Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
20/05/2025, 08:29
Static task
static1
Behavioral task
behavioral1
Sample
2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe
Resource
win10v2004-20250502-en
General
-
Target
2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe
-
Size
2.9MB
-
MD5
a0dee67fdef2682ca3b789a16055794a
-
SHA1
3fc415f721f82d0e5a877b48ccb0e7ddae51865d
-
SHA256
56cbfbdad73c3cd640b323eeb8f1acd6fdf1a28548825e991adaa330017c0701
-
SHA512
bfd2b46507796d3a20b392c0ba3c17b1cbdf0a584fdbfda323721511732f0ecba99b0092b74d473d67d64d01ee4d10ce7c37a331639d370d08d589f6e1747aa9
-
SSDEEP
49152:cYGZQtX5oSAR5nLNAzvwAeyfvE0Z3R0Tnxn1o2d52GZs3Qx:ZGgX5oSAznLAeKtwnW2d
Malware Config
Signatures
-
Detects Mofksys worm 5 IoCs
resource yara_rule behavioral1/files/0x00090000000240e8-8.dat family_mofksys behavioral1/files/0x0008000000024222-15.dat family_mofksys behavioral1/files/0x0008000000024224-24.dat family_mofksys behavioral1/files/0x0008000000024226-32.dat family_mofksys behavioral1/files/0x0009000000024225-49.dat family_mofksys -
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Mofksys family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe -
Downloads MZ/PE file 1 IoCs
flow pid Process 36 4348 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe -
Drops file in Drivers directory 7 IoCs
description ioc Process File opened for modification C:\Windows\system32\DRIVERS\MbamElam.sys MBAMService.exe File created C:\Windows\system32\DRIVERS\mbamswissarmy.sys MBAMService.exe File created C:\Windows\system32\DRIVERS\MbamChameleon.sys MBAMService.exe File opened for modification C:\Windows\SysWOW64\drivers\mbamtestfile.dat 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe File created C:\Windows\SysWOW64\drivers\mbamtestfile.dat 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe File created C:\Windows\system32\drivers\mbae64.sys MBAMInstallerService.exe File created C:\Windows\system32\DRIVERS\MbamElam.sys MBAMService.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Patched UPX-packed file 1 IoCs
Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.
resource yara_rule behavioral1/files/0x0007000000024305-2383.dat patched_upx -
Sets service image path in registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mbamchameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys" MBAMService.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion MBAMService.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate MBAMService.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 12 IoCs
pid Process 4348 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 1496 icsys.icn.exe 368 explorer.exe 4912 spoolsv.exe 2728 svchost.exe 1896 spoolsv.exe 1468 svchost.exe 4404 explorer.exe 2220 MBAMInstallerService.exe 3024 MBVpnTunnelService.exe 4468 MBAMService.exe 3840 MBAMService.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService MBAMInstallerService.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService\ = "Service" MBAMInstallerService.exe -
Loads dropped DLL 32 IoCs
pid Process 2220 MBAMInstallerService.exe 2220 MBAMInstallerService.exe 2220 MBAMInstallerService.exe 3024 MBVpnTunnelService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 3840 MBAMService.exe 2220 MBAMInstallerService.exe 2220 MBAMInstallerService.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: MBAMService.exe File opened (read-only) \??\A: MBAMInstallerService.exe File opened (read-only) \??\H: MBAMInstallerService.exe File opened (read-only) \??\K: MBAMInstallerService.exe File opened (read-only) \??\M: MBAMService.exe File opened (read-only) \??\U: MBAMService.exe File opened (read-only) \??\X: MBAMService.exe File opened (read-only) \??\N: MBAMInstallerService.exe File opened (read-only) \??\O: MBAMInstallerService.exe File opened (read-only) \??\T: MBAMInstallerService.exe File opened (read-only) \??\S: MBAMService.exe File opened (read-only) \??\T: MBAMService.exe File opened (read-only) \??\B: MBAMInstallerService.exe File opened (read-only) \??\G: MBAMInstallerService.exe File opened (read-only) \??\J: MBAMInstallerService.exe File opened (read-only) \??\Q: MBAMInstallerService.exe File opened (read-only) \??\L: MBAMService.exe File opened (read-only) \??\Q: MBAMService.exe File opened (read-only) \??\R: MBAMService.exe File opened (read-only) \??\L: MBAMInstallerService.exe File opened (read-only) \??\P: MBAMInstallerService.exe File opened (read-only) \??\W: MBAMInstallerService.exe File opened (read-only) \??\G: MBAMService.exe File opened (read-only) \??\K: MBAMService.exe File opened (read-only) \??\O: MBAMService.exe File opened (read-only) \??\Y: MBAMService.exe File opened (read-only) \??\E: MBAMInstallerService.exe File opened (read-only) \??\I: MBAMInstallerService.exe File opened (read-only) \??\H: MBAMService.exe File opened (read-only) \??\I: MBAMService.exe File opened (read-only) \??\V: MBAMService.exe File opened (read-only) \??\M: MBAMInstallerService.exe File opened (read-only) \??\V: MBAMInstallerService.exe File opened (read-only) \??\Z: MBAMInstallerService.exe File opened (read-only) \??\B: MBAMService.exe File opened (read-only) \??\E: MBAMService.exe File opened (read-only) \??\J: MBAMService.exe File opened (read-only) \??\N: MBAMService.exe File opened (read-only) \??\P: MBAMService.exe File opened (read-only) \??\Z: MBAMService.exe File opened (read-only) \??\R: MBAMInstallerService.exe File opened (read-only) \??\U: MBAMInstallerService.exe File opened (read-only) \??\A: MBAMService.exe File opened (read-only) \??\S: MBAMInstallerService.exe File opened (read-only) \??\X: MBAMInstallerService.exe File opened (read-only) \??\Y: MBAMInstallerService.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_8d5ca5ab1472fc44\netl1e64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\e2xw10x64.inf_amd64_04c2ae40613a06ff\e2xw10x64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwbw02.inf_amd64_1c4077fa004e73b4\netwbw02.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\netmlx4eth63.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\bcmdhd64.inf_amd64_e0bae6831f60ea5f\bcmdhd64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_84cd7b2798e0a666\netg664.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_b96cdf411c43c00c\netbc64.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2199dea4-1663-8042-a91a-414dfab37076}\mbtun.cat DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_e4cbe375963a69e9\netl160a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\netrtwlane_13.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\netl1c63x64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\mwlu97w8x64.inf_amd64_23bc3dc6d91eebdc\mwlu97w8x64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_ec11d0ad3c5b262a\netvwifimp.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2199dea4-1663-8042-a91a-414dfab37076}\SET6CAF.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_1bdf7a435cb3580d\netrasa.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netjme.inf_amd64_752bf22f1598bb7e\netjme.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\Temp\{2199dea4-1663-8042-a91a-414dfab37076}\SET6CC0.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2199dea4-1663-8042-a91a-414dfab37076}\mbtun.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mbtun.inf_amd64_add82795013a7c3b\mbtun.cat DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4\netv1x64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane01.inf_amd64_b02695ef070d7a42\netrtwlane01.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\netwsw00.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwlv64.inf_amd64_0b9818131664d91e\netwlv64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw02.inf_amd64_42e02bae858d0fbd\netwtw02.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\rndiscmp.inf_amd64_81bff1eb756435c6\rndiscmp.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\c_net.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\mrvlpcie8897.inf_amd64_07fc330c5a5730ca\mrvlpcie8897.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_e92c5a65e41993f9\net9500-x64-n650f.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netbc63a.inf_amd64_7ba6c9cea77dd549\netbc63a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\netvg63a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\bcmwdidhdpcie.inf_amd64_977dcc915465b0e9\bcmwdidhdpcie.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\netathr10x.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_7a30f5a9441cd55b\net8185.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\athw8x.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_5aa81644af5957b3\msux64w10.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netsstpa.inf_amd64_e76c5387d67e3fd6\netsstpa.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net7400-x64-n650.inf_amd64_557ce3b37c3e0e3b\net7400-x64-n650.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_b06c3bc32f7db374\bthpan.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2199dea4-1663-8042-a91a-414dfab37076}\SET6CC0.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mbtun.inf_amd64_add82795013a7c3b\mbtun.sys DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\net1yx64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netvf63a.inf_amd64_a090e6cfaf18cb5c\netvf63a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_7080f6b8ea1744fb\netnvma.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_9a5b429abc465278\wnetvsc.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_5d1c92f42d958529\netax88772.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_be4ba6237d385e2e\netrndis.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net8192su64.inf_amd64_66c8bfc7a4b1feed\net8192su64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_07ad61d07466a58a\wceisvista.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net819xp.inf_amd64_ff7a5dd4f9b1ceba\net819xp.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_895623810c19146a\nete1e3e.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_783312763f8749c7\netl260a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netelx.inf_amd64_7812e4e45c4a5eb1\netelx.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_8de1181bfd1f1628\ndisimplatformmp.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_ede00b448bfe8099\netxex64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_d5996f2a9d9aa9e3\netr28ux.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF MBVpnTunnelService.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Diagnostics.TraceSource.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Security.AccessControl.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Xml.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hans\PresentationCore.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\RTPControllerImpl.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\mbae64.sys MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Microsoft.Extensions.DependencyInjection.Abstractions.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\25f56c21-e767-4dd5-895a-72f60b0c1110 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Reflection.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Security.Claims.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Security.Cryptography.Encoding.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\Microsoft.VisualBasic.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\PresentationFramework-SystemCore.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-core-timezone-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\mscordaccore.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Collections.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\PresentationFramework.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\tr\ReachFramework.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\fr\PresentationUI.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Actions.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Microsoft.Data.Sqlite.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Reflection.Extensions.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hant\System.Windows.Forms.Design.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.IO.FileSystem.Watcher.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Private.CoreLib.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-crt-heap-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Data.Common.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Net.HttpListener.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\cs\UIAutomationTypes.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\version.dat MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.UI.Theme.Primitives.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Drawing.Primitives.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\System.Windows.Input.Manipulations.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\UIAutomationProvider.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Runtime.Serialization.Json.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\fr\UIAutomationTypes.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hant\PresentationUI.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hant\UIAutomationClientSideProviders.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Private.Xml.Linq.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-core-file-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\de\ReachFramework.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hans\UIAutomationClientSideProviders.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hant\UIAutomationTypes.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\mbamelam.sys MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\QRCoder.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.tmf MBAMService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-core-file-l1-2-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.IO.Pipes.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Reflection.Emit.ILGeneration.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Xml.XPath.XDocument.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\fr\PresentationFramework.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\Microsoft.WindowsDesktop.App.deps.json MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\System.Windows.Forms.Primitives.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\tr\System.Windows.Forms.Design.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\d8eddce0-cd7b-4238-8e64-bfa6c5f6598f 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-core-processthreads-l1-1-1.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Diagnostics.Tracing.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Globalization.Extensions.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\Accessibility.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\pt-BR\PresentationFramework.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.UI.Style.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\System.Design.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-crt-convert-l1-1-0.dll MBAMInstallerService.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File opened for modification \??\c:\windows\system\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe File opened for modification C:\Windows\INF\setupapi.dev.log MBVpnTunnelService.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe -
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MBAMService.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MBAMService.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION MBAMInstallerService.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Malwarebytes.exe = "11000" MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION MBAMService.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000" MBAMService.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000" MBAMService.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" MBAMService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software MBAMInstallerService.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\ MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MBAMInstallerService.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes\FirstRun = "false" MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MBAMService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security MBAMInstallerService.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\ MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes\FirstRun = "false" MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0 MBAMInstallerService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0 MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Malwarebytes\FirstRun = "false" MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0 MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MBAMService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\ProgID MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00A73BC0-754E-44E1-B190-D59E187A5EA1}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E149FEF9-F1DC-4894-8A8E-AA53F6807EFD}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B2CCE9B-6446-450F-9C9D-542CD9FA6677}\TypeLib\Version = "1.0" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5091804-600E-4226-BF28-80ABFDF4AFAB}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DB6AD16-564C-451A-A173-0F31A62B7A4D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F641DDA1-271F-47C7-90C2-4327665959DF}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C30B7D9-82A1-4068-8A5B-F4C7D5EF75A3}\TypeLib MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82AA83E1-EC24-4908-90E5-FAA212B30200}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2846D47E-9B85-4836-B883-6A7B493E2D6A}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}\1.0\ = "PoliciesControllerCOMLib" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{118F4330-CAF5-4A54-ABB0-DC936669ED2F} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{983849D5-BFE9-43E9-A9A0-CBAFBC917F39} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9F73DD6-F2A4-40F8-9109-67F6BB8D3704}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76AD4430-9C5C-4FC2-A15F-4E16ACD735AC}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB30855D-36DF-41BD-9EEE-03BA7E8E70B7} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61964EBA-D9C0-4834-B01C-A6133F432BB1} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32065E5-189E-4C5F-AA59-32A158BAF5B7}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0101B90-FD0B-40CF-90E4-33650F09A80F}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A153977-1A37-4EF7-9226-9E128FA51AE1}\TypeLib\ = "{226C1698-A075-4315-BB5D-9C164A96ACE7}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82AA83E1-EC24-4908-90E5-FAA212B30200} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79D77750-02E0-4451-A7BB-524ACD93DD93}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EB774AC-23B7-4F52-A9F2-708D194F0C86}\ = "_IArwControllerEventsV5" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7DAEEB9-30B6-4AC4-BB74-7763C950D8EC} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D829C1D7-B423-43AB-A4F8-598382EB0716}\TypeLib\ = "{A23C190D-C714-42C7-BDBB-F4E1DE65AF27}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0D8223D-D594-4147-BAD8-1E2B54ED1990}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2D1C2BC-3427-478E-A903-ADFBCF5711CD}\TypeLib\ = "{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}" MBAMService.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\ProgID MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DBD14E9A-A1B3-4B5A-8A4A-0E4EB25FAA54}\TypeLib\ = "{F5BCAC7E-75E7-4971-B3F3-B197A510F495}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A574BA8-3535-41F9-AB73-FA93F8A7DC3B}\TypeLib\Version = "1.0" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7968A0D1-5C9E-4F28-8C2F-E215BC7DF146} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FB586AB4-56F2-4EFA-9756-EE9A399B44DE} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1F7896AD-8886-42CD-8ABD-7A1315A3A5F2} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A0F9375-1809-45ED-AFE0-92852B971139} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94E6A9DF-4AAB-48E7-8A94-65CA2481D1F6}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{562B1FA7-13DE-40A1-8839-AB2C5FA3129C}\ = "ICleanControllerEventsV5" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2DEBAD4E-3BAF-44F0-9150-BCCCC3801CF9}\TypeLib MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4215DAB-7574-44DE-8BE9-78CC62597C95} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD6673C7-8E52-46EE-80B8-58F3FB6AA036}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MB.MWACController\CurVer\ = "MB.MWACController.1" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D448EF3-7261-4C0C-909C-6D56043C259D}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78E69E6F-EC12-4B84-8431-1D68572C7A61}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0101B90-FD0B-40CF-90E4-33650F09A80F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55D0C28B-2BF3-4230-B48D-DB2C2D7BF6F8}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DC2F8F62-D471-4AD5-B346-9F214FE941A7}\ = "IPoliciesControllerV2" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MB.RTPController\CurVer\ = "MB.RTPController.1" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{332AFEBA-9341-4CEC-8EA6-DB155A99DF63}\1.0\FLAGS MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76AD4430-9C5C-4FC2-A15F-4E16ACD735AC} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A2C9E279-3E50-44F0-8C3B-606A303BA1D1}\TypeLib\ = "{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C292FC1E-6930-404E-B7C6-2CBDA9CCF54B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DAE713-FD88-4ADB-9406-04CB574D543C}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C85F3EB8-B099-4598-89C3-E33BAC2CE53D}\ = "IScanControllerEventsV2" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59E42E77-5F19-4602-A559-3FFA9EE51202}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D81C2A20-D03D-40D4-A371-A499633A2AD3}\ = "_ICleanControllerEventsV3" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18C5830A-FF78-4172-9DFB-E4016D1C1F31}\ = "IRTPController" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CB653AC-F9CF-4277-BFB1-C0ED1C650F56}\ = "IRTPControllerV11" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34544A67-823A-484D-8E18-371AFEAEC02E}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF16D72-5906-4045-86BC-16826F6212FE}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{571FB9A8-E53B-4740-B125-082207566E5F}\TypeLib\Version = "1.0" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9185897A-76F4-4083-A02C-5FFC2A51F6D4}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDF63EDA-B622-44E2-8053-8877E33BB49A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEB52C40-FE75-4478-9040-66B25435CE72}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{309BE0D9-B4CA-4610-B250-26CC9CDE7186}\ = "IRTPControllerV15" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{620A01DD-16D2-4A83-B02C-E29BE38B3029}\TypeLib MBAMService.exe -
Modifies system certificate store 2 TTPs 23 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 MBAMInstallerService.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc stream HTTP User-Agent header 77 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) 1 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4348 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 4348 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 1496 icsys.icn.exe 1496 icsys.icn.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 368 explorer.exe 368 explorer.exe 2728 svchost.exe 2728 svchost.exe 368 explorer.exe 368 explorer.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 368 explorer.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 2728 svchost.exe 368 explorer.exe 368 explorer.exe 2728 svchost.exe 2728 svchost.exe 368 explorer.exe 368 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 368 explorer.exe 2728 svchost.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 656 Process not Found 656 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe Token: SeDebugPrivilege 2220 MBAMInstallerService.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4348 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe -
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process 2244 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 2244 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 1496 icsys.icn.exe 1496 icsys.icn.exe 368 explorer.exe 368 explorer.exe 4912 spoolsv.exe 4912 spoolsv.exe 2728 svchost.exe 2728 svchost.exe 1896 spoolsv.exe 1896 spoolsv.exe 368 explorer.exe 368 explorer.exe 1468 svchost.exe 1468 svchost.exe 4404 explorer.exe 4404 explorer.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 2244 wrote to memory of 4348 2244 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 88 PID 2244 wrote to memory of 4348 2244 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 88 PID 2244 wrote to memory of 4348 2244 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 88 PID 2244 wrote to memory of 1496 2244 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 90 PID 2244 wrote to memory of 1496 2244 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 90 PID 2244 wrote to memory of 1496 2244 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 90 PID 1496 wrote to memory of 368 1496 icsys.icn.exe 92 PID 1496 wrote to memory of 368 1496 icsys.icn.exe 92 PID 1496 wrote to memory of 368 1496 icsys.icn.exe 92 PID 368 wrote to memory of 4912 368 explorer.exe 94 PID 368 wrote to memory of 4912 368 explorer.exe 94 PID 368 wrote to memory of 4912 368 explorer.exe 94 PID 4912 wrote to memory of 2728 4912 spoolsv.exe 95 PID 4912 wrote to memory of 2728 4912 spoolsv.exe 95 PID 4912 wrote to memory of 2728 4912 spoolsv.exe 95 PID 2728 wrote to memory of 1896 2728 svchost.exe 96 PID 2728 wrote to memory of 1896 2728 svchost.exe 96 PID 2728 wrote to memory of 1896 2728 svchost.exe 96 PID 2728 wrote to memory of 4072 2728 svchost.exe 101 PID 2728 wrote to memory of 4072 2728 svchost.exe 101 PID 2728 wrote to memory of 4072 2728 svchost.exe 101 PID 4076 wrote to memory of 1468 4076 cmd.exe 103 PID 4076 wrote to memory of 1468 4076 cmd.exe 103 PID 4076 wrote to memory of 1468 4076 cmd.exe 103 PID 3692 wrote to memory of 4404 3692 cmd.exe 104 PID 3692 wrote to memory of 4404 3692 cmd.exe 104 PID 3692 wrote to memory of 4404 3692 cmd.exe 104 PID 2220 wrote to memory of 3024 2220 MBAMInstallerService.exe 123 PID 2220 wrote to memory of 3024 2220 MBAMInstallerService.exe 123 PID 2200 wrote to memory of 1924 2200 svchost.exe 126 PID 2200 wrote to memory of 1924 2200 svchost.exe 126 PID 2220 wrote to memory of 4468 2220 MBAMInstallerService.exe 127 PID 2220 wrote to memory of 4468 2220 MBAMInstallerService.exe 127 PID 2728 wrote to memory of 4784 2728 svchost.exe 129 PID 2728 wrote to memory of 4784 2728 svchost.exe 129 PID 2728 wrote to memory of 4784 2728 svchost.exe 129 PID 2728 wrote to memory of 6140 2728 svchost.exe 133 PID 2728 wrote to memory of 6140 2728 svchost.exe 133 PID 2728 wrote to memory of 6140 2728 svchost.exe 133
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exec:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe2⤵
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4348
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1896
-
-
C:\Windows\SysWOW64\at.exeat 08:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
PID:4072
-
-
C:\Windows\SysWOW64\at.exeat 08:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
PID:4784
-
-
C:\Windows\SysWOW64\at.exeat 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
PID:6140
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO1⤵
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO1⤵
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1468
-
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
PID:3024
-
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies registry class
PID:4468
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "0000000000000148" "Service-0x0-3e7$\Default" "0000000000000158" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1924
-
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:3840
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Safe Mode Boot
1Modify Registry
7Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.5MB
MD5f802ae578c7837e45a8bbdca7e957496
SHA138754970ba2ef287b6fdf79827795b947a9b6b4d
SHA2565582e488d79a39cb9309ae47a5aa5ecc5a1ea0c238b2b2d06c86232d6ce5547b
SHA5129b097abeafe0d59ed9650f18e877b408eda63c7ec7c28741498f142b10000b2ea5d5f393361886ba98359169195f2aceeee45ff752aa3c334d0b0cc8b6811395
-
Filesize
5.4MB
MD5956b145931bec84ebc422b5d1d333c49
SHA19264cc2ae8c856f84f1d0888f67aea01cdc3e056
SHA256c726b443321a75311e22b53417556d60aa479bbd11deb2308f38b5ad6542d8d3
SHA512fb9632e708cdae81f4b8c0e39fed2309ef810ca3e7e1045cf51e358d7fdb5f77d4888e95bdd627bfa525a8014f4bd6e1fbc74a7d50e6a91a970021bf1491c57c
-
Filesize
5.2MB
MD54c02fc118ee5fbba1c2da52ce6119bfc
SHA122926a9794f3170a5aae320e6facbab675afce44
SHA256953da22be7b4fe3108bbf85cfe7bbd2096bd201715af9c07e79780d6097390bf
SHA5121fe0a0bd83d6855938877ba6ac0d195d58fb20b1b15e00675e3762ed9d73dd6d96e5a1e349eb0c20a7f43c14abb970eb04fb9671eb317699833877024533bd9c
-
Filesize
4.1MB
MD518641c1028572ac38861472767bbd51c
SHA1a23e7b0403799ab88e83d653e17b98b1a9ad2adc
SHA2562630ff28ce0009638f1af8a8a603946b585e985f64fcf159ede3c81c2eba7d90
SHA512cda2372d9a8e09786b30cf27b480c840bf752a149b5cfe9e1c11160447eb0e9ef3d8e67c253c633b6d36d23102d7ed07b5b1c27f87dc06371f1267e50d643501
-
Filesize
4.3MB
MD54fe0bec13b02be1587dcd00e62b14849
SHA120cce46db5cee5b892e0fd02c44a59b5da2678c3
SHA256154e96500600eee8ec0a011ee95ebb7eaf4b977056a757429c126ad05f8862f3
SHA512e77c63e7f867645d73577b9df6b7442d41160aef5561cf4711e90333bdccc6f08f89d47aa52e43865502b4b8b70d37715eefb0d311a6e14c24d690d21bc71644
-
Filesize
1.8MB
MD572bd1b6f40191478dd33f24a661742bb
SHA1399df3ef69917c17c144d7b0d872bc69de5e40bf
SHA2563f93f05da696712ae334ff56a45a3b061d6fe051d5ef8f91b6394256e0911501
SHA512a482b84f633b04c099cb0279242e3930c5c2737ad9c4b50685df2b90d7792dc99ee8b8509f2a198471226bb5e1e86b01aab260bfa98d36419ca1e1773797dde9
-
Filesize
77B
MD5da37a0675f8db4042827bfc5a513f7a0
SHA153ae61e6d09fb4b65b4cdc2bbfcf93dfd07ec453
SHA256c5f67a888799faf126103506cab97ddea2f9f8e54b691e75125535c38aedf014
SHA512662281703fa17ae95e6366e049e495dca611dc4981c64d82511fe3c27a520d779cf6fcb420d5767645ca207cb9f23e9256289b1ef4fb00c31146588cd4685f8d
-
Filesize
338KB
MD5b5d7bb1009288931a87af68b7b315ffd
SHA196b48fa82f148d8aea0e34d2b8924487d0adaa1e
SHA2568f45b0a7e6f33101e8b0d7a605566892db7672c6ae822aa47f84a95cec396025
SHA5120f327f83066ecc0a5010e34e6fdc32b7e4e7ba49342837aa34f3c51d20a97ad8bc1d5b67110d5f384ed32ffb06fc4cb847bef5c2ca48f069db2e6eb8cd97a336
-
Filesize
15.8MB
MD51ca173b955bc64236405a8eab018507b
SHA123d8c3bab7a5b55a6aa4cd514d75c96174131199
SHA2564d97e7372042534ffc1fdf8a3417f5f1930c6c737c5d8a4d7d0465669ccae95e
SHA512ed541b59dadf9dc2ce9f39fb570f26a385fc658128758f176fab65a56b877e2862322f7733a7db8befb09039f971bc25c2f102964a3e938e058eb69e6f50a763
-
Filesize
2KB
MD5a9ffdb4a6e4249032d1eca20ca7a174d
SHA1fdf353bd6300444a7190584a0773cbe42e6b18f2
SHA2562197a0fb87f14228f6100c05de73e7940f0694ff87907ff2f91003f388080e02
SHA5128bed00085a9ebec6d529421586008742e891f9476d4e13aaf9f142e361dde40b3a4859451c7c0bb34b568c12ce9a230c069821f0179f586c3e1e34e4762be3eb
-
Filesize
47KB
MD5adcf3768de3ced374f37524b669a2983
SHA1f2c9ed19ed2bfe462e2ea751f0e3fdfafbfb24f1
SHA25680a81756db89a5274e70dc77c56ee75e17edf784730bad9882417f77d97bdef5
SHA5125156a3b93bf26c0b99497ba60b01da9ee32505b818656ea1402fffe9761be4a125521f81b75b52373384b16a8ffb12e204e6bd1d7d5f017fb70268a5a1afcf48
-
Filesize
924B
MD5a7f97e1377f641b12d1b29c052062896
SHA100b8ef096016fd55665acce0b5d25c5f8ecca760
SHA256764f84fcd82ad19345dd32ce61e3a1038c3c82711c03443786d078d28ab48206
SHA5121a44b0417bef5b5682ea03539ee392b11d7f3ff14c43ca747e0db28077268adebbf311fa3bbcebf636851419eec3cceafe66caa375e83828efa9eed31266963f
-
Filesize
39KB
MD510f23e7c8c791b91c86cd966d67b7bc7
SHA13f596093b2bc33f7a2554818f8e41adbbd101961
SHA256008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc
SHA5122d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118
-
Filesize
23KB
MD5aef4eca7ee01bb1a146751c4d0510d2d
SHA15cf2273da41147126e5e1eabd3182f19304eea25
SHA2569e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f
SHA512d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db
-
Filesize
514B
MD585b0cf7df419bd539783a86919e14586
SHA168220d878aceab06e3c658c7ea7f0e17b31143bd
SHA256c5999473ab9908b3171f2b81ea2dbac8a67a92811ac802b10e7835b43f56e9c7
SHA5123dc2cbd734aa3c862f088c37f68e80225bda887800b772722df764c96477070c0072d50f162eb2af7a490704b8012aac8b56e7b0c6dfc311ddebef73dc933070
-
Filesize
24B
MD5546d9e30eadad8b22f5b3ffa875144bf
SHA13b323ffef009bfe0662c2bd30bb06af6dfc68e4d
SHA2566089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f
SHA5123478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec
-
Filesize
24B
MD52f7423ca7c6a0f1339980f3c8c7de9f8
SHA1102c77faa28885354cfe6725d987bc23bc7108ba
SHA256850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55
SHA512e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69
-
Filesize
11.0MB
MD5681a09a6a4a528c1639aa6dfce1c9e4a
SHA1cb8dd795d65a3efc1f66deb5673251e43587d61b
SHA256ea2a9cc06731fa32906a81fc7a119b8dc26e696981efad2fff0375944232ca3f
SHA512ea47cc41dd13b7e393ee30a042caaef5c87c501cb65562b3a751d546644938a65e1b414b2dbf28a1d857e2527a8dd767d3c96bea3355af69235a1d3855d44c46
-
Filesize
528KB
MD584f51389e5b8e95d2abf9d15cf3a0ab8
SHA1fdb7eeef0ce8319fabf28c4f30bd0326fc3cc3c6
SHA25606d464efc2e566d30e12ce2d4da8322a49248d01f28af60ebca045532b085eb0
SHA512b8035a97bac079760e0c5b001bb2929399ae70b4e01af33e7207ba58f07852cfee83c4ad0806297e7c4d21b94df2b5966b48464eb2b2aca416031b9d21a8f3d6
-
Filesize
147KB
MD5db6950896d34a4553ede476d79a09448
SHA13367531763ced75326abde3bda664cfa507cd8bc
SHA256c6ef88ea9a9297096eca5cefbb97d4481ad01c7df770b75df0168bf49b2bc1ff
SHA51251043b7aedbfccba04f1357f0686fcd7146348c3ae070f3ef751ae5121decd61e995f80d7d7a594c61f62c07ce7523e6e77975d9259cb9a437044a257249912e
-
Filesize
13.6MB
MD5b25d8479040596f57468287936582123
SHA10330a9cc5f5236d063987d77be8dc442ccb2f7ad
SHA256504e8d9f7ffc80c127c981d85fabe665203c83959c9a7c38d24e32ec51faa256
SHA512d33889832b205820cda855ab2872c96161c3038252a59a1cbb96b0cc681cf7914e33bfe25435552a8142e582b606c3aa9231e713ab9699892b90c4bec6025dd1
-
Filesize
10KB
MD58abff1fbf08d70c1681a9b20384dbbf9
SHA1c9762e121e4f8a7ad931eee58ee60c8e9fc3ecb6
SHA2569ceb410494b95397ec1f8fa505d071672bf61f81cc596b8eccd167a77893c658
SHA51237998e0aee93ff47fe5b1636fce755966debe417a790e1aebd7674c86c1583feef04648a7bc79e4dedaabb731051f4f803932ac49ea0be05776c0f4d218b076f
-
Filesize
107KB
MD583d4fba999eb8b34047c38fabef60243
SHA125731b57e9968282610f337bc6d769aa26af4938
SHA2566903e60784b9fa5d8b417f93f19665c59946a4de099bd1011ab36271b267261c
SHA51247faab5fff3e3e2d2aea0a425444aa2e215f1d5bf97edee2a3bb773468e1092919036bcd5002357594b62519bf3a8980749d8d0f6402de0e73c2125d26e78f1e
-
Filesize
8.7MB
MD5cea3222bd01165e983f7079c4dd88b11
SHA14f1a0e4f43fa822f7d84a8d12605f410fd61dcf0
SHA2564d3204dd695b8a7e32a4e123b79d3470088ccaa3bddaa187c2661445ca852344
SHA5127636d76ba03b57f41622cb2fce955e9e36e95f4e945e83d5a2c0adc3c77b4ab06e7ee3a414a216b8a221ee5384152fafbdb47d7a770c3e8327b421ab28377f98
-
Filesize
2.7MB
MD5e04e61828c9fffcee59cd90ef155c90f
SHA17a97b65f11d2b3f30d8e2dde4c44bdf16f3d3b24
SHA25605d4d87f43646f7ca2e50520d8850e8808748a508c2761838d5fb92d66d6ce35
SHA51204792b998628cde88bc2601534678e55b2d6fde290496e5af08a2955a992ca3bb767bd025dca4373abc55141de8d270f62f628e51c887de54035bbee10379ce9
-
Filesize
290KB
MD5dd6dd8549da8656353bb1607d2437145
SHA17f7c6100b96a1338fa8886b5c8494d1bfd9b7732
SHA256134562d62b06ed114fe77c734e08f0f03d240f05c4cc2d67ba72bd1bc3e002c3
SHA51216ccef60efbedd0dd6dbb1b09257aa2292b6f782f9e6468ed1ee421cbbfa3eb35aff1c3cefd269c766ed12fc9da191bf7608467b17614767f49255da90cdbd2d
-
Filesize
621B
MD5723e0bcfa2d56e35ee4bb7efeaaa0e57
SHA118fa0804cdc85113ea2ad0294f16d68fd730283e
SHA2562fcc42dd8a92c175ba6314eef28ab3cfab4f1fe97c93f6df29d2e487bca74d3d
SHA5123093921d4bda96bc7d0d189801999179943361ba4a11abdc050b423c6b110784d6dd81857b250f3197f861e9672d46c35585a4fedf35f6f42815d8b2bb6da9d6
-
Filesize
654B
MD59e064f5bdefbbfa2f7e6a6df44b61ca2
SHA19c4246593c76d3bf3338042114f0b58a58f167f4
SHA25680736521498a7b2fa447c5e53024ad67d35e51528d6a67e640fd297d7018700f
SHA512bb288471b304d38c9779187c2bc3bdd3e9df89ee7a84b8c11e66a305006050bff9b5fb49a158c1f7fc0b06d6fed06bae1881e2e7ba85d78b6aa028794f2aadf1
-
Filesize
10B
MD5dd9e5ad0bf4fcc3a6a54dee68453b54d
SHA10cb1e0af514131751bfc7fac435155f9dff322ab
SHA256bdf09cf1cd65ca0e49aac6c0c3a101ca98ccaeba0886718ef7dd9fadd476bcd1
SHA512dcd0bd9294c868545226ad944034482db0d30863993d5567bbc45f298597ae4a912c8950e32086e0f192a13c15fcb7c02a2d13acb2d0bd0cf54c83d88126fbc1
-
Filesize
2.2MB
MD5b39ba8b6310037ba2384ff6a46c282f1
SHA1d3a136aab0d951f65b579d22334f4dabbebdb4a4
SHA2563ecbcb6c57af4456111f5f104b8fb8a317cdb0f16e98412249f7a2d62bca584d
SHA512a8b98f47c30503029f2dc80398dacd5f8fc07db562d04c56b8c7902bebf11517223350c41850b81aca770ebc9e68fc365921bd6cce34b57b2c945f1c51b538b7
-
Filesize
3.1MB
MD57e257a703c71e24c343a029ae5462458
SHA159360bef90281831f4e4c2a0377c2deba3690ef7
SHA2561d99a50c34a350c4da87cbb4d74e7f958aa378d404f1b156963a32dd8848f3b1
SHA5126fee254fe7f052de9c6989ebf46d0e17cabc00e23ac801af88e1f068242fbac6a85ccf429ee0f2d014978c0b80201715fff2a520cd6d962d9bd63e582b027543
-
Filesize
2.8MB
MD52bbf63f1dab335f5caf431dbd4f38494
SHA190f1d818ac8a4881bf770c1ff474f35cdaa4fcd0
SHA256f21a980316bd4c57c70e00840ab76d9ad412092d7d2d6a2cff4f1311f7c05364
SHA512ebb9834323329dc01ba2c87e5fad1083a4cb86f5ed761cb63299ac5336a9843a1aadd42fbed706797c2295117af1c00f96806422338352653c8e0255fecc2fd5
-
Filesize
1KB
MD55d1917024b228efbeab3c696e663873e
SHA1cec5e88c2481d323ec366c18024d61a117f01b21
SHA2564a350fc20834a579c5a58352b7a3aa02a454abbbd9eecd3cd6d2a14864a49cd8
SHA51214b345f03284b8c1d97219e3dd1a3910c1e453f93f51753f417e643f50922e55c0e23aab1d437300e6c196c7017d7b7538de4850df74b3599e90f3941b40ab4a
-
Filesize
113KB
MD52ccb84bed084f27ca22bdd1e170a6851
SHA116608b35c136813bb565fe9c916cb7b01f0b20af
SHA256a538caf4ac94708ddb4240d38b1b99914ca3e82283f0d8a2290be28fc05eaccb
SHA5120fd66d241bdebd0052f4972e85b42639e3c5a40affe23170b84bc4068dff8e84446898a77ebf7cc0bef97454abb788faccce508a68bc5e717980ef26d8436986
-
Filesize
9B
MD5089674299e14e4a57284d0f224498db3
SHA13217e5d9238ac9011f83619d434ea5ae611b8a58
SHA256a3da44d4652bf4cffe1208095ec1b7297017889721c2a84cc70304a64d88212f
SHA512bbfa2b57807319a3dafc8ec199489dacb9b3344e36cde442d769972dfdb65109b1978e51b998ead9f97a471bc21766668608b1c4368922a03ac704571d9a6aeb
-
Filesize
47B
MD51b661eb6ef7f2ed00bb8b85a493f8593
SHA167e5a8f851420d5c220199c66b413cafbce1382e
SHA256f8ef01707aa49f3425055264a08bc03c85103c108ce23189f8efb31e16954c3d
SHA512ab1673a8a48a3f0b20a0f960c15be8d33795cd33959be3f438af953ff93255959b3a65bae931f07648aa22665c162bd05050d373a78d3f4b1333e8188096daff
-
Filesize
47KB
MD5c4878e5b54b30c43c494d0ebcfc2875d
SHA155a265142cd7df776d2698387b3dfd5b27993d26
SHA256d55c21abd9676655a9790497e083a59412f57b99cb5455e264fa712ca4084698
SHA512f1e7aea1eea84d12aeeb6d58e0d2b465a5e7788cf2551f292cf3e76c0e00352e26db9331bb0a17663998d97c7a641f6161bdc646f3eab079d577439a8c2c9b16
-
Filesize
66KB
MD516c6471ab62bec6102973a9dfa41a0d0
SHA1ec0fcb839529396f528dff53512cddeebb52a2be
SHA2564dae04fb9557cffd45b6c7e4c4a8f14ea4c3010e5115af6ba3e66eafb90e94c9
SHA512fa1c9e74c01c732733234690189fd676c8655f29af922e213cbc350d81bb81f28c237b653ae01e26ed71b6772d44ee813c31ab521c5adb202f423d55bd5633b0
-
Filesize
66KB
MD5fd9476772ca7ad2ccbfbb27b33083eb2
SHA12d5ddfe31e8bbe9e9f601447ef14a6347237b4d2
SHA25635bf13a8f01302bf521fe2cfaf1786bae5c44f8909140ff64a527559449db421
SHA5126510610fed52939f3d2525c7a90e024918a87482073ac9acb1aeff3580151c39c109ae90eeefb95d41ec3f0201df882af1e541c5da3d851c0f923c946ccb0030
-
Filesize
878B
MD5cb4e372ab584b4be7b55978e422e5a10
SHA112069b7760dcbc425fdc9f39bb58124141e720ff
SHA256d667dc7245a25dbb48bef3e3af8def97232fb133539be4dfdbdc6d3b476d5fbb
SHA51269f78adfa34d712395ff38a3ec2595637c87fa1221e55b045d1f7f67d5ff03023c6f2203260955d834e667388405912d347f0b20f88e91749c1c33d3cd776646
-
Filesize
847B
MD5daec07eee92cd8ed82122929ab9a4b45
SHA1fabd4837e7e3db14fd87a40176bd7c97ff64c4c8
SHA256d3405dc7862d98f6bdf05a5cd9914cc311941a15b973eaab15ce977ed1b0ad06
SHA512e1046cefe53570748e5f5e9d6f330a2962a64ed2f9756d4c7e93daeea958825ee179d16dac58015496e4a322ec1441f7e1dda91dfc630342b0b6b2d610d7ac4f
-
Filesize
883B
MD5d81450f08d4cb6d67d4f5ec8fed5ad03
SHA11602e0622b3c8abf26539902038a6e9fd1e074bb
SHA2561ec97014399e8a33de2511e3b482a2f72cfaa2e2b96c923f6bd4393129ab04bd
SHA512e794bd4f5eef3d411405eb5172e91c5f8edffca305c5be2853e45604e8f16b983a3067420adad981adf0d93332589f390586d34182bebe13a3f5331cb6e239a9
-
Filesize
11KB
MD5e9926f69be5aa6e9211327ab2f44cc6c
SHA1cbcfebc4fafd723a9b74460d7eeff4b4d8589cbc
SHA2569129881a11eca4801182d98186b7a33741414e509e2b51582d4516a3ab658d49
SHA5128fcd5977101e084d1999e67508800fb8d1f21cde5a18c568a7d14c465bf84fadd9e4e3ab4f764d98eb0624a768660df1d02622a92fe325efd7b047d622790c12
-
Filesize
12KB
MD57779526c6da36db4dfaa7e171fea0097
SHA102ca5e5c8dfd1e20477c26e5ee1b79e4da7c1bd6
SHA2562a3289bbf89033a0a860a8728b79308e1052a997647d332210e21ad26f3444b5
SHA512ef80ed485221adec6009f793c9313e26be8477b8a7dbad294e46166ecee653c6e44a7f34d85a1410ea608adeb1d5764a55e8ed2b05f6c38eb54423f90a1358ab
-
Filesize
12KB
MD57468516a73907477fc728ae748e0313f
SHA1302ea0f66b04aa18960aa79099271581518c48f0
SHA2563db96d284905bdb8c61e87a6e38d9cb89f9224807ec7fdfdfcdefaad392b8c99
SHA512ea1e1ef1ca9121ccfcdd0f5e34240110d1ec06e7dbe596ee29c810d4de87d17b8b1c09dea9fd1e3eada83d600b4d91eaaffaa24fceb3da5f6e14786e4d5e868c
-
Filesize
2KB
MD5694d8fc549e28114738fe7074a8c3b9b
SHA1129642bb804881368278105ec4aeb325307286ed
SHA256ca595eb82e71ed0121b9f49838e65fce673de31bcc2743ec7ba7bfe3ea00a2f5
SHA512a0762f123b6f80047375976eab8439cc2705aae3d148d66e29ad44ad8af3aa03ce465f668d80b4edfbf0398b7d66574c93a895bf7083e36cf10410524b86b46f
-
Filesize
814B
MD59e174cad52de997e75aaf2ca3cc83673
SHA13fccc32311f2b974f685955dd612d53ff7cf2efa
SHA25678d76d5dd7aee6ffb96796af2543623687df5abc487e1e0d8f38a1418505bacb
SHA51267ed105d3b508ff9c9b26a4c5b2922fbd384f569e7425dc8fbac62f7afbbb80741026939bcfb9d853dea17b88038cc546bb89fed8a6664992bc20c691625ede4
-
Filesize
1KB
MD5c967527e4c5222f742c2162b9d0e2110
SHA1c6ed14eb4d4cba870080a93c34cf24744f9111eb
SHA256abe95ee60344cc7263c1c4e7847cb793d93c2be87a201d0ae2a42ef53c6fb973
SHA5125c7795e3e3dbedce5a55d66c874fcea9a288defbc68ac8b1638ac859c75332dcbf8d06b80baec68bc629c626fd05d08360feede9e8e49c7f7734d70981ced209
-
Filesize
2KB
MD50ea3367b702c160c8e2b3fe2b0a39136
SHA1e7f6441bf691cdfcaac5df069f4bc59e215be213
SHA2567cdfbda1a365bc7c6464068daa9e18a9c13853cb3ab504e4baf493bf619f2444
SHA512a5ed284ee82755e488b9c618674b820b77f76e52f8b9a8d3197128099ae453503c9a00aa187aa67a02c5310f0ef537739322e87e63659afe761461c46e515fa3
-
Filesize
4KB
MD5a57d601fc9b58888e728d8a4aa151146
SHA135c40d132500ae56cd6139c1f30481a0220499f7
SHA2562cb2831bbd366cadc6438bbe5de3750f94e005aa854a7f7b18d405acbb0e3c1f
SHA51221ddbe55e310f5c691d488a9e2137cb21c9afa88267d6f34cf0a23291ec03595b07ff0de1f3a863093638e6617cd8888789427f5c726bd77315223998d50931a
-
Filesize
11KB
MD511e6a5d3b44cfcbcc472ef94dbd29c82
SHA1ffccd159ac59d2847960d18dd514c46f5804caa6
SHA2567db0a213c1ad9d036527ada6bacb74c182db1dec4b110d2c7c7ae4bd2d44cbf7
SHA512552c2b46ffcd741597e02e24d17bf179e2b1f7e833649a4e705854b196c0d7b30c0094992d611c0abc57a3b94e78885fa680264443c9cd16055fc13a0110a4e6
-
Filesize
1KB
MD597e408e1cbb2e2536f7e98a23e63f7e8
SHA1250330fc852aefbd5d77bc00d85a81c976e27975
SHA256be35c842b6982fccfe4b709ced7f5727256324a111fe8c17302c27de75c421a1
SHA512f7b482bdc4495542fe92f5d8fd5e1f0a3e28e729bf695a5425a269bfbf630734f9cd67ce8e401e28bf56dd9029463d2dbc23ba3f2feefe8ae707029f2d98f78e
-
Filesize
1KB
MD58c7cc24e2913e3f76fd88385d58dc222
SHA14d36a4c5fa71954fce369a9308ff8559ad0e52b0
SHA256571df769e1e4bf4b9d350778b0b27b36c101272068f2ed67fc5510c664c53d01
SHA5126299e25def1af160fca10f14a9afcd6d3f50d0a0c95ea28bf1238e8cba31e471458a3bea19345bce2744fac3f4c52f7e204d301c7b4cae111e2af19c061b672d
-
Filesize
1KB
MD5634f4353f1943ad5e226cb52067fe206
SHA140a16741cc445b91540ff0c3b2a0a1224e51347f
SHA2562fdf4ca9a1e69aeb706e8d2aae88efe5f014cc9a9f74c628e331183ed4c3c6b8
SHA5124954bb3505839ffe475cba157da43ad8cd7fb5b72f75fea0588434aa35e243cac15e967fb7aa0793d0a1be4f6987f7ee017e2e6213e8cb948c8c4e0b9e5dd0fe
-
Filesize
1KB
MD5c26911781d46794e1ed80f692d3c693b
SHA1cef3eb292e2be7075c47bbf8ae04773a736cb3e4
SHA2569351986f8318e49d65e2d928ecc32ac880b0836f55fc1b74a4bce418ec910ee7
SHA5120fa7cec573a7f3fe60c2b0bccb06e9216378b8c43b734448b91b2f012eadb18364a2ef7ed30a3b88b882f5967f109cf9e877f05d5b49925648e15da83d29c09b
-
Filesize
1KB
MD557d979b4f244bff9e7f1ed3776c6cf49
SHA134847f33b60da9a2fe223d84f29316a6f9196da6
SHA256767da1498f8a605123b19e1e149c064b90d1744cd83064f1548fcfc86b060a0b
SHA512e3ede827f48d7c4b6043016e2475815ab927f57686eff044ba5d58840aae1c4daca073e1c9728908565da7c8c92cf9dcaf5415a6aaeaa2ddfc6ef28ba1aca69b
-
Filesize
1KB
MD5480ddf63df80a714a9d5b1f194e53237
SHA10bff440b4b71b155e23dbaf2f14c5498ba5439ca
SHA256d9e09e7597a05b92e168ce519d867371ded3bb79eac1180d600ce38d5b87eb6d
SHA512940cc9985049ed49d999b2b4519c13bbb0b0134c95e029aa37832308e9b703559e608d4e82b5971cec5fa54c3ab5e5024658f86f2f27c0368f4c4a6c31a1d0cc
-
Filesize
1KB
MD5db490b7358f997b59b4780a9b0acf77e
SHA124d86a892e647817710d9a705dd71bc4939fb193
SHA256ee1f3f35388edad2a4ef061413706e9ad424de4f78bf75b4bf4dd78462b5f6f1
SHA51243d799a9a3f8d59bd484197ab3ba1ca8310ce3ea65503f01f45e9581a9e58862703a7a0997f8992c0a722283f6e5c5159ae95db4a84e86787480dff97e9dc15f
-
Filesize
1KB
MD580fe648f8d0426c0e1092aae27669a61
SHA1022a7e7048099bbe3e92b36698e317639c174a14
SHA256e1c43c0f947a0c36878153df5b73f979762a7919bbed7aa479b34024b6a5b561
SHA512d5364eb2de26389ef6a5cac2ee3c17efaf5e09629d9a03241faf42960901d6d9914c91fa6f5d5df6d16c68deb2c9fe374427858160b43520f4c7afec0dcb4b39
-
Filesize
125B
MD58bd92ae7673306c405348c76c9f87169
SHA127a42cbd093f5759ebdc4449d86ed7937ae691b6
SHA25656c49a2b2d578bd09f9d59cff5f1dbd12aeac8892da610f81ddd90e948cba235
SHA512b55900e104d57f5374ba484d6b9342253f9db62a359561d37f2a03665a68492418b88146500efb91903cab4e9262d54fe250aac00e17dffb66670656b51339fd
-
Filesize
524KB
MD5e14add458f6c9aebafc5d67c6442227e
SHA17d6b714a10edd22715c1d2732a6beebd867eba60
SHA256e9fdb8ffb30ebc20601e1a67fb6139e1bc6a8805a206982c834bb354f4b8a427
SHA51205363fd136a196f7203b37e55104f24918684450507f94f13e6265a9b1384c2d9a069ccee98b81477b33b6414129c83d6ed48ca757242aef7a4e34f16e42ae98
-
C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe
Filesize2.7MB
MD509e0e68fc7650ca68899739080709f91
SHA1a665ac359ef3f782b78484a71a266e50a71567ad
SHA256bf83bce7085b016b5dbd65308c92efa9b87b17da561f490a1a17ef96c3d93dac
SHA51288697e3c474c75cfe7d46e8e092f826e2cc9149d797d0fda250fdeb66b9a8926ece65c13a7880acbf3e410c003181340a60dda1133a90dcd5f6a2b47a6afa3ff
-
Filesize
207KB
MD588680f0ae5515151acd5cb1f79537dbf
SHA1461f7bd2b7fc53679caec0ca4d41ab16c30e6993
SHA25602220f99ce7aaaece96779e9133b9748209a9b71c60d935146f5600472e66382
SHA512e2e4958023ea5d7d71da6899b81eba62233cbb2a55b9a0035066e2f56493a3040c1b3bd320b7c7aa621c47efd43319d7a7b62be888b19c6d6ac2e92fcc78217f
-
Filesize
206KB
MD55f5a7bf8f7c5fc3f96de05ea62d0c179
SHA1fb1cbab6e4c4f8b69f4bebea1bd85804c47a6a77
SHA256ce37db723ad5bcad37e0b2d3b654345ba972e5aa32088a32b02b06c7b07a4851
SHA512e6f9c2eb2d1e80d81461bb5a08687ec2e27ec4fca4a98f5f98ddc1efe9e7f718f23dfe77c2649af856ccee3c43ce0f4b37b885dce96edcd35a4798832d59c628
-
Filesize
34KB
MD5e2a012bc2dfc6c4fd195615fb750b94d
SHA1a8d0ce74fd9dfbf7f6c477f01fc34e362f278946
SHA2567d52a99781296d931d7f9105abe84e300676d318f644cfeea1ffd21e1cb17c6a
SHA51274c9dc4468f268c691a3713cc439fd7d880df0d39cbc1afdcd9743d726a1975b9b872a3731d3c5b46fff941cdd96b8d9b26b3d1940d83c038fadb9968a5b86a0
-
Filesize
237KB
MD59d1296e9af8ad4ce9b8f161bbe2185f9
SHA18f2fa73c857cb53bfe5d35281be06bf11a45efaa
SHA25659232d92bc9488780dd4350e502c652b3c15d7c19ecda5fdc863968518cc0002
SHA51265517117dc05e9469cf4935cb8b8e727074fcc3d72c0a771976c4e8f9f1273df6497e058472872aab31051ec088cb31a9d38307149606c33dd93268e9df3646a
-
Filesize
206KB
MD5d99d26f5cabc1429e9693ee199872e54
SHA1b18da72f0866b41381ef83103b36850085812e12
SHA25681815fda5159002e28fe2a355a40effe4329475fdefb5cf58c6e6a87f39951e0
SHA512df021f987d4bce17d63e6e7994a2e0c46388f32b1046aba9b29cd8b03ff998a1ef5aacb75841eceb6f3054600621080411f24f9b6b37af1d3b77613939b4204e
-
Filesize
206KB
MD59df980a505e697d4453708d3e7a04bd2
SHA1641cfeb1b7d4780b8aa680827028d156b9fc06c9
SHA256d08b657e0a74997fd3a7e054d3ff1709d023d86b0578d5df0f02a3cde454a90a
SHA512558ffa14fb7be4b24d28b94b25985299b310a2030bb38349d8986acaf5e690fc1eada1e1939fe3e62cff395fd6991f2854f22d3d77992d617e2734ac087b1d0a
-
Filesize
206KB
MD52f221ebeb9e819427cf2262ae11b2af4
SHA1ae16fcea846d7b7f5273a6f327b4c8b27030488b
SHA2566eff743b82a54c0c28011b3aaef4b7a2c2c407383dd168ec8d1c9f2c4899fb7a
SHA5123b13bef6a6a4e5e8638641191a9f231ba4c84ff631596f95372645951728629014f93b89397bfcc938659ca0da2db14fc0b318625722003abb3636751fbac6b3
-
Filesize
1.6MB
MD53430e2544637cebf8ba1f509ed5a27b1
SHA17e5bd7af223436081601413fb501b8bd20b67a1e
SHA256bb01c6fbb29590d6d144a9038c2a7736d6925a6dbd31889538af033e03e4f5fa
SHA51291c4eb3d341a8b30594ee4c08a638c3fb7f3a05248b459bcf07ca9f4c2a185959313a68741bdcec1d76014009875fa7cbfa47217fb45d57df3b9b1c580bc889d
-
C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\ctlrpkg\Malwarebytes_Assistant.runtimeconfig.json
Filesize372B
MD5d94cf983fba9ab1bb8a6cb3ad4a48f50
SHA104855d8b7a76b7ec74633043ef9986d4500ca63c
SHA2561eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a
SHA51209a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998
-
Filesize
154KB
MD595515708f41a7e283d6725506f56f6f2
SHA19afc20a19db3d2a75b6915d8d9af602c5218735e
SHA256321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6
SHA512d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08
-
Filesize
6.7MB
MD5c16030d6a427a8c1ff51deec1725b6d6
SHA169c46a5500d8b963d23e712bef3e7c3cae6c1b12
SHA25664c704b0d0e778a571d676ba4826d41335ecbb6512b76a2dd3d68902aaf649c0
SHA512b0710cf55e8882ca351f6d393e5ce5d6593100381d40250804796f578888295b0c9d4fb8efb549fff7ab3c8d3c4e297a30a7c8a03d18b6218e319ce29fc0563a
-
C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\dotnetpkgtmp\shared\Microsoft.NETCore.App\6.0.36\mscordaccore.dll
Filesize1.3MB
MD53050af9152d6bb255c4b6753821bc32c
SHA17a20c030a6473422607661ffa996e34a245b3e2d
SHA25697468531d7009e36c338b47fb19e0c6bf210f013610f413c852a4cc27e84b514
SHA512ad07c4b0bb995e80a1718d74992afdeb6c2c4f217e72f361691e2d04dae9be9cd8e55b50fd7172d73755b02b6105c00a3b67534ba9469d92f9e0fbaab8e8f1a9
-
Filesize
9.0MB
MD537fd3c1e1db85f1460b2296524d979e2
SHA115dfc1a959d98c3456590854b61e791cddf45465
SHA256093d53cd63edf10deb32976355026342ac15e40aaa736f8539a64604e4e4f3e9
SHA5120023c2b06204557a32627837e5ded4813483b75a137cd682d1ea38d47a59494ae9d2336daa59eeef6b201878e66cfe96ef114ef4057c48fe4d7a6e2172838ab0
-
Filesize
11KB
MD5bd4ceae54af081d6b1dd91ff584c5d61
SHA15ade462d66e042da58bb1447d1b31f1aad901b68
SHA25664416d564725416c6869ea951878a2734b1f6940b11f7961a897c45f0d8c6625
SHA51237e7abd312f694ee2c8ea54ecf50ed12c16684f1007c61d9a6d1d01cba958be511c5e4e11cd7393a5cd57349fda1c552bebca42962137e0d11695c195761ebb0
-
Filesize
2KB
MD55d8c05cc4f9b4304d57ea10b87f2dcf0
SHA12cabe3d39aa5ec16c54c7818284a2ee235d2ddbd
SHA256e26c2d3347e5f077da92713c9df3cd3eae438fb7e29810bd5c3afe567d2d3125
SHA51255bff23fee9852f229246b71721b3659c916079787935d400a97641449dfda752fc8fbf36f9ea3dc4028f05daeb9006a99660284a61aa5d5a466af0ee966c738
-
Filesize
21KB
MD58da81aa1f6b89ce1d2e216e3ea351c59
SHA14baf79cbade9a5584630a540e6368d547579fb12
SHA256ded569e249e590314d095f740c6b8934a5a797e4f3edbe0f78eac9d333f12a2a
SHA5126d611bbd9d480ef2defd745fd06c4ab86e181267cf689d9d0e124edbaf22fd30fbe2310879cc7bb6dde5bae72c4feea1d329cdecfbf101d95634f85dd0769119