256
7f9b7a30ad2ed3f40a2285afc1c8526916e7b7a2fcdfd33265e76e6471696333

SHA512
84666ab71397e041a068aeba6ce8deb7d8bd26b8c60d566d3e156ec874cfd7ce95d4a59d7e41a9f0be215d880cda670f4c56e57c1bb53b5bb8288ae4e1b13d0c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\wprot2.mbdb

Filesize
6.1MB

MD5
b48e5f5448fe8fc971128a8686e17e40

SHA1
c8ba1082c02262c881a842fe16b95c3eeaf82b7f

SHA256
681dbb59a2f88a2c498940534761801c341a5c901f2c41b2f94dd8cb42a4350e

SHA512
9da5e8da866112686f49b61ec29151ff293baa810975f6e49019a742630904cfcd706e4a9825c1fedc182e7252c934c0553772bd554cc07f359860cf94b3de0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0D94CA7\MB2Migration\exclusions.dat

Filesize
104B

MD5
481e08b086e1663fabd9afa850093696

SHA1
5b283959d8f5d356b25890f89babc22a8cdc7d73

SHA256
8990dd342de96d5849ca93f4bc87a96cec4f33227e440e679668ee11207f3e38

SHA512
e01fb0c54923a11a2956eb5797513c1a6525b9d66b5ef044c646ae957b95e2b16bb19ea1b6214e94f65c30834f8b43d401bbfde1ae50290e06ab73af4375febf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0D94CA7\setup.cmd

Filesize
2KB

MD5
670d1358da6ceb98522768c559bb0c52

SHA1
8ddea4b7cfa63c2c4c1fbc9904af4c5ada97f5b5

SHA256
9579dfd0b67a233cc54201082bd0a6fb6ce500c541cb6055a412c0d202004678

SHA512
333899e94a1b4412fa76da9220d9981c5c755ebf9f14340127df0dcdab109f2dd67a009ba72d865ac9ce39c4de74b7a82e4164536cdee7cd403e784c9438bb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P7UM5.tmp\BaltimoreCyberTrustRoot.crt

Filesize
1KB

MD5
379a301592736712c9a60676c50cf19b

SHA1
c103790503bf8c2ff3f119adee027ebb429b9d21

SHA256
cc7400692bd90e1b5fc44e11c8dd7c788cbb462f52ea3f3decb579e4d51eb268

SHA512
dec25a31f2930eb575a43e654c29f170c261c1c4516767c0e71cc172ad6ad115914fb58d9cd79f681ff3d7c6baa6b7c0d6de99de09d7582c9807ae436f15572f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P7UM5.tmp\DigiCertEVRoot.crt

Filesize
1KB

MD5
d25e0f479b9601edf2c9c2dad7ba2706

SHA1
2f1d0001e47394f4c4deec9645c5f2df99f91a95

SHA256
63ff360aafde5ff959fb9671ec27002f99cbfae4907b410046b6a1b0f51cba9e

SHA512
3ba164dad3cadf1ea9f0c555695e4d39cba47612599f547d0d0d59014577995c0ddbff0ef6a5e436867454da02d500136b54c034c2223586271b26108b2cfb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P7UM5.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P7UM5.tmp\mb-header100.bmp

Filesize
7KB

MD5
4f8b110e37a818130310f0c34ec90dc5

SHA1
3bef6199fa0ba4c7b98d9c6a6c5a29c52ef9f3b1

SHA256
db72101e43020be81ff304f50cf593497d66073be946502c16bcd64e7b2adcc3

SHA512
d998b6f09e8750f8f99491e2c2dcbb0cec4a65f8154d795ca070eb131a4f88a30116715b67d1904a0b774e77d0b3ffdb994d10de5688e47f1e2901b10202402b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P7UM5.tmp\suhlpr.dll

Filesize
2.5MB

MD5
fad7ff3ad298b98af90ee28e8ac9e8ea

SHA1
8ef1656215747bbeaaabc3ca1a82d4d2de4166d9

SHA256
86f1c7b02c2c1cb100757b18719b1613f9035ae89cf7dd460a39da9f9f163c95

SHA512
812a04bd6e6800ca2f78224356a1035a78b3b4cc5c921c2c1d6a13a8bd5063cae8fd5352e39d2150a6f18790a23a02f4d45079cbfe52f854e006aefb9f167fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QPB5N.tmp\mb3.tmp

Filesize
1.1MB

MD5
4fbe9e047364e20b94e885e54d8846db

SHA1
e087573ec32542cd413b98de241f07b6d0a53552

SHA256
011678bfa9d1d8bd25b6131ae5d887326f46bda9b1b82c5795121bfe8b75d53e

SHA512
65870b8b8d1b9b6221701e7af646d26ca14e583663276728f0e962d2a49e3b84b951d248cd9c7f5389c607f9424c2bb9cf8e20780a23a6b659e6f8f1474fcf27

Download Submit
C:\Windows\Temp\MBInstallTemp\mbst-clean-results.txt

Filesize
2KB

MD5
9681c1d616009a64b56934d61be6571e

SHA1
a8480f31590cfc2711a03024492e6e26c234d9db

SHA256
cd25946daaf616d57165d9ce29530e8bf511c424287d517987273bfd28f7870b

SHA512
e7e19cbdb91d3b341b1106903312eac91bc712121fdd235a6bbd62b2fb6af238918883a42751f375cfe65a84c3e619f192a0e1ae87d1c1dafd7c7ea8ce16f8bf

Download Submit
C:\Windows\Temp\MBInstallTemp\mbst-clean-results.txt

Filesize
3KB

MD5
97a469e97297d76d828cf95fcfc4737a

SHA1
8dc79dc4870dca8d906559ce5379be90195c427a

SHA256
bdc631149a49abed7a94adafa17139be3001fa559e352e25930a62510f650f8e

SHA512
12eb24ced54fb4e37bf6d76a0922bb1d2c32a0b9a65eb3c9bd89e8e1e682d7ba3bb02f2a65cd5b1c76bf446e0fd805ef0171eecd2b28982bab7db60072842990

Download Submit
C:\Windows\Temp\MBInstallTemp\migrate\config\ArwControllerConfig.json

Filesize
243B

MD5
f1c83343fa0aed68ec9c112fe0ec7253

SHA1
ffa7806f37d2eee45d1bd0a5b29e58116c53df75

SHA256
2bd88ae411b3defea2c688c86d214945fe4db56693e9a96323e24db8dd895899

SHA512
9565d4f61a0bac206998d8d17f64b80b01afdc21e093e5779b25ccdcbb1eaba49f2c6ab4383ffcd7d473f5710c4caf49b66fb05f599c2f4071f9f54daf3896a4

Download Submit
C:\Windows\Temp\is-O3PLG.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Windows\Temp\mbst-clean-results.txt

Filesize
30KB

MD5
c0a1a164b589d1a72cb96604da58e792

SHA1
0d94bfe7e468b5ebcf8de0eb2165dc85d1e9b62d

SHA256
6d565ef29d880f8f47b446fa6963692dffe5d270680f39ec94356ba955ee3132

SHA512
6b564b4bb7441a3e9b0723602466d566180414417a1dd57201db2be66a36af3d3af4b004e7cfdab42203edfd8df8e9afce554824d58628eceedd4ebc88497b66

Download Submit
memory/1920-528-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1920-530-0x0000000002D30000-0x0000000002D45000-memory.dmp

Filesize
84KB

Download
memory/1920-46-0x0000000002D30000-0x0000000002D45000-memory.dmp

Filesize
84KB

Download
memory/4596-527-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4596-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4596-33-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/5104-598-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/5104-591-0x0000000004DA0000-0x0000000004DA2000-memory.dmp

Filesize
8KB

Download
memory/5104-590-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/5104-631-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-644-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/5104-643-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/5104-642-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-641-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-640-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-639-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-638-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-637-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-636-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-635-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-634-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-633-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-632-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-630-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-629-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-628-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-627-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-626-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-625-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/5104-624-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5104-623-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5104-622-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5104-621-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5104-620-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/5104-619-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/5104-618-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5104-617-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5104-616-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5104-615-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5104-614-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5104-613-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5104-612-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5104-611-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5104-610-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5104-609-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/5104-608-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/5104-607-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/5104-606-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/5104-605-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/5104-604-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/5104-592-0x0000000004DA0000-0x0000000004DA2000-memory.dmp

Filesize
8KB

Download
memory/5104-593-0x0000000004DA0000-0x0000000004DA2000-memory.dmp

Filesize
8KB

Download
memory/5104-594-0x0000000004DA0000-0x0000000004DA2000-memory.dmp

Filesize
8KB

Download
memory/5104-595-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/5104-596-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/5104-597-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/5104-599-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/5104-600-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/5104-601-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/5104-602-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/5104-603-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/5104-586-0x00000000031A0000-0x00000000039A0000-memory.dmp

Filesize
8.0MB

Download
memory/5104-587-0x00000000039E0000-0x00000000039E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads