wannacry | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Analysis

max time kernel
1049s
max time network
1038s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
15-12-2024 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry credential_access defense_evasion discovery execution impact persistence privilege_escalation ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"	MBAMService.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5784 created 3316	5784	MBSetup.exe	53

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Downloads MZ/PE file

Drops file in Drivers directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe
File created	C:\Windows\system32\drivers\mbae64.sys	MBAMInstallerService.exe
File created	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\mbamswissarmy.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\MbamChameleon.sys	MBAMService.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mbamchameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	MBAMService.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mbupdatrV5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mbupdatrV5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBAMService.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
5820	MBAMService.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9E11.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9E28.tmp	WannaCry.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 49 IoCs

pid	Process
1132	taskdl.exe
976	@[email protected]
1320	@[email protected]
3148	taskhsvc.exe
5612	taskdl.exe
5636	taskse.exe
5644	@[email protected]
4712	taskdl.exe
5564	taskse.exe
5576	@[email protected]
5776	@[email protected]
5760	taskse.exe
6032	taskdl.exe
2776	@[email protected]
3544	taskse.exe
4760	taskdl.exe
5784	MBSetup.exe
2224	MBAMInstallerService.exe
2656	taskse.exe
5920	@[email protected]
5500	taskdl.exe
132	MBVpnTunnelService.exe
3116	MBAMService.exe
5820	MBAMService.exe
7084	Malwarebytes.exe
7164	Malwarebytes.exe
4844	Malwarebytes.exe
5496	@[email protected]
4588	taskse.exe
4904	taskdl.exe
5268	mbupdatrV5.exe
6160	ig.exe
5176	taskse.exe
5980	@[email protected]
6032	taskdl.exe
4140	taskse.exe
6560	@[email protected]
6564	taskdl.exe
4744	taskse.exe
2384	@[email protected]
7048	taskdl.exe
2216	ig.exe
5456	ig.exe
4832	ig.exe
896	ig.exe
2500	ig.exe
5660	ig.exe
6068	ig.exe
2896	ig.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService	MBAMInstallerService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService\ = "Service"	MBAMInstallerService.exe

Loads dropped DLL 64 IoCs

pid	Process
3148	taskhsvc.exe
3148	taskhsvc.exe
3148	taskhsvc.exe
3148	taskhsvc.exe
3148	taskhsvc.exe
3148	taskhsvc.exe
3148	taskhsvc.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
132	MBVpnTunnelService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
2224	MBAMInstallerService.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2656	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fpoeqxjgeleu832 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	MBAMService.exe
File opened (read-only)	\??\R:	MBAMService.exe
File opened (read-only)	\??\W:	MBAMService.exe
File opened (read-only)	\??\B:	MBAMInstallerService.exe
File opened (read-only)	\??\P:	MBAMInstallerService.exe
File opened (read-only)	\??\V:	MBAMInstallerService.exe
File opened (read-only)	\??\L:	MBAMService.exe
File opened (read-only)	\??\S:	MBAMService.exe
File opened (read-only)	\??\V:	MBAMService.exe
File opened (read-only)	\??\X:	MBAMService.exe
File opened (read-only)	\??\G:	MBAMInstallerService.exe
File opened (read-only)	\??\J:	MBAMInstallerService.exe
File opened (read-only)	\??\L:	MBAMInstallerService.exe
File opened (read-only)	\??\W:	MBAMInstallerService.exe
File opened (read-only)	\??\P:	MBAMService.exe
File opened (read-only)	\??\G:	MBAMService.exe
File opened (read-only)	\??\H:	MBAMService.exe
File opened (read-only)	\??\Q:	MBAMService.exe
File opened (read-only)	\??\U:	MBAMService.exe
File opened (read-only)	\??\H:	MBAMInstallerService.exe
File opened (read-only)	\??\M:	MBAMInstallerService.exe
File opened (read-only)	\??\S:	MBAMInstallerService.exe
File opened (read-only)	\??\E:	MBAMService.exe
File opened (read-only)	\??\U:	MBAMInstallerService.exe
File opened (read-only)	\??\N:	MBAMService.exe
File opened (read-only)	\??\Z:	MBAMService.exe
File opened (read-only)	\??\I:	MBAMInstallerService.exe
File opened (read-only)	\??\O:	MBAMInstallerService.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\B:	MBAMService.exe
File opened (read-only)	\??\A:	MBAMInstallerService.exe
File opened (read-only)	\??\N:	MBAMInstallerService.exe
File opened (read-only)	\??\Q:	MBAMInstallerService.exe
File opened (read-only)	\??\T:	MBAMInstallerService.exe
File opened (read-only)	\??\Z:	MBAMInstallerService.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\T:	MBAMService.exe
File opened (read-only)	\??\K:	MBAMService.exe
File opened (read-only)	\??\E:	MBAMInstallerService.exe
File opened (read-only)	\??\R:	MBAMInstallerService.exe
File opened (read-only)	\??\X:	MBAMInstallerService.exe
File opened (read-only)	\??\Y:	MBAMInstallerService.exe
File opened (read-only)	\??\A:	MBAMService.exe
File opened (read-only)	\??\J:	MBAMService.exe
File opened (read-only)	\??\M:	MBAMService.exe
File opened (read-only)	\??\Y:	MBAMService.exe
File opened (read-only)	\??\I:	MBAMService.exe
File opened (read-only)	\??\K:	MBAMInstallerService.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 2 IoCs

Suspicious Windows Authentication Registry Modification.

persistence privilege_escalation

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Notification Packages = 73006300650063006c00690000000000	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f00300000000000	MBAMService.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_153e01d761813df2\netwew01.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\Temp\{06432323-82f1-b64f-b92b-ec4bfe3fefb0}\SETC27.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mbtun.inf_amd64_add82795013a7c3b\mbtun.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\117308CCCD9C93758827D7CC85BB135E	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netelx.inf_amd64_7812e4e45c4a5eb1\netelx.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ipoib6x.inf_amd64_ef71073a5867971f\ipoib6x.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\e2xw10x64.inf_amd64_04c2ae40613a06ff\e2xw10x64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_f1efe88b4f90c639\netax88772.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAEBE581FCB73249406FC21094EA252E_BC0CE803EF41A748738619ED7838EEFC	MBAMService.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net819xp.inf_amd64_ff7a5dd4f9b1ceba\net819xp.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_badb18141de40629\netbxnda.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_3aba8686305c0121\msdri.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_3aa3e69e968123a7\wceisvista.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_b96cdf411c43c00c\netbc64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\netmlx4eth63.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\117308CCCD9C93758827D7CC85BB135E	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_7aeb3e6bfcb2f0f1\netmlx5.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwtw06.inf_amd64_2edd50e7a54d503b\netwtw06.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\kdnic.inf_amd64_49825a4c00258135\kdnic.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_bfb9fd6f3a078899\netvwifimp.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcwlan64.inf_amd64_71c84e1405061462\qcwlan64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_2518575b045d267b\wnetvsc.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbncm.inf_amd64_6686e5d9c8b063ef\usbncm.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_2E01D413E600DA01958BFB19A6EF6010	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvchannel.inf_amd64_532c2a6259a26a38\netvchannel.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rtcx21x64.inf_amd64_d2a498d51a4f7bec\rtcx21x64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8192su64.inf_amd64_66c8bfc7a4b1feed\net8192su64.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_0D0888CE7AC1F2D5AD77780722B1FE14	MBAMService.exe
File opened for modification	C:\Windows\System32\dfm5rj.exe	MBAMService.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{06432323-82f1-b64f-b92b-ec4bfe3fefb0}	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane01.inf_amd64_b02695ef070d7a42\netrtwlane01.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\netvg63a.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_7080f6b8ea1744fb\netnvma.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbxnd0a.inf_amd64_777881a2c4c0272c\netbxnd0a.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\201DA8C72BE195AF55036D85719C6480	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21EA03E12A6F9D076B6BC3318EA9363E_6EF0095DA824AE045AE9FC5B645DF095	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\229169D96B9C20761B929D428962A0A2_FC65190A8D1232A1711F16F9F20C5149	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_a8bb8a6e92764769\netax88179_178a.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\netwsw00.PNF	MBVpnTunnelService.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Malwarebytes\Logs\MBAMSI.alt1.lock	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9EC3B71635F8BA3FC68DE181A104A0EF_10CFC0D4C45D2E76B7EA49C8C22BEDFE	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A334956C3F99BD182BF4859935BADE72_FACA7E02B2152427A5B3C5BC1AC9CE92	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1ic64.inf_amd64_1e173acb8f2f340f\net1ic64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bcmdhd64.inf_amd64_e0bae6831f60ea5f\bcmdhd64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\athw8x.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\net7800-x64-n650f.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	MBAMService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1401C7EC8E96BC79CBFD92F9DF762D_E35D496D1CD0B884BEBCAFED0FE61600	MBAMService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4\netv1x64.PNF	MBVpnTunnelService.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Core.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Reflection.Primitives.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Runtime.CompilerServices.Unsafe.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\pt-BR\System.Xaml.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\ru\System.Windows.Input.Manipulations.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\System.Security.Cryptography.Xml.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\CleanControllerImpl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\api-ms-win-crt-time-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\Microsoft.WindowsDesktop.App.runtimeconfig.json	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\tr\UIAutomationClient.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\createdump.exe	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Runtime.Serialization.Formatters.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\cs\Microsoft.VisualBasic.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\es\Microsoft.VisualBasic.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\ja\PresentationFramework.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\ko\UIAutomationClientSideProviders.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\tr\Microsoft.VisualBasic.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\zh-Hant\UIAutomationClientSideProviders.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.IO.Pipes.AccessControl.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Reflection.Emit.Lightweight.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\cs\PresentationFramework.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\ko\Microsoft.VisualBasic.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\api-ms-win-crt-process-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\fr\WindowsFormsIntegration.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\System.Configuration.ConfigurationManager.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Reflection.Metadata.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\fr\System.Windows.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\pl\System.Windows.Forms.Design.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\PresentationCore.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.UI.Theme.Light.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\api-ms-win-core-file-l1-2-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\mscordbi.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Collections.Specialized.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Diagnostics.Process.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Diagnostics.TraceSource.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Net.NameResolution.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Net.Quic.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Runtime.Extensions.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Security.Cryptography.X509Certificates.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\it\UIAutomationClient.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\pt-BR\System.Windows.Input.Manipulations.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\tr\System.Windows.Forms.Design.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\96b535db-32be-440f-87db-1d05dba5cbf9	MBSetup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\api-ms-win-core-handle-l1-1-0.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\tr\System.Windows.Forms.Primitives.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbae.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\it\Microsoft.VisualBasic.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\PenImc_cor3.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\pl\System.Windows.Input.Manipulations.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\pl\UIAutomationClientSideProviders.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\ru\PresentationCore.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\SelfProtectionSdk.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Memory.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.ObjectModel.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\ucrtbase.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\de\Microsoft.VisualBasic.Forms.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\System.Net.WebClient.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\cs\WindowsBase.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.33\Microsoft.VisualBasic.Forms.dll	MBAMInstallerService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.tmf	MBAMService.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.33\api-ms-win-crt-locale-l1-1-0.dll	MBAMInstallerService.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\SystemTemp\Tmp5773.tmp	MBAMService.exe
File opened for modification	C:\Windows\SystemTemp\Tmp6242.tmp	MBAMService.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MBVpnTunnelService.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MBSetup.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MBSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Malwarebytes.exe = "11000"	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MBAMService.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mbupdatrV5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	MBAMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mbupdatrV5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\16.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MBAMInstallerService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.TelemetryController\CurVer	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CFA1689-38D3-4AE9-B1E8-B039EB7AD988}\ = "ICloudController"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{560EB17C-4365-4DFC-A855-F99B223F02AF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62A3C5F3-503F-4205-A044-5EA683BEDABE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F14F58B-B908-4644-830F-5ACF8542D27F}\ = "IUpdateControllerV2"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA1D4FDD-C9C8-4575-A2A1-4179C3A3473D}\TypeLib\ = "{783B187E-360F-419C-B6DA-592892764A01}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{960F2BB5-E954-45C5-97DF-A770D9D8C24B}\ = "IScanParametersV9"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE77988C-B530-4686-8294-F7AB429DFD0C}\TypeLib\ = "{F5BCAC7E-75E7-4971-B3F3-B197A510F495}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC4D9C86-78F2-435F-8355-5328509E04F1}\TypeLib\ = "{226C1698-A075-4315-BB5D-9C164A96ACE7}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97EB7268-0D7B-43F6-9C11-337287F960DF}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{473BC184-760C-4255-A118-E8064C4EC595}\ = "_ISPControllerEvents"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7995CBA9-83E0-4F28-A50B-DFDE85EBCCD1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2058A31F-5F59-4452-9204-03F588252FFC}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F128CCB-D86F-4998-803A-7CD58474FE2C}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49F6AC60-2104-42C6-8F71-B3916D5AA732}\1.0\ = "MWACControllerCOMLib"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9D47FCC-ECEC-453C-9936-2CD0F16A8696}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\Version\ = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DAE713-FD88-4ADB-9406-04CB574D543C}\ = "IScanControllerV3"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F967173-2B83-4B7F-A633-074B06FD0C64}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{97EB7268-0D7B-43F6-9C11-337287F960DF}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2870643-0645-41F9-BCCB-F5969386162C}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46AEAC9A-C091-4B63-926C-37CFBD9D244F}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F14F58B-B908-4644-830F-5ACF8542D27F}\TypeLib\ = "{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{893E5593-9490-4E90-9F1E-0B786EC41470}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4163399F-AB08-4E5E-BE28-6B9440393AD3}\ = "IMWACControllerV13"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FB37514-21FA-4B2C-94DA-1562126E9F5F}\TypeLib\ = "{A23C190D-C714-42C7-BDBB-F4E1DE65AF27}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{893E5593-9490-4E90-9F1E-0B786EC41470}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C731375E-3199-4C88-8326-9F81D3224DAD}\1.0\HELPDIR	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E298372C-5B10-42B4-B44C-7B85EA0722A3}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E46A48DF-07CC-4C7F-89BB-145CF0DFC60A}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014D0CF7-ACC9-4004-B999-7BDBAAD274B7}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014D0CF7-ACC9-4004-B999-7BDBAAD274B7}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{115D004C-CC20-4945-BCC8-FE5043DD42D0}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{571FB9A8-E53B-4740-B125-082207566E5F}\ProxyStubClsid32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00A73BC0-754E-44E1-B190-D59E187A5EA1}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82AA83E1-EC24-4908-90E5-FAA212B30200}\TypeLib\ = "{332AFEBA-9341-4CEC-8EA6-DB155A99DF63}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CE18DD5-2BD7-4844-B9AD-DF6A995750A1}	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E777BB2-8526-437A-BBE2-42647DE2EC86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1BDE8B0-F598-4334-9991-ECC7442EEAA6}\ = "ILicenseControllerV9"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9704115C-F54E-4D64-8554-0CAF8BF33B1B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F275D775-3A22-4C5A-B9AD-6FE8008304D0}\ = "_IMWACControllerEventsV4"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62A3C5F3-503F-4205-A044-5EA683BEDABE}\ = "IMWACControllerEventsV7"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{090D2E82-C71B-414E-AF6A-6681A92FF2B3}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99E6F3FE-333C-462C-8C39-BC27DCA4A80E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17A7CC72-3288-442A-ABE8-F8E049B3BE83}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36F3C7D7-BCB1-4359-AB71-0CB816FE3D38}\TypeLib\ = "{59DBD1B8-A7BD-4322-998F-41B0D2516FA0}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBA4A79D-9F4E-4E7A-AC00-49ECE23C20B6}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C85F3EB8-B099-4598-89C3-E33BAC2CE53D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F2D6C4F-0B95-4A53-BA9D-55526737DC34}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD010FD4-ED27-4B3A-836C-D09269FF3811}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MBAMExt.MBAMShlExt.1	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36BABBB6-6184-44EC-8109-76CBF522C9EF}\ = "_IScanControllerEventsV13"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE351550-6C4E-4662-AD87-FEB0707F6C62}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{09F245DA-55E7-451E-BDF3-4EE44637DFF1}\TypeLib\ = "{A23C190D-C714-42C7-BDBB-F4E1DE65AF27}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8258E71-3A7A-4D9D-85BB-C7999F95B7E4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\Programmable	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ABC1D1AF-23ED-4483-BDA4-90BCC21DFBDB}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}\1.0\0	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA6C70E7-6A6D-4F4A-99BF-C8B375CB7E0C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F275D775-3A22-4C5A-B9AD-6FE8008304D0}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71AC94F2-D545-438F-9156-C231B7D94A56}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE351550-6C4E-4662-AD87-FEB0707F6C62}\ = "ILicenseControllerV16"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E46A48DF-07CC-4C7F-89BB-145CF0DFC60A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5724	reg.exe

Modifies system certificate store 2 TTPs 37 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D772DA0874059418FCDAACE3F4FF2AC964A852FF\Blob = 030000000100000014000000d772da0874059418fcdaace3f4ff2ac964a852ff140000000100000014000000246593980801e84ed4d64cea6455e1c0fafbcfb3040000000100000010000000fe9ab1791f2f2a2a01fce48d6b2a093c0f000000010000003000000054de7e1f5b9b2c1834c8e4fedef7bec89e6e7117ef761a80d1bccec1d63888d0d4ad1b6c5c6a4ea556436ddd29aaf904190000000100000010000000ce4cfdd3ed415f0993c3c8bd5428ecbb5c0000000100000004000000000c0000180000000100000010000000ea6089055218053dd01e37e1d806eedf200000000100000048060000308206443082042ca0030201020211009e02b0e94aceb2109ca1e9836be0c2db300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3231303532353030303030305a170d3336303532343233353935395a304f310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312630240603550403131d5365637469676f2052534120436f6465205369676e696e672043412032308201a2300d06092a864886f70d01010105000382018f003082018a0282018100bb7bff8fbf4b2d43b6f1661c00ff8d9d2a7840c4234c4349a709395a45510b16fdee6031f53470e363075bec932a725a16385216091d2f53efa83eec3aa07ba25348802d95959b14ddb213f617c13b2612049cde3d4c4a3d33c30c26256f3d6e0f9503b18433c690499ef9e636778f006324606f5d61e44d1b0df783548cbc4f8a7c20f42a20aa61a02d902877d351569c94cca6f421cad8be289a4a1e5486c3f6ec6c6ac10e69d339b273758ff0abf75b77391ea30672e23287f97fc61413e468911d33a9c7b3302db6a9c581ef21848aba96ec110364e5dfbaa9c18d4e7e2cdffbc380c1a8296a321225fa20451c29f5549adf8ae067f1310f0a11c63170afbc803b177ec3f23626be3c37cf37b85d795497b8bbc37f76056a359f8213194f2af37dc9b988166a4c38d82b61e5615b571a0ec7fd7bb76b0a42401ff30fe0ec70ba6a79571889c71df7309f430a0715067245a3575ebfa3ed584c62197566c21b0175a6560d1461b5765bf137b4040503c1c4a3ff5dcaf49dbae72f16f6b67b0203010001a382015f3082015b301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e04160414246593980801e84ed4d64cea6455e1c0fafbcfb3300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff02010030130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c01040130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307106082b0601050507010104653063303a06082b06010505073002862e687474703a2f2f6372742e7573657274727573742e636f6d2f55534552547275737452534141414143412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010055d1f2be5bc5485740e5ecd9faeffd6b92fca8754779e9cfc23d14f9a109e565b9ad9fbc4ef29da2e735cccfa2392b472bc0e0ba36902366d1126488d95751add00f6f5f8a90cf1bb17a6956fac2400a85bfe1bae0cd72337817684ef2eb0276135b8529532e1d3caf14b46c0333f437a1ed90453ff573bca9925017ebfe39ca4640eafba3b4179b585ac5004f6cd30cc05f6f867781a63d2516f62fa249f093bed557723cb3c8d21b129930221003f64a89e0928fa8c338600f2156d4ebab5733a777dd27e591539e2f671f4bc38bf4656392ce9512561e1daee2ed8074beec4dfeecc717d79493974c464cc54662e53b9d1a08c0630ad519cc0ab089cc8b2e084578d969ec7d0db7cf86a12ec3e0860e3709e44bc50c73c8f628dc9ed5959a235771ce406d9d5bea1bc3b2492444f41004caeda6925f54d6097b3ab992d310111499b6ce40ffe5c6a3776635adec33a03bc8c69e3ea19985587cb1a85a38e62e53ac7ffd133beb57d46dfdf21ce2f78cb42ef6d754ef23ed29b10ccb1f9a3cd82f9e0d66499f508786a0f1f9ca1cb01dc3f14c9efcd3a64feef466b642d170b95b948385bbd44479771188b1a071eafa4bf0ff8708cd8a8866ba87405c9488d8ad0a0742f7bee4cb993791318d9a6810fe9a03bc150226b79e70bd19804cecf00280fbff4ca2b76ebfe3d8e4dcf7c8856b986ed21371dceecac9ae317e7b05	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D772DA0874059418FCDAACE3F4FF2AC964A852FF	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa20f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	MBAMInstallerService.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe\:Zone.Identifier:$DATA	MBAMInstallerService.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 887080.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MBSetup.exe:Zone.Identifier	msedge.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe\:SmartScreen:$DATA	MBAMInstallerService.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3148	taskhsvc.exe
3148	taskhsvc.exe
3148	taskhsvc.exe
3148	taskhsvc.exe
3148	taskhsvc.exe
3148	taskhsvc.exe
2408	msedge.exe
2408	msedge.exe
4488	msedge.exe
4488	msedge.exe
772	identity_helper.exe
772	identity_helper.exe
5460	msedge.exe
5460	msedge.exe
1908	msedge.exe
1908	msedge.exe
5784	MBSetup.exe
5784	MBSetup.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
2224	MBAMInstallerService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe
5820	MBAMService.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3796	WMIC.exe
Token: SeSecurityPrivilege	3796	WMIC.exe
Token: SeTakeOwnershipPrivilege	3796	WMIC.exe
Token: SeLoadDriverPrivilege	3796	WMIC.exe
Token: SeSystemProfilePrivilege	3796	WMIC.exe
Token: SeSystemtimePrivilege	3796	WMIC.exe
Token: SeProfSingleProcessPrivilege	3796	WMIC.exe
Token: SeIncBasePriorityPrivilege	3796	WMIC.exe
Token: SeCreatePagefilePrivilege	3796	WMIC.exe
Token: SeBackupPrivilege	3796	WMIC.exe
Token: SeRestorePrivilege	3796	WMIC.exe
Token: SeShutdownPrivilege	3796	WMIC.exe
Token: SeDebugPrivilege	3796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3796	WMIC.exe
Token: SeRemoteShutdownPrivilege	3796	WMIC.exe
Token: SeUndockPrivilege	3796	WMIC.exe
Token: SeManageVolumePrivilege	3796	WMIC.exe
Token: 33	3796	WMIC.exe
Token: 34	3796	WMIC.exe
Token: 35	3796	WMIC.exe
Token: 36	3796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3796	WMIC.exe
Token: SeSecurityPrivilege	3796	WMIC.exe
Token: SeTakeOwnershipPrivilege	3796	WMIC.exe
Token: SeLoadDriverPrivilege	3796	WMIC.exe
Token: SeSystemProfilePrivilege	3796	WMIC.exe
Token: SeSystemtimePrivilege	3796	WMIC.exe
Token: SeProfSingleProcessPrivilege	3796	WMIC.exe
Token: SeIncBasePriorityPrivilege	3796	WMIC.exe
Token: SeCreatePagefilePrivilege	3796	WMIC.exe
Token: SeBackupPrivilege	3796	WMIC.exe
Token: SeRestorePrivilege	3796	WMIC.exe
Token: SeShutdownPrivilege	3796	WMIC.exe
Token: SeDebugPrivilege	3796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3796	WMIC.exe
Token: SeRemoteShutdownPrivilege	3796	WMIC.exe
Token: SeUndockPrivilege	3796	WMIC.exe
Token: SeManageVolumePrivilege	3796	WMIC.exe
Token: 33	3796	WMIC.exe
Token: 34	3796	WMIC.exe
Token: 35	3796	WMIC.exe
Token: 36	3796	WMIC.exe
Token: SeBackupPrivilege	3164	vssvc.exe
Token: SeRestorePrivilege	3164	vssvc.exe
Token: SeAuditPrivilege	3164	vssvc.exe
Token: SeDebugPrivilege	2744	firefox.exe
Token: SeDebugPrivilege	2744	firefox.exe
Token: SeTcbPrivilege	5636	taskse.exe
Token: SeTcbPrivilege	5636	taskse.exe
Token: SeTcbPrivilege	5564	taskse.exe
Token: SeTcbPrivilege	5564	taskse.exe
Token: SeTcbPrivilege	5760	taskse.exe
Token: SeTcbPrivilege	5760	taskse.exe
Token: SeTcbPrivilege	3544	taskse.exe
Token: SeTcbPrivilege	3544	taskse.exe
Token: SeTcbPrivilege	2656	taskse.exe
Token: SeTcbPrivilege	2656	taskse.exe
Token: SeDebugPrivilege	2224	MBAMInstallerService.exe
Token: SeDebugPrivilege	2224	MBAMInstallerService.exe
Token: SeDebugPrivilege	2224	MBAMInstallerService.exe
Token: SeDebugPrivilege	2224	MBAMInstallerService.exe
Token: SeDebugPrivilege	2224	MBAMInstallerService.exe
Token: SeDebugPrivilege	2224	MBAMInstallerService.exe
Token: SeDebugPrivilege	2224	MBAMInstallerService.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
2744	firefox.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
7084	Malwarebytes.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
976	@[email protected]
976	@[email protected]
1320	@[email protected]
1320	@[email protected]
2744	firefox.exe
5644	@[email protected]
5644	@[email protected]
5576	@[email protected]
5776	@[email protected]
2776	@[email protected]
5784	MBSetup.exe
5920	@[email protected]
5496	@[email protected]
5980	@[email protected]
6560	@[email protected]
2384	@[email protected]
4484	explorer.exe
2020	SearchHost.exe
3968	StartMenuExperienceHost.exe
4484	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 1536	4780	WannaCry.exe	78
PID 4780 wrote to memory of 1536	4780	WannaCry.exe	78
PID 4780 wrote to memory of 1536	4780	WannaCry.exe	78
PID 4780 wrote to memory of 2656	4780	WannaCry.exe	79
PID 4780 wrote to memory of 2656	4780	WannaCry.exe	79
PID 4780 wrote to memory of 2656	4780	WannaCry.exe	79
PID 4780 wrote to memory of 1132	4780	WannaCry.exe	82
PID 4780 wrote to memory of 1132	4780	WannaCry.exe	82
PID 4780 wrote to memory of 1132	4780	WannaCry.exe	82
PID 4780 wrote to memory of 3696	4780	WannaCry.exe	83
PID 4780 wrote to memory of 3696	4780	WannaCry.exe	83
PID 4780 wrote to memory of 3696	4780	WannaCry.exe	83
PID 3696 wrote to memory of 1120	3696	cmd.exe	85
PID 3696 wrote to memory of 1120	3696	cmd.exe	85
PID 3696 wrote to memory of 1120	3696	cmd.exe	85
PID 4780 wrote to memory of 1976	4780	WannaCry.exe	86
PID 4780 wrote to memory of 1976	4780	WannaCry.exe	86
PID 4780 wrote to memory of 1976	4780	WannaCry.exe	86
PID 4780 wrote to memory of 976	4780	WannaCry.exe	89
PID 4780 wrote to memory of 976	4780	WannaCry.exe	89
PID 4780 wrote to memory of 976	4780	WannaCry.exe	89
PID 4780 wrote to memory of 3792	4780	WannaCry.exe	90
PID 4780 wrote to memory of 3792	4780	WannaCry.exe	90
PID 4780 wrote to memory of 3792	4780	WannaCry.exe	90
PID 3792 wrote to memory of 1320	3792	cmd.exe	92
PID 3792 wrote to memory of 1320	3792	cmd.exe	92
PID 3792 wrote to memory of 1320	3792	cmd.exe	92
PID 976 wrote to memory of 3148	976	@[email protected]	94
PID 976 wrote to memory of 3148	976	@[email protected]	94
PID 976 wrote to memory of 3148	976	@[email protected]	94
PID 4488 wrote to memory of 348	4488	msedge.exe	99
PID 4488 wrote to memory of 348	4488	msedge.exe	99
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100
PID 4488 wrote to memory of 944	4488	msedge.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1976	attrib.exe
1536	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
  "C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
  2⤵
  - Drops startup file
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1536
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 169821734230304.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:1120
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3796
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:5612
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5636
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5644
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fpoeqxjgeleu832" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5652
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fpoeqxjgeleu832" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:5724
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4712
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5564
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5576
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5760
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5776
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:6032
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2776
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4760
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5920
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:5500
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:4588
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5496
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4904
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:5176
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5980
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:6032
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:4140
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6560
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:6564
- - C:\Users\Admin\AppData\Local\Temp\taskse.exe
    taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:4744
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2384
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:7048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff04f73cb8,0x7fff04f73cc8,0x7fff04f73cd8
    3⤵
    PID:348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1984 /prefetch:2
    3⤵
    PID:944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
    3⤵
    PID:1872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    3⤵
    PID:3772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:4684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
    3⤵
    PID:1636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
    3⤵
    PID:1472
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
    3⤵
    PID:5936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
    3⤵
    PID:5944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:1
    3⤵
    PID:5948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1236 /prefetch:1
    3⤵
    PID:5188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
    3⤵
    PID:6080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
    3⤵
    PID:6060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
    3⤵
    PID:5920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
    3⤵
    PID:224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
    3⤵
    PID:3708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
    3⤵
    PID:5388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6824 /prefetch:8
    3⤵
    PID:1512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:1908
- - C:\Users\Admin\Downloads\MBSetup.exe
    "C:\Users\Admin\Downloads\MBSetup.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,15786335190025471025,5536363683521901452,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5904 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5160
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:4700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2744
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5fc5899-cbbd-4a53-b759-e9827014439d} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" gpu
      4⤵
      PID:3552
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63dfde1a-a757-4821-b252-e2138397bc64} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" socket
      4⤵
      Checks processor information in registry
      PID:2704
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 1072 -prefMapHandle 2716 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f737355-f667-4a04-9ac0-e9988ba7e463} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" tab
      4⤵
      PID:3632
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3548 -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 2908 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cb24ed7-e0a1-4287-8c20-107affe00ea7} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" tab
      4⤵
      PID:1164
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4708 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4700 -prefMapHandle 4668 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ed5acc4-1085-4178-821c-f4da085d927f} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" utility
      4⤵
      Checks processor information in registry
      PID:5604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 3 -isForBrowser -prefsHandle 5280 -prefMapHandle 5304 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4bde852-a626-41a9-8519-565e44a77d26} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" tab
      4⤵
      PID:4996
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5328 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d69b97d6-86e8-4468-9148-56046837f03d} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" tab
      4⤵
      PID:1952
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 5 -isForBrowser -prefsHandle 5524 -prefMapHandle 5528 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {435f8c32-ddc9-4b8f-a853-46a3c4a37fbf} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" tab
      4⤵
      PID:4308
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6128 -childID 6 -isForBrowser -prefsHandle 2708 -prefMapHandle 3416 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8130ea94-d5a6-427f-93e9-81b55a2b9b18} 2744 "\\.\pipe\gecko-crash-server-pipe.2744" tab
      4⤵
      PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:2540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7fff04f73cb8,0x7fff04f73cc8,0x7fff04f73cd8
    3⤵
    PID:5832
- C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe"
  2⤵
  - Executes dropped EXE
  PID:7164
- - C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
    "C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe"
    3⤵
    - Executes dropped EXE
    PID:4844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224
- C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:132
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Modifies registry class
  PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2328
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "0000000000000144" "Service-0x0-3e7$\Default" "0000000000000158" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5524

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:5820
- C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" nowindow
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SendNotifyMessage
  PID:7084
- C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe
  "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe" "C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\config\UpdateControllerConfig.json" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbclsupdate\staging" /db:dbupdate /su:no
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:5268
- C:\Users\Admin\AppData\LocalLow\IGDump\sec\ig.exe
  ig.exe secure
  2⤵
  - Executes dropped EXE
  PID:6160
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:5456
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:896
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:5660
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:6068
- C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe
  ig.exe reseed
  2⤵
  - Executes dropped EXE
  PID:2896

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:744

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2640
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4484

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe

Filesize
2.9MB

MD5
46f875f1fe3d6063b390e3a170c90e50

SHA1
62b901749a6e3964040f9af5ddb9a684936f6c30

SHA256
1cf9d3512efffaa2290c105ac8b7534026604067c9b533e7b7df2e017569a4ec

SHA512
fdfb348061158f8133380e9a94215f4bfc0f6ce643a129d623cb8034c49144f1489de56cd076da645478506d9fbddc7590fe3d643622210084b15fdf0d16b557

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe

Filesize
291KB

MD5
83e78af5bb3005795455bf25cd655119

SHA1
cfb1c565eaf3f22eeb4d7de4e45750d02c0890e9

SHA256
9146792296dbfa654c1e074cb4859516f8679c1db4e94833ffc6933491811ae2

SHA512
39942d8245599e64f591c1fb09bebc0838f2be7b94e8311d23f24db1673567eb684bb08bd7a88e9682eb0e5da4bcb24fe20a236760da32846753835daff82efc

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
621B

MD5
a005980584a88e0ea77864b7053299a5

SHA1
6ffd4ce2093abe4c306d0359c5f30de85c1a57e6

SHA256
37400258d85f54c4b71292227bc00e8419e0490fdc78508ea504b42753bde5e0

SHA512
7e4f18c891845047111f349f54905d43047fb0b9610ca607d31e86c900c3d783bb2c4241ef4d18a80684e3937e852157258f8e36a3e90f077327f07fed014a9d

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

Filesize
654B

MD5
94950c501cec47c4367cf0fae335fe73

SHA1
a511eeabf398cd266f0707fde050447363864137

SHA256
43701582e1a6c5a9364719cddc6180f4a9982789ae65049c772a7f7a541d4278

SHA512
be100a47f269715b67c865a247cd35b0d254f0ed333bb458648fae2d3b8f0fb80287fcdac6f448d05211f870b1147e63727cd70b0145d2991449ed80dff13ea9

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.dat

Filesize
8B

MD5
c50446d6a2722752a12d3f19be21b5e8

SHA1
f6e44ba69d2407a35aa80dce0ddfabc9408025db

SHA256
761d4e0c1e1cb64f179997fc9fd263864bb325d4c1f3f4575d80191c824c752f

SHA512
41842f4bfa84e2864bebff7da2d6515e5ab733ebd0d6230468873b0b01087c68cc5ef8f9912c94fb8b3a30729edc6bfc34a3648c3e465b877e989d409ef309af

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mb5uns.exe

Filesize
2.2MB

MD5
b39ba8b6310037ba2384ff6a46c282f1

SHA1
d3a136aab0d951f65b579d22334f4dabbebdb4a4

SHA256
3ecbcb6c57af4456111f5f104b8fb8a317cdb0f16e98412249f7a2d62bca584d

SHA512
a8b98f47c30503029f2dc80398dacd5f8fc07db562d04c56b8c7902bebf11517223350c41850b81aca770ebc9e68fc365921bd6cce34b57b2c945f1c51b538b7

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbamsi64.dll

Filesize
3.0MB

MD5
552132510df12c64a89517369f07d50c

SHA1
f91981f5b5cdef2bdc53d9a715a47d7e56053d6f

SHA256
3bfc8b26e3a44d2444837b2125fb5c94eb9901faf3d49a8a5de1e2089a6b50b1

SHA512
c30a893fa36a056db5ecdb765bcc0fc41adb02696b22a30130737d8b1a9d020b30bc651d45c63ff73b621459eca3668aa51e4a71b01b00a499bffa941cd36930

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf

Filesize
1KB

MD5
5d1917024b228efbeab3c696e663873e

SHA1
cec5e88c2481d323ec366c18024d61a117f01b21

SHA256
4a350fc20834a579c5a58352b7a3aa02a454abbbd9eecd3cd6d2a14864a49cd8

SHA512
14b345f03284b8c1d97219e3dd1a3910c1e453f93f51753f417e643f50922e55c0e23aab1d437300e6c196c7017d7b7538de4850df74b3599e90f3941b40ab4a

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.cat

Filesize
10KB

MD5
ddb20ff5524a3a22a0eb1f3e863991a7

SHA1
260fbc1f268d426d46f3629e250c2afd0518ed24

SHA256
5fc1d0838af2d7f4030e160f6a548b10bf5ca03ea60ec55a09a9adbbb056639a

SHA512
7c6970e35395663f97e96d5bf7639a082e111fa368f22000d649da7a9c81c285ee84b6cf63a4fccb0990e5586e70e1b9efc15cf5e4d40946736ca51ec256e953

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.inf

Filesize
2KB

MD5
d87c2f68057611e687bdb8cc6ebea5b8

SHA1
27b1311d3b199e4c22772fa1b7ea556805775d37

SHA256
ff93773f55bf4a6a0242adf82276a8c95c0b244b9bc05e515c4e810c81a960e8

SHA512
4aa65b8911d8a2a0f9ef0ee6e934b94db0a9ad4c2ec543b5edcf21486be43f6ab1fda6617ea2cbb85eff230628c9fa8e7649da915d6de695803b28e55bef5819

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.sys

Filesize
233KB

MD5
246a1d7980f7d45c2456574ec3f32cbe

SHA1
c5fad4598c3698fdaa4aa42a74fb8fa170ffe413

SHA256
45948a1715f0420c66a22518a1a45a0f20463b342ce05d36c18b8c53b4d78147

SHA512
265e6da7c9eede8ea61f204b3524893cf9bd1ed11b338eb95c4a841428927cccbed02b7d8757a4153ce02863e8be830ea744981f800351b1e383e71ddaad36ad

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat

Filesize
9B

MD5
516aab6c475d299cd0616174d51c4103

SHA1
0792fe0fd54c067b19848d0a7e65a539ecec6cb4

SHA256
602d871efd8408a79f8b37e764a2a9884331324bbf602aefff9661a32f010611

SHA512
7d144e10bfdc10ac46baf5e8bba893a9d4e420dbabc7d98e5da38638923b30e4ec7bb918b03d48cdd45e15224ba677b646751548f351e586a27ed57b6a87a846

Download Submit
C:\Program Files\Malwarebytes\Anti-Malware\version.dat

Filesize
47B

MD5
b633d57b1d5fce57c37afb46ac037b23

SHA1
cbadcf74f258b171351b50dfc5ec932ec1a5b6b9

SHA256
6de7d05edbfd7f3f8c4464f77f80758599556760c9a3a0eb043eff9b730f2def

SHA512
8e08df6e2ce5c7a7bf2ea7db2a5d6632275831f7ed8f03d6e95f180611ac6c61c39f106a16910478343ba6c2caab1833a47d6ce1b49e43f08fa8ec4710c0ef9c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\3c8b9afe-ba8e-11ef-bb12-6e43ea74cdf0.quar

Filesize
1KB

MD5
ce6f1e37915a3080b7c7b9e2c4c4c1eb

SHA1
5e7c2682afc778f244ea0d163d55c3cead1c3c24

SHA256
7658c84876ecb1db1f456b66d08b506b2cdd4b8792b5380f6065d9e382e64f18

SHA512
64ccb773c4f85f6fd5e713bc4026a5bfb4e4fd74b335788099ec62f73779ae50e6eda29438bb3690ddd495cc6f0cc83148ee40cdcb3e585a089d6ab82fbfcff4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\Quarantine\3df6c3be-ba8e-11ef-9502-6e43ea74cdf0.quar

Filesize
240KB

MD5
799b9c7f1342355ab5199e4cd0ed193f

SHA1
24186c916582edc952dffb43954550c8055dc2a1

SHA256
f2036993f75be6ebbc74eff5626590b6a54b384a858ddea8e1321fed53d42022

SHA512
22b3f975ed2a54fefb7a4b43928426a7d2a443eb3cccefa5e882fe3208cabcf23f5e5c9c6fd4d0f46014f9959968c57aa0eb9132d5baeb095e8d227746f7764b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\ScanResults\1723f432-ba8e-11ef-8b3e-6e43ea74cdf0.json

Filesize
139KB

MD5
1f46f2d545a4977043bb325bde889183

SHA1
8d1964ac975de1a3c16a3e94ed2331360a45d298

SHA256
a587db1932f2a6c0f204ab40b27da6df7000b490471dfa618dd7c21b03830a7d

SHA512
1073cb3545cca8451b624b3f6dffecf9952743c8c89f876acddb848a12fc557a824369ab78063e9f8414782d92fd76d4f13d6f5233bdb7cf23cb12ebe3ec42af

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
1KB

MD5
f7e10d8aac256bf24a87d8cd139a70d4

SHA1
15415aaab47cc1d34495f58342f7f69620394f10

SHA256
caba0505288225fe3362a0b1bb4e0fec1f37b19e7841198a51f4c1690fe29a6a

SHA512
dbf63ed23a40bec3efdda67d981ddd7b7451c5899cafb0d7e27661a219d3a3708f84f6deb03fd62e8dc63dfce3ba5f2213019f3e59cf7d508f88067b1ac31c12

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
47KB

MD5
35662524d4d2393c34d6a98c67868ef4

SHA1
7d16181e5e271a9f4abbb02625e4209a2f18a4ac

SHA256
9213033fda39ee4d52113939f575df72ba8cb97bd27fe0b4513fa641c2db23a8

SHA512
5aa2ddb5902201b7e7da9150a3a16b28def0bcc46e69a29c06b1365f7aa7ef6ab479a787d29953ed05af2d788e492c39dc5b57f3a491918d1bb5ead08af19487

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
66KB

MD5
b2466cf494b896fcbf0446025edb1bb5

SHA1
f4790317d55b6836496f5bf3d0907a2e55392291

SHA256
3511a78ca7bb06c37c6d74d2b9c38f23c521bec7b924216b72256963488a1afb

SHA512
0cd2ee995b3eedb7294ec4cd18f98de61e230abb051ca12bd643f33dcd12ddb91231fb4322cfa5dd5b47cabfff199729f8666bc0d122e8b4633e009b5d658f49

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

Filesize
66KB

MD5
433b1a6acbbb8e41e083f20450227050

SHA1
7cc7296f69a667f32a4ab1b614c7c748e35b4ea8

SHA256
bea04f605db06866b36e687fb3cd368d000e541944b483bd37e1ad9426e77ec0

SHA512
9a247b78c238aae3f1b768f9bc511da9cb85b811182c5e78d15c9867ec093080505ad9b1010c5f504f4700c381b10583eed483a7014dfecdb4eaaf341eea4d36

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json

Filesize
607B

MD5
860910209933fd5dcef4a1cc2b65f4b6

SHA1
a95a7c875bf62edcb6170f52b0b64f43bbb292d2

SHA256
e7fc9c279181cbc3ddf0acb17d50d627ef6f82d34cf7f37b035b6daaa048821f

SHA512
364e8726d1142e4c09090176330609401f624ecedf53ef4f383515de5b57de99ee3ce284aa1cb3c85e5a8cd48f86de1c7a412e5b9c4ad46c66e29ef38de767e6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json

Filesize
847B

MD5
8c72501d3f02955a7223df4f1a9d8a58

SHA1
ef8d5f2af389245ac75685240b211e12afa434a3

SHA256
c31679ad09c838d84235dc3b367e44d90c99728c1bed48019d7d7919fa1e6700

SHA512
ed1d137bf38595deb284a3cc10229c9fd916d079b680ccfe7a3d33223ea4585bc6b20025db73d474e6fbe266de2d4d85640f8932ce5c841e2270b7c5c041bbb2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json

Filesize
846B

MD5
be326ce4ab3facd17e8f5090cfb976e8

SHA1
291c8f377c7e90de284af472642789d5d365a30e

SHA256
31f4a47312646069f252166f9540edc95c8ecc035ef42dc0b840b826c3ff6ddd

SHA512
eea0430c25cb90047d693f585e51d9436cb24d04b67cc6b975d9c131677904c087824b82f9d5ff7f3f3d5ff1a7209b3bbc5cb2cfaa803bd2261095793f66450d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
827B

MD5
526b9086b864ab026995132d63f3b3eb

SHA1
047fa5b373953af1bb0b29a5b996889f3228dd6b

SHA256
f7cdac45efdcb44f23dd316c79ab53a3d0e30fbce9d6c25fe0f6dce99347f82f

SHA512
577253bcc0fdbe8cad889c06a694d60b60daf616e401a207d08acea2d88380b7b042ec864c49b208693fafb8b4aaaafe379a8c4a5227fd8d909cf543f3f37336

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
1KB

MD5
bf93b30bc7d00d0b1bfc3c2f270f2e52

SHA1
95fce17ffa68e6b288c9a82a76f150878b712035

SHA256
b63d134704d7a3656d62545ef3b5c018bf0b78bc8806794ec538be9bc1cbc848

SHA512
965b0400046b0a8d6be5500ae8a21c088a91cb17960316cfa0fee9258fd2022a3cb1dd843c486649d85d4377cfa98c7620b08a5915abf574bf44b50a1a060730

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
2KB

MD5
8b1f3faaa7502f189257b8876d887c60

SHA1
d20687c2b73f6b4456132554acce08fb6eb11ada

SHA256
ab18b5ae4f5f70127685dc7c70f19a220ff818ade8107eaaf63b7175340a211c

SHA512
a5c835c38347f0e70969d7b7334ae080a8d45948ddd1b77509c8b4117bcbe54468d2e1a74fbc1fca0603926854a82cc3dfdbce7f4235a2d08db884295b2457ed

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
4KB

MD5
058c1d2e8541b64d5acce797348f4988

SHA1
e36140357b40a66e670e0722f2b3780eef623367

SHA256
b5854c97f9a3c3ff638bf97e51937dd213c996a4e924929c13e2d783d6d3175d

SHA512
30c5e39780c5a08d0d5ea6a800e02a9ac420a07aa9fb8b957998b92c9b9dd19a835ab41d4d7043ad2d214d799c8d82c182f3a57dc3e3f8546024af04cecb90d8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
9KB

MD5
cf345342a2d86792c4ea8b2ee0628e87

SHA1
40265057184d0bced44a2e6730e07ce7443cb4df

SHA256
1a20889326e95cd2a426453821d6e97b94c9a21e9690d11cc7570e90d21372d0

SHA512
b35db673e96db3eba0917756a24e06db06d94ca4c300ed13085f3f1771a10297e929b3c0e7a2cf92a1a8f05a7dc282d367f1e644e2c057b64895e83cc88a45b1

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
12KB

MD5
4d0fc61d330d700f13b344589ee65d75

SHA1
ccf405bf24c9683802eccfecbcb8ba7d4b36b11b

SHA256
7b9302885d44bd331b29652648c6491097789612cc403dcb4f26ba9f885555ce

SHA512
595f9fc160308dcb5429007ae0f1bf27a36eb311182fe4160411c511417ebeb177159fd0cf532c97c1e18f8ef41c0dc7d1d4ae6284823864f79c0452c789c731

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
13KB

MD5
767ed3b16c2cbe82b204849333187430

SHA1
69d414548b2abd7a7b82734e6ac5345763a250b3

SHA256
8f5cea5f61f2946fa9ab96d282082afa1ad0005b228d4cb393953a49145d7bbc

SHA512
0b86a67cd70f86cdd759daf9cdfd1c5360fe4e5a051dc5a24d64366b8066a161727a451cbc0f2137c2cfdc1395e7ed3b85d47bcff5342deb5378b66f81d3eee8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
15KB

MD5
12452e15ddbeaf053047689ef985ae5e

SHA1
64dbc180980b3b534c94bbf95a33467d3e4e1b66

SHA256
c425cb742975c5ba7a7ad0b209ec6d48e6ebe7cdc2ea8cd082b7c3476420ffa8

SHA512
1195edf88d03f0d1dee93bac4638c6bbcbbb2332f18632b89ca0058a198416a8b863e7d5aaa23d4e0167883ac7d4b8e85fa383315834e1cd4a042d3ecf80a8b8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
16KB

MD5
b3e2703f7d8b4256761554f7ccf5e718

SHA1
b81270c0cde35a6f330ec048f96f6735c39f6d35

SHA256
f5909fabfb90b2410757633ae1a9d913f409926615a442051118bbc47f034a56

SHA512
ef88854afd861d60ab08792ebd8343cae951160130fc7047a31eb0c98fc3bf88ca0da56dc0d54a9a3091e215d1a9fd625873ce7004fa36ebec16ce9673086b0e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
17KB

MD5
b39af5531f1ff0a2459fb41047f467fc

SHA1
a420dcb434321b3c52138c03f75cc2a8192e8520

SHA256
ccebbed97ac779397828e48c68b30e7324aee9b62ce97ad5384cab4bb8a580b5

SHA512
fa2d5a2ac381ed196d284ce15f5208a74a2b79276f293b12aa40daa196749d420f7147fe718c03c3e3f51f568b40710ecd6a84dcd1d660f54db28a3f4c494287

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
17KB

MD5
fc5209e40226d1533632babc4b4ce6cf

SHA1
53b7327462ed6502c3e35fd9e4946e298938e131

SHA256
51b2c739eac89d3cfef8721f6fd8ba14e70228dd361f93ff1db5f78511d4062d

SHA512
68166ae701269b47ef1cb437cf833dbc08bcd9c99fa8d9c6e8e1ea85736db00383d9a47a93cd9c7f62527f01902aad5a7303443b03a5c6767441eed67e4dac5a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
1KB

MD5
500411db30ef4649d4c74bad20d74820

SHA1
7ee5b3614a1e6f3684706f8f5fa44da1ebb5d93c

SHA256
af5c6a14de751c139bbcffbbf7a9977effe9041ab943279991bc0eca657b3644

SHA512
2e0df14889f9867da8b5b804a64d4043546756b68ef01d43a1e5091e19f7325a7b2c37f53d9522d087f33a17e87334b5052132e1906255c17212c9acd081443d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

Filesize
2KB

MD5
5bd61e93fae723266a8d03478f7e9136

SHA1
b56411803d1a6f07557a699a17287075ddcc423b

SHA256
ccca28116bf35084d8999e8fad77eba30c778d385c26fa979d9682430589a0bc

SHA512
91e2fcc83ae71f36b20f660fa9e99c1e755dd2da6d1f1fea7207a2f286600b398c16255762ecabfdddc548e1e78d180cff88b79cd2d8e0eb3287aea8dc3151e8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
11KB

MD5
2b7f27548f40e6e51a3894e2a74a8318

SHA1
61a074fc770394295a66d7ca61c4fa2499e48f1a

SHA256
3c94764ef9341c534e577cb001768b07c83c458be5063b9fe8050d005b46c120

SHA512
dd54f5c0ba46a5a13636eb8636f8c21d8ec09818b00fb1bc52759bb4a27a413158cd5022245eecdb72000a97c9babb5f34543b37f5c14a8e0f0715472b85083d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
12KB

MD5
193855428974f7e554d09627fef0c580

SHA1
6a8c9fdaddc43887d9a63e28a446c248a361d7b2

SHA256
be7ba39cc688aa915ac22ab1ad70d01fd1e95d5032d315d5112c314f996c36ab

SHA512
6409b80e1317c5557deb6e856e01c4d5f9bb75c7b072cb5931b48841f9290836083de401d6c5c458345c19e2f9062a5b99f328a7f0e11c1cf9ed0531a287265c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

Filesize
12KB

MD5
93ffd8cbb9bd585d4f6518049ec6b133

SHA1
69f6234e1022351dd81a21ca7b449d3ff236618a

SHA256
608e98b8bead9f79e5bab4ed6fd99285f3090bd9acb05c327e2d18186740f01f

SHA512
840ac46a52b89b59816492775449e3fbf7f124178172f6f612ee02807ff13a6d498678320b129be89df5288f6b3cbb262c0a91daa9d56e8bc91aa03a584a3460

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

Filesize
1KB

MD5
9b4e4b86fb868e0c57f7af35e402fbed

SHA1
e785da28803e3682ba0582c017ef6190cacf512a

SHA256
16fcf5cc11e577a40efbb4ad4cff4ea8f85d9a73b0a80590a9873c1f70e10eac

SHA512
1f0a4f0ec4db464780e7dd9ff26c7a2843a825924929c8c694bbff270b9ef9922e9319a36206e55d26e940ae697deeaaf0a3889ce754325bfe3eb0a9ea46d035

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

Filesize
2KB

MD5
6fb1324f9ae41147e34e309e99994974

SHA1
71acd85fc897deb8448503570eb763783186fbac

SHA256
6c675a91d5d6549c64054b2df12d790b4b89a821d1ecc143200b54f42686dabd

SHA512
b6b9d153bbc071ab14cff001bd7761066b2d5bb9728d1c1c443f3b7ba464a275ecbd8bc63e8d0359ea1b106078dafbd4e7cda413ff7df2298d763c3c49d6b325

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json

Filesize
814B

MD5
6a0e58c899d5de8ad967ad9e0ebc7efb

SHA1
e2447c85a4b21fd98118c76dd130002db21ca333

SHA256
4c802f5999d113ebd25d7523eb87d00f5c937bb25c7e8ab5c47d84bf3a66dcff

SHA512
10be71a65e3fb3276195a8a8a33013446f4ecc02f798c8aeb2145741a2003a4010f349e88a6e68a1a39567227e8025612483768b15502eca2e2b5058b799aa09

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json

Filesize
816B

MD5
bde523bbe7bcbf3cc001d0981923a45c

SHA1
ebe22186f4ef0005bbd3a008e5461eae6f25bf8c

SHA256
a1421dcb9df6ae142b3e71d0801e78d542c897ba1acc8ae901d10f5eea5a4850

SHA512
baaf22b8bbe578d4bc9390b6b0e24b5c7cc368b93e711b677f6049460332aba0c5490033ab4871b697eb1099d6cea190fd9cd5fd1a54045a59255a5c9117df64

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

Filesize
1KB

MD5
536183bdad057c64ad6e98bfb5c4062b

SHA1
570952b26f72f35844c3d70059fc410280cba626

SHA256
72a46261a58345387340ea53796703c42768f334111220dafe31a94ee588808d

SHA512
fce6ea4fa89dcc3044335a60f583d422989332c06ed76aca0cf9b742e63e5eb72bff1a22fe32a15bda9430e869e5705920cac1655795162034a2a9a02baaf73b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

Filesize
1KB

MD5
db5873b474f60e987a0fecfdabb3e27f

SHA1
33caea27525976780dd8b96f6b78f50555b1a82d

SHA256
ff8b2491e84cbbabddf2e0dfec15b22640d3c7c0c9cd2e035a8503c645e03c37

SHA512
673b8909f339625b3438e45c10ca5bfea60a3af295cdee60c6507355b449753123f31ed1062a6b6af48371ea1b506b040cda638743f1a4d1223e26d7ef621281

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

Filesize
1KB

MD5
f0509e1e1c7caaff21c6e1eb44d90ddc

SHA1
10e1eac2e10a5c0ae179d6f3946a58bdd0426dbf

SHA256
5060dca78746bcbdc86b1f5d332ae40461ac09f44c563243df64988267635c00

SHA512
44d3af247e4c535731a2a739af887ce95362296d7ae8066d5bb7e05a3594ac2006d2531b3903f8c2379641438055c2503d2844cedfc65b033732326eef3edf48

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

Filesize
1KB

MD5
81989c56d308c4002c4a084baa18a3aa

SHA1
c9d3213508c4b2b252ca8127208241724c0c42cc

SHA256
0a2503b909b803c38f1e0b3eccfc27630e4fe948b2eafcefd61cc037ad811409

SHA512
a4838e299f4a9ff41d05522c5dd534ab58b2c656c31921f517fc0e856de6371565cda76dab81a08d72f6566f5ba4dc04040b09a90b9b2231021160e3e128002a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

Filesize
1KB

MD5
7f70fa0c7d545da5af0323aaf9fb6a9d

SHA1
80101925b4d871372498620d66bd10d5c3bab8a5

SHA256
2b5116f0c9b018dee1d2a846a1d807bdc683090db0c6ef14a12b92e56f8c1077

SHA512
62340fd6e9eea44bf0282f7cdef06518150ea0247823ea970962bc70d28a1a23bfd2816521747f5ce09550437b7fef20030cae4c10244bd0f93e50fdcc31518e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
2KB

MD5
713b5b93b7ff7c2679ebaffc179733fe

SHA1
ef5f8ce023841336ecaa80a96b5d915421214cd4

SHA256
f07b281349eb13d010693081445e0901a794f94ac69a53e8f3efa9a1c89221ec

SHA512
bb9b44d253cb3f443c49ea2d4172f5adedc23103fd60b135ef842e36e047f6614a2ec2166b894ca384aa8b1e9f67149f3c2e5f7afcda3d0872e701160b7c60f6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
4KB

MD5
c9ec5504f6c49573245389bde697fdef

SHA1
8b181fba6e916cee6460926522b101e5a7c6700c

SHA256
bedf84b4a16a1bea17b473524165592f90a997e72a444099b5efdba09b316ff5

SHA512
c7d5d328d64aab1b03f9dc5d1941a53f92571608aa73eda4c50e7131750b356fad608bd018f169fc67ca468f80b7e76b30206172eb3f3372dde43d350c30427c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
4KB

MD5
869fef35f6bf99347319a49083e407a6

SHA1
8926dfded1edcab146afe82e8f0342b6a18b3f97

SHA256
d491b983e5cbb18698dbbe72fe34d8ee3be74cf4190401ca20ec6917efe5a0c3

SHA512
e2d489a699e0926c675e403e8887e342232026bb3318222a4b78956b713d1306eb5f8cec18d532a7effea6d790361da6ad74c4d6bd0bdb840b02305d1cd8beed

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
4KB

MD5
1e9c9a961c557ce896da3d2365d6547c

SHA1
b5601212c2c7267ae8649f082d358f72e77152b0

SHA256
3cb600130322a2cc17485f1187f1b72144b2b20e904c0e7a019a663f53eccbce

SHA512
262b4545cab3e5657631f14a73bc25bd330e1cf60151bc549aa4e5ebe93fd3ca50187ae99b57ab3b5bf33ffdd5c0a576988739a50396ee6d8f9f41071ab17ad8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
4KB

MD5
de4f219a46b54c68d75170db7dbcfdc7

SHA1
6d62c8b75125408cc6d53533338e7ce8d812f8d4

SHA256
ff89bb3ff46ac2e9398bec75b0560583274d528b4fa9316aa7cecf256fcd1299

SHA512
a48c5ee693935647bc9e4a1c990c297a3eb82d6791945f31a640e36e0ef713cb166356a66711ae9d7b06f94e695f3ba0a0d8c2a6af5ccc658fef2c5364c78dbe

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
4KB

MD5
c6a0c08e15fd256c0213efb78486baab

SHA1
62c11af59ca62de8a680e6bacc5e3a7c9809b639

SHA256
7ca57aa15eb2297574378cbf90be345a2c3764d63061f12b304a8ac5c41f83ed

SHA512
6a7ef46d71dee5cfc3ba0579052d5d100013314982273361a3695c92663994e9d011d1c9ec34a074c579b3f090526e55ad139eb030045a2b93e5f9de427bb135

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
4KB

MD5
94dc1d9ea3d76cfd5a1f5c1fd8bc1d4c

SHA1
982aa7a78993e44b8e5ea7bf7e85d58e7d235f73

SHA256
fa5a4f974581058dda406d17ed1f0a630b745b8d0f93d96914a1aae99f43b086

SHA512
7273375ccd5c5bad5ab36d9bc5333799ebdfb757b90ffcb9e2c39f98eddccd09a92b3378b21cb49ea55a0075304463eb17f88b3aedd6eb07786f5dfe603092eb

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
4KB

MD5
94c77365b9650a470a8963e2080dab5e

SHA1
09da2bafdcebd128cee2814ad5229acf2afbd137

SHA256
befd94bfc00f1e251fcd6d12020a718f94877a16b632c9aa7a99f47b199999ef

SHA512
d6b177c711ab616e98839d59cd7a07c2c078e28e0cfca61b99a8aa230d6da229a2ebc5ab65c55dc513657ae3a9498acba01d7c9af2fb4aaaa99892b09c8b36c0

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

Filesize
4KB

MD5
218e77a7b31d9df3120be7ee83e27f33

SHA1
c0206af4df39c45d9daafdb2b2899968f26394d6

SHA256
4b4cd2758eb1d0c4a9c17bfad7cb2c267651fa04ee507b798b5bbfcbf9dd5ccd

SHA512
b520687c2f57a2e660e934dcb9f762d7489ae897b141f57f30b360989f6d14c9a2a586b6dc4565a8861d3bea70e4a8bf1fe6fa563261d9b35dae47595afe38c7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json

Filesize
11KB

MD5
dd41ef19955cb58ed97c3dcbdab23180

SHA1
e8729446adce229ee0355fbdc5cf1a8dbed32a68

SHA256
bf20e1a1254e9e18b9d41855aef5e75004ed67c4035a142d369e91cd6e7e4a15

SHA512
91b88c47bf08cf9020efda9b2e86e9aec6085883db0073961ba1930a8e3f9b96c9fd7b9d6797cf20dad3006aa2fca7acb2e1f564e7ed7b6d88e194daa00fd7c7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
c46ce59dadb9f63be2d777e70bc369d4

SHA1
78c31d3f8377936703bc651c3bbb5bf3ff707a74

SHA256
6413430cdb8b170444d947ed035fdd6503acb5efd107d9d3c42ef0f5cca9a6eb

SHA512
0e28085891d6695d0728645c868b47dfdf8cc2d25cfda749505d591f42e591b90ba68fac287ed5ea17f94b9ce5d8843f820752905e5ee227a20b5ae66710aee2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
438a54052b1c7922de3128168fed96f9

SHA1
af531a46617af64b2c51a465022a98df86d9fa67

SHA256
8d44b7bdac89254a5fb32e974983e2fd67015fb3a672011635dcac0369e3a0b2

SHA512
5514d91cea54de30ed845cf2c79e0c06ade25d67478508ad62a4d0b3f8be19b326f14a3f724d7bd06dc1b927038d2724055c24c26ce1ab98ecbf98cc418ad5f5

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
bc0f949537636d4b6aba5a3185467fef

SHA1
494a26c44268e53dbe5b5678234f2477af1a32f0

SHA256
e68042bc56bd191f691b5c1f60f352f7b383c455a0e4d27bc2620df1e1534ab5

SHA512
b72121cbe07500b6e66132840f3531178a55b43869320bd7c948cfe85b2c9753fb132541c957531713ab985ea811acd8677b237e2e67cd3da0723cc73aff910a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
453ecb9d16ab5d49b665309a2ebc503d

SHA1
04b0fcf1794962325db62600b4d4c80ce4236432

SHA256
b4ef2736f855b71a17e6404ced4a8a35da16e564e1ecd995fe8a518e34b3aa9a

SHA512
e2c2a59a96b847c86e28bf28393b80e512cf65ed0eff1be3b85dedabfca6e15fabef0ede1167a9883fe4c4832316b9f1e1c59faf76296190645ec0d17899f4d8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

Filesize
1KB

MD5
6178cd84f8f6ae4c643de60e440d98b5

SHA1
471529a90ec4d7ccc1635d7c63bdccc82965d5e5

SHA256
5538a1d1434f8de199bb89896bbd003fd78feecd792aac8282f086b14e382589

SHA512
30fa06b8e1260b125b35442fdb934fb18befb751ace580a5b0eea7f03b1e8c9977fa6d8ee9aca7ff71367b7b613e29c1120fb4508e027fa82088333264fb6701

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
843c0f7cee89510682a24cfe21a9bb99

SHA1
c53f73e3784f285e14c79eacdccf73505bd8da7f

SHA256
89c787e4c228d83a481e7877983364320dcca77591c71b7ce2e3216d780e7402

SHA512
a5e5d38731382f3b7bd46c3fe7d84cf55b4abfba64c06f5193e9702bc015d86678d72661de8d15cd2506be6c7eaf7e7101623cfc94f0b8eb9b700a7fc2f5b741

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
39553a868e8d79fb919d5bedc59e6922

SHA1
9c1dd3a9e0aa4d2cedea80781b80c9b092faa804

SHA256
b8409c94dc9874cb4d631b786b1bef0b1b00c8246cb93105aff772e9abb87ceb

SHA512
65dbb824513288f2ddde2a5bb059c210147431e2b339e920910a02bc8c274bc601ef3d4d2635af1d826e67ff216ceefa1d232733eb74a81cf2d929a2d6fe1371

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
e303b78adf40e1310b65049a5a591fef

SHA1
d68fa06e096db24bc755f5304195a61f87d849cc

SHA256
b61fc31e84b2cd26fe6b803ac99d8acb203f5211b3adfa2860d52af239e91c05

SHA512
dfe29f4331e3b552729219e6866323fc2c65cffd4274bd95dbd1c953f6b4f7a071631f40fa921f197df19cf8bc44bb1efb4de2494eb0020629995106061c33c9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
5991ca5c58a3731591f250b0bc640983

SHA1
ed192f102975c53dada68ffe43e9d59682107ef7

SHA256
70620e78745cd49cf4913cdd4a04e2d59f1b8b96115a1c18468c550369444ad4

SHA512
1ba53255af3cd3a8f86846acdf652c531f4f499cbef5b6e96c1a1475ded2c8ad699f9b81da170595b43283cf266d01a0af70ed167f2944c4eaaa0f86079bf971

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
b164da5df76eca97aa8c8440c1dfd2f8

SHA1
4ff459c7d00aa8a04af79bef35b9577e150a8c41

SHA256
8009e982b86f1d3c4b724ddab5fce32ed9dc4c385a23fe67428cb44fd500e324

SHA512
346245b0c4b60927562598aa9eb0a903c7035aceb31cc181bab9a41e0baa19660e08f4a155f0d99c148de18aee0da1c57a955a0de3ada321c9a69141596d0a0e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
4f45777dde4de62e569fa6745a064024

SHA1
6a9a8f25280bc011c86aa062472e25a2ee6f4ecd

SHA256
dacb9bb3842a3b206e0faddf2630993a033d19ae97b305b627381c26957546b5

SHA512
781521457d9d350955b7b275a8f5feb0b6175957689896154aa40fb73aa8d3400eb2face30ebdaf96c70979128a67ced44917cdb61c2517b0a2e81cae735dd0d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

Filesize
1KB

MD5
90a4edde888bc365c9f473d163d2d4ab

SHA1
520caccc68438f443e35a595e54d8f01df24a4fb

SHA256
e05e4c752ba417ac069d80cbb0048662d937f0883fab7872d6f32fc7d584c23e

SHA512
a7a9ad07ba71d3f0ded38f40987d02aad2af6b058f8ea911cdd321b53c91f7b3223432da89b2d2137ed81e94a085521ab42a8f36d6e82e686b22c562e0f343e6

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak

Filesize
1KB

MD5
718455fbcd065b244565bb782c554ed9

SHA1
993ff14296823d493cbd6dbfa39cb3d72f36412f

SHA256
a931407d10b57d10704b1ef3052ffc603d58e4b7b13caac54544e499dd3da800

SHA512
eceac44c4ef9cb104a1f13bb746e107f767e87058dc4e02e7e0f2a0ebb408f23908217b0c872a42d70170e6c0eb3a1bd6e08d00a8bbb6d05c5325185ba9a7b32

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json.bak

Filesize
1KB

MD5
0f075535baeb50ec2ddd5bed15aa844f

SHA1
932ad51bceb3a8786ce85449c3ce68e71aa861b3

SHA256
13e27d7b4dad473feb93cd2cc4cdabd7b51952426134511ba90cda4b2627db20

SHA512
91e9a4c95382a74924ceed37ac51eb62f9d14bfbc2572554d744bb10fcba83769f6d609daac4b04122e463ea081516a070bb8f8715a37c5cee9a548929fa8757

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.json

Filesize
1KB

MD5
eb8e7878eb2fff882f6d203717a42626

SHA1
9d35f1d3b157d5c9e6d8779379d75b4090feb846

SHA256
0396c77576a9a75ea8b60907c699eca6f0e43c146b7552e53569415f0c05d337

SHA512
8a0642c72c3687743758338ef61df0a9886137d1077374cf999d9c22f9af5df66b6dcfc56676eba2192f346a627e10805d0a4e5685349524f8848bc22b3d07d4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.json

Filesize
1KB

MD5
864e258223a8b39fa690ccc20f784d92

SHA1
c0f96fd64a0f7ceb263516a6a57d7f31592fe2cf

SHA256
df8c24ed5a91ed737a83ced6c6b80c24be14123323028511de53cd678ea46081

SHA512
63e347fba10d1938fce2e4f1470c568e4078b9ed3754fc69c8d522f5926a5101342722f4dfa71121be69368db75c34a6e566673003e2c6e241fadecd5a3518ed

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\config\VPNServerListConfig.json

Filesize
125B

MD5
ab5b9ee084ecee91b5fe90cfd0fd223b

SHA1
872f4ae75144bae2c88816fec32ccd2509548945

SHA256
f9d0db36ee91b4446e98031cca18beab85098f451e540812ae60ad5a5a17a5a6

SHA512
0a4bd1d3825e854d1d5ecb1851f2d958c85116da51a5d213e813b11b0cbdbd1014af4f361e36252c433caa61593cabbe8362ef24112ec8884bda6cb27dffe71b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D6F.tmp

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\D7B.tmp

Filesize
504KB

MD5
b5d0f85e7c820db76ef2f4535552f03c

SHA1
91eff42f542175a41549bc966e9b249b65743951

SHA256
3d6d6e7a6f4729a7a416165beabda8a281afff082ebb538df29e8f03e1a4741c

SHA512
5246ebeaf84a0486ff5adb2083f60465fc68393d50af05d17f704d08229ce948860018cbe880c40d5700154c3e61fc735c451044f85e03d78568d60de80752f7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\DCB.tmp

Filesize
1.8MB

MD5
804b9539f7be4ece92993dc95c8486f5

SHA1
ec3ca8f8d3cd2f68f676ad831f3f736d9c64895c

SHA256
76d0da51c2ed6ce4de34f0f703af564cbefd54766572a36b5a45494a88479e0b

SHA512
146c3b2a0416ac19b29a281e3fc3a9c4c5d6bdfc45444c2619f8f91beb0bdd615b26d5bd73f0537a4158f81b5eb3b9b4605b3e2000425f38eeeb94aa8b1a49f2

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\DD0.tmp

Filesize
68KB

MD5
54dde63178e5f043852e1c1b5cde0c4b

SHA1
a4b6b1d4e265bd2b2693fbd9e75a2fc35078e9bd

SHA256
f95a10c990529409e7abbc9b9ca64e87728dd75008161537d58117cbc0e80f9d

SHA512
995d33b9a1b4d25cd183925031cffa7a64e0a1bcd3eb65ae9b7e65e87033cd790be48cd927e6fa56e7c5e7e70f524dccc665beddb51c004101e3d4d9d7874b45

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\DDB.tmp

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\dds_tmp\DDD.tmp

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Actions.dll

Filesize
4.5MB

MD5
f802ae578c7837e45a8bbdca7e957496

SHA1
38754970ba2ef287b6fdf79827795b947a9b6b4d

SHA256
5582e488d79a39cb9309ae47a5aa5ecc5a1ea0c238b2b2d06c86232d6ce5547b

SHA512
9b097abeafe0d59ed9650f18e877b408eda63c7ec7c28741498f142b10000b2ea5d5f393361886ba98359169195f2aceeee45ff752aa3c334d0b0cc8b6811395

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\BrowserSDKDLL.dll

Filesize
5.4MB

MD5
956b145931bec84ebc422b5d1d333c49

SHA1
9264cc2ae8c856f84f1d0888f67aea01cdc3e056

SHA256
c726b443321a75311e22b53417556d60aa479bbd11deb2308f38b5ad6542d8d3

SHA512
fb9632e708cdae81f4b8c0e39fed2309ef810ca3e7e1045cf51e358d7fdb5f77d4888e95bdd627bfa525a8014f4bd6e1fbc74a7d50e6a91a970021bf1491c57c

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.nm

Filesize
336KB

MD5
a3193e3f0a95ecac85d6a521cc096358

SHA1
8e6ef8e58344829bcb224dc82ed22ff21f366c21

SHA256
49f9fd1d960eff22acffecc5dc707597e0909a8d31f71404cf2e3a9dee105701

SHA512
2a527c022b6fd3790d26ea54f37950e450db6ced026470ccdc893aa877980413e26e3054355e4e1322ca66a328459a570ef4f237d134350d027434afae6a0133

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\Global.sr

Filesize
20.1MB

MD5
1a3f5edfebf09eb6a99e23b723384f6f

SHA1
ee8f3894771fe6446ad307d631e5ce16c523143b

SHA256
afa6a57c1a5d5abac55f54922fb70f26097440f8181c4622b53500ddeceb74e1

SHA512
48e3743c5b36cee5ea771213b89524c6ecc4dfa3f8136b65f4edc6c1d2e5f401c99b18292d0295d14260318640040d7f2b2c250c52eb55c66b8c34a0804fd7e4

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\cfg.bin

Filesize
935B

MD5
de80d1d2eea188b5d91173ad89c619cd

SHA1
97db4df41d09b4c5cdc50069b896445e91ae0010

SHA256
2b68990875509200b2cf5df9f6bdfcda21516e629cab58951aac3be6a1dd470c

SHA512
7a8f5f83552dbff21be515c66c66f72753305160606c22b9d8a552ab02943a2c4e371d17dce833020d2779c6d9fe184a1e9ef3d1b8285c77aeb17b2bba154b3f

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\clean.mbdb

Filesize
15KB

MD5
5cbbd2c9ee91fd9037e30f10421d1baf

SHA1
846c4a169ec40e9758045a0fde809c6ff65f02f9

SHA256
c2151b1c171374b7fcbc30ce1a1d4bc5ff602383294190a23b7a67277a7be9ba

SHA512
71c435e6634cdb9e6cae187965ef2706fcee4c4b7ecfb06ba53f0fa59666dd568929cbf49c26aac3ff20671f2f54a63302d5fad2f7b5bb7e414f2304660c7ad3

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dbmanifest2.dat

Filesize
924B

MD5
6b5c1f2e1b1cd7934f0d7ec0b194c75c

SHA1
b70559a1022dc8657425648a94cd47b68947c658

SHA256
01039ee8629afa03d9e28cadd4cb8ce6d23afddb1da89da92b22abc5e10025e7

SHA512
501c8cf017f4d8000e768bb6ba53d6c653dfccca8852fb33f18cf45ee01e0717fab0f7bc091c6c5708bb78bf40062e1948726344f187ab81f99785edd21cd97a

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\dynconfig.dat

Filesize
39KB

MD5
10f23e7c8c791b91c86cd966d67b7bc7

SHA1
3f596093b2bc33f7a2554818f8e41adbbd101961

SHA256
008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

SHA512
2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\exclusions.txt

Filesize
23KB

MD5
aef4eca7ee01bb1a146751c4d0510d2d

SHA1
5cf2273da41147126e5e1eabd3182f19304eea25

SHA256
9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

SHA512
d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\ig.exe

Filesize
1.8MB

MD5
e19dd0f3c9d4ce5cb7311c3a1d65962f

SHA1
7123244e7578a3f22daf17bdc882025f3b084baf

SHA256
9f21c48b12f45d2f3b34a3326b237bf673de01b7273c2640ba7920d86b35852d

SHA512
bd32a1cb3a7f0d72021fdea0f483cfa377176a99e0550f037817607f9f88ba89b4c0ec9ef84a7680cdb633c3eed4f82296290df53950747625dba6501c11810b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\mbdigsig2.dat

Filesize
514B

MD5
4f64b3cb0d78bee18202af9ea92d951c

SHA1
89ce5c4853e14fd65708b35e57870e728ba5ea15

SHA256
4551edd2cb7730d0488908dca41085a19850643e82f2eaf9bbb6c1875d38b75f

SHA512
5fd9b711800a5b4ce4909e2e5e4f1006add86f3dea036e2ae995f5861cf370f2dedbb0a72fa1727d2ba2ea69bf02d3143613bc0e75f775f2d47f121b20ff3bd8

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\prot.mbdb

Filesize
24B

MD5
546d9e30eadad8b22f5b3ffa875144bf

SHA1
3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

SHA256
6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

SHA512
3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rdefs.mbdb

Filesize
24B

MD5
2f7423ca7c6a0f1339980f3c8c7de9f8

SHA1
102c77faa28885354cfe6725d987bc23bc7108ba

SHA256
850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

SHA512
e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\rules.mbdb

Filesize
9.9MB

MD5
783d6c7316352b7747ce806829ea4378

SHA1
e1e905cc7dcefaebb98af40464a40a5084d67f22

SHA256
a8d169a5241d04eaf8c5428f3974c262a584429e21379454b6b3197b30341e8e

SHA512
8691b0d486b7c5b2691c190f766c5bda8e50d1bc33a6bc118ec473f1cad1ac44afbbcec579cd68e79b491697fa2b3a40846142d967e372b72a1f376bead7d74e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dll

Filesize
528KB

MD5
ac9b550ed5d28232779eee526b45c595

SHA1
37f7944a97e5c5800330fc614a0d0eb3aca9f7dd

SHA256
28e9e689f703978bc1f90a15af3c64f78d52f23d70f3e48af304290791ce68b0

SHA512
731e7788f352e1a447b80a1cfc4e068f4c03e4f7583ac10b5c2e5b39299f03bfed16d8ebf84dbc48b4903f8e6d7ed1668ed53a48994d7fd631c64be0408b22a9

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\scan.mbdb

Filesize
649KB

MD5
905bafae8987b02f9f67751697362257

SHA1
dafc0844e2a6945189e7721b2ed02ff64e687732

SHA256
57a812876514223679e47ebe177529c20143d7b7c3a7578e9e8377d193250b1d

SHA512
f098fb58de55e7aecd62d29778092671cbf184c5170f79db49a7c49bd459afa45200a0fdeb758b0331c7e391fd1dd40fc897e4102c5cf0321f79206725706217

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\tids.mbdb

Filesize
153KB

MD5
64ba7648a25e915927b7c666c171289b

SHA1
6066ffbc206f802bfc655ec5ac2b997e6aede9fa

SHA256
d1fff63890d3b95daf678e2c5e378635dd4853c241d25577d54713a391da1dd7

SHA512
2b4b6cf2a6551a5ff4105423d53d7737ae62d141022b8889bb541b133cd38c3f71af8c43523367fc520fc3571e068b427930ba17a3cc54eada7ed10085a71556

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\lkg_db\wprot2.mbdb

Filesize
22.4MB

MD5
90ba37a6f42c73ea39a751be71608568

SHA1
288f7e1f33531d397d542fd746c89e098aa789e2

SHA256
3738b17ff8946bfdaee06da0118fd9f4a6a1232702554a5d9ddfe054a08698db

SHA512
51671dda5cf94eac3959daf28ae6d14010a3bf571aeed5f07f8c9845324021f32b406e6ac7ccb2362217efe88b7c94805c9fcbfc274b49bb02dfffc0642f2678

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\pkgvers.dat

Filesize
75B

MD5
590728ca37800ae31d8e1ab551fef879

SHA1
4f96f188e08375254b70f38be3c6ff9147beb57c

SHA256
03a19d64af36939a757b06ee5c084a0523f2f06832fb470b92fec85ff1e3d0d5

SHA512
ba147d27afec69596f35dde0ea75837926d1083a964eb1baf8ee4f3aae6aa84b789e474289ec9add0da5e3db467678d1751696bed560bea598f584a1a9737180

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\SdkDbUpdatrV5.dll

Filesize
2.6MB

MD5
52c4aa7e428e86445b8e529ef93e8549

SHA1
72508ba29ff3becbbe9668e95efa8748ce69aa3f

SHA256
6050d13b465417dd38cc6e533f391781054d6d04533baed631c4ef4cea9c7f63

SHA512
f30c6902de6128afbaaed58b7d07e1a0a674f0650d02a1b98138892abcab0da36a08baa8ca0aba53f801f91323916e4076bda54d6c2dc44fdad8ab571b4575f7

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\expapply64.dll

Filesize
473KB

MD5
76a6c5124f8e0472dd9d78e5b554715b

SHA1
88ab77c04430441874354508fd79636bb94d8719

SHA256
d23706f8f1c3fa18e909fe028d612d56df7cd4f9ad0c3a2b521cb58e49f3925d

SHA512
35189cc2bf342e9c6e33fd036f19667398ac53c5583c9614db77fb54aadf9ac0d4b96a3e5f41ec7e8e7f3fe745ae71490bdcf0638d7410b12121e7a4312fae9e

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\updatrpkg\mbupdatrV5.exe

Filesize
5.9MB

MD5
ba954a97510bfdf355bf0f44b35c31a1

SHA1
6b800de30ae3c7c36d2740994db5715fee706a44

SHA256
f439cc6281838b952ef468d79f1bf91628ca11258ecc800b33f9e48501232b26

SHA512
832a464304134e3ea7d04c186f032863649bcbbfe53d3b2b00a5c5026a333ef1acc8830e52242944a2cdadd2798a5d25f4e5c41dd1f6fbf18b5d09214fad035b

Download Submit
C:\ProgramData\Malwarebytes\MBAMService\version.dat

Filesize
26B

MD5
c6c694a2fc26e04fc9bbf376a74e1630

SHA1
0a6241c35def8a1a72c39f0b8ceb1ae0db13a718

SHA256
eafec0d1a995c438f8be0ea0850c329538a20123a028c91369867c4cdbc69518

SHA512
9017df7d565905b25402ac8adce5ae8d8f68dcf5c4e9289212ee96c373865f5dc5004fd6d35e73583fa0009dbc2529a41c73e4ea6d322f434d39291073ab30ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
89KB

MD5
13dd4d27ff4df87b0747356741070149

SHA1
965fcc93dd635b250f45af42c8f2b21047bbc907

SHA256
4ed2afc447a95a07b74870f5243f6770c60a7c60752526c679f60c15697cee4a

SHA512
65d6b6cb9b811cb9ef473e453f30b7e1979e80cc8bfa957fd79eea5eb4a1d1fb799ec4f0979a1ce270b74e4d071628065725cfc9f71f8d55042c30848e779a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
55e897d4c8f3229a61ed08f3495f096d

SHA1
52b8d5d10788804bddf76f582bb185168ab5f5bb

SHA256
e843eb1532f4475040a134ff1fabb1dd95ed4e6a6eeb827f9b3b41313b9f6824

SHA512
46ed818ec51905d17b46ee1b7c33423ea6e41d1067225f3982704fef35d0d4efdaa5f4a41565ff0ea8953cdd6c878327aaefe7d1c8c625e6b20186dd446f425a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d0d02fc49d9a09d21f561ae732c7f415

SHA1
b39107d8d2e1bd6469cc4a558c91ccd084600d19

SHA256
d8261488e98a570da7a8d029ab7a9154137325d70b5a54241e443dd13c084f88

SHA512
44231c62450f505bf040656aae97209281498b7e7a117d3b7ef565c4b11d846b83c46c34d71a2e5b5077b12e3a691a4686f72f5d731d833c62ddcbcde7c0a13d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9776a66538f12b4f0c521af08a2ff961

SHA1
1fe4bf55f74fea9d1e1b90784fa5afd7cfb77129

SHA256
81f4d30c2c7a894235d382da31b063b7d59125e39f3eacf1e29cf467a9377ebb

SHA512
9d28b8b9cfcb1cb19b175a51aff53d902d63d3c7a49bdc34b9b1615b02b329070b4f413972e2694d2f69335f11b7d04c745768052b47c3e88b7800494bbc0aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
40e468e7ae4397289c984563c0d1b603

SHA1
c7d71469a1b0f2400574ed62381c93b031dd966a

SHA256
6a73bc98ca096be2eb4098f54f6674fd6f9906853081b155dd6a4f3569a6c1ba

SHA512
2a18f62ca40f703e7ff9bb8ef78d754cd6dbe5c346c7d4c0030bae4a79789b983bfb3f97a670e36b53565f38e0dacb23641beba00b66737367561d12651fd162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f64f1826541b7854354034a52216540a

SHA1
989c0913e4d6e00047667464f9b3bb3aaffafec6

SHA256
002ad726f116e6124d244c66d23928592628199d62813833de74a0a41d58a52e

SHA512
9d1970acfb047b51688bdf82c7a7ae9073dd0130110bf6653b59a405892c610ea061f84565e116e60bc4de434981f6a16d5fd92c710fd1da4475db1d7a36a7fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
accc9ab3cfcfdc22c2c5aef6be9311be

SHA1
582066f6efc31e594c34375e577af9b8dccc3a78

SHA256
b35a4fbc3c223cd9552f5bcd7b568f3f59a835f8004c914be82e97a15509e86c

SHA512
e5b566aaeb9eafec33059da2388c46f895f6dc77362bb0dfaaf69fad182e6aa3b6dfefaa43cd499161740f78e3a9462783d146a5450bee0b51b907e822e7659d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc89b49038e3e23c74b0797bb6a21e30

SHA1
10f99b39bc2797b615ddb38f8177412d1535d734

SHA256
41d7d9a080869fa0320965c17524f569241a29adda84034f379e50425a68cf60

SHA512
6c7fb32abe3335457df85c70d121b8eb3dd9f5207217d2180f1cb41a1531efe327fa6e41516c9d6c127e89d3de7d6ba8c7d20fd68220ff1e9f0a17f1e8f67dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fbd987769a32a205f4d9b67b0139503e

SHA1
c8862d61b537b8a7a4dabe285b618833eeeed58a

SHA256
56a3312ee656df0126c4fb033d65c3252e3c062d68690c34c751bdb0c203ccc9

SHA512
004711a1c6e4cc955bb4629c2d289660dc83e9aa17e6084ddbfd72619d6b1c2d89c5ca06ddd4a43fd321c0fe270e69fa2fd0af4fc607dec59d4340ab9e485870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0b64a75cce69c824e8b3bae1c0bba92e

SHA1
6b745d7be960e392494bee08317a1a82f5a2c3d6

SHA256
242a9c05f82a503068aeb2cc23fce9d6862e07707a309d48b0aebb317818a5a9

SHA512
b96cdf34e18d5ec640f62620cc1aea8d1e3017b26a94de8dccabfccea70be5f4d73efe83268f9be3f7e16289c8dc57530af03f97fcfcff4252e114f7a0a2b274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3a456985ebcbdf9dac3dabe981700262

SHA1
193cafd0e0949d5f6a391ff04adb8c58015831c0

SHA256
6fa8807a6725a0a4e94c983895b58df990f7c95e94e9fd67ff1cbbfadc7292ad

SHA512
f8c225511cb1ccbc6a17f8f779e4b6b6974c07e5650f4d85bbf65d0e56da1c578e1eec6c5987d56e6c1ac76012b9d24aab660f8e4775880ba5195246ca2a421f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7c6c1a938f1715cc7bd8bac0a40e52af

SHA1
c2da043747e630d8f974fdaf0dc98d84a5b65899

SHA256
716cc98d1462793bea392948dedffcc4988d78a3a2a7d5777e6c23d30fefb6c4

SHA512
e4f8e553a88f472e29564426820765d994ee77d10d6cfb10dd9d6aa8c68d699651800e5baf36b6fbcbcfda94c55531b7471b6f7f7bd4f42601d67e36622d86f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b74924b1fdd0283ca71fe2380e1324f8

SHA1
4e28d33c2bfe2331baa4f0f1cb237d0553b3748a

SHA256
bec0d2230749607729dff8a271820ef86bc44c0a95b7ea37e4b08869324b73cc

SHA512
68c533fb757cee6a958e11d8154563ccce793218554b892e78ecdd4ed9d80ecbfc1e58587c217e61b49f52c34fdecc9e8f22b1a2000076f493f2c8685d4d79dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f455995790d769f6563e134987f82001

SHA1
78d4d61bcdc751119ca6d100f60ae5564e0af2b4

SHA256
f846ec7642b26f929197e2479cbb2513977899c739a68d12f3afaefea189ebb2

SHA512
461b4058eb77e21a531f321976f3599944793e54312c8c4ff21fad6d0ba76bf847636efcf2cdd0c9c8572a1a5a486d64b8dfa9766addb9cdd25d6a4003f73458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ba32c56ad02084d6fa19808479f04d3a

SHA1
5e79bfef8ff50bdb99981ff98dbff265f0d2663a

SHA256
3367892a1ff96051d059b997f2459454fe23e44696b5e5f192b9ef133263f5ae

SHA512
d18bdb0c3d012d95689bbb68860e6979aeadc032c50ac0453cd24380ad684bb57a01c33793ca150ac7c100d2cf04c08523d1cb443d19d43f96c8122db6c1df2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
95a5fee768aabd6a36317cedf7afd472

SHA1
601c9ccdf26b9ee0990f34b4ce8a83d0be2edfb1

SHA256
58a87a0cb90460e5b8efad246f9602c1e8c41aa5ada5676aa216de5f005b3606

SHA512
bb8d69b7c609e726813ac689e6590141048aa9f9e2b8deac7227cb55b7a335088fa20eac988aaaacacda00f527e5ec445b4ee6e0c09fdaf26a52c6ba5ad59c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c309a4ee311ca01fd2c7d2e49657ed64

SHA1
d4bc854cca7b70e22b2dc075c5c2e49a54c02515

SHA256
41c864d903e343dc9b437915f2a8836aab148fadbedf1217ffc8bd58e6cc0c0b

SHA512
b1d95388cbb24a22ddfbc9a73daa4306beba2071c8243241e82fdd7cb660f055493fd1d8d638a0c7e2c86ac6b8ca4cd8b59aec70f7fe880d9ced1114995bf415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b527366369b060445fb974ee746f492e

SHA1
9653b445b63f0c669c9cf19eae533200fb2e8a8a

SHA256
136f49d3036b5658c9196a69876c1e9ac97355074d4e0e97bb2b1010bc5f773f

SHA512
e20ae046b9ef8709229e9eb505f98237d4aceea4d7042be84b3de2dcdc3b6dd5cedf39b3a0d29dedc1c08ececf4bdbf93337cdcd75b2cb7d296018c75205e464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
27e5a8fa740e4779b4d444270448c9f6

SHA1
712969cd3eb8cf2920cc357020ee32d416b7b9d7

SHA256
29069bc81fe7dc985451b81f38361df55c060223705ab8db3cf11c61d78bd843

SHA512
64800994b385351f2b8d77378d5701827b1f4629c67b2af27cb267149382df661890c6c86c66292302716dd91560b9ba78e7e73c634cfe0c3df21f9702156605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592bf8.TMP

Filesize
538B

MD5
9b915ff29bc2180fca963df1d72d2420

SHA1
ba78e14968c06dbab532686bcc6046b0702d4ee4

SHA256
cfc897132ce37c4714ed3ec336c61e3d88c72b2624913a0158e665fe5cfedeab

SHA512
ec04345fe1c8eb84e11fed5d369423be97b5673d3c62d030170a2c2925e51af464e281ece2c9b7b8e808a60d079ce38d504baeab9ec704dd8bd79633da2a80c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0dfae4b15792082bc247d3235361af61

SHA1
7184d2f7bdfd1f951d7fdde3350f883acca142e4

SHA256
9e4beaadc88a472fd4e596038969c8c2a23c98c49d443920a0f010e9e066b7e6

SHA512
29cc10ec088f2130e3f0f8bc41c43c4b75c41a07d460661daa57cdfd3c4652d85e40867827c2f7ca0a3eba927efce1300ac646bf3bcb53fc91732a15a90427f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ceadb5c475b923ad0c192164d38639ed

SHA1
a5a2caae4886bb5ef7d60a00f5a410361f230081

SHA256
423d820705ff2e545b16e3207b7fed668cbd473ff41189cc814a23b21d0e0a4d

SHA512
ef209a3334da03b1dbf908c41ba08ff5e250aea6f578e29085babaf4ceec62eec000bafc60a3b261100815041c2aa4206b955caf31a82e6b5c10d279e2c72e46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
85db8d234235fe42562f30d7b8ff40ee

SHA1
b92af67f1557da2c172b6db61d71e56bd4bd7ac2

SHA256
b5881a671237fee2805549c9801bf5f36abf158117a567305c4aca1067fecc42

SHA512
078ae9eb8ef060122fefb83058aec55687a6039535602a255f2f931c1874087a61bd7aaa43fcc7c33338da306192aebbe0ad7373b50c56ba20f5891c7b4e4eaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2d367cd8901a2511dd13b07bd14d1742

SHA1
bb79498cd36b3ea2696ed4ff7938c1593bf870d0

SHA256
2044bdfafe485bf06564528d06646ef0df12ce44c895cfee7db54d09e869c0c1

SHA512
074e3826bfc6684cef7f50d78ac4f75770ebe6c4512b2d1ad2d883e7ace273c6fa830753b5e7a9943fbab472fdfd4083a5a5a0b2e53c17771f0895445437f7fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\activity-stream.discovery_stream.json

Filesize
28KB

MD5
8fbf107a762677b18582091fe93a6ec7

SHA1
63642fbbeca7767f0ee64ee1b5f8ef50ac511d18

SHA256
7650e201496ee093b614b62ad7fd20b2b4fe92cb1899eea547e0b1546697149a

SHA512
c52a59cc9d322e65eb1d52403f5a04f9b3c5ac61826dde5469bb242e4c589535969fb3632da89a6aa19211c0848c483328882d7d7af64a0ca058d4df9c806721

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\cache2\entries\DC904F6FE13AF2FDD1A89E5DC2045B0E5EE12A27

Filesize
224KB

MD5
16cdb01050496f62c4f2524a747b8b60

SHA1
97ca494bb15aed6b71618d3c06b0a14d79a79f92

SHA256
54f51085b6b5aace329fa53ae18025e267f484a5664ee82e21cfddb294fc3b3d

SHA512
39e0de4edc96ad8b1931d6feaa1036198884b18894c94563f1f6e5f50dafe2cb1613124f3399a44ed93fbbb026dd051c843eb502e6df1c517df438e367d93cf3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\3b1699e6-a7dc-46e9-aa99-9ca6a41e0124.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133787044939645849.txt

Filesize
68KB

MD5
2658a23f4e3910f8f06292cc7a978acd

SHA1
8c2eb744e6f26fa09add15e5bfaccd0990a8ad86

SHA256
312fb7133c86ad66b58aac35748c46082a47dbb8a1b0329fe61e48fcb49a4e66

SHA512
7c422c484ce283f0cbc7cb47241c049338a7ba4126aa68df0e5d7d816d4ef366a296cf8837499cf48c8b0585e669877b6696d0475f3b38b8b94beba210ef783c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt.~tmp

Filesize
846KB

MD5
766f5efd9efca73b6dfd0fb3d648639f

SHA1
71928a29c3affb9715d92542ef4cf3472e7931fe

SHA256
9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc

SHA512
1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
5a279ff4b4085bda303940ab541c42e8

SHA1
f6852b19269d31e9c93ce869cf78fcce61269750

SHA256
8b92f2c46f9b8db35914da158249176b3345a6e5dabbeeb1e7a28340f49fda27

SHA512
07677a9c9fc7ba6d1d349ee129b786856e4db5ac617f1c19f4ce7ad8cbfb783128a033306528611389545d03ccc42ab06d95326fef67f0fdee021905a8a5aa95

Download Submit
C:\Users\Admin\AppData\Local\Temp\169821734230304.bat

Filesize
340B

MD5
3867f2ec82a7d77c9ffefb1aac8b7903

SHA1
06fccf19b9c498b5afa2b35da00e3ab28d56f785

SHA256
4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f

SHA512
b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
1KB

MD5
0a92e3c497979bd40a72b0e7e07a9c8c

SHA1
f0370aa391557bbaa8621e07d738275409eb0995

SHA256
04ae64a832d9df0ee4b5719ed45c6b8182ed105b65dc867dd3a97005e765e41c

SHA512
5c29f1ad2f18bdda23fd67517536aec47b45ba5effd2c38223bb0b93ae5d58d9e893647a0d94a31aa84e85b13179c3f3229ad6ab20cbec6d1463540cf44565f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

Filesize
3.0MB

MD5
6ed47014c3bb259874d673fb3eaedc85

SHA1
c9b29ba7e8a97729c46143cc59332d7a7e9c1ad8

SHA256
58be53d5012b3f45c1ca6f4897bece4773efbe1ccbf0be460061c183ee14ca19

SHA512
3bc462d21bc762f6eec3d23bb57e2baf532807ab8b46fab1fe38a841e5fde81ed446e5305a78ad0d513d85419e6ec8c4b54985da1d6b198acb793230aeecd93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

Filesize
702KB

MD5
90f50a285efa5dd9c7fddce786bdef25

SHA1
54213da21542e11d656bb65db724105afe8be688

SHA256
77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f

SHA512
746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

Filesize
510KB

MD5
73d4823075762ee2837950726baa2af9

SHA1
ebce3532ed94ad1df43696632ab8cf8da8b9e221

SHA256
9aeccf88253d4557a90793e22414868053caaab325842c0d7acb0365e88cd53b

SHA512
8f4a65bd35ed69f331769aaf7505f76dd3c64f3fa05cf01d83431ec93a7b1331f3c818ac7008e65b6f1278d7e365ed5940c8c6b8502e77595e112f1faca558b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll

Filesize
694KB

MD5
a12c2040f6fddd34e7acb42f18dd6bdc

SHA1
d7db49f1a9870a4f52e1f31812938fdea89e9444

SHA256
bd70ba598316980833f78b05f7eeaef3e0f811a7c64196bf80901d155cb647c1

SHA512
fbe0970bcdfaa23af624daad9917a030d8f0b10d38d3e9c7808a9fbc02912ee9daed293dbdea87aa90dc74470bc9b89cb6f2fe002393ecda7b565307ffb7ec00

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

Filesize
105KB

MD5
fb072e9f69afdb57179f59b512f828a4

SHA1
fe71b70173e46ee4e3796db9139f77dc32d2f846

SHA256
66d653397cbb2dbb397eb8421218e2c126b359a3b0decc0f31e297df099e1383

SHA512
9d157fece0dc18afe30097d9c4178ae147cc9d465a6f1d35778e1bff1efca4734dd096e95d35faea32da8d8b4560382338ba9c6c40f29047f1cc0954b27c64f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Filesize
219B

MD5
82a1fc4089755cb0b5a498ffdd52f20f

SHA1
0a8c0da8ef0354f37241e2901cf82ec9ce6474aa

SHA256
7fbdc49f4b4ba21949eca0b16c534b4882da97e94e5ca131cec1629e60439dfa

SHA512
1573a0c7333accef2695efefe1b57cba8f8d66a0061c24420ee0a183343a9a319995267d306ee85084c95580f9855bcdf9dee559b28a200b27fc3cc353315e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin

Filesize
6KB

MD5
b1079ce2414845b1bdf0759028263a37

SHA1
e23bc19d4dbfcffdba93d4b46baa3457d1a82402

SHA256
456e31f89a4dc12f4f148382917a9027a77f4efb263df93f90acb8ab846e5806

SHA512
359cd7504c3f856bc8c8e2dbc6331c833cfa30b612db469b9cc5073ddff39fbfd7f61e43a62a09097cfadc8955d8096fa61c218cef8e10848c5f8d5b3fce9692

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin

Filesize
12KB

MD5
a6d254d5ee13cb70e0839180c40ad4f8

SHA1
78daf4f3cffc3a36cefe976b76cdaa47ef0c8e00

SHA256
64c0da2418dd729987d1c29e7e5ea557087e304a86db9bed7fa82e743d9833b5

SHA512
9dd5cda2a7cb7f256c5a110e189629fece2b0115d26a805d4d34630b8c3a3da8af862682fa47b030091d5e746453b85275147ca4e0bf594c27b70e9b655d3909

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
c3af640ffcea3cf23d6cf42c04fdae22

SHA1
3cbf96bde4c2bd26eb0b68a1130c274bda01d7a0

SHA256
0ec7cda3a59892dace1ad3f84273a475be54b221fdde99706ff612d8a9aa53db

SHA512
9a3fe86997c82e9f7cbc299e1a566b4d00f231e8433bdb85732aeae22548e362fff0d9556e90682b4f94326fe5a27c8b432d9323e4918ba5cd7fab47c378890b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
8505f4c2ae6b4987bb44a5e140a0dbb0

SHA1
3411837195798bf7e0105b230dfe14328e1510e1

SHA256
b71457a2d89c74db54e013241b8c80fae1c63c533c6a70075d51128a9ae676fb

SHA512
64911e682371be97061bd180527801d3313923de4e65cc0a06ecaa6d2af205ef536c613296d754f07ee7be90e4f23cd9d65254c03db153f3b26a221e5fa11763

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\3e1ab774-1bd3-4308-901b-14ba32f5b7a9

Filesize
982B

MD5
2a2dac60089b8b3e3d61869bb320ce13

SHA1
653caad2a55bc3566e5f13ee1e341fad6b9f0f82

SHA256
91fcd270220384a6b9f653e3c7d2c333da10d6226c126e4bcb2679d700d7fde6

SHA512
2ffaa6b9f13fb0a4f79b2d53925ec3c238163cdf70dab38311a5a2ef32a715eda0cb4c3542ba321cfc799b80f85cd075aec8479173ceb52737fbe9d819388145

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\bfa3d1aa-5c37-4456-a825-83f6075db62d

Filesize
659B

MD5
f145aff6600735fbcd5b9f9601c06ecb

SHA1
67543922f746308f9a188dc949c7a7981dd50cc0

SHA256
c207bea48e79d3f5ee9577a6ff6eff38ada2d3175d2011daca45518b54faec3a

SHA512
754b079287fc6cb4873232404fb42d63f29517ee65abacb5e456ba363bd15a2c13d3fe94bacd89d63db095e77727e435f5f6f807e1fb185a68968ef9bd2a829a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
10KB

MD5
cee226d890e217f6e38586faa3bb444f

SHA1
494874786cc56e5a9421721092ca214f2c836709

SHA256
c8a6e752f5bc8a88471d807d2bde4e9eb526cb693e85179351e73c56ca69cb62

SHA512
e02fd057c70340a36a6289ac61192153876afdd793a23d24b364a4da368500ad7390f555b86117590a4432f5cff23ded4abc8051dcebc8a8ce2903bb4cb04bfb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
11KB

MD5
19a8475aa23b4d93cef27d2bd3b91a85

SHA1
495ecb7f98837f41c277eec75a7c6486b679df44

SHA256
a8509b8d735c9843360cd1b24a388f048c8a9ee21a225388b3e47d1e4526fc16

SHA512
cc293fbe2c621dcc8352102a4389f671e3df6b7072020fc4699e843e404eac8930b2f9115a58160d57541270f805157fb93f43f8ef18893b94238b3e7983cd51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs.js

Filesize
10KB

MD5
25e47011546c8b38abb3941ad51dc2f7

SHA1
6808ee5c334fb4ad348a6816713f027ff2496351

SHA256
2b841a04ba296339b23d1bf4c2d0c82dc86721c929a6373a6d0d1c0f85a33fce

SHA512
2b4d9b7166481f558c08928d84dad6450018ec2ee2c778459b8c0f00186ecd1a8d4b3090bc8066efacdf79fc357b9daca25219dfe8aaf6b1f1c3415a9a4523f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionCheckpoints.json.tmp

Filesize
228B

MD5
66bdbb6de2094027600e5df8fbbf28f4

SHA1
ce033f719ebce89ac8e5c6f0c9fed58c52eca985

SHA256
df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc

SHA512
18782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
7e82c80e1a4fda43819958df2fb643df

SHA1
8b58fb2252056363f812c44335593280d7d7e79c

SHA256
5155e32564309f3471d6dc87e19c7049485d14f767fc29bb19cea88bbf1c52cd

SHA512
b6754afea88ec2182b576213bbad716a43b92ddccf38d5530324cd4fbb6aa780b417fd97b199bf5f07bb8e15d36ed35022ad9405beb31a6b842bb941dc99c16d

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
17.9MB

MD5
2478a935c4ca6130a44536686b2fa311

SHA1
bfd6d888e7060cfb6948b2ccd327034b70e524da

SHA256
be024fab5800947a0a6f1252171383fc571fb50a607250cde5dc3d6b7e6be84d

SHA512
35dc7c7e00ec5ccbd106e9953eaf2e7343d240cdf309381da5652f7602157b91e02c4bdc057191c23bffd513b68396d839928baf256f9bfc82dec1ee92bdada6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 887080.crdownload

Filesize
2.6MB

MD5
73e964d096abeae2a3ede695422fd301

SHA1
c21b85855c2cc928572ba9bbfd07203051b7a074

SHA256
6bd5dd485b558ae2a89fe7b0101c77fff6a64e1019f5d75b6fa53298170e1752

SHA512
008728cb58d7be5740c33c694690ba29f3a9e19b4721a1eb3f8528552d23583532d5dd3662e96142ff349b4e411ca3017b2895dff9f12354eff4c78e22beb376

Download Submit
C:\Windows\System32\DriverStore\Temp\{06432323-82f1-b64f-b92b-ec4bfe3fefb0}\mbtun.cat

Filesize
10KB

MD5
8abff1fbf08d70c1681a9b20384dbbf9

SHA1
c9762e121e4f8a7ad931eee58ee60c8e9fc3ecb6

SHA256
9ceb410494b95397ec1f8fa505d071672bf61f81cc596b8eccd167a77893c658

SHA512
37998e0aee93ff47fe5b1636fce755966debe417a790e1aebd7674c86c1583feef04648a7bc79e4dedaabb731051f4f803932ac49ea0be05776c0f4d218b076f

Download Submit
C:\Windows\System32\DriverStore\Temp\{06432323-82f1-b64f-b92b-ec4bfe3fefb0}\mbtun.sys

Filesize
107KB

MD5
83d4fba999eb8b34047c38fabef60243

SHA1
25731b57e9968282610f337bc6d769aa26af4938

SHA256
6903e60784b9fa5d8b417f93f19665c59946a4de099bd1011ab36271b267261c

SHA512
47faab5fff3e3e2d2aea0a425444aa2e215f1d5bf97edee2a3bb773468e1092919036bcd5002357594b62519bf3a8980749d8d0f6402de0e73c2125d26e78f1e

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
107KB

MD5
45e86c2cce5bc699f6242a66036170bd

SHA1
376fd088c8543e4a0c031a1def5181087856e9d8

SHA256
e2bcba2b3b1ca76dde7d7754be20542afd97ba0a51db1527374dd610d8057895

SHA512
622d0c16f78ef27953f09be808d25e18f1948e03b5b51b50be6a9ca6d203de405120f20e7d29869bb2ecba1d77a3466fcd160ebdd5f2ebbc4452d34c5680124c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9EC3B71635F8BA3FC68DE181A104A0EF_10CFC0D4C45D2E76B7EA49C8C22BEDFE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Windows\System32\drivers\MbamChameleon.sys

Filesize
226KB

MD5
0863c7e1aa4ae619862d21b9b10473ec

SHA1
efe9afac664bc0054f3d5440b34aae96b5e8fe31

SHA256
61fec3b75bb28bdbeb812f956efc634d200de86ef380d0492ca9f2e4a17222bf

SHA512
dd6bd35a30f6d71908ad882845b4dcd7fdeccfd53aa8e1a7dd1ad73a75ea08702c302b5012080fa4162ce898505d00a37187734504abe66ca20faa0e2e407e44

Download Submit
C:\Windows\SystemTemp\Tmp5773.tmp

Filesize
6KB

MD5
ce9a07eb532abf822c084cd5e4bffa89

SHA1
8e419367d2b9d563770feb2f7d2a89d6344b960b

SHA256
9dcec9b57124fcc688ac75a584be198a99992c751064904173119af285b3f962

SHA512
85c4512f4e6d6989e0ba6555664185811a7eb10881230940689ae422b3fefaf9b301cee40048f702ec2b60d69d67e914ec0b837f5de16c8a9c7439e754eb5c71

Download Submit
C:\Windows\SystemTemp\Tmp6242.tmp

Filesize
6KB

MD5
656e563be937851a03e1e0c401d6c4c2

SHA1
93da375e7e01d4e12511c733e6194d9a0492b3d1

SHA256
89327b0ebf21926e7782a2e556717d6d458728ee0d18f261dab8dae3f8c59178

SHA512
1cb2ebade24bfb23789abcdae4d46587fdc2b4eda36a1eea46dd7ba26b0b320758cd8636e54a87f1679803c3d533a3dca61860c56c079986d8693f2a5ebbb990

Download Submit
C:\Windows\Temp\MBInstallTempfb3a9b1aba8d11efbed26e43ea74cdf0\7z.dll

Filesize
1.6MB

MD5
3430e2544637cebf8ba1f509ed5a27b1

SHA1
7e5bd7af223436081601413fb501b8bd20b67a1e

SHA256
bb01c6fbb29590d6d144a9038c2a7736d6925a6dbd31889538af033e03e4f5fa

SHA512
91c4eb3d341a8b30594ee4c08a638c3fb7f3a05248b459bcf07ca9f4c2a185959313a68741bdcec1d76014009875fa7cbfa47217fb45d57df3b9b1c580bc889d

Download Submit
C:\Windows\Temp\MBInstallTempfb3a9b1aba8d11efbed26e43ea74cdf0\ctlrpkg\Malwarebytes_Assistant.runtimeconfig.json

Filesize
372B

MD5
d94cf983fba9ab1bb8a6cb3ad4a48f50

SHA1
04855d8b7a76b7ec74633043ef9986d4500ca63c

SHA256
1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a

SHA512
09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

Download Submit
C:\Windows\Temp\MBInstallTempfb3a9b1aba8d11efbed26e43ea74cdf0\ctlrpkg\mbae64.sys

Filesize
154KB

MD5
95515708f41a7e283d6725506f56f6f2

SHA1
9afc20a19db3d2a75b6915d8d9af602c5218735e

SHA256
321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6

SHA512
d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08

Download Submit
C:\Windows\Temp\MBInstallTempfb3a9b1aba8d11efbed26e43ea74cdf0\dbclspkg\MBAMCoreV5.dll

Filesize
6.4MB

MD5
79b962f48bed2db54386f4d56a85669e

SHA1
e763be51e1589bbab64492db71c8d5469d247d5c

SHA256
cb097b862f9913eb973c6f16e1e58a339472e6abae29d8573c8f49170d266e8a

SHA512
c45ab55788b2c18e9aa67c9a96b8164c82b05551e8d664b468b549cced20a809257897cdfbbd49f3a4804a4adcc05323f21c61e699173a93dda614e80d226de4

Download Submit
C:\Windows\Temp\MBInstallTempfb3a9b1aba8d11efbed26e43ea74cdf0\dotnetpkgtmp\shared\Microsoft.NETCore.App\6.0.33\mscordaccore.dll

Filesize
1.3MB

MD5
0377b6eb6be497cdf761b7e658637263

SHA1
b8a1e82a3cb7ca0642c6b66869ee92ce90465b2a

SHA256
4b7247323c45262bbb77f0ef55c177a2211040fa77d410513a667488bf1bc882

SHA512
ff3f6f6d1535e7aab448590fdbdf60d37e64e00d4081853f201c0103d7b7918f388db5469774f32af211e0990bc103bc9ff3708fa44efd868aa312c76ea65600

Download Submit
C:\Windows\Temp\MBInstallTempfb3a9b1aba8d11efbed26e43ea74cdf0\servicepkg\MBAMService.exe

Filesize
9.0MB

MD5
a91250ee015e44503b78b787bd444558

SHA1
fe2257577e22f4a65115745a6624465258065e8e

SHA256
a43179b449c2bab069cfc055de0a3e9e5f3ba378fe4306c19f2b999325a2c7b2

SHA512
8e321a20d4bda5ad203e3880c0d4ec741b55ebb3c74250f365086dd338b61eafe79d746b53ac786fc2bb9defd21e36fddc1be50e11b89ae8b337568f2c939e36

Download Submit
C:\Windows\Temp\MBInstallTempfb3a9b1aba8d11efbed26e43ea74cdf0\servicepkg\mbamelam.cat

Filesize
10KB

MD5
60608328775d6acf03eaab38407e5b7c

SHA1
9f63644893517286753f63ad6d01bc8bfacf79b1

SHA256
3ed5a1668713ef80c2b5599b599f1434ad6648999f335cf69757ea3183c70c59

SHA512
9f65212121b8a5d1a0625c3baa14ef04a33b091d26f543324333e38dcdb903e02ccc4d009e22c2e85d2f61d954e0b994c2896e52f685003a6ef34758f8a650c7

Download Submit
C:\Windows\Temp\MBInstallTempfb3a9b1aba8d11efbed26e43ea74cdf0\servicepkg\mbamelam.inf

Filesize
2KB

MD5
c481ad4dd1d91860335787aa61177932

SHA1
81633414c5bf5832a8584fb0740bc09596b9b66d

SHA256
793626d240fd8eefc81b78a57c8dfe12ea247889b6f07918e9fd32a7411aa1c3

SHA512
d292e028936412f07264837d4a321ecfa2f5754d4048c8bcf774a0e076e535b361c411301558609d64c71c1ce9b19e6041efa44d201237a7010c553751e1e830

Download Submit
C:\Windows\Temp\MBInstallTempfb3a9b1aba8d11efbed26e43ea74cdf0\servicepkg\mbamelam.sys

Filesize
20KB

MD5
9e77c51e14fa9a323ee1635dc74ecc07

SHA1
a78bde0bd73260ce7af9cdc441af9db54d1637c2

SHA256
b5619d758ae6a65c1663f065e53e6b68a00511e7d7accb3e07ed94bfd0b1ede0

SHA512
a12ccf92bead694f5d3cba7ff7e731a2f862198efc338efc7f33a882fe0eb7499fb3fb533538d0a823e80631a7ca162962fbdfd78e401e3255672910b7140186

Download Submit
memory/3148-2091-0x0000000000200000-0x00000000004FE000-memory.dmp

Filesize
3.0MB

Download
memory/3148-1479-0x0000000073370000-0x00000000733E7000-memory.dmp

Filesize
476KB

Download
memory/3148-2278-0x0000000000200000-0x00000000004FE000-memory.dmp

Filesize
3.0MB

Download
memory/3148-2471-0x0000000073090000-0x00000000732AC000-memory.dmp

Filesize
2.1MB

Download
memory/3148-1963-0x0000000073090000-0x00000000732AC000-memory.dmp

Filesize
2.1MB

Download
memory/3148-1957-0x0000000000200000-0x00000000004FE000-memory.dmp

Filesize
3.0MB

Download
memory/3148-1895-0x0000000000200000-0x00000000004FE000-memory.dmp

Filesize
3.0MB

Download
memory/3148-1814-0x0000000000200000-0x00000000004FE000-memory.dmp

Filesize
3.0MB

Download
memory/3148-1482-0x0000000073090000-0x00000000732AC000-memory.dmp

Filesize
2.1MB

Download
memory/3148-1476-0x0000000000200000-0x00000000004FE000-memory.dmp

Filesize
3.0MB

Download
memory/3148-1478-0x00000000733F0000-0x000000007340C000-memory.dmp

Filesize
112KB

Download
memory/3148-2465-0x0000000000200000-0x00000000004FE000-memory.dmp

Filesize
3.0MB

Download
memory/3148-1480-0x0000000073340000-0x0000000073362000-memory.dmp

Filesize
136KB

Download
memory/3148-1481-0x00000000732B0000-0x0000000073332000-memory.dmp

Filesize
520KB

Download
memory/3148-1477-0x0000000073410000-0x0000000073492000-memory.dmp

Filesize
520KB

Download
memory/3148-2490-0x0000000000200000-0x00000000004FE000-memory.dmp

Filesize
3.0MB

Download
memory/3148-1416-0x00000000732B0000-0x0000000073332000-memory.dmp

Filesize
520KB

Download
memory/3148-1417-0x0000000073340000-0x0000000073362000-memory.dmp

Filesize
136KB

Download
memory/3148-1418-0x0000000000200000-0x00000000004FE000-memory.dmp

Filesize
3.0MB

Download
memory/3148-1415-0x0000000073090000-0x00000000732AC000-memory.dmp

Filesize
2.1MB

Download
memory/3148-1414-0x0000000073410000-0x0000000073492000-memory.dmp

Filesize
520KB

Download
memory/4780-39-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download