Malware Analysis Report

2025-06-16 05:40

Sample ID 250520-kd25ksem9y
Target 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer
SHA256 56cbfbdad73c3cd640b323eeb8f1acd6fdf1a28548825e991adaa330017c0701
Tags
mofksys defense_evasion discovery persistence privilege_escalation spyware stealer worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

56cbfbdad73c3cd640b323eeb8f1acd6fdf1a28548825e991adaa330017c0701

Threat Level: Known bad

The file 2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

mofksys defense_evasion discovery persistence privilege_escalation spyware stealer worm

Mofksys family

Modifies WinLogon for persistence

Mofksys

Detects Mofksys worm

Modifies visiblity of hidden/system files in Explorer

Boot or Logon Autostart Execution: Active Setup

Drops file in Drivers directory

Sets service image path in registry

Downloads MZ/PE file

Modifies RDP port number used by Windows

Patched UPX-packed file

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Event Triggered Execution: Component Object Model Hijacking

Impair Defenses: Safe Mode Boot

Adds Run key to start application

Enumerates connected drives

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-20 08:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-20 08:29

Reported

2025-05-20 08:32

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe"

Signatures

Detects Mofksys worm

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Mofksys

worm mofksys

Mofksys family

mofksys

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\MbamElam.sys C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File created C:\Windows\system32\DRIVERS\mbamswissarmy.sys C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File created C:\Windows\system32\DRIVERS\MbamChameleon.sys C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\mbamtestfile.dat \??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
File created C:\Windows\SysWOW64\drivers\mbamtestfile.dat \??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
File created C:\Windows\system32\drivers\mbae64.sys C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Windows\system32\DRIVERS\MbamElam.sys C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A

Modifies RDP port number used by Windows

Patched UPX-packed file

Description Indicator Process Target
N/A N/A N/A N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mbamchameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService\ = "Service" C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
N/A N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\A: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\H: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\K: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\M: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\U: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\X: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\N: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\O: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\T: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\S: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\T: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\B: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\G: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\J: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\Q: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\L: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\Q: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\R: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\L: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\P: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\W: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\G: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\K: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\O: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\Y: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\E: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\I: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\H: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\I: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\V: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\M: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\V: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\Z: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\B: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\E: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\J: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\N: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\P: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\Z: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\R: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\U: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\A: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File opened (read-only) \??\S: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\X: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File opened (read-only) \??\Y: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_8d5ca5ab1472fc44\netl1e64.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\e2xw10x64.inf_amd64_04c2ae40613a06ff\e2xw10x64.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwbw02.inf_amd64_1c4077fa004e73b4\netwbw02.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\netmlx4eth63.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bcmdhd64.inf_amd64_e0bae6831f60ea5f\bcmdhd64.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_84cd7b2798e0a666\netg664.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_b96cdf411c43c00c\netbc64.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{2199dea4-1663-8042-a91a-414dfab37076}\mbtun.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_e4cbe375963a69e9\netl160a.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\netrtwlane_13.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\netl1c63x64.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mwlu97w8x64.inf_amd64_23bc3dc6d91eebdc\mwlu97w8x64.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_ec11d0ad3c5b262a\netvwifimp.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{2199dea4-1663-8042-a91a-414dfab37076}\SET6CAF.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_1bdf7a435cb3580d\netrasa.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netjme.inf_amd64_752bf22f1598bb7e\netjme.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{2199dea4-1663-8042-a91a-414dfab37076}\SET6CC0.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{2199dea4-1663-8042-a91a-414dfab37076}\mbtun.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mbtun.inf_amd64_add82795013a7c3b\mbtun.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4\netv1x64.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane01.inf_amd64_b02695ef070d7a42\netrtwlane01.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\netwsw00.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwlv64.inf_amd64_0b9818131664d91e\netwlv64.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwtw02.inf_amd64_42e02bae858d0fbd\netwtw02.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\rndiscmp.inf_amd64_81bff1eb756435c6\rndiscmp.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\c_net.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mrvlpcie8897.inf_amd64_07fc330c5a5730ca\mrvlpcie8897.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_e92c5a65e41993f9\net9500-x64-n650f.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netbc63a.inf_amd64_7ba6c9cea77dd549\netbc63a.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\netvg63a.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bcmwdidhdpcie.inf_amd64_977dcc915465b0e9\bcmwdidhdpcie.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\netathr10x.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_7a30f5a9441cd55b\net8185.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\athw8x.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_5aa81644af5957b3\msux64w10.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netsstpa.inf_amd64_e76c5387d67e3fd6\netsstpa.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net7400-x64-n650.inf_amd64_557ce3b37c3e0e3b\net7400-x64-n650.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_b06c3bc32f7db374\bthpan.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{2199dea4-1663-8042-a91a-414dfab37076}\SET6CC0.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mbtun.inf_amd64_add82795013a7c3b\mbtun.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\net1yx64.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvf63a.inf_amd64_a090e6cfaf18cb5c\netvf63a.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_7080f6b8ea1744fb\netnvma.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_9a5b429abc465278\wnetvsc.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_5d1c92f42d958529\netax88772.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_be4ba6237d385e2e\netrndis.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net8192su64.inf_amd64_66c8bfc7a4b1feed\net8192su64.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_07ad61d07466a58a\wceisvista.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net819xp.inf_amd64_ff7a5dd4f9b1ceba\net819xp.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_895623810c19146a\nete1e3e.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_783312763f8749c7\netl260a.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netelx.inf_amd64_7812e4e45c4a5eb1\netelx.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_8de1181bfd1f1628\ndisimplatformmp.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_ede00b448bfe8099\netxex64.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_d5996f2a9d9aa9e3\netr28ux.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Diagnostics.TraceSource.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Security.AccessControl.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Xml.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hans\PresentationCore.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\RTPControllerImpl.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\mbae64.sys C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\Microsoft.Extensions.DependencyInjection.Abstractions.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\25f56c21-e767-4dd5-895a-72f60b0c1110 \??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Reflection.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Security.Claims.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Security.Cryptography.Encoding.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\Microsoft.VisualBasic.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\PresentationFramework-SystemCore.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-core-timezone-l1-1-0.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\mscordaccore.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Collections.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\PresentationFramework.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\tr\ReachFramework.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\fr\PresentationUI.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\Actions.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\Microsoft.Data.Sqlite.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Reflection.Extensions.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hant\System.Windows.Forms.Design.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.IO.FileSystem.Watcher.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Private.CoreLib.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-crt-heap-l1-1-0.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Data.Common.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Net.HttpListener.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\cs\UIAutomationTypes.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\version.dat C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.UI.Theme.Primitives.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Drawing.Primitives.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\System.Windows.Input.Manipulations.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\UIAutomationProvider.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Runtime.Serialization.Json.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\fr\UIAutomationTypes.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hant\PresentationUI.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hant\UIAutomationClientSideProviders.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Private.Xml.Linq.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-core-file-l1-1-0.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\de\ReachFramework.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hans\UIAutomationClientSideProviders.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hant\UIAutomationTypes.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\mbamelam.sys C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\QRCoder.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.tmf C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-core-file-l1-2-0.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.IO.Pipes.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Reflection.Emit.ILGeneration.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Xml.XPath.XDocument.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\fr\PresentationFramework.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\Microsoft.WindowsDesktop.App.deps.json C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\System.Windows.Forms.Primitives.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\tr\System.Windows.Forms.Design.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\d8eddce0-cd7b-4238-8e64-bfa6c5f6598f \??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-core-processthreads-l1-1-1.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Diagnostics.Tracing.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Globalization.Extensions.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\Accessibility.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\pt-BR\PresentationFramework.resources.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.UI.Style.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\System.Design.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-crt-convert-l1-1-0.dll C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Malwarebytes.exe = "11000" C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\ C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes\FirstRun = "false" C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\ C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes\FirstRun = "false" C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Malwarebytes C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Malwarebytes\FirstRun = "false" C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\ProgID C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00A73BC0-754E-44E1-B190-D59E187A5EA1}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E149FEF9-F1DC-4894-8A8E-AA53F6807EFD}\TypeLib\Version = "1.0" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B2CCE9B-6446-450F-9C9D-542CD9FA6677}\TypeLib\Version = "1.0" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5091804-600E-4226-BF28-80ABFDF4AFAB}\ProxyStubClsid32 C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DB6AD16-564C-451A-A173-0F31A62B7A4D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F641DDA1-271F-47C7-90C2-4327665959DF}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C30B7D9-82A1-4068-8A5B-F4C7D5EF75A3}\TypeLib C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82AA83E1-EC24-4908-90E5-FAA212B30200}\ProxyStubClsid32 C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2846D47E-9B85-4836-B883-6A7B493E2D6A}\ProxyStubClsid32 C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}\1.0\ = "PoliciesControllerCOMLib" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{118F4330-CAF5-4A54-ABB0-DC936669ED2F} C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{983849D5-BFE9-43E9-A9A0-CBAFBC917F39} C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9F73DD6-F2A4-40F8-9109-67F6BB8D3704}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76AD4430-9C5C-4FC2-A15F-4E16ACD735AC}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB30855D-36DF-41BD-9EEE-03BA7E8E70B7} C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61964EBA-D9C0-4834-B01C-A6133F432BB1} C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32065E5-189E-4C5F-AA59-32A158BAF5B7}\TypeLib\Version = "1.0" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0101B90-FD0B-40CF-90E4-33650F09A80F}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A153977-1A37-4EF7-9226-9E128FA51AE1}\TypeLib\ = "{226C1698-A075-4315-BB5D-9C164A96ACE7}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82AA83E1-EC24-4908-90E5-FAA212B30200} C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79D77750-02E0-4451-A7BB-524ACD93DD93}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EB774AC-23B7-4F52-A9F2-708D194F0C86}\ = "_IArwControllerEventsV5" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7DAEEB9-30B6-4AC4-BB74-7763C950D8EC} C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D829C1D7-B423-43AB-A4F8-598382EB0716}\TypeLib\ = "{A23C190D-C714-42C7-BDBB-F4E1DE65AF27}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0D8223D-D594-4147-BAD8-1E2B54ED1990}\ProxyStubClsid32 C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2D1C2BC-3427-478E-A903-ADFBCF5711CD}\TypeLib\ = "{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\ProgID C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DBD14E9A-A1B3-4B5A-8A4A-0E4EB25FAA54}\TypeLib\ = "{F5BCAC7E-75E7-4971-B3F3-B197A510F495}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A574BA8-3535-41F9-AB73-FA93F8A7DC3B}\TypeLib\Version = "1.0" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7968A0D1-5C9E-4F28-8C2F-E215BC7DF146} C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FB586AB4-56F2-4EFA-9756-EE9A399B44DE} C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1F7896AD-8886-42CD-8ABD-7A1315A3A5F2} C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A0F9375-1809-45ED-AFE0-92852B971139} C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94E6A9DF-4AAB-48E7-8A94-65CA2481D1F6}\ProxyStubClsid32 C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{562B1FA7-13DE-40A1-8839-AB2C5FA3129C}\ = "ICleanControllerEventsV5" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2DEBAD4E-3BAF-44F0-9150-BCCCC3801CF9}\TypeLib C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4215DAB-7574-44DE-8BE9-78CC62597C95} C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD6673C7-8E52-46EE-80B8-58F3FB6AA036}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MB.MWACController\CurVer\ = "MB.MWACController.1" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D448EF3-7261-4C0C-909C-6D56043C259D}\ProxyStubClsid32 C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78E69E6F-EC12-4B84-8431-1D68572C7A61}\TypeLib C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0101B90-FD0B-40CF-90E4-33650F09A80F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55D0C28B-2BF3-4230-B48D-DB2C2D7BF6F8}\TypeLib C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DC2F8F62-D471-4AD5-B346-9F214FE941A7}\ = "IPoliciesControllerV2" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MB.RTPController\CurVer\ = "MB.RTPController.1" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{332AFEBA-9341-4CEC-8EA6-DB155A99DF63}\1.0\FLAGS C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76AD4430-9C5C-4FC2-A15F-4E16ACD735AC} C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A2C9E279-3E50-44F0-8C3B-606A303BA1D1}\TypeLib\ = "{74630AE8-C170-4A8F-A90A-F42D63EFE1E8}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C292FC1E-6930-404E-B7C6-2CBDA9CCF54B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DAE713-FD88-4ADB-9406-04CB574D543C}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C85F3EB8-B099-4598-89C3-E33BAC2CE53D}\ = "IScanControllerEventsV2" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59E42E77-5F19-4602-A559-3FFA9EE51202}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D81C2A20-D03D-40D4-A371-A499633A2AD3}\ = "_ICleanControllerEventsV3" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18C5830A-FF78-4172-9DFB-E4016D1C1F31}\ = "IRTPController" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CB653AC-F9CF-4277-BFB1-C0ED1C650F56}\ = "IRTPControllerV11" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34544A67-823A-484D-8E18-371AFEAEC02E}\ProxyStubClsid32 C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF16D72-5906-4045-86BC-16826F6212FE}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{571FB9A8-E53B-4740-B125-082207566E5F}\TypeLib\Version = "1.0" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9185897A-76F4-4083-A02C-5FFC2A51F6D4}\TypeLib C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDF63EDA-B622-44E2-8053-8877E33BB49A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEB52C40-FE75-4478-9040-66B25435CE72}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{309BE0D9-B4CA-4610-B250-26CC9CDE7186}\ = "IRTPControllerV15" C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{620A01DD-16D2-4A83-B02C-E29BE38B3029}\TypeLib C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 
PID 2244 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 
PID 2244 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 
PID 2244 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 2244 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 2244 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1496 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 1496 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 1496 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 368 wrote to memory of 4912 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 368 wrote to memory of 4912 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 368 wrote to memory of 4912 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4912 wrote to memory of 2728 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4912 wrote to memory of 2728 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4912 wrote to memory of 2728 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2728 wrote to memory of 1896 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2728 wrote to memory of 1896 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2728 wrote to memory of 1896 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2728 wrote to memory of 4072 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 4072 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 4072 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4076 wrote to memory of 1468 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 4076 wrote to memory of 1468 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 4076 wrote to memory of 1468 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 3692 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 3692 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 3692 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 2220 wrote to memory of 3024 N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
PID 2220 wrote to memory of 3024 N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
PID 2200 wrote to memory of 1924 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2200 wrote to memory of 1924 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2220 wrote to memory of 4468 N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
PID 2220 wrote to memory of 4468 N/A C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
PID 2728 wrote to memory of 4784 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 4784 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 4784 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 6140 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 6140 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 6140 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe"

\??\c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 

c:\users\admin\appdata\local\temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO

C:\Windows\SysWOW64\at.exe

at 08:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe RO

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe RO

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe

"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"

C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe

"C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "0000000000000148" "Service-0x0-3e7$\Default" "0000000000000158" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun"

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"

C:\Windows\SysWOW64\at.exe

at 08:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
DE 88.221.197.193:443 www.bing.com tcp
DE 88.221.197.193:443 www.bing.com tcp
US 8.8.8.8:53 ark.mwbsys.com udp
US 52.1.53.213:443 ark.mwbsys.com tcp
US 8.8.8.8:53 cdn.mwbsys.com udp
GB 3.165.148.93:443 cdn.mwbsys.com tcp
US 52.1.53.213:443 ark.mwbsys.com tcp
US 8.8.8.8:53 cdn.mwbsys.com udp
GB 3.165.148.73:443 cdn.mwbsys.com tcp
US 52.1.53.213:443 ark.mwbsys.com tcp
US 8.8.8.8:53 cdn.mwbsys.com udp
GB 3.165.148.19:443 cdn.mwbsys.com tcp
US 52.1.53.213:443 ark.mwbsys.com tcp
US 8.8.8.8:53 cdn.mwbsys.com udp
GB 3.165.148.19:443 cdn.mwbsys.com tcp
US 52.1.53.213:443 ark.mwbsys.com tcp
US 8.8.8.8:53 cdn.mwbsys.com udp
GB 3.165.148.19:443 cdn.mwbsys.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ipv4.am.i.mullvad.net udp
SE 45.83.223.233:443 ipv4.am.i.mullvad.net tcp
US 8.8.8.8:53 holocron.mwbsys.com udp
US 13.216.117.12:443 holocron.mwbsys.com tcp
US 13.216.117.12:443 holocron.mwbsys.com tcp
US 8.8.8.8:53 api2.amplitude.com udp
US 52.43.24.95:443 api2.amplitude.com tcp
US 8.8.8.8:53 ark.mwbsys.com udp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 8.8.8.8:53 www.malwarebytes.com udp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 52.43.24.95:443 api2.amplitude.com tcp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 3.219.43.247:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 8.8.8.8:53 ark.mwbsys.com udp
US 52.1.53.213:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 52.1.53.213:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 52.1.53.213:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 52.1.53.213:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 52.1.53.213:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 52.1.53.213:443 ark.mwbsys.com tcp
US 192.0.66.233:443 www.malwarebytes.com tcp
US 8.8.8.8:53 api2.amplitude.com udp
US 50.112.183.142:443 api2.amplitude.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\2025-05-20_a0dee67fdef2682ca3b789a16055794a_amadey_black-basta_darkgate_elex_luca-stealer.exe 

MD5 09e0e68fc7650ca68899739080709f91
SHA1 a665ac359ef3f782b78484a71a266e50a71567ad
SHA256 bf83bce7085b016b5dbd65308c92efa9b87b17da561f490a1a17ef96c3d93dac
SHA512 88697e3c474c75cfe7d46e8e092f826e2cc9149d797d0fda250fdeb66b9a8926ece65c13a7880acbf3e410c003181340a60dda1133a90dcd5f6a2b47a6afa3ff

C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5 88680f0ae5515151acd5cb1f79537dbf
SHA1 461f7bd2b7fc53679caec0ca4d41ab16c30e6993
SHA256 02220f99ce7aaaece96779e9133b9748209a9b71c60d935146f5600472e66382
SHA512 e2e4958023ea5d7d71da6899b81eba62233cbb2a55b9a0035066e2f56493a3040c1b3bd320b7c7aa621c47efd43319d7a7b62be888b19c6d6ac2e92fcc78217f

C:\Windows\System\explorer.exe

MD5 d99d26f5cabc1429e9693ee199872e54
SHA1 b18da72f0866b41381ef83103b36850085812e12
SHA256 81815fda5159002e28fe2a355a40effe4329475fdefb5cf58c6e6a87f39951e0
SHA512 df021f987d4bce17d63e6e7994a2e0c46388f32b1046aba9b29cd8b03ff998a1ef5aacb75841eceb6f3054600621080411f24f9b6b37af1d3b77613939b4204e

C:\Windows\System\spoolsv.exe

MD5 9df980a505e697d4453708d3e7a04bd2
SHA1 641cfeb1b7d4780b8aa680827028d156b9fc06c9
SHA256 d08b657e0a74997fd3a7e054d3ff1709d023d86b0578d5df0f02a3cde454a90a
SHA512 558ffa14fb7be4b24d28b94b25985299b310a2030bb38349d8986acaf5e690fc1eada1e1939fe3e62cff395fd6991f2854f22d3d77992d617e2734ac087b1d0a

C:\Windows\System\svchost.exe

MD5 2f221ebeb9e819427cf2262ae11b2af4
SHA1 ae16fcea846d7b7f5273a6f327b4c8b27030488b
SHA256 6eff743b82a54c0c28011b3aaef4b7a2c2c407383dd168ec8d1c9f2c4899fb7a
SHA512 3b13bef6a6a4e5e8638641191a9f231ba4c84ff631596f95372645951728629014f93b89397bfcc938659ca0da2db14fc0b318625722003abb3636751fbac6b3

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 5f5a7bf8f7c5fc3f96de05ea62d0c179
SHA1 fb1cbab6e4c4f8b69f4bebea1bd85804c47a6a77
SHA256 ce37db723ad5bcad37e0b2d3b654345ba972e5aa32088a32b02b06c7b07a4851
SHA512 e6f9c2eb2d1e80d81461bb5a08687ec2e27ec4fca4a98f5f98ddc1efe9e7f718f23dfe77c2649af856ccee3c43ce0f4b37b885dce96edcd35a4798832d59c628

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe

MD5 cea3222bd01165e983f7079c4dd88b11
SHA1 4f1a0e4f43fa822f7d84a8d12605f410fd61dcf0
SHA256 4d3204dd695b8a7e32a4e123b79d3470088ccaa3bddaa187c2661445ca852344
SHA512 7636d76ba03b57f41622cb2fce955e9e36e95f4e945e83d5a2c0adc3c77b4ab06e7ee3a414a216b8a221ee5384152fafbdb47d7a770c3e8327b421ab28377f98

C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\7z.dll

MD5 3430e2544637cebf8ba1f509ed5a27b1
SHA1 7e5bd7af223436081601413fb501b8bd20b67a1e
SHA256 bb01c6fbb29590d6d144a9038c2a7736d6925a6dbd31889538af033e03e4f5fa
SHA512 91c4eb3d341a8b30594ee4c08a638c3fb7f3a05248b459bcf07ca9f4c2a185959313a68741bdcec1d76014009875fa7cbfa47217fb45d57df3b9b1c580bc889d

C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\dotnetpkgtmp\shared\Microsoft.NETCore.App\6.0.36\mscordaccore.dll

MD5 3050af9152d6bb255c4b6753821bc32c
SHA1 7a20c030a6473422607661ffa996e34a245b3e2d
SHA256 97468531d7009e36c338b47fb19e0c6bf210f013610f413c852a4cc27e84b514
SHA512 ad07c4b0bb995e80a1718d74992afdeb6c2c4f217e72f361691e2d04dae9be9cd8e55b50fd7172d73755b02b6105c00a3b67534ba9469d92f9e0fbaab8e8f1a9

C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\servicepkg\MBAMService.exe

MD5 37fd3c1e1db85f1460b2296524d979e2
SHA1 15dfc1a959d98c3456590854b61e791cddf45465
SHA256 093d53cd63edf10deb32976355026342ac15e40aaa736f8539a64604e4e4f3e9
SHA512 0023c2b06204557a32627837e5ded4813483b75a137cd682d1ea38d47a59494ae9d2336daa59eeef6b201878e66cfe96ef114ef4057c48fe4d7a6e2172838ab0

C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\ctlrpkg\Malwarebytes_Assistant.runtimeconfig.json

MD5 d94cf983fba9ab1bb8a6cb3ad4a48f50
SHA1 04855d8b7a76b7ec74633043ef9986d4500ca63c
SHA256 1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a
SHA512 09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\dbclspkg\MBAMCoreV5.dll

MD5 c16030d6a427a8c1ff51deec1725b6d6
SHA1 69c46a5500d8b963d23e712bef3e7c3cae6c1b12
SHA256 64c704b0d0e778a571d676ba4826d41335ecbb6512b76a2dd3d68902aaf649c0
SHA512 b0710cf55e8882ca351f6d393e5ce5d6593100381d40250804796f578888295b0c9d4fb8efb549fff7ab3c8d3c4e297a30a7c8a03d18b6218e319ce29fc0563a

C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\servicepkg\mbamelam.sys

MD5 8da81aa1f6b89ce1d2e216e3ea351c59
SHA1 4baf79cbade9a5584630a540e6368d547579fb12
SHA256 ded569e249e590314d095f740c6b8934a5a797e4f3edbe0f78eac9d333f12a2a
SHA512 6d611bbd9d480ef2defd745fd06c4ab86e181267cf689d9d0e124edbaf22fd30fbe2310879cc7bb6dde5bae72c4feea1d329cdecfbf101d95634f85dd0769119

C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\servicepkg\mbamelam.inf

MD5 5d8c05cc4f9b4304d57ea10b87f2dcf0
SHA1 2cabe3d39aa5ec16c54c7818284a2ee235d2ddbd
SHA256 e26c2d3347e5f077da92713c9df3cd3eae438fb7e29810bd5c3afe567d2d3125
SHA512 55bff23fee9852f229246b71721b3659c916079787935d400a97641449dfda752fc8fbf36f9ea3dc4028f05daeb9006a99660284a61aa5d5a466af0ee966c738

C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\servicepkg\mbamelam.cat

MD5 bd4ceae54af081d6b1dd91ff584c5d61
SHA1 5ade462d66e042da58bb1447d1b31f1aad901b68
SHA256 64416d564725416c6869ea951878a2734b1f6940b11f7961a897c45f0d8c6625
SHA512 37e7abd312f694ee2c8ea54ecf50ed12c16684f1007c61d9a6d1d01cba958be511c5e4e11cd7393a5cd57349fda1c552bebca42962137e0d11695c195761ebb0

C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat

MD5 089674299e14e4a57284d0f224498db3
SHA1 3217e5d9238ac9011f83619d434ea5ae611b8a58
SHA256 a3da44d4652bf4cffe1208095ec1b7297017889721c2a84cc70304a64d88212f
SHA512 bbfa2b57807319a3dafc8ec199489dacb9b3344e36cde442d769972dfdb65109b1978e51b998ead9f97a471bc21766668608b1c4368922a03ac704571d9a6aeb

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe

MD5 dd6dd8549da8656353bb1607d2437145
SHA1 7f7c6100b96a1338fa8886b5c8494d1bfd9b7732
SHA256 134562d62b06ed114fe77c734e08f0f03d240f05c4cc2d67ba72bd1bc3e002c3
SHA512 16ccef60efbedd0dd6dbb1b09257aa2292b6f782f9e6468ed1ee421cbbfa3eb35aff1c3cefd269c766ed12fc9da191bf7608467b17614767f49255da90cdbd2d

C:\Windows\Temp\MBInstallTempad329bc5355411f095117ebfdc71b526\ctlrpkg\mbae64.sys

MD5 95515708f41a7e283d6725506f56f6f2
SHA1 9afc20a19db3d2a75b6915d8d9af602c5218735e
SHA256 321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6
SHA512 d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08

C:\Program Files\Malwarebytes\Anti-Malware\version.dat

MD5 1b661eb6ef7f2ed00bb8b85a493f8593
SHA1 67e5a8f851420d5c220199c66b413cafbce1382e
SHA256 f8ef01707aa49f3425055264a08bc03c85103c108ce23189f8efb31e16954c3d
SHA512 ab1673a8a48a3f0b20a0f960c15be8d33795cd33959be3f438af953ff93255959b3a65bae931f07648aa22665c162bd05050d373a78d3f4b1333e8188096daff

C:\Program Files\Malwarebytes\Anti-Malware\ctlrvers.dat

MD5 dd9e5ad0bf4fcc3a6a54dee68453b54d
SHA1 0cb1e0af514131751bfc7fac435155f9dff322ab
SHA256 bdf09cf1cd65ca0e49aac6c0c3a101ca98ccaeba0886718ef7dd9fadd476bcd1
SHA512 dcd0bd9294c868545226ad944034482db0d30863993d5567bbc45f298597ae4a912c8950e32086e0f192a13c15fcb7c02a2d13acb2d0bd0cf54c83d88126fbc1

C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

MD5 723e0bcfa2d56e35ee4bb7efeaaa0e57
SHA1 18fa0804cdc85113ea2ad0294f16d68fd730283e
SHA256 2fcc42dd8a92c175ba6314eef28ab3cfab4f1fe97c93f6df29d2e487bca74d3d
SHA512 3093921d4bda96bc7d0d189801999179943361ba4a11abdc050b423c6b110784d6dd81857b250f3197f861e9672d46c35585a4fedf35f6f42815d8b2bb6da9d6

C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe

MD5 e04e61828c9fffcee59cd90ef155c90f
SHA1 7a97b65f11d2b3f30d8e2dde4c44bdf16f3d3b24
SHA256 05d4d87f43646f7ca2e50520d8850e8808748a508c2761838d5fb92d66d6ce35
SHA512 04792b998628cde88bc2601534678e55b2d6fde290496e5af08a2955a992ca3bb767bd025dca4373abc55141de8d270f62f628e51c887de54035bbee10379ce9

C:\Program Files\Malwarebytes\Anti-Malware\mbtun.dll

MD5 2bbf63f1dab335f5caf431dbd4f38494
SHA1 90f1d818ac8a4881bf770c1ff474f35cdaa4fcd0
SHA256 f21a980316bd4c57c70e00840ab76d9ad412092d7d2d6a2cff4f1311f7c05364
SHA512 ebb9834323329dc01ba2c87e5fad1083a4cb86f5ed761cb63299ac5336a9843a1aadd42fbed706797c2295117af1c00f96806422338352653c8e0255fecc2fd5

C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf

MD5 5d1917024b228efbeab3c696e663873e
SHA1 cec5e88c2481d323ec366c18024d61a117f01b21
SHA256 4a350fc20834a579c5a58352b7a3aa02a454abbbd9eecd3cd6d2a14864a49cd8
SHA512 14b345f03284b8c1d97219e3dd1a3910c1e453f93f51753f417e643f50922e55c0e23aab1d437300e6c196c7017d7b7538de4850df74b3599e90f3941b40ab4a

C:\PROGRA~1\MALWAR~1\ANTI-M~1\mbtun\mbtun.cat

MD5 8abff1fbf08d70c1681a9b20384dbbf9
SHA1 c9762e121e4f8a7ad931eee58ee60c8e9fc3ecb6
SHA256 9ceb410494b95397ec1f8fa505d071672bf61f81cc596b8eccd167a77893c658
SHA512 37998e0aee93ff47fe5b1636fce755966debe417a790e1aebd7674c86c1583feef04648a7bc79e4dedaabb731051f4f803932ac49ea0be05776c0f4d218b076f

C:\PROGRA~1\MALWAR~1\ANTI-M~1\mbtun\mbtun.sys

MD5 83d4fba999eb8b34047c38fabef60243
SHA1 25731b57e9968282610f337bc6d769aa26af4938
SHA256 6903e60784b9fa5d8b417f93f19665c59946a4de099bd1011ab36271b267261c
SHA512 47faab5fff3e3e2d2aea0a425444aa2e215f1d5bf97edee2a3bb773468e1092919036bcd5002357594b62519bf3a8980749d8d0f6402de0e73c2125d26e78f1e

C:\Windows\System32\CatRoot2\dberr.txt

MD5 e2a012bc2dfc6c4fd195615fb750b94d
SHA1 a8d0ce74fd9dfbf7f6c477f01fc34e362f278946
SHA256 7d52a99781296d931d7f9105abe84e300676d318f644cfeea1ffd21e1cb17c6a
SHA512 74c9dc4468f268c691a3713cc439fd7d880df0d39cbc1afdcd9743d726a1975b9b872a3731d3c5b46fff941cdd96b8d9b26b3d1940d83c038fadb9968a5b86a0

C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json.bak

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files\Malwarebytes\Anti-Malware\offreg.dll

MD5 2ccb84bed084f27ca22bdd1e170a6851
SHA1 16608b35c136813bb565fe9c916cb7b01f0b20af
SHA256 a538caf4ac94708ddb4240d38b1b99914ca3e82283f0d8a2290be28fc05eaccb
SHA512 0fd66d241bdebd0052f4972e85b42639e3c5a40affe23170b84bc4068dff8e84446898a77ebf7cc0bef97454abb788faccce508a68bc5e717980ef26d8436986

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll

MD5 18641c1028572ac38861472767bbd51c
SHA1 a23e7b0403799ab88e83d653e17b98b1a9ad2adc
SHA256 2630ff28ce0009638f1af8a8a603946b585e985f64fcf159ede3c81c2eba7d90
SHA512 cda2372d9a8e09786b30cf27b480c840bf752a149b5cfe9e1c11160447eb0e9ef3d8e67c253c633b6d36d23102d7ed07b5b1c27f87dc06371f1267e50d643501

C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll

MD5 7e257a703c71e24c343a029ae5462458
SHA1 59360bef90281831f4e4c2a0377c2deba3690ef7
SHA256 1d99a50c34a350c4da87cbb4d74e7f958aa378d404f1b156963a32dd8848f3b1
SHA512 6fee254fe7f052de9c6989ebf46d0e17cabc00e23ac801af88e1f068242fbac6a85ccf429ee0f2d014978c0b80201715fff2a520cd6d962d9bd63e582b027543

C:\ProgramData\Malwarebytes\MBAMService\config\PoliciesConfig.json

MD5 9e174cad52de997e75aaf2ca3cc83673
SHA1 3fccc32311f2b974f685955dd612d53ff7cf2efa
SHA256 78d76d5dd7aee6ffb96796af2543623687df5abc487e1e0d8f38a1418505bacb
SHA512 67ed105d3b508ff9c9b26a4c5b2922fbd384f569e7425dc8fbac62f7afbbb80741026939bcfb9d853dea17b88038cc546bb89fed8a6664992bc20c691625ede4

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\LicenseControllerImpl.dll

MD5 4c02fc118ee5fbba1c2da52ce6119bfc
SHA1 22926a9794f3170a5aae320e6facbab675afce44
SHA256 953da22be7b4fe3108bbf85cfe7bbd2096bd201715af9c07e79780d6097390bf
SHA512 1fe0a0bd83d6855938877ba6ac0d195d58fb20b1b15e00675e3762ed9d73dd6d96e5a1e349eb0c20a7f43c14abb970eb04fb9671eb317699833877024533bd9c

C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

MD5 e9926f69be5aa6e9211327ab2f44cc6c
SHA1 cbcfebc4fafd723a9b74460d7eeff4b4d8589cbc
SHA256 9129881a11eca4801182d98186b7a33741414e509e2b51582d4516a3ab658d49
SHA512 8fcd5977101e084d1999e67508800fb8d1f21cde5a18c568a7d14c465bf84fadd9e4e3ab4f764d98eb0624a768660df1d02622a92fe325efd7b047d622790c12

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\UpdateControllerImpl.dll

MD5 4fe0bec13b02be1587dcd00e62b14849
SHA1 20cce46db5cee5b892e0fd02c44a59b5da2678c3
SHA256 154e96500600eee8ec0a011ee95ebb7eaf4b977056a757429c126ad05f8862f3
SHA512 e77c63e7f867645d73577b9df6b7442d41160aef5561cf4711e90333bdccc6f08f89d47aa52e43865502b4b8b70d37715eefb0d311a6e14c24d690d21bc71644

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\pkgvers.dat

MD5 da37a0675f8db4042827bfc5a513f7a0
SHA1 53ae61e6d09fb4b65b4cdc2bbfcf93dfd07ec453
SHA256 c5f67a888799faf126103506cab97ddea2f9f8e54b691e75125535c38aedf014
SHA512 662281703fa17ae95e6366e049e495dca611dc4981c64d82511fe3c27a520d779cf6fcb420d5767645ca207cb9f23e9256289b1ef4fb00c31146588cd4685f8d

C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

MD5 c26911781d46794e1ed80f692d3c693b
SHA1 cef3eb292e2be7075c47bbf8ae04773a736cb3e4
SHA256 9351986f8318e49d65e2d928ecc32ac880b0836f55fc1b74a4bce418ec910ee7
SHA512 0fa7cec573a7f3fe60c2b0bccb06e9216378b8c43b734448b91b2f012eadb18364a2ef7ed30a3b88b882f5967f109cf9e877f05d5b49925648e15da83d29c09b

C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

MD5 57d979b4f244bff9e7f1ed3776c6cf49
SHA1 34847f33b60da9a2fe223d84f29316a6f9196da6
SHA256 767da1498f8a605123b19e1e149c064b90d1744cd83064f1548fcfc86b060a0b
SHA512 e3ede827f48d7c4b6043016e2475815ab927f57686eff044ba5d58840aae1c4daca073e1c9728908565da7c8c92cf9dcaf5415a6aaeaa2ddfc6ef28ba1aca69b

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbmanifest2.dat

MD5 a7f97e1377f641b12d1b29c052062896
SHA1 00b8ef096016fd55665acce0b5d25c5f8ecca760
SHA256 764f84fcd82ad19345dd32ce61e3a1038c3c82711c03443786d078d28ab48206
SHA512 1a44b0417bef5b5682ea03539ee392b11d7f3ff14c43ca747e0db28077268adebbf311fa3bbcebf636851419eec3cceafe66caa375e83828efa9eed31266963f

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\mbdigsig2.dat

MD5 85b0cf7df419bd539783a86919e14586
SHA1 68220d878aceab06e3c658c7ea7f0e17b31143bd
SHA256 c5999473ab9908b3171f2b81ea2dbac8a67a92811ac802b10e7835b43f56e9c7
SHA512 3dc2cbd734aa3c862f088c37f68e80225bda887800b772722df764c96477070c0072d50f162eb2af7a490704b8012aac8b56e7b0c6dfc311ddebef73dc933070

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rules.mbdb

MD5 681a09a6a4a528c1639aa6dfce1c9e4a
SHA1 cb8dd795d65a3efc1f66deb5673251e43587d61b
SHA256 ea2a9cc06731fa32906a81fc7a119b8dc26e696981efad2fff0375944232ca3f
SHA512 ea47cc41dd13b7e393ee30a042caaef5c87c501cb65562b3a751d546644938a65e1b414b2dbf28a1d857e2527a8dd767d3c96bea3355af69235a1d3855d44c46

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\rdefs.mbdb

MD5 2f7423ca7c6a0f1339980f3c8c7de9f8
SHA1 102c77faa28885354cfe6725d987bc23bc7108ba
SHA256 850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55
SHA512 e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\prot.mbdb

MD5 546d9e30eadad8b22f5b3ffa875144bf
SHA1 3b323ffef009bfe0662c2bd30bb06af6dfc68e4d
SHA256 6089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f
SHA512 3478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\clean.mbdb

MD5 adcf3768de3ced374f37524b669a2983
SHA1 f2c9ed19ed2bfe462e2ea751f0e3fdfafbfb24f1
SHA256 80a81756db89a5274e70dc77c56ee75e17edf784730bad9882417f77d97bdef5
SHA512 5156a3b93bf26c0b99497ba60b01da9ee32505b818656ea1402fffe9761be4a125521f81b75b52373384b16a8ffb12e204e6bd1d7d5f017fb70268a5a1afcf48

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\wprot2.mbdb

MD5 b25d8479040596f57468287936582123
SHA1 0330a9cc5f5236d063987d77be8dc442ccb2f7ad
SHA256 504e8d9f7ffc80c127c981d85fabe665203c83959c9a7c38d24e32ec51faa256
SHA512 d33889832b205820cda855ab2872c96161c3038252a59a1cbb96b0cc681cf7914e33bfe25435552a8142e582b606c3aa9231e713ab9699892b90c4bec6025dd1

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\tids.mbdb

MD5 db6950896d34a4553ede476d79a09448
SHA1 3367531763ced75326abde3bda664cfa507cd8bc
SHA256 c6ef88ea9a9297096eca5cefbb97d4481ad01c7df770b75df0168bf49b2bc1ff
SHA512 51043b7aedbfccba04f1357f0686fcd7146348c3ae070f3ef751ae5121decd61e995f80d7d7a594c61f62c07ce7523e6e77975d9259cb9a437044a257249912e

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.sr

MD5 1ca173b955bc64236405a8eab018507b
SHA1 23d8c3bab7a5b55a6aa4cd514d75c96174131199
SHA256 4d97e7372042534ffc1fdf8a3417f5f1930c6c737c5d8a4d7d0465669ccae95e
SHA512 ed541b59dadf9dc2ce9f39fb570f26a385fc658128758f176fab65a56b877e2862322f7733a7db8befb09039f971bc25c2f102964a3e938e058eb69e6f50a763

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dynconfig.dat

MD5 10f23e7c8c791b91c86cd966d67b7bc7
SHA1 3f596093b2bc33f7a2554818f8e41adbbd101961
SHA256 008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc
SHA512 2d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\exclusions.txt

MD5 aef4eca7ee01bb1a146751c4d0510d2d
SHA1 5cf2273da41147126e5e1eabd3182f19304eea25
SHA256 9e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f
SHA512 d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\scan.mbdb

MD5 84f51389e5b8e95d2abf9d15cf3a0ab8
SHA1 fdb7eeef0ce8319fabf28c4f30bd0326fc3cc3c6
SHA256 06d464efc2e566d30e12ce2d4da8322a49248d01f28af60ebca045532b085eb0
SHA512 b8035a97bac079760e0c5b001bb2929399ae70b4e01af33e7207ba58f07852cfee83c4ad0806297e7c4d21b94df2b5966b48464eb2b2aca416031b9d21a8f3d6

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\Global.nm

MD5 b5d7bb1009288931a87af68b7b315ffd
SHA1 96b48fa82f148d8aea0e34d2b8924487d0adaa1e
SHA256 8f45b0a7e6f33101e8b0d7a605566892db7672c6ae822aa47f84a95cec396025
SHA512 0f327f83066ecc0a5010e34e6fdc32b7e4e7ba49342837aa34f3c51d20a97ad8bc1d5b67110d5f384ed32ffb06fc4cb847bef5c2ca48f069db2e6eb8cd97a336

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\cfg.bin

MD5 a9ffdb4a6e4249032d1eca20ca7a174d
SHA1 fdf353bd6300444a7190584a0773cbe42e6b18f2
SHA256 2197a0fb87f14228f6100c05de73e7940f0694ff87907ff2f91003f388080e02
SHA512 8bed00085a9ebec6d529421586008742e891f9476d4e13aaf9f142e361dde40b3a4859451c7c0bb34b568c12ce9a230c069821f0179f586c3e1e34e4762be3eb

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\Actions.dll

MD5 f802ae578c7837e45a8bbdca7e957496
SHA1 38754970ba2ef287b6fdf79827795b947a9b6b4d
SHA256 5582e488d79a39cb9309ae47a5aa5ecc5a1ea0c238b2b2d06c86232d6ce5547b
SHA512 9b097abeafe0d59ed9650f18e877b408eda63c7ec7c28741498f142b10000b2ea5d5f393361886ba98359169195f2aceeee45ff752aa3c334d0b0cc8b6811395

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\BrowserSDKDLL.dll

MD5 956b145931bec84ebc422b5d1d333c49
SHA1 9264cc2ae8c856f84f1d0888f67aea01cdc3e056
SHA256 c726b443321a75311e22b53417556d60aa479bbd11deb2308f38b5ad6542d8d3
SHA512 fb9632e708cdae81f4b8c0e39fed2309ef810ca3e7e1045cf51e358d7fdb5f77d4888e95bdd627bfa525a8014f4bd6e1fbc74a7d50e6a91a970021bf1491c57c

C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe

MD5 72bd1b6f40191478dd33f24a661742bb
SHA1 399df3ef69917c17c144d7b0d872bc69de5e40bf
SHA256 3f93f05da696712ae334ff56a45a3b061d6fe051d5ef8f91b6394256e0911501
SHA512 a482b84f633b04c099cb0279242e3930c5c2737ad9c4b50685df2b90d7792dc99ee8b8509f2a198471226bb5e1e86b01aab260bfa98d36419ca1e1773797dde9

C:\ProgramData\Malwarebytes\MBAMService\lkg_db\sample.dll

MD5 e14add458f6c9aebafc5d67c6442227e
SHA1 7d6b714a10edd22715c1d2732a6beebd867eba60
SHA256 e9fdb8ffb30ebc20601e1a67fb6139e1bc6a8805a206982c834bb354f4b8a427
SHA512 05363fd136a196f7203b37e55104f24918684450507f94f13e6265a9b1384c2d9a069ccee98b81477b33b6414129c83d6ed48ca757242aef7a4e34f16e42ae98

C:\ProgramData\Malwarebytes\MBAMService\config\CloudConfig.json

MD5 d81450f08d4cb6d67d4f5ec8fed5ad03
SHA1 1602e0622b3c8abf26539902038a6e9fd1e074bb
SHA256 1ec97014399e8a33de2511e3b482a2f72cfaa2e2b96c923f6bd4393129ab04bd
SHA512 e794bd4f5eef3d411405eb5172e91c5f8edffca305c5be2853e45604e8f16b983a3067420adad981adf0d93332589f390586d34182bebe13a3f5331cb6e239a9

C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

MD5 97e408e1cbb2e2536f7e98a23e63f7e8
SHA1 250330fc852aefbd5d77bc00d85a81c976e27975
SHA256 be35c842b6982fccfe4b709ced7f5727256324a111fe8c17302c27de75c421a1
SHA512 f7b482bdc4495542fe92f5d8fd5e1f0a3e28e729bf695a5425a269bfbf630734f9cd67ce8e401e28bf56dd9029463d2dbc23ba3f2feefe8ae707029f2d98f78e

C:\ProgramData\Malwarebytes\MBAMService\config\CleanControllerConfig.json

MD5 daec07eee92cd8ed82122929ab9a4b45
SHA1 fabd4837e7e3db14fd87a40176bd7c97ff64c4c8
SHA256 d3405dc7862d98f6bdf05a5cd9914cc311941a15b973eaab15ce977ed1b0ad06
SHA512 e1046cefe53570748e5f5e9d6f330a2962a64ed2f9756d4c7e93daeea958825ee179d16dac58015496e4a322ec1441f7e1dda91dfc630342b0b6b2d610d7ac4f

C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

MD5 0ea3367b702c160c8e2b3fe2b0a39136
SHA1 e7f6441bf691cdfcaac5df069f4bc59e215be213
SHA256 7cdfbda1a365bc7c6464068daa9e18a9c13853cb3ab504e4baf493bf619f2444
SHA512 a5ed284ee82755e488b9c618674b820b77f76e52f8b9a8d3197128099ae453503c9a00aa187aa67a02c5310f0ef537739322e87e63659afe761461c46e515fa3

C:\Windows\System32\drivers\mbamswissarmy.sys

MD5 9d1296e9af8ad4ce9b8f161bbe2185f9
SHA1 8f2fa73c857cb53bfe5d35281be06bf11a45efaa
SHA256 59232d92bc9488780dd4350e502c652b3c15d7c19ecda5fdc863968518cc0002
SHA512 65517117dc05e9469cf4935cb8b8e727074fcc3d72c0a771976c4e8f9f1273df6497e058472872aab31051ec088cb31a9d38307149606c33dd93268e9df3646a

C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json

MD5 a57d601fc9b58888e728d8a4aa151146
SHA1 35c40d132500ae56cd6139c1f30481a0220499f7
SHA256 2cb2831bbd366cadc6438bbe5de3750f94e005aa854a7f7b18d405acbb0e3c1f
SHA512 21ddbe55e310f5c691d488a9e2137cb21c9afa88267d6f34cf0a23291ec03595b07ff0de1f3a863093638e6617cd8888789427f5c726bd77315223998d50931a

C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

MD5 8c7cc24e2913e3f76fd88385d58dc222
SHA1 4d36a4c5fa71954fce369a9308ff8559ad0e52b0
SHA256 571df769e1e4bf4b9d350778b0b27b36c101272068f2ed67fc5510c664c53d01
SHA512 6299e25def1af160fca10f14a9afcd6d3f50d0a0c95ea28bf1238e8cba31e471458a3bea19345bce2744fac3f4c52f7e204d301c7b4cae111e2af19c061b672d

C:\ProgramData\Malwarebytes\MBAMService\config\RtpConfig.json

MD5 c967527e4c5222f742c2162b9d0e2110
SHA1 c6ed14eb4d4cba870080a93c34cf24744f9111eb
SHA256 abe95ee60344cc7263c1c4e7847cb793d93c2be87a201d0ae2a42ef53c6fb973
SHA512 5c7795e3e3dbedce5a55d66c874fcea9a288defbc68ac8b1638ac859c75332dcbf8d06b80baec68bc629c626fd05d08360feede9e8e49c7f7734d70981ced209

C:\ProgramData\Malwarebytes\MBAMService\config\MwacControllerConfig.json

MD5 694d8fc549e28114738fe7074a8c3b9b
SHA1 129642bb804881368278105ec4aeb325307286ed
SHA256 ca595eb82e71ed0121b9f49838e65fce673de31bcc2743ec7ba7bfe3ea00a2f5
SHA512 a0762f123b6f80047375976eab8439cc2705aae3d148d66e29ad44ad8af3aa03ce465f668d80b4edfbf0398b7d66574c93a895bf7083e36cf10410524b86b46f

C:\ProgramData\Malwarebytes\MBAMService\config\ArwControllerConfig.json

MD5 cb4e372ab584b4be7b55978e422e5a10
SHA1 12069b7760dcbc425fdc9f39bb58124141e720ff
SHA256 d667dc7245a25dbb48bef3e3af8def97232fb133539be4dfdbdc6d3b476d5fbb
SHA512 69f78adfa34d712395ff38a3ec2595637c87fa1221e55b045d1f7f67d5ff03023c6f2203260955d834e667388405912d347f0b20f88e91749c1c33d3cd776646

C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

MD5 c4878e5b54b30c43c494d0ebcfc2875d
SHA1 55a265142cd7df776d2698387b3dfd5b27993d26
SHA256 d55c21abd9676655a9790497e083a59412f57b99cb5455e264fa712ca4084698
SHA512 f1e7aea1eea84d12aeeb6d58e0d2b465a5e7788cf2551f292cf3e76c0e00352e26db9331bb0a17663998d97c7a641f6161bdc646f3eab079d577439a8c2c9b16

C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

MD5 16c6471ab62bec6102973a9dfa41a0d0
SHA1 ec0fcb839529396f528dff53512cddeebb52a2be
SHA256 4dae04fb9557cffd45b6c7e4c4a8f14ea4c3010e5115af6ba3e66eafb90e94c9
SHA512 fa1c9e74c01c732733234690189fd676c8655f29af922e213cbc350d81bb81f28c237b653ae01e26ed71b6772d44ee813c31ab521c5adb202f423d55bd5633b0

C:\ProgramData\Malwarebytes\MBAMService\config\AeConfig.json

MD5 fd9476772ca7ad2ccbfbb27b33083eb2
SHA1 2d5ddfe31e8bbe9e9f601447ef14a6347237b4d2
SHA256 35bf13a8f01302bf521fe2cfaf1786bae5c44f8909140ff64a527559449db421
SHA512 6510610fed52939f3d2525c7a90e024918a87482073ac9acb1aeff3580151c39c109ae90eeefb95d41ec3f0201df882af1e541c5da3d851c0f923c946ccb0030

C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json.bak

MD5 11e6a5d3b44cfcbcc472ef94dbd29c82
SHA1 ffccd159ac59d2847960d18dd514c46f5804caa6
SHA256 7db0a213c1ad9d036527ada6bacb74c182db1dec4b110d2c7c7ae4bd2d44cbf7
SHA512 552c2b46ffcd741597e02e24d17bf179e2b1f7e833649a4e705854b196c0d7b30c0094992d611c0abc57a3b94e78885fa680264443c9cd16055fc13a0110a4e6

C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.json

MD5 db490b7358f997b59b4780a9b0acf77e
SHA1 24d86a892e647817710d9a705dd71bc4939fb193
SHA256 ee1f3f35388edad2a4ef061413706e9ad424de4f78bf75b4bf4dd78462b5f6f1
SHA512 43d799a9a3f8d59bd484197ab3ba1ca8310ce3ea65503f01f45e9581a9e58862703a7a0997f8992c0a722283f6e5c5159ae95db4a84e86787480dff97e9dc15f

C:\ProgramData\Malwarebytes\MBAMService\config\VPNServerListConfig.json

MD5 8bd92ae7673306c405348c76c9f87169
SHA1 27a42cbd093f5759ebdc4449d86ed7937ae691b6
SHA256 56c49a2b2d578bd09f9d59cff5f1dbd12aeac8892da610f81ddd90e948cba235
SHA512 b55900e104d57f5374ba484d6b9342253f9db62a359561d37f2a03665a68492418b88146500efb91903cab4e9262d54fe250aac00e17dffb66670656b51339fd

C:\ProgramData\Malwarebytes\MBAMService\config\TelemCtrlConfig.json

MD5 634f4353f1943ad5e226cb52067fe206
SHA1 40a16741cc445b91540ff0c3b2a0a1224e51347f
SHA256 2fdf4ca9a1e69aeb706e8d2aae88efe5f014cc9a9f74c628e331183ed4c3c6b8
SHA512 4954bb3505839ffe475cba157da43ad8cd7fb5b72f75fea0588434aa35e243cac15e967fb7aa0793d0a1be4f6987f7ee017e2e6213e8cb948c8c4e0b9e5dd0fe

C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json

MD5 9e064f5bdefbbfa2f7e6a6df44b61ca2
SHA1 9c4246593c76d3bf3338042114f0b58a58f167f4
SHA256 80736521498a7b2fa447c5e53024ad67d35e51528d6a67e640fd297d7018700f
SHA512 bb288471b304d38c9779187c2bc3bdd3e9df89ee7a84b8c11e66a305006050bff9b5fb49a158c1f7fc0b06d6fed06bae1881e2e7ba85d78b6aa028794f2aadf1

C:\ProgramData\Malwarebytes\MBAMService\config\VPNControllerConfig.json

MD5 80fe648f8d0426c0e1092aae27669a61
SHA1 022a7e7048099bbe3e92b36698e317639c174a14
SHA256 e1c43c0f947a0c36878153df5b73f979762a7919bbed7aa479b34024b6a5b561
SHA512 d5364eb2de26389ef6a5cac2ee3c17efaf5e09629d9a03241faf42960901d6d9914c91fa6f5d5df6d16c68deb2c9fe374427858160b43520f4c7afec0dcb4b39

memory/3840-3204-0x000001F85C6D0000-0x000001F85C942000-memory.dmp

C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json

MD5 480ddf63df80a714a9d5b1f194e53237
SHA1 0bff440b4b71b155e23dbaf2f14c5498ba5439ca
SHA256 d9e09e7597a05b92e168ce519d867371ded3bb79eac1180d600ce38d5b87eb6d
SHA512 940cc9985049ed49d999b2b4519c13bbb0b0134c95e029aa37832308e9b703559e608d4e82b5971cec5fa54c3ab5e5024658f86f2f27c0368f4c4a6c31a1d0cc

C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

MD5 7779526c6da36db4dfaa7e171fea0097
SHA1 02ca5e5c8dfd1e20477c26e5ee1b79e4da7c1bd6
SHA256 2a3289bbf89033a0a860a8728b79308e1052a997647d332210e21ad26f3444b5
SHA512 ef80ed485221adec6009f793c9313e26be8477b8a7dbad294e46166ecee653c6e44a7f34d85a1410ea608adeb1d5764a55e8ed2b05f6c38eb54423f90a1358ab

C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json

MD5 7468516a73907477fc728ae748e0313f
SHA1 302ea0f66b04aa18960aa79099271581518c48f0
SHA256 3db96d284905bdb8c61e87a6e38d9cb89f9224807ec7fdfdfcdefaad392b8c99
SHA512 ea1e1ef1ca9121ccfcdd0f5e34240110d1ec06e7dbe596ee29c810d4de87d17b8b1c09dea9fd1e3eada83d600b4d91eaaffaa24fceb3da5f6e14786e4d5e868c

C:\Program Files\Malwarebytes\Anti-Malware\mb5uns.exe

MD5 b39ba8b6310037ba2384ff6a46c282f1
SHA1 d3a136aab0d951f65b579d22334f4dabbebdb4a4
SHA256 3ecbcb6c57af4456111f5f104b8fb8a317cdb0f16e98412249f7a2d62bca584d
SHA512 a8b98f47c30503029f2dc80398dacd5f8fc07db562d04c56b8c7902bebf11517223350c41850b81aca770ebc9e68fc365921bd6cce34b57b2c945f1c51b538b7

memory/3840-3903-0x000001F85C6D0000-0x000001F85C942000-memory.dmp