Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system
  • submitted
    20/05/2025, 08:29

General

  • Target

    2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe

  • Size

    2.9MB

  • MD5

    a0dee67fdef2682ca3b789a16055794a

  • SHA1

    3fc415f721f82d0e5a877b48ccb0e7ddae51865d

  • SHA256

    56cbfbdad73c3cd640b323eeb8f1acd6fdf1a28548825e991adaa330017c0701

  • SHA512

    bfd2b46507796d3a20b392c0ba3c17b1cbdf0a584fdbfda323721511732f0ecba99b0092b74d473d67d64d01ee4d10ce7c37a331639d370d08d589f6e1747aa9

  • SSDEEP

    49152:cYGZQtX5oSAR5nLNAzvwAeyfvE0Z3R0Tnxn1o2d52GZs3Qx:ZGgX5oSAznLAeKtwnW2d

Malware Config

Signatures

  • Detects Mofksys worm 5 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Mofksys

    Mofksys is a worm written in VisualBasic.

  • Mofksys family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file 1 IoCs
  • Drops file in Drivers directory 7 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Patched UPX-packed file 1 IoCs

    Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

  • Sets service image path in registry 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 12 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
  • Loads dropped DLL 32 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 23 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2244
    • \??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 
      c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 
      2⤵
      • Downloads MZ/PE file
      • Drops file in Drivers directory
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:4348
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1496
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:368
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4912
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2728
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1896
            • C:\Windows\SysWOW64\at.exe
              at 08:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4072
            • C:\Windows\SysWOW64\at.exe
              at 08:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4784
            • C:\Windows\SysWOW64\at.exe
              at 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:6140
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3692
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4404
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4076
    • \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1468
  • C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
    "C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Impair Defenses: Safe Mode Boot
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
      "C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:3024
    • C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
      "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Modifies registry class
      PID:4468
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "0000000000000148" "Service-0x0-3e7$\Default" "0000000000000158" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:1924
  • C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
    "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    PID:3840

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Actions.dll

          Filesize

          4.5MB

          MD5

          f802ae578c7837e45a8bbdca7e957496

          SHA1

          38754970ba2ef287b6fdf79827795b947a9b6b4d

          SHA256

          5582e488d79a39cb9309ae47a5aa5ecc5a1ea0c238b2b2d06c86232d6ce5547b

          SHA512

          9b097abeafe0d59ed9650f18e877b408eda63c7ec7c28741498f142b10000b2ea5d5f393361886ba98359169195f2aceeee45ff752aa3c334d0b0cc8b6811395

        • C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\BrowserSDKDLL.dll

          Filesize

          5.4MB

          MD5

          956b145931bec84ebc422b5d1d333c49

          SHA1

          9264cc2ae8c856f84f1d0888f67aea01cdc3e056

          SHA256

          c726b443321a75311e22b53417556d60aa479bbd11deb2308f38b5ad6542d8d3

          SHA512

          fb9632e708cdae81f4b8c0e39fed2309ef810ca3e7e1045cf51e358d7fdb5f77d4888e95bdd627bfa525a8014f4bd6e1fbc74a7d50e6a91a970021bf1491c57c

        • C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\LicenseControllerImpl.dll

          Filesize

          5.2MB

          MD5

          4c02fc118ee5fbba1c2da52ce6119bfc

          SHA1

          22926a9794f3170a5aae320e6facbab675afce44

          SHA256

          953da22be7b4fe3108bbf85cfe7bbd2096bd201715af9c07e79780d6097390bf

          SHA512

          1fe0a0bd83d6855938877ba6ac0d195d58fb20b1b15e00675e3762ed9d73dd6d96e5a1e349eb0c20a7f43c14abb970eb04fb9671eb317699833877024533bd9c

        • C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll

          Filesize

          4.1MB

          MD5

          18641c1028572ac38861472767bbd51c

          SHA1

          a23e7b0403799ab88e83d653e17b98b1a9ad2adc

          SHA256

          2630ff28ce0009638f1af8a8a603946b585e985f64fcf159ede3c81c2eba7d90

          SHA512

          cda2372d9a8e09786b30cf27b480c840bf752a149b5cfe9e1c11160447eb0e9ef3d8e67c253c633b6d36d23102d7ed07b5b1c27f87dc06371f1267e50d643501

        • C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\UpdateControllerImpl.dll

          Filesize

          4.3MB

          MD5

          4fe0bec13b02be1587dcd00e62b14849

          SHA1

          20cce46db5cee5b892e0fd02c44a59b5da2678c3

          SHA256

          154e96500600eee8ec0a011ee95ebb7eaf4b977056a757429c126ad05f8862f3

          SHA512

          e77c63e7f867645d73577b9df6b7442d41160aef5561cf4711e90333bdccc6f08f89d47aa52e43865502b4b8b70d37715eefb0d311a6e14c24d690d21bc71644

        • C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe

          Filesize

          1.8MB

          MD5

          72bd1b6f40191478dd33f24a661742bb

          SHA1

          399df3ef69917c17c144d7b0d872bc69de5e40bf

          SHA256

          3f93f05da696712ae334ff56a45a3b061d6fe051d5ef8f91b6394256e0911501

          SHA512

          a482b84f633b04c099cb0279242e3930c5c2737ad9c4b50685df2b90d7792dc99ee8b8509f2a198471226bb5e1e86b01aab260bfa98d36419ca1e1773797dde9

        • C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\pkgvers.dat

          Filesize

          77B

          MD5

          da37a0675f8db4042827bfc5a513f7a0

          SHA1

          53ae61e6d09fb4b65b4cdc2bbfcf93dfd07ec453

          SHA256

          c5f67a888799faf126103506cab97ddea2f9f8e54b691e75125535c38aedf014

          SHA512

          662281703fa17ae95e6366e049e495dca611dc4981c64d82511fe3c27a520d779cf6fcb420d5767645ca207cb9f23e9256289b1ef4fb00c31146588cd4685f8d

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.nm

          Filesize

          338KB

          MD5

          b5d7bb1009288931a87af68b7b315ffd

          SHA1

          96b48fa82f148d8aea0e34d2b8924487d0adaa1e

          SHA256

          8f45b0a7e6f33101e8b0d7a605566892db7672c6ae822aa47f84a95cec396025

          SHA512

          0f327f83066ecc0a5010e34e6fdc32b7e4e7ba49342837aa34f3c51d20a97ad8bc1d5b67110d5f384ed32ffb06fc4cb847bef5c2ca48f069db2e6eb8cd97a336

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.sr

          Filesize

          15.8MB

          MD5

          1ca173b955bc64236405a8eab018507b

          SHA1

          23d8c3bab7a5b55a6aa4cd514d75c96174131199

          SHA256

          4d97e7372042534ffc1fdf8a3417f5f1930c6c737c5d8a4d7d0465669ccae95e

          SHA512

          ed541b59dadf9dc2ce9f39fb570f26a385fc658128758f176fab65a56b877e2862322f7733a7db8befb09039f971bc25c2f102964a3e938e058eb69e6f50a763

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\cfg.bin

          Filesize

          2KB

          MD5

          a9ffdb4a6e4249032d1eca20ca7a174d

          SHA1

          fdf353bd6300444a7190584a0773cbe42e6b18f2

          SHA256

          2197a0fb87f14228f6100c05de73e7940f0694ff87907ff2f91003f388080e02

          SHA512

          8bed00085a9ebec6d529421586008742e891f9476d4e13aaf9f142e361dde40b3a4859451c7c0bb34b568c12ce9a230c069821f0179f586c3e1e34e4762be3eb

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\clean.mbdb

          Filesize

          47KB

          MD5

          adcf3768de3ced374f37524b669a2983

          SHA1

          f2c9ed19ed2bfe462e2ea751f0e3fdfafbfb24f1

          SHA256

          80a81756db89a5274e70dc77c56ee75e17edf784730bad9882417f77d97bdef5

          SHA512

          5156a3b93bf26c0b99497ba60b01da9ee32505b818656ea1402fffe9761be4a125521f81b75b52373384b16a8ffb12e204e6bd1d7d5f017fb70268a5a1afcf48

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbmanifest2.dat

          Filesize

          924B

          MD5

          a7f97e1377f641b12d1b29c052062896

          SHA1

          00b8ef096016fd55665acce0b5d25c5f8ecca760

          SHA256

          764f84fcd82ad19345dd32ce61e3a1038c3c82711c03443786d078d28ab48206

          SHA512

          1a44b0417bef5b5682ea03539ee392b11d7f3ff14c43ca747e0db28077268adebbf311fa3bbcebf636851419eec3cceafe66caa375e83828efa9eed31266963f

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dynconfig.dat

          Filesize

          39KB

          MD5

          10f23e7c8c791b91c86cd966d67b7bc7

          SHA1

          3f596093b2bc33f7a2554818f8e41adbbd101961

          SHA256

          008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc

          SHA512

          2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\exclusions.txt

          Filesize

          23KB

          MD5

          aef4eca7ee01bb1a146751c4d0510d2d

          SHA1

          5cf2273da41147126e5e1eabd3182f19304eea25

          SHA256

          9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f

          SHA512

          d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\mbdigsig2.dat

          Filesize

          514B

          MD5

          85b0cf7df419bd539783a86919e14586

          SHA1

          68220d878aceab06e3c658c7ea7f0e17b31143bd

          SHA256

          c5999473ab9908b3171f2b81ea2dbac8a67a92811ac802b10e7835b43f56e9c7

          SHA512

          3dc2cbd734aa3c862f088c37f68e80225bda887800b772722df764c96477070c0072d50f162eb2af7a490704b8012aac8b56e7b0c6dfc311ddebef73dc933070

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\prot.mbdb

          Filesize

          24B

          MD5

          546d9e30eadad8b22f5b3ffa875144bf

          SHA1

          3b323ffef009bfe0662c2bd30bb06af6dfc68e4d

          SHA256

          6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f

          SHA512

          3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rdefs.mbdb

          Filesize

          24B

          MD5

          2f7423ca7c6a0f1339980f3c8c7de9f8

          SHA1

          102c77faa28885354cfe6725d987bc23bc7108ba

          SHA256

          850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55

          SHA512

          e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rules.mbdb

          Filesize

          11.0MB

          MD5

          681a09a6a4a528c1639aa6dfce1c9e4a

          SHA1

          cb8dd795d65a3efc1f66deb5673251e43587d61b

          SHA256

          ea2a9cc06731fa32906a81fc7a119b8dc26e696981efad2fff0375944232ca3f

          SHA512

          ea47cc41dd13b7e393ee30a042caaef5c87c501cb65562b3a751d546644938a65e1b414b2dbf28a1d857e2527a8dd767d3c96bea3355af69235a1d3855d44c46

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\scan.mbdb

          Filesize

          528KB

          MD5

          84f51389e5b8e95d2abf9d15cf3a0ab8

          SHA1

          fdb7eeef0ce8319fabf28c4f30bd0326fc3cc3c6

          SHA256

          06d464efc2e566d30e12ce2d4da8322a49248d01f28af60ebca045532b085eb0

          SHA512

          b8035a97bac079760e0c5b001bb2929399ae70b4e01af33e7207ba58f07852cfee83c4ad0806297e7c4d21b94df2b5966b48464eb2b2aca416031b9d21a8f3d6

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\tids.mbdb

          Filesize

          147KB

          MD5

          db6950896d34a4553ede476d79a09448

          SHA1

          3367531763ced75326abde3bda664cfa507cd8bc

          SHA256

          c6ef88ea9a9297096eca5cefbb97d4481ad01c7df770b75df0168bf49b2bc1ff

          SHA512

          51043b7aedbfccba04f1357f0686fcd7146348c3ae070f3ef751ae5121decd61e995f80d7d7a594c61f62c07ce7523e6e77975d9259cb9a437044a257249912e

        • C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\wprot2.mbdb

          Filesize

          13.6MB

          MD5

          b25d8479040596f57468287936582123

          SHA1

          0330a9cc5f5236d063987d77be8dc442ccb2f7ad

          SHA256

          504e8d9f7ffc80c127c981d85fabe665203c83959c9a7c38d24e32ec51faa256

          SHA512

          d33889832b205820cda855ab2872c96161c3038252a59a1cbb96b0cc681cf7914e33bfe25435552a8142e582b606c3aa9231e713ab9699892b90c4bec6025dd1

        • C:\PROGRA~1\MALWAR~1\ANTI-M~1\mbtun\mbtun.cat

          Filesize

          10KB

          MD5

          8abff1fbf08d70c1681a9b20384dbbf9

          SHA1

          c9762e121e4f8a7ad931eee58ee60c8e9fc3ecb6

          SHA256

          9ceb410494b95397ec1f8fa505d071672bf61f81cc596b8eccd167a77893c658

          SHA512

          37998e0aee93ff47fe5b1636fce755966debe417a790e1aebd7674c86c1583feef04648a7bc79e4dedaabb731051f4f803932ac49ea0be05776c0f4d218b076f

        • C:\PROGRA~1\MALWAR~1\ANTI-M~1\mbtun\mbtun.sys

          Filesize

          107KB

          MD5

          83d4fba999eb8b34047c38fabef60243

          SHA1

          25731b57e9968282610f337bc6d769aa26af4938

          SHA256

          6903e60784b9fa5d8b417f93f19665c59946a4de099bd1011ab36271b267261c

          SHA512

          47faab5fff3e3e2d2aea0a425444aa2e215f1d5bf97edee2a3bb773468e1092919036bcd5002357594b62519bf3a8980749d8d0f6402de0e73c2125d26e78f1e

        • C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe

          Filesize

          8.7MB

          MD5

          cea3222bd01165e983f7079c4dd88b11

          SHA1

          4f1a0e4f43fa822f7d84a8d12605f410fd61dcf0

          SHA256

          4d3204dd695b8a7e32a4e123b79d3470088ccaa3bddaa187c2661445ca852344

          SHA512

          7636d76ba03b57f41622cb2fce955e9e36e95f4e945e83d5a2c0adc3c77b4ab06e7ee3a414a216b8a221ee5384152fafbdb47d7a770c3e8327b421ab28377f98

        • C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe

          Filesize

          2.7MB

          MD5

          e04e61828c9fffcee59cd90ef155c90f

          SHA1

          7a97b65f11d2b3f30d8e2dde4c44bdf16f3d3b24

          SHA256

          05d4d87f43646f7ca2e50520d8850e8808748a508c2761838d5fb92d66d6ce35

          SHA512

          04792b998628cde88bc2601534678e55b2d6fde290496e5af08a2955a992ca3bb767bd025dca4373abc55141de8d270f62f628e51c887de54035bbee10379ce9

        • C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe

          Filesize

          290KB

          MD5

          dd6dd8549da8656353bb1607d2437145

          SHA1

          7f7c6100b96a1338fa8886b5c8494d1bfd9b7732

          SHA256

          134562d62b06ed114fe77c734e08f0f03d240f05c4cc2d67ba72bd1bc3e002c3

          SHA512

          16ccef60efbedd0dd6dbb1b09257aa2292b6f782f9e6468ed1ee421cbbfa3eb35aff1c3cefd269c766ed12fc9da191bf7608467b17614767f49255da90cdbd2d

        • C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

          Filesize

          621B

          MD5

          723e0bcfa2d56e35ee4bb7efeaaa0e57

          SHA1

          18fa0804cdc85113ea2ad0294f16d68fd730283e

          SHA256

          2fcc42dd8a92c175ba6314eef28ab3cfab4f1fe97c93f6df29d2e487bca74d3d

          SHA512

          3093921d4bda96bc7d0d189801999179943361ba4a11abdc050b423c6b110784d6dd81857b250f3197f861e9672d46c35585a4fedf35f6f42815d8b2bb6da9d6

        • C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

          Filesize

          654B

          MD5

          9e064f5bdefbbfa2f7e6a6df44b61ca2

          SHA1

          9c4246593c76d3bf3338042114f0b58a58f167f4

          SHA256

          80736521498a7b2fa447c5e53024ad67d35e51528d6a67e640fd297d7018700f

          SHA512

          bb288471b304d38c9779187c2bc3bdd3e9df89ee7a84b8c11e66a305006050bff9b5fb49a158c1f7fc0b06d6fed06bae1881e2e7ba85d78b6aa028794f2aadf1

        • C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.dat

          Filesize

          10B

          MD5

          dd9e5ad0bf4fcc3a6a54dee68453b54d

          SHA1

          0cb1e0af514131751bfc7fac435155f9dff322ab

          SHA256

          bdf09cf1cd65ca0e49aac6c0c3a101ca98ccaeba0886718ef7dd9fadd476bcd1

          SHA512

          dcd0bd9294c868545226ad944034482db0d30863993d5567bbc45f298597ae4a912c8950e32086e0f192a13c15fcb7c02a2d13acb2d0bd0cf54c83d88126fbc1

        • C:\Program Files\Malwarebytes\Anti-Malware\mb5uns.exe

          Filesize

          2.2MB

          MD5

          b39ba8b6310037ba2384ff6a46c282f1

          SHA1

          d3a136aab0d951f65b579d22334f4dabbebdb4a4

          SHA256

          3ecbcb6c57af4456111f5f104b8fb8a317cdb0f16e98412249f7a2d62bca584d

          SHA512

          a8b98f47c30503029f2dc80398dacd5f8fc07db562d04c56b8c7902bebf11517223350c41850b81aca770ebc9e68fc365921bd6cce34b57b2c945f1c51b538b7

        • C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll

          Filesize

          3.1MB

          MD5

          7e257a703c71e24c343a029ae5462458

          SHA1

          59360bef90281831f4e4c2a0377c2deba3690ef7

          SHA256

          1d99a50c34a350c4da87cbb4d74e7f958aa378d404f1b156963a32dd8848f3b1

          SHA512

          6fee254fe7f052de9c6989ebf46d0e17cabc00e23ac801af88e1f068242fbac6a85ccf429ee0f2d014978c0b80201715fff2a520cd6d962d9bd63e582b027543

        • C:\Program Files\Malwarebytes\Anti-Malware\mbtun.dll

          Filesize

          2.8MB

          MD5

          2bbf63f1dab335f5caf431dbd4f38494

          SHA1

          90f1d818ac8a4881bf770c1ff474f35cdaa4fcd0

          SHA256

          f21a980316bd4c57c70e00840ab76d9ad412092d7d2d6a2cff4f1311f7c05364

          SHA512

          ebb9834323329dc01ba2c87e5fad1083a4cb86f5ed761cb63299ac5336a9843a1aadd42fbed706797c2295117af1c00f96806422338352653c8e0255fecc2fd5

        • C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf

          Filesize

          1KB

          MD5

          5d1917024b228efbeab3c696e663873e

          SHA1

          cec5e88c2481d323ec366c18024d61a117f01b21

          SHA256

          4a350fc20834a579c5a58352b7a3aa02a454abbbd9eecd3cd6d2a14864a49cd8

          SHA512

          14b345f03284b8c1d97219e3dd1a3910c1e453f93f51753f417e643f50922e55c0e23aab1d437300e6c196c7017d7b7538de4850df74b3599e90f3941b40ab4a

        • C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll

          Filesize

          113KB

          MD5

          2ccb84bed084f27ca22bdd1e170a6851

          SHA1

          16608b35c136813bb565fe9c916cb7b01f0b20af

          SHA256

          a538caf4ac94708ddb4240d38b1b99914ca3e82283f0d8a2290be28fc05eaccb

          SHA512

          0fd66d241bdebd0052f4972e85b42639e3c5a40affe23170b84bc4068dff8e84446898a77ebf7cc0bef97454abb788faccce508a68bc5e717980ef26d8436986

        • C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat

          Filesize

          9B

          MD5

          089674299e14e4a57284d0f224498db3

          SHA1

          3217e5d9238ac9011f83619d434ea5ae611b8a58

          SHA256

          a3da44d4652bf4cffe1208095ec1b7297017889721c2a84cc70304a64d88212f

          SHA512

          bbfa2b57807319a3dafc8ec199489dacb9b3344e36cde442d769972dfdb65109b1978e51b998ead9f97a471bc21766668608b1c4368922a03ac704571d9a6aeb

        • C:\Program Files\Malwarebytes\Anti-Malware\version.dat

          Filesize

          47B

          MD5

          1b661eb6ef7f2ed00bb8b85a493f8593

          SHA1

          67e5a8f851420d5c220199c66b413cafbce1382e

          SHA256

          f8ef01707aa49f3425055264a08bc03c85103c108ce23189f8efb31e16954c3d

          SHA512

          ab1673a8a48a3f0b20a0f960c15be8d33795cd33959be3f438af953ff93255959b3a65bae931f07648aa22665c162bd05050d373a78d3f4b1333e8188096daff

        • C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

          Filesize

          47KB

          MD5

          c4878e5b54b30c43c494d0ebcfc2875d

          SHA1

          55a265142cd7df776d2698387b3dfd5b27993d26

          SHA256

          d55c21abd9676655a9790497e083a59412f57b99cb5455e264fa712ca4084698

          SHA512

          f1e7aea1eea84d12aeeb6d58e0d2b465a5e7788cf2551f292cf3e76c0e00352e26db9331bb0a17663998d97c7a641f6161bdc646f3eab079d577439a8c2c9b16

        • C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

          Filesize

          66KB

          MD5

          16c6471ab62bec6102973a9dfa41a0d0

          SHA1

          ec0fcb839529396f528dff53512cddeebb52a2be

          SHA256

          4dae04fb9557cffd45b6c7e4c4a8f14ea4c3010e5115af6ba3e66eafb90e94c9

          SHA512

          fa1c9e74c01c732733234690189fd676c8655f29af922e213cbc350d81bb81f28c237b653ae01e26ed71b6772d44ee813c31ab521c5adb202f423d55bd5633b0

        • C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

          Filesize

          66KB

          MD5

          fd9476772ca7ad2ccbfbb27b33083eb2

          SHA1

          2d5ddfe31e8bbe9e9f601447ef14a6347237b4d2

          SHA256

          35bf13a8f01302bf521fe2cfaf1786bae5c44f8909140ff64a527559449db421

          SHA512

          6510610fed52939f3d2525c7a90e024918a87482073ac9acb1aeff3580151c39c109ae90eeefb95d41ec3f0201df882af1e541c5da3d851c0f923c946ccb0030

        • C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json

          Filesize

          878B

          MD5

          cb4e372ab584b4be7b55978e422e5a10

          SHA1

          12069b7760dcbc425fdc9f39bb58124141e720ff

          SHA256

          d667dc7245a25dbb48bef3e3af8def97232fb133539be4dfdbdc6d3b476d5fbb

          SHA512

          69f78adfa34d712395ff38a3ec2595637c87fa1221e55b045d1f7f67d5ff03023c6f2203260955d834e667388405912d347f0b20f88e91749c1c33d3cd776646

        • C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json

          Filesize

          847B

          MD5

          daec07eee92cd8ed82122929ab9a4b45

          SHA1

          fabd4837e7e3db14fd87a40176bd7c97ff64c4c8

          SHA256

          d3405dc7862d98f6bdf05a5cd9914cc311941a15b973eaab15ce977ed1b0ad06

          SHA512

          e1046cefe53570748e5f5e9d6f330a2962a64ed2f9756d4c7e93daeea958825ee179d16dac58015496e4a322ec1441f7e1dda91dfc630342b0b6b2d610d7ac4f

        • C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

          Filesize

          883B

          MD5

          d81450f08d4cb6d67d4f5ec8fed5ad03

          SHA1

          1602e0622b3c8abf26539902038a6e9fd1e074bb

          SHA256

          1ec97014399e8a33de2511e3b482a2f72cfaa2e2b96c923f6bd4393129ab04bd

          SHA512

          e794bd4f5eef3d411405eb5172e91c5f8edffca305c5be2853e45604e8f16b983a3067420adad981adf0d93332589f390586d34182bebe13a3f5331cb6e239a9

        • C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

          Filesize

          11KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

          Filesize

          12KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

          Filesize

          12KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

          Filesize

          2KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json

          Filesize

          814B

        • C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

          Filesize

          1KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

          Filesize

          2KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

          Filesize

          4KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json.bak

          Filesize

          11KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

          Filesize

          1KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

          Filesize

          1KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

          Filesize

          1KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

          Filesize

          1KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

          Filesize

          1KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

          Filesize

          1KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.json

          Filesize

          1KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.json

          Filesize

          1KB

        • C:\ProgramData\Malwarebytes\MBAMService\config\VPNServerListConfig.json

          Filesize

          125B

        • C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dll

          Filesize

          524KB

        • C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 

          Filesize

          2.7MB

        • C:\Users\Admin\AppData\Local\icsys.icn.exe

          Filesize

          207KB

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          206KB

        • C:\Windows\System32\CatRoot2\dberr.txt

          Filesize

          34KB

        • C:\Windows\System32\drivers\mbamswissarmy.sys

          Filesize

          237KB

        • C:\Windows\System\explorer.exe

          Filesize

          206KB

        • C:\Windows\System\spoolsv.exe

          Filesize

          206KB

        • C:\Windows\System\svchost.exe

          Filesize

          206KB

        • C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\7z.dll

          Filesize

          1.6MB

        • C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\ctlrpkg\Malwarebytes_Assistant.runtimeconfig.json

          Filesize

          372B

        • C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\ctlrpkg\mbae64.sys

          Filesize

          154KB

        • C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\dbclspkg\MBAMCoreV5.dll

          Filesize

          6.7MB

        • C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\dotnetpkgtmp\shared\Microsoft.NETCore.App\6.0.36\mscordaccore.dll

          Filesize

          1.3MB

        • C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\servicepkg\MBAMService.exe

          Filesize

          9.0MB

        • C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\servicepkg\mbamelam.cat

          Filesize

          11KB

        • C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\servicepkg\mbamelam.inf

          Filesize

          2KB

        • C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\servicepkg\mbamelam.sys

          Filesize

          21KB

        • memory/3840-3204-0x000001F85C6D0000-0x000001F85C942000-memory.dmp

          Filesize

          2.4MB

        • memory/3840-3903-0x000001F85C6D0000-0x000001F85C942000-memory.dmp

          Filesize

          2.4MB