Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20250610-en -
resource tags
arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system -
submitted
03/07/2025, 05:28
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe
Resource
win10v2004-20250610-en
General
-
Target
2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe
-
Size
2.8MB
-
MD5
0d1d290c899f25fae7c444139f97cf4b
-
SHA1
4fd2340144115095ac32bf6a4908b0ad5d9527e2
-
SHA256
1573b1b0cff64147082ecfa16e524c55217d4c7266bb936d64e7d4248b7902f8
-
SHA512
347e120fd369e0641affe241b2285ec1159c2189b62ccc59b5d411cbc96f9da018309b825a7fd0371e3de265aad96b10458f71a81133d1d3144456110d9ea9dd
-
SSDEEP
49152:ta0/fqk52pHLiqwAeyfvE0Z3R0Tnxn1o2d5xXDvdbVVrT:Eqfn52p4AeKtwnW2T
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Downloads MZ/PE file 1 IoCs
flow pid Process 37 6072 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe -
Drops file in Drivers directory 10 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\mbamtestfile.dat 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe File created C:\Windows\system32\drivers\mbae64.sys MBAMInstallerService.exe File created C:\Windows\system32\DRIVERS\MbamElam.sys MBAMService.exe File opened for modification C:\Windows\system32\DRIVERS\MbamElam.sys MBAMService.exe File created C:\Windows\system32\DRIVERS\MbamChameleon.sys MBAMService.exe File created C:\Windows\system32\DRIVERS\farflt.sys MBAMService.exe File opened for modification C:\Windows\SysWOW64\drivers\mbamtestfile.dat 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe File created C:\Windows\system32\DRIVERS\mbamswissarmy.sys MBAMService.exe File created C:\Windows\system32\DRIVERS\mwac.sys MBAMService.exe File created C:\Windows\system32\DRIVERS\mbam.sys MBAMService.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Patched UPX-packed file 1 IoCs
Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.
resource yara_rule behavioral1/files/0x000700000002430a-2385.dat patched_upx -
Sets service image path in registry 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mbamchameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMFarflt\ImagePath = "\\SystemRoot\\System32\\Drivers\\farflt.sys" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMProtection\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbam.sys" MBAMService.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion MBAMService.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate MBAMService.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 24 IoCs
pid Process 6072 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 1796 icsys.icn.exe 5896 explorer.exe 3556 spoolsv.exe 4548 svchost.exe 4604 spoolsv.exe 5276 explorer.exe 4344 svchost.exe 5860 MBAMInstallerService.exe 4060 MBVpnTunnelService.exe 5380 MBAMService.exe 6020 MBAMService.exe 1600 ig.exe 220 ig.exe 1888 ig.exe 5628 ig.exe 4480 ig.exe 5088 ig.exe 2564 ig.exe 5780 ig.exe 1592 ig.exe 5788 ig.exe 4296 ig.exe 4448 ig.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService\ = "Service" MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService MBAMInstallerService.exe -
Loads dropped DLL 38 IoCs
pid Process 5860 MBAMInstallerService.exe 5860 MBAMInstallerService.exe 5860 MBAMInstallerService.exe 4060 MBVpnTunnelService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 5860 MBAMInstallerService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe 5860 MBAMInstallerService.exe 6020 MBAMService.exe 6020 MBAMService.exe 6020 MBAMService.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: MBAMInstallerService.exe File opened (read-only) \??\X: MBAMInstallerService.exe File opened (read-only) \??\E: MBAMService.exe File opened (read-only) \??\S: MBAMService.exe File opened (read-only) \??\X: MBAMService.exe File opened (read-only) \??\O: MBAMInstallerService.exe File opened (read-only) \??\R: MBAMInstallerService.exe File opened (read-only) \??\S: MBAMInstallerService.exe File opened (read-only) \??\U: MBAMInstallerService.exe File opened (read-only) \??\H: MBAMInstallerService.exe File opened (read-only) \??\K: MBAMService.exe File opened (read-only) \??\R: MBAMService.exe File opened (read-only) \??\T: MBAMService.exe File opened (read-only) \??\V: MBAMService.exe File opened (read-only) \??\I: MBAMInstallerService.exe File opened (read-only) \??\K: MBAMInstallerService.exe File opened (read-only) \??\Y: MBAMInstallerService.exe File opened (read-only) \??\I: MBAMService.exe File opened (read-only) \??\P: MBAMService.exe File opened (read-only) \??\Q: MBAMService.exe File opened (read-only) \??\E: MBAMInstallerService.exe File opened (read-only) \??\J: MBAMInstallerService.exe File opened (read-only) \??\W: MBAMInstallerService.exe File opened (read-only) \??\Z: MBAMInstallerService.exe File opened (read-only) \??\O: MBAMService.exe File opened (read-only) \??\M: MBAMInstallerService.exe File opened (read-only) \??\Q: MBAMInstallerService.exe File opened (read-only) \??\B: MBAMService.exe File opened (read-only) \??\G: MBAMService.exe File opened (read-only) \??\N: MBAMService.exe File opened (read-only) \??\W: MBAMService.exe File opened (read-only) \??\H: MBAMService.exe File opened (read-only) \??\J: MBAMService.exe File opened (read-only) \??\B: MBAMInstallerService.exe File opened (read-only) \??\G: MBAMInstallerService.exe File opened (read-only) \??\L: MBAMInstallerService.exe File opened (read-only) \??\P: MBAMInstallerService.exe File opened (read-only) \??\T: MBAMInstallerService.exe File opened (read-only) \??\A: MBAMService.exe File opened (read-only) \??\U: MBAMService.exe File opened (read-only) \??\A: MBAMInstallerService.exe File opened (read-only) \??\V: MBAMInstallerService.exe File opened (read-only) \??\L: MBAMService.exe File opened (read-only) \??\M: MBAMService.exe File opened (read-only) \??\Y: MBAMService.exe File opened (read-only) \??\Z: MBAMService.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_895623810c19146a\nete1e3e.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\bcmwdidhdpcie.inf_amd64_977dcc915465b0e9\bcmwdidhdpcie.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwbw02.inf_amd64_1c4077fa004e73b4\netwbw02.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\c_net.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe File created C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_8d5ca5ab1472fc44\netl1e64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 MBAMService.exe File created C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4\netv1x64.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File created C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_b6748bc8bb8ccf4d\netax88179_178a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\mrvlpcie8897.inf_amd64_07fc330c5a5730ca\mrvlpcie8897.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\Temp\{9b182aee-0441-7249-aa31-6fdba4b7284d}\SET2FB8.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{9b182aee-0441-7249-aa31-6fdba4b7284d} DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\netathr10x.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mbtun.inf_amd64_add82795013a7c3b\mbtun.inf DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\rtwlanu_oldic.inf_amd64_1a82423cc076e882\rtwlanu_oldic.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mbtun.inf_amd64_add82795013a7c3b\mbtun.sys DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_d6132e4c7fe2fac6\rtux64w10.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\netwsw00.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_99a4ca261f585f17\net8187se64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net8187bv64.inf_amd64_bc859d32f3e2f0d5\net8187bv64.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB MBAMService.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0E0EA2CD61F757CEB5BB65FC2C758BF4_59B8C30534EA03831AD62B87D9D5F56A MBAMService.exe File created C:\Windows\System32\DriverStore\FileRepository\nett4x64.inf_amd64_54eacac1858c78ab\nett4x64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwlv64.inf_amd64_0b9818131664d91e\netwlv64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_d5996f2a9d9aa9e3\netr28ux.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_b96cdf411c43c00c\netbc64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\net7800-x64-n650f.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\netrtwlane_13.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mbtun.inf_amd64_add82795013a7c3b\mbtun.cat DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\bcmdhd64.inf_amd64_e0bae6831f60ea5f\bcmdhd64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netvf63a.inf_amd64_a090e6cfaf18cb5c\netvf63a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_9a5b429abc465278\wnetvsc.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_b06c3bc32f7db374\bthpan.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netbc63a.inf_amd64_7ba6c9cea77dd549\netbc63a.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlans.inf_amd64_97cd1a72c2a7829c\netrtwlans.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\netmlx4eth63.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{9b182aee-0441-7249-aa31-6fdba4b7284d}\mbtun.inf DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\netl1c63x64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\rt640x64.inf_amd64_8984d8483eef476c\rt640x64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\kdnic.inf_amd64_6649425cdcae9b5f\kdnic.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_97bef65a8432edd4\msdri.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_84cd7b2798e0a666\netg664.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{9b182aee-0441-7249-aa31-6fdba4b7284d}\mbtun.sys DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netvchannel.inf_amd64_ba3e73aa330c95d6\netvchannel.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_8de1181bfd1f1628\ndisimplatformmp.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw02.inf_amd64_42e02bae858d0fbd\netwtw02.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw04.inf_amd64_c8f5ae6576289a2d\netwtw04.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_be4ba6237d385e2e\netrndis.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\Temp\{9b182aee-0441-7249-aa31-6fdba4b7284d}\SET2FB7.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\net1ic64.inf_amd64_5f033e913d34d111\net1ic64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\e2xw10x64.inf_amd64_04c2ae40613a06ff\e2xw10x64.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw06.inf_amd64_2edd50e7a54d503b\netwtw06.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\net7400-x64-n650.inf_amd64_557ce3b37c3e0e3b\net7400-x64-n650.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\athw8x.PNF MBVpnTunnelService.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{9b182aee-0441-7249-aa31-6fdba4b7284d}\SET2FB7.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_9e6bb7a4b7338267\usbnet.PNF MBVpnTunnelService.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane01.inf_amd64_b02695ef070d7a42\netrtwlane01.PNF MBVpnTunnelService.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exe MBAMService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Runtime.CompilerServices.VisualC.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Runtime.Serialization.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\es\System.Windows.Input.Manipulations.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\PresentationFramework.Aero2.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Serilog.Sinks.File.dll MBAMInstallerService.exe File opened for modification C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Private.Xml.Linq.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\System.IO.Packaging.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-core-processenvironment-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.IO.Compression.ZipFile.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.IO.IsolatedStorage.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Security.Cryptography.Encoding.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\de\PresentationUI.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\de\UIAutomationClient.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\System.Windows.Extensions.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hans\UIAutomationClientSideProviders.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.IO.Pipes.AccessControl.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\es\WindowsFormsIntegration.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\ko\System.Windows.Forms.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\mbae64.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\MbamUI.Tray.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\System.ServiceProcess.ServiceController.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\bc76801a-39fe-4cd5-87b6-394d7024cabc 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\ru\UIAutomationClientSideProviders.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Net.Requests.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Net.WebHeaderCollection.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Security.SecureString.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Xml.XmlDocument.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\it\WindowsFormsIntegration.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\ko\PresentationCore.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hans\System.Windows.Forms.Primitives.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\srvversion.dat MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\mscordbi.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\de\ReachFramework.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.UI.Theme.Light.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\System.DirectoryServices.AccountManagement.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\mbam.manifest.json MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\ko\System.Windows.Controls.Ribbon.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\rtp.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\hostfxr.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\Microsoft.NETCore.App.deps.json MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Xml.ReaderWriter.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\cs\PresentationCore.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\de\WindowsBase.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\tr\PresentationUI.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Microsoft.Extensions.Caching.Memory.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.IO.FileSystem.DriveInfo.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Security.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\es\PresentationCore.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hans\System.Windows.Forms.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.deps.json MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Runtime.InteropServices.RuntimeInformation.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Threading.Overlapped.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\ja\PresentationUI.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\zh-Hant\WindowsFormsIntegration.resources.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.cat MBVpnTunnelService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-core-heap-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\api-ms-win-core-string-l1-1-0.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\mscorlib.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Net.Http.Json.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.36\System.Text.Encoding.dll MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.36\cs\System.Xaml.resources.dll MBAMInstallerService.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.dev.log MBVpnTunnelService.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File created C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_HL-DT-ST_DVD+-RW\4&215468A5&0&010000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_HL-DT-ST_DVD+-RW\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MBAMService.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MBAMService.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION MBAMInstallerService.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Malwarebytes.exe = "11000" MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION MBAMService.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000" MBAMService.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000" MBAMService.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust MBAMService.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Malwarebytes\FirstRun = "false" MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0 MBAMInstallerService.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\ MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MBAMService.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols\All Applications\malwarebytes:\ MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MBAMService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MBAMService.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\malwarebytes: MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0 MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople MBAMService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MBAMService.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Policies\Microsoft\Office\16.0\Common MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c190000000100000010000000a344f71a7a52a76ee49b74b1d8816b15040000000100000010000000d91299e84355cd8d5a86795a0118b6e90f000000010000003000000065b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e641400000001000000140000006837e0ebb63bf85f1186fbfe617b088865f44e425c000000010000000400000000100000180000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e MBAMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols MBAMInstallerService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common MBAMInstallerService.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security MBAMInstallerService.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8258E71-3A7A-4D9D-85BB-C7999F95B7E4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05510285-C4B6-4AFD-971B-EBE3139F45A3}\TypeLib\Version = "1.0" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9704115C-F54E-4D64-8554-0CAF8BF33B1B} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC2F8F62-D471-4AD5-B346-9F214FE941A7}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E36A44EC-B16B-41DE-AD94-A59E117F67FF}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6655E528-3168-47A4-BF82-A71E9E6AB5F7}\ = "IScanParametersV4" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{118F4330-CAF5-4A54-ABB0-DC936669ED2F}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{172ABF99-1426-47CA-895B-092E23728E8A} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66328184-6592-46BE-B950-4FDA4417DF2E} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59E42E77-5F19-4602-A559-3FFA9EE51202}\TypeLib MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F2D6C4F-0B95-4A53-BA9D-55526737DC34}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MB.LicenseController\CurVer\ = "MB.LicenseController.1" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8307A4A5-A025-438B-B23B-8EE38A453D54}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6357A98F-CE03-4C67-9410-00907FB21BC7}\TypeLib\ = "{A23C190D-C714-42C7-BDBB-F4E1DE65AF27}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83D0C30B-ECF4-40C5-80EC-21BB47F898A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MB.ScanController.1 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3498D9E4-6476-4AC0-B53A-75BC9955EF37}\TypeLib\Version = "1.0" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2154AF09-DC0A-49CD-9D82-22D867C16F67} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6ED2B0A1-984E-4A35-9B04-E0EBAFB2842A}\TypeLib\Version = "1.0" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F95C137-46FC-42FB-A66A-F0482F3C749C}\TypeLib MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2846D47E-9B85-4836-B883-6A7B493E2D6A} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{929A5C6C-42D7-4248-9533-03C32165691F}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2154AF09-DC0A-49CD-9D82-22D867C16F67}\ = "IMBAMServiceControllerV13" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B42C782-9650-4EFF-9618-91118DF96061}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{983849D5-BFE9-43E9-A9A0-CBAFBC917F39}\ = "_ICleanControllerEventsV4" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E3F70EF-D9BE-485F-A6F5-816DD0EDC757}\ = "IRTPControllerV16" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{964AD404-A1EF-4EDA-B8FA-1D8003B29B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3FCAA7C-EA26-43E6-A312-CDB85491DDD8}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B05F69B-4F9B-4FD3-A491-16153F999E00}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\Version MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DA5636E-CD8F-4F2D-9351-4270985E1EB3}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{172ABF99-1426-47CA-895B-092E23728E8A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1691A7E8-B8D1-46D5-BB29-3A4DB2D809C6}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C1047E9-9ADC-4F8A-8594-036375F53103}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{309BE0D9-B4CA-4610-B250-26CC9CDE7186}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5250E5C8-A09C-4F87-A0DA-A46A62A0EACF} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EB774AC-23B7-4F52-A9F2-708D194F0C86}\TypeLib\ = "{A23C190D-C714-42C7-BDBB-F4E1DE65AF27}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08927360-710B-483B-BEEC-17E51FF84AF9}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E03FDF96-969E-4700-844D-7F754F1657EF}\TypeLib\Version = "1.0" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCEFCD43-B934-4168-AE51-6FE07D3D0624}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0CEAFA7-4F65-418C-8A61-92B2048115EE}\ProxyStubClsid32 MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F3822FA-CCD5-4934-AB6D-3382B2F91DB9}\TypeLib MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{956AEAEB-8EA2-4BE1-AAD0-3BE4C986A1CC}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EC225D5-FD37-4F9B-B80F-09FAE36103AE}\TypeLib\Version = "1.0" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34544A67-823A-484D-8E18-371AFEAEC02E}\TypeLib\ = "{FFB94DF8-FC15-411C-B443-E937085E2AC1}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{929A5C6C-42D7-4248-9533-03C32165691F} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61964EBA-D9C0-4834-B01C-A6133F432BB1} MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{783B187E-360F-419C-B6DA-592892764A01}\1.0\HELPDIR MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1BDE8B0-F598-4334-9991-ECC7442EEAA6}\TypeLib\Version = "1.0" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FB81F893-5D01-4DFD-98E1-3A6CB9C3E63E}\TypeLib MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79D77750-02E0-4451-A7BB-524ACD93DD93} MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71B13605-3569-4F4A-B971-08FF179A3A60}\ = "_IScannerEvents" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04F8CDB5-1E26-491C-8602-D2ADE2D8E17A}\ = "IMinimalScanParameters" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81541635-736E-4460-81AA-86118F313CD5}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{309BE0D9-B4CA-4610-B250-26CC9CDE7186}\ = "IRTPControllerV15" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\TypeLib\ = "{49F6AC60-2104-42C6-8F71-B3916D5AA732}" MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE35F2CA-6335-49BA-8E86-F6E246CFCEA6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8891F9E-90C4-4B3D-B87B-92DEA9221EBB}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7DAEEB9-30B6-4AC4-BB74-7763C950D8EC}\ = "IMWACControllerEvents" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{893E5593-9490-4E90-9F1E-0B786EC41470}\ProxyStubClsid32 MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{02143C0F-1656-4B2E-95E7-EA8178A29E2E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E41AC038-1688-417F-BE23-52D898B93903}\TypeLib MBAMService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9704115C-F54E-4D64-8554-0CAF8BF33B1B}\TypeLib\Version = "1.0" MBAMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E0F1EE6-E7CA-4BEE-8C08-0959842DA615} MBAMService.exe -
Modifies system certificate store 2 TTPs 30 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e MBAMService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 MBAMInstallerService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16 MBAMInstallerService.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e MBAMService.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 6072 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 6072 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 5896 explorer.exe 4548 svchost.exe -
Suspicious behavior: LoadsDriver 11 IoCs
pid Process 676 Process not Found 676 Process not Found 676 Process not Found 676 Process not Found 676 Process not Found 676 Process not Found 676 Process not Found 676 Process not Found 676 Process not Found 676 Process not Found 676 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe Token: SeDebugPrivilege 5860 MBAMInstallerService.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 6072 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 1796 icsys.icn.exe 1796 icsys.icn.exe 5896 explorer.exe 5896 explorer.exe 3556 spoolsv.exe 3556 spoolsv.exe 4548 svchost.exe 4548 svchost.exe 4604 spoolsv.exe 4604 spoolsv.exe 5276 explorer.exe 4344 svchost.exe 5276 explorer.exe 4344 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3100 wrote to memory of 6072 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 87 PID 3100 wrote to memory of 6072 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 87 PID 3100 wrote to memory of 6072 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 87 PID 3100 wrote to memory of 1796 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 89 PID 3100 wrote to memory of 1796 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 89 PID 3100 wrote to memory of 1796 3100 2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe 89 PID 1796 wrote to memory of 5896 1796 icsys.icn.exe 90 PID 1796 wrote to memory of 5896 1796 icsys.icn.exe 90 PID 1796 wrote to memory of 5896 1796 icsys.icn.exe 90 PID 5896 wrote to memory of 3556 5896 explorer.exe 92 PID 5896 wrote to memory of 3556 5896 explorer.exe 92 PID 5896 wrote to memory of 3556 5896 explorer.exe 92 PID 3556 wrote to memory of 4548 3556 spoolsv.exe 93 PID 3556 wrote to memory of 4548 3556 spoolsv.exe 93 PID 3556 wrote to memory of 4548 3556 spoolsv.exe 93 PID 4548 wrote to memory of 4604 4548 svchost.exe 94 PID 4548 wrote to memory of 4604 4548 svchost.exe 94 PID 4548 wrote to memory of 4604 4548 svchost.exe 94 PID 4768 wrote to memory of 5276 4768 cmd.exe 99 PID 4768 wrote to memory of 5276 4768 cmd.exe 99 PID 4768 wrote to memory of 5276 4768 cmd.exe 99 PID 4748 wrote to memory of 4344 4748 cmd.exe 100 PID 4748 wrote to memory of 4344 4748 cmd.exe 100 PID 4748 wrote to memory of 4344 4748 cmd.exe 100 PID 5860 wrote to memory of 4060 5860 MBAMInstallerService.exe 119 PID 5860 wrote to memory of 4060 5860 MBAMInstallerService.exe 119 PID 452 wrote to memory of 3244 452 svchost.exe 122 PID 452 wrote to memory of 3244 452 svchost.exe 122 PID 5860 wrote to memory of 5380 5860 MBAMInstallerService.exe 123 PID 5860 wrote to memory of 5380 5860 MBAMInstallerService.exe 123 PID 6020 wrote to memory of 1600 6020 MBAMService.exe 128 PID 6020 wrote to memory of 1600 6020 MBAMService.exe 128 PID 6020 wrote to memory of 1600 6020 MBAMService.exe 128 PID 6020 wrote to memory of 220 6020 MBAMService.exe 129 PID 6020 wrote to memory of 220 6020 MBAMService.exe 129 PID 6020 wrote to memory of 220 6020 MBAMService.exe 129 PID 6020 wrote to memory of 1888 6020 MBAMService.exe 130 PID 6020 wrote to memory of 1888 6020 MBAMService.exe 130 PID 6020 wrote to memory of 1888 6020 MBAMService.exe 130 PID 6020 wrote to memory of 5628 6020 MBAMService.exe 131 PID 6020 wrote to memory of 5628 6020 MBAMService.exe 131 PID 6020 wrote to memory of 5628 6020 MBAMService.exe 131 PID 6020 wrote to memory of 4480 6020 MBAMService.exe 132 PID 6020 wrote to memory of 4480 6020 MBAMService.exe 132 PID 6020 wrote to memory of 4480 6020 MBAMService.exe 132 PID 6020 wrote to memory of 5088 6020 MBAMService.exe 133 PID 6020 wrote to memory of 5088 6020 MBAMService.exe 133 PID 6020 wrote to memory of 5088 6020 MBAMService.exe 133 PID 6020 wrote to memory of 2564 6020 MBAMService.exe 134 PID 6020 wrote to memory of 2564 6020 MBAMService.exe 134 PID 6020 wrote to memory of 2564 6020 MBAMService.exe 134 PID 6020 wrote to memory of 5780 6020 MBAMService.exe 135 PID 6020 wrote to memory of 5780 6020 MBAMService.exe 135 PID 6020 wrote to memory of 5780 6020 MBAMService.exe 135 PID 6020 wrote to memory of 1592 6020 MBAMService.exe 136 PID 6020 wrote to memory of 1592 6020 MBAMService.exe 136 PID 6020 wrote to memory of 1592 6020 MBAMService.exe 136 PID 6020 wrote to memory of 5788 6020 MBAMService.exe 137 PID 6020 wrote to memory of 5788 6020 MBAMService.exe 137 PID 6020 wrote to memory of 5788 6020 MBAMService.exe 137 PID 6020 wrote to memory of 4296 6020 MBAMService.exe 138 PID 6020 wrote to memory of 4296 6020 MBAMService.exe 138 PID 6020 wrote to memory of 4296 6020 MBAMService.exe 138 PID 6020 wrote to memory of 4448 6020 MBAMService.exe 139
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\users\admin\appdata\local\temp\2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exec:\users\admin\appdata\local\temp\2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe2⤵
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:6072
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5896 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4604
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO1⤵
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO1⤵
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5276
-
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5860 -
C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4060
-
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies registry class
PID:5380
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "0000000000000140" "Service-0x0-3e7$\Default" "0000000000000154" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3244
-
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:6020 -
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
- Executes dropped EXE
PID:1600
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
- Executes dropped EXE
PID:220
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
- Executes dropped EXE
PID:1888
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
- Executes dropped EXE
PID:5628
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
- Executes dropped EXE
PID:4480
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
- Executes dropped EXE
PID:5088
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
- Executes dropped EXE
PID:2564
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
- Executes dropped EXE
PID:5780
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
- Executes dropped EXE
PID:1592
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
- Executes dropped EXE
PID:5788
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
- Executes dropped EXE
PID:4296
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
- Executes dropped EXE
PID:4448
-
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Safe Mode Boot
1Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.4MB
MD5956b145931bec84ebc422b5d1d333c49
SHA19264cc2ae8c856f84f1d0888f67aea01cdc3e056
SHA256c726b443321a75311e22b53417556d60aa479bbd11deb2308f38b5ad6542d8d3
SHA512fb9632e708cdae81f4b8c0e39fed2309ef810ca3e7e1045cf51e358d7fdb5f77d4888e95bdd627bfa525a8014f4bd6e1fbc74a7d50e6a91a970021bf1491c57c
-
Filesize
5.2MB
MD5fdd046da9d395052a74cba975e58a29c
SHA1359a47e9e8ab682539211025e95dcd49834bcf1e
SHA2568ca449b57df9b70ebac3aba5993d0b7ee4edb2c24f534229a14add96209e9c69
SHA512de02e6d461630c2707f84676a5f707c4e19e6c10c5c9851c8fcfb68b8d21f19c7eb1fe85bc667fab8c996b7d5242fff547f3a552452ca6d545117ae1f4c84290
-
Filesize
4.1MB
MD518641c1028572ac38861472767bbd51c
SHA1a23e7b0403799ab88e83d653e17b98b1a9ad2adc
SHA2562630ff28ce0009638f1af8a8a603946b585e985f64fcf159ede3c81c2eba7d90
SHA512cda2372d9a8e09786b30cf27b480c840bf752a149b5cfe9e1c11160447eb0e9ef3d8e67c253c633b6d36d23102d7ed07b5b1c27f87dc06371f1267e50d643501
-
Filesize
4.3MB
MD54fe0bec13b02be1587dcd00e62b14849
SHA120cce46db5cee5b892e0fd02c44a59b5da2678c3
SHA256154e96500600eee8ec0a011ee95ebb7eaf4b977056a757429c126ad05f8862f3
SHA512e77c63e7f867645d73577b9df6b7442d41160aef5561cf4711e90333bdccc6f08f89d47aa52e43865502b4b8b70d37715eefb0d311a6e14c24d690d21bc71644
-
Filesize
78B
MD5cec8d01f2a0af23c6662a9acab3c7b2f
SHA12561f9a0e7eef1b16274e5ed1f53a01a4d9d0c0f
SHA2568259bc19e0a209c2c01f6db946e2d2612dda2723dd5f768e76fc14c9998b6dc4
SHA5122105c6ec0d13dac03047aa1b92e64c43679cf532d68fb17d450ae8fe04b73dd9c3d6c17162f54d938ce825bb954d3f9a2c1f97227dc1e346a50196df97fc0a0c
-
Filesize
338KB
MD500ed936a1469d0ecf817f963dfafc221
SHA1353e97b8801bb6b311520ab8a3b241b67da4c713
SHA256fdcefcb343e91c6e0b7a605ef9f715665da13324b2499185a42827c2e67e04aa
SHA512259c220296f5cd24e457b3893c1793d530f04ba3865b9c2be1ff039750a0f9e8a790ccd7a5be2ca61cf31ee419c04d394c8c2a17a8643851f818f880b860cedb
-
Filesize
19.5MB
MD514a599aac2474a8d3408b4eadf3eec0f
SHA11c5ed9792dda0b2e5e8713a30bdb6c6e466cf2fd
SHA256cf28e700fec252e1beb39c2f342f9db8d26b3c7d4408ad230bd7d2def3641b2e
SHA512ec51f551d4fd3cb585105049c64fd0cf905698b42531efd423eb3ece0f0a6dfcce2509ffa2cf93664d7ebc7300f5811a35deb02d789793bec827c57739da48d8
-
Filesize
2KB
MD5a9ffdb4a6e4249032d1eca20ca7a174d
SHA1fdf353bd6300444a7190584a0773cbe42e6b18f2
SHA2562197a0fb87f14228f6100c05de73e7940f0694ff87907ff2f91003f388080e02
SHA5128bed00085a9ebec6d529421586008742e891f9476d4e13aaf9f142e361dde40b3a4859451c7c0bb34b568c12ce9a230c069821f0179f586c3e1e34e4762be3eb
-
Filesize
17KB
MD5c5eb28d4d43978f7d267975efa1de2ac
SHA1814088cb932427fc93b93e8ad809ffedb8b30e6a
SHA2563d4586848f8b066b4b8f060af49ccc739763f0f708a7324489f5d2e9b4245a42
SHA512e58f6e785b4bf61f05650143f11a2135482462c12791d559633df93e258794e282e12f282197142d8770be5ff8bd666f67c8c8416b6b9530725fb36c90eb48a2
-
Filesize
924B
MD52983c309e26a7350d7c067a2fc4fbfaf
SHA16b0a29e04d8eabf9b6ff882ec3c4c4ffa1b4bc96
SHA25609748f956d7d104bebb6c50dc1f39e46ff61436ec75e9fe2e103c0cfdfbd1931
SHA512bcfd3cca1dbeb414ea3955fe0d4e4b039f0edaadaed63b1d3b4807778d0d59c60d16ec9f6efc9c42a36d17849883be4ca8ba566d9757a12ecaf30622ced4a840
-
Filesize
39KB
MD510f23e7c8c791b91c86cd966d67b7bc7
SHA13f596093b2bc33f7a2554818f8e41adbbd101961
SHA256008254ca1f4d6415da89d01a4292911de6135b42833156720a841a22685765dc
SHA5122d1b21371ada038323be412945994d030ee8a9007db072484724616c8597c6998a560bc28886ebf89e2c8919fb70d76c98338d88832351823027491c98d48118
-
Filesize
23KB
MD5aef4eca7ee01bb1a146751c4d0510d2d
SHA15cf2273da41147126e5e1eabd3182f19304eea25
SHA2569e87e4c9da3337c63b7f0e6ed0eb71696121c74e18a5da577215e18097715e2f
SHA512d31d21e37b0048050b19600f8904354cff3f3ec8291c5a7a54267e14af9fb88dfb6d11e74a037cc0369ade8a8fb9b753861f3b3fb2219563e8ec359f66c042db
-
Filesize
514B
MD5501e30d43f8648f5f30325e680fe9fb9
SHA1abd5060a1f13d7b81b44b1c5ef136ed940098707
SHA25617b422cd3c0d0b6967a161acc87f25f18263d453ed363ea245847e73e845c61f
SHA512533510c9e718a235e64c4586fdc4fcd97b93a4173a9986fa695fb70b02c3de0e96b28efd1bde0e0cdc2eb497a0bbf7b994459a8a50021ce2974a62418723c1fb
-
Filesize
24B
MD5546d9e30eadad8b22f5b3ffa875144bf
SHA13b323ffef009bfe0662c2bd30bb06af6dfc68e4d
SHA2566089fbf0c0c1413f62e91dc9497bedc6d8a271e9dc761e20adc0dccf6f4a0c1f
SHA5123478f5dcf7af549dd6fe48ad714604200de84a90120b16a32233b6d44fa7240f5f4e5fe803f54b86bbdfd10fa1bfdd88fb85eb6a78e23e426933f98d0a2565ec
-
Filesize
24B
MD52f7423ca7c6a0f1339980f3c8c7de9f8
SHA1102c77faa28885354cfe6725d987bc23bc7108ba
SHA256850a4ea37a0fd6f68bf95422d502b2d1257264eb90cc38c0a3b1b95aa375be55
SHA512e922ac8a7a2cde6d387f8698207cf5efbd45b646986a090e3549d97a7d552dd74179bd7ac20b7d246ca49d340c4c168982c65b4749df760857810b2358e7eb69
-
Filesize
11.3MB
MD5135e8a7cdbbb3ad2f618eb8e0790bace
SHA1eb2073ef975dc16bb5c722d74de8e027259cc4ed
SHA256c515d01109511f89a5fcb1641caa97dc791abab954a6c97045e05006b9d96360
SHA51228e7d687bbd685f710cad4b72aa8656abb5de691eff1d1f20585f4641df631c94bf4b8ae623c96003071ae65074a101e70a019c405cbcbb7b822aaa5ed89b687
-
Filesize
504KB
MD5f82f623a57d2081167b0ef4080e75c95
SHA173998e34ff150988dbf9c9e01737534a59f33db3
SHA2569c010467f93834859acc2c97720dfd1295874688fc7ca8e69df6cd564bb38008
SHA512a0d2fd8588563e02ea96ffbfce58777b511d16c088fd0973cec0a7235799b6a6a8317079c839045ca88c76dd9827b3a1f43b4b5a1d754c80bd35251a1610b52c
-
Filesize
145KB
MD52dce35e0e73afe5c923dac3a8e70ed0a
SHA1338987e4f0c8567a12b341f5ba0ffd451971b8e8
SHA256c87a818b2963577afc3c513357c33da4a49ae63aa63228435961f3abbc72ea43
SHA5128044eb28c01d2cda2744c21e67dcaa543d0ec40b54d721bc0e5655d90ca993d1c20e01b641b339ffae36de4279de2b5ad817339edb95d4f48fb3464a0bddf217
-
Filesize
12.6MB
MD5a8cc3331c745b403aeaf36ba094f7be3
SHA1a004d36cfe62bc2d9bdf3b17cfb6da6d23ee935d
SHA2560bb2b53b30a14e9cf259c42639b3bc5800c21153af4ae320efd66b14f6a76bb2
SHA512ff813d36fe0993a81933d2fcdd557886180da688ecae88c82e74de38b8e00bdfb1726aa626fca3567d3e194345aacbc13db7226fc47c86528b3b5279ccc1d632
-
Filesize
10KB
MD58abff1fbf08d70c1681a9b20384dbbf9
SHA1c9762e121e4f8a7ad931eee58ee60c8e9fc3ecb6
SHA2569ceb410494b95397ec1f8fa505d071672bf61f81cc596b8eccd167a77893c658
SHA51237998e0aee93ff47fe5b1636fce755966debe417a790e1aebd7674c86c1583feef04648a7bc79e4dedaabb731051f4f803932ac49ea0be05776c0f4d218b076f
-
Filesize
107KB
MD583d4fba999eb8b34047c38fabef60243
SHA125731b57e9968282610f337bc6d769aa26af4938
SHA2566903e60784b9fa5d8b417f93f19665c59946a4de099bd1011ab36271b267261c
SHA51247faab5fff3e3e2d2aea0a425444aa2e215f1d5bf97edee2a3bb773468e1092919036bcd5002357594b62519bf3a8980749d8d0f6402de0e73c2125d26e78f1e
-
Filesize
8.8MB
MD5c81029e817a7812ff9de07a9460b1936
SHA1796fe3b557afc10de9dc6a217a39fe151698dcc0
SHA25662d826fc76a6f192ed7666404416a549794cefcacd35e21c864f65409291ccd9
SHA512433277ace204e04497df4536e522a97d371ae741e8c02cb20e25cb9c2f29589c6339458444018f6f779ea22fb062f980283451684b1b8e0d2cb96e6fc203f5f9
-
Filesize
2.7MB
MD5e04e61828c9fffcee59cd90ef155c90f
SHA17a97b65f11d2b3f30d8e2dde4c44bdf16f3d3b24
SHA25605d4d87f43646f7ca2e50520d8850e8808748a508c2761838d5fb92d66d6ce35
SHA51204792b998628cde88bc2601534678e55b2d6fde290496e5af08a2955a992ca3bb767bd025dca4373abc55141de8d270f62f628e51c887de54035bbee10379ce9
-
Filesize
291KB
MD5a80ac5d8cd6fe7a2163a8ea1e02f1a21
SHA1dd514fc8b861e3f58712350759401b53e7f72f31
SHA256d627a2eea7f79567e7d67c32dc07a784f1580702ad4681eaaff00cd22f09fdd6
SHA512c91f1da039e366906764806185b50ec1e1f459cf805892bad1a2482f79bdb339258ee125baf4784bef740af21716955f9dad29c9640a31f55f983f5d3975f093
-
Filesize
621B
MD59c23605f60135e873ab1793e107dd14a
SHA1beb9f5e8bf1223e8c8f87ba5b614f9726e666c7f
SHA25639660c4545cfbff29100e6a2ebe1138260de033091984217b952aaa846c72630
SHA512cdc17b8d22a62e7375014e255ebfc4d90b904f58b95c5ac9b6c904649e33a267915719b2d003c53757d59ac85c3182cc99c7dbb49e3dbd14ca70e9b3ba821d8a
-
Filesize
784B
MD57fdfaab79c0fbe43ac9e27fd5e3e2d97
SHA19d04ce26d1317b1cfa2e2814924a68da639c72a1
SHA256bf3a2a98b0343531f9a34a25c1dc7e923c9714b8983ac22ce364ac3ef50a293e
SHA512fadc61d426ae45fbf7433d029bb2ad9193e2883c9c139668229e5373195cc7c84e49b36bceadd7703f986685bae9f49108efb446312c694522808d68b9957883
-
Filesize
10B
MD5755abb3f76f49f90ee1de815b3b52111
SHA14e6cb5881c6adfcef9f33393a9a0f54b23670db0
SHA256601e29ba551f05ae6e290dd32077030e93e9aa26a9d9c6b0fc08b19e65fba71a
SHA512caa16034c067cc68be0f7b20f31c0e8a1172c71aa780796454acb3f8afabd89eacded830085d3a4314ddd426e88d664b34ff4be747dfe8a6d712a45430c252f6
-
Filesize
2.2MB
MD5b39ba8b6310037ba2384ff6a46c282f1
SHA1d3a136aab0d951f65b579d22334f4dabbebdb4a4
SHA2563ecbcb6c57af4456111f5f104b8fb8a317cdb0f16e98412249f7a2d62bca584d
SHA512a8b98f47c30503029f2dc80398dacd5f8fc07db562d04c56b8c7902bebf11517223350c41850b81aca770ebc9e68fc365921bd6cce34b57b2c945f1c51b538b7
-
Filesize
3.1MB
MD56e3bb32d3350e4438bf47220b65b319e
SHA1a113d724edf80282abb958116cc486574f0d3639
SHA256045548918d1dc7cf58ab3022a30918b8fd40382b193cde5e1e4b360df2a0fbb0
SHA5128eed12b08d11af06334f624435ef817ed031fb9dc854e35f9079960ed7083f372d82b6b8b27fd9164b3038ccf6bd2e7304d77a722341452675e6c7fcf1836659
-
Filesize
2.8MB
MD52bbf63f1dab335f5caf431dbd4f38494
SHA190f1d818ac8a4881bf770c1ff474f35cdaa4fcd0
SHA256f21a980316bd4c57c70e00840ab76d9ad412092d7d2d6a2cff4f1311f7c05364
SHA512ebb9834323329dc01ba2c87e5fad1083a4cb86f5ed761cb63299ac5336a9843a1aadd42fbed706797c2295117af1c00f96806422338352653c8e0255fecc2fd5
-
Filesize
1KB
MD55d1917024b228efbeab3c696e663873e
SHA1cec5e88c2481d323ec366c18024d61a117f01b21
SHA2564a350fc20834a579c5a58352b7a3aa02a454abbbd9eecd3cd6d2a14864a49cd8
SHA51214b345f03284b8c1d97219e3dd1a3910c1e453f93f51753f417e643f50922e55c0e23aab1d437300e6c196c7017d7b7538de4850df74b3599e90f3941b40ab4a
-
Filesize
113KB
MD52ccb84bed084f27ca22bdd1e170a6851
SHA116608b35c136813bb565fe9c916cb7b01f0b20af
SHA256a538caf4ac94708ddb4240d38b1b99914ca3e82283f0d8a2290be28fc05eaccb
SHA5120fd66d241bdebd0052f4972e85b42639e3c5a40affe23170b84bc4068dff8e84446898a77ebf7cc0bef97454abb788faccce508a68bc5e717980ef26d8436986
-
Filesize
11KB
MD5db15fc0cef63a21761699d4005f64e1f
SHA1b647b7dc78ee038e1be11532c0e22557de8b4622
SHA2563f6a2862854fcef6cb23e9757a958e6ecdbab7a7bcd0d29fe90c23518c3262c4
SHA512fcf2447cd276568562060655b9999d63a48593bef0666e4010fce0a0da77d5c92c2a902e9282cfc04f4f01d8543435935b8ac62c64935fe69d6b6e7d2086a417
-
Filesize
2KB
MD58155859a66fabfd034cb1f635ee84654
SHA1b371b79bba7a9d34fd71227bbd4847d0a6939111
SHA256c031327df2e0222fb1820e38786e4826a7fa06ad72b4d2a0e35d6a94c20e9044
SHA512863c4d36e07a972732f8c85351ab15ec40d1d389cb5a846417d4061a3b85841f14584b014fb7239eee7a26de7246f297be21abbcd4d9b307d7ad30e5f8c9511d
-
Filesize
205KB
MD5f09d077c76694c1de6aa0a17fb2547a5
SHA12127fdeae34a8b3581ea5330114ca29ae14c9c85
SHA256b0b6c9062d3281d651e487a95d91c8f94d730609f271f10d0b64f0f70bf40ea9
SHA5129a6f2f117108ef8bd80533524c87f28278c260d819f7c47ddb72201d08f114839be771adb38c478b14f6babaefe59c6aefe8925a41e144589456b35ab84bb7a6
-
Filesize
11KB
MD5a32881b0be849d96da6b6bb6d7be8890
SHA15d10d9005ccdb722fce6c2b8ab29fca0dad60e36
SHA25645db7e4a12a3565dccc019f1337f71d58d1969841354cc6b6e867f43352c2615
SHA51238bb2887a3814ad64a7af6c327fdc37f7e086778f3bb7fdd0fad64914ffec868a7eb21b2af29912f1a711509f6f2f35e49cbb7638b3f48b1054a5684eed7d81b
-
Filesize
3KB
MD55a9717e1385703e8f06b27aa10a69e87
SHA184ee67a9167b5eb6560711b9871de98898ad07a5
SHA25647b7c516bb57c612de19f0ca865590af95b6e32bf873a0fef9e011b2c5b483d4
SHA512dd3c7278c2c11ad15a55fae6d19b96dadd92f85b7f0c8ce934298258af00bb5c052a84a98499b8867b0f43704fb307c67d03692ca69dda4d814c6c17dd73df44
-
Filesize
228KB
MD51258a8e1beab105aa96c93aa34dd9ef8
SHA1a435a462a0976135e2257b46e52b576fabac3d34
SHA256d86b9b20788b6bff70a1a4c4111b2ea33b9ec705cc6b8fe869362fc3899820a3
SHA5128feb56e3d5d67484c97f20348899673d1b8aafad35cd339bd6c459194fa0f0f9e07b0a7063615b010378a2788cd11ef9e3744253a24c8fcd0d960d0cada77546
-
Filesize
9B
MD50f3424c6eaa7c9cdffeee6e889207745
SHA1dfbb6b2a66321a58d42ba80093626eb6b94091a5
SHA2569138e494a5722b302415b9c7c96ff733dbc73de9252eac0630eea445b87bac7f
SHA51229c694945586d4bffa43c49cef3c67d86054825d80ae8a643aa4d0171deba24de6ce097001722e5d24928dc14f24a5d40fb00f31362f15a036ea9b861982a920
-
Filesize
48B
MD513bb9c0f6e9cb8368cd2ac408a6b126f
SHA1944a1a96efd1abcd2ef73926f37912ad4ad3dfec
SHA256b4283c645f3950a1b9ccf53f35c1ec81ce53007c92461ebd2f73caeed0ad5eb3
SHA512a080f3667338dd6a5afc2ffb9a09dea6b45feb27a21d0444bc337fed6e1d86dd8922506816840541b68c261629692dbc0b0621e8a31cde8e3e13d44b21b955c3
-
Filesize
1KB
MD576a62df48f7e997f52f93365da74b239
SHA19ac423de6f74978ab186252d9f667749808fe343
SHA2566cbe53c46e9626dd084b6fe4b7a15d15127c6fb9c606531474a49b0b4b277467
SHA512a8d6a1286c382e0824c8b973541990d10a733d53b0b2568e670c70974046240ab9545f85c04c969305511d8761266463c304c49e6ca1d7771121f312a1d43f66
-
Filesize
47KB
MD582452900d306f8740b867dcff6bfb538
SHA1cffad09a5405635f0b04376091886c43c4404394
SHA256e29d7ea99d6bcd55b9a0a5b1fb3fbcb974fe94f30dab227b168d2ef8ce0b4759
SHA5125fca1860c6cfb1fe2073af59c0ff3c27cf58e66a7f9aeb30e14485a7678e8319d2f511cd21715bcb7a980be70d299b5fe0f8cffaf4162ac0bf12d84854f32e10
-
Filesize
66KB
MD5e347376183e8f1121af87f9b8e9adf68
SHA18bb79d12f12dd1f260074feacab08b4e23b41ec9
SHA256ff798f8cca16fc9da109183f5c299cb140068db9016dadfd4dbe97d97c0db122
SHA512e00266594c91ce4b066017e1ab45bfac914d72cdef07ae179178a53adabeac43c64465080fe3cf73857629c7ed273e80e6a742b27ef0428423eecef227038c32
-
Filesize
66KB
MD5f5eb1f9af739c9d0b9b0dd281f5b3fcf
SHA165dc7d83931d3512c86765ee070b5efa52b13d36
SHA256cad5bae69c7acde064ba795137f5971b0bea12f034aee6c0617327ddf1034550
SHA51226fe5ebd4b79d27aac372d0510f3772b4e8583ad88f6698bf3063e617f6a45daafd1ab0bbdbc0cb5055be8f6fce5f0ed4563f73aaf8ada50a1d0dfa8c191da91
-
Filesize
89KB
MD59b8d837159825b8f0e86d9699230335d
SHA19aefcf84432934b2e3561be1b9e0beb797aece90
SHA256a72ba07ebe020c7f5824d9b77210c2cfc93b39b834011e8f434136262e9cb9a7
SHA512ebbccb29edf118b2b00601617f9a5156307d0758950a109ac4bb6bfd2a72386d534a71946692f82e04b3142306857514868e20f8a58e260559396064670c3fa7
-
Filesize
878B
MD5fed1422c2c936393ca1e02e2bb9cb91f
SHA13b5bf82dc9c02f57f9fb7a19124ae719e97c7aa6
SHA256cac0e9c51ba67ee30d6c194031e8f6c2597ebb601ecd0d75a631b80edf401c87
SHA5122e7de9bff5a3a02ebe5c0d4af063dcb430f6fc05db6a89bd94830e57a5adbe5c8a12f59244ef64f478315bbc7df552bec7f44c6041f692866cb64059e354b9d4
-
Filesize
879B
MD5123be841f10e198703a707494b608e59
SHA11343e30d877da35809d7ec1cf9a2da6aee45b094
SHA25693e4bc7612be71e6e8c22bfdb9b44cc1298afed7744e612cb0799ccde300c64f
SHA512464ff331e5fb3e8a1ac6aa7eb937297f9ba8779dfb3f2a0a8caeda586e6ded863328ce13ddfb415da4e110a1115a77c12dc725f390e06b9cb0f62cb1b8069e1f
-
Filesize
847B
MD5be34dce702551f43a7d8314a5ffb43b4
SHA1fe5e0d299673b2512fe48dc7e195779cf7c1cb02
SHA25643c6434f31ece0f8005c0d313492e1f233da0e38af546440e6b5d5588b3289de
SHA5129294afe589d502cc658bc1cd5601b25b8f790c44087a3278de2eaea91e1e5f16445e285182f635df7978f3ef72e0a0fe7e0a3121c9ebfc7261aef4aab1cb7d2d
-
Filesize
883B
MD5c1ed7f3bdfecadbcc919e3e0a8f37cf1
SHA1e94d468f6f857582039e50efbcfe6d61ac4ea12a
SHA256d20f501cf9ccaacbea751fc5b1ca4b290c31084800e04b15719214bf56bddc27
SHA51299fe74ada15890b8ad15cf38fe959b16da83c07ff8de81e8f56b09e933ec64f9e5777169fa1d9f1a0f8c3909a2ee1bf510fb1aab34bb7f7c64447ab59686da88
-
Filesize
11KB
MD524ed46ab72bfc490297bd0d7efc749b4
SHA1c67371cad61f4f650af4917e2316bf6a4baa189f
SHA256f327868bbf1c331395fe9c76936b7da080ae19f123ce99190d7349bb1555d921
SHA512f8911c82048696ad443758fccd027ed33c434359a375847cc1ef949a1de604547f0918537d91545a60d6b84a5fb2ea212eb07f873d77145f5adf367056bfa502
-
Filesize
12KB
MD549ba08581049a84cc1a5ea0bcde730fd
SHA13cee8224922514f11e3a2b22d4008dc7ee00e637
SHA256ca78b9b3b06542b7191716cc972c79cba76a8850303066ba722e8d20a2cb31f8
SHA512134e6ec995abdbb593aa973f29cb60e06b23309ee9fd6c2cc652e1b85d22bb5679b4ed54e35ed2e8dd50352ae7351080cd9667924ae1a16e9a67a9849261028f
-
Filesize
12KB
MD5d053eb3f03bbdd8a23e0efe93c4bb6a9
SHA1ac18587af91511d3e971384371646acdeb4b7a26
SHA256bf35a35c35b01a3f31c1cedb46493e86c985347fc33e64e5d890f991532b11c6
SHA512126f8ff667afb953655e8ef2a9802ecb04edcfd011247fc41cebc9a85b72a5ec38d3a762c45a2e3562c996ad89540d81ab40fe6d83ea89f41327ecf237c7f19b
-
Filesize
12KB
MD5e7ebb04939abc2f4d8421afcb5c0ba19
SHA1d81a5216f06a633fc4ed494f2ecfd31cb796fc78
SHA256f1e727071acffc91228fcd1849a51a2f914f2631c5b0e1c0ce5eb6dc1cb825e5
SHA512b14c855356df6162b17da602fd84d0101f5c669b77fa48b681d261c03e0185781e91eda0604039a329b3164a497813f1b75ad0287f95722a83d0798054187626
-
Filesize
2KB
MD58757a92af1b99b34664f84cc659dfb57
SHA149b7c655b00f39015a847138d8ffbe8b35cddfa2
SHA256a1f6a65a6b09f894638989192f9698d2d80143f797ff576a1e07c57dffd3c836
SHA5129babcfa1a83f0bba507830e26849005ad75079c675f37974eb50bfdd4f4939c262407137de7554a4f05540448391cbbe2604616c30c1a78b70c75b0896697a04
-
Filesize
2KB
MD5096000c3a7756736abd04d73c24679a9
SHA132cbf5e9f76acb80c3b2b6c4f316c920eaff3aa3
SHA2566cb6e8889c0744a1d98db99e1a51b229dfd221aeb9fd3476911840a156c72f2a
SHA512f8fcf336f1beae588e1f09f6306db1665b5c9ea59c55e056e8ac03a7d7068d00393bcabb8f6c3c3d0be50350f8d5b2f85838a8e0e00cae01f6737f6a70336c8a
-
Filesize
814B
MD5e10d263f654d1e5404ec6375833a67e6
SHA1625eecac3198b11bc24b4cd38af2e8c0e96b9962
SHA2566818d4be6c8e1304184fe6a5b1acfc049aa9b8ddc7c1b434b1137f259920e9cc
SHA5120660750d44673c806109c979477641ec5aaad38ff86eeae97086defa80c807a03384ac50cce99bdf07314512b2d6079597c7b81340899e3c34faaa0f5e6151b9
-
Filesize
1KB
MD59d979d73f6795137abfa1406c634915e
SHA107bc38815c08fe24daafe2b3217f58d7ebc11aea
SHA2567dd7b59492825e2efb92d48a73c7d96221f3e8fbffbe58596272b3d3e4ba6bbc
SHA512d21447fd0e06ee999f1f4128e6dc57d8d389bf80f37341d2a5384dc337d48733c2c98b9f7d23a237420dcdaac678b0f35726eafe1932f233bf057025c3dcd152
-
Filesize
1KB
MD580b3a576b11654fdcf78b59ef65cd649
SHA13f3b5bc08d83f8f1af1a7ecad670698ace715b2f
SHA25643ecf1117183dc21c834f332ce171725e5b91273cf67c24a0e77264206f41e17
SHA512e55fa8018d4a971f2f47f4a13d672bc0c02e468108d3588a32e1ea21819f2c05acba50741dcfbd37e03654cb9639a92844d92a51897736506d9843bb778cb1d7
-
Filesize
2KB
MD5a99ca36f178e02dde3f19318a5c972b6
SHA114132729bc122fe9b28ab7bbc0f938e6982e0b7c
SHA25696c279ac36b7657a7d0bc004d83bdd8ded4be43c6f9008134a5f15a5ce8d76d4
SHA51259e66134038b731031cebcb8b8c57380d220a599752ec886b6d2a8a8dec4664fd4ed8e950c2f431a2f128ae128f0460698513914861234d5880ee00fb6085927
-
Filesize
5KB
MD52ecc09cdd23fe494e793352ab8860b8d
SHA156e1d86474af61aa02edc0034806f1511b6e98b9
SHA256b7629e9e53d2d77b1d80b55961d908a78f6e7e18771615f9c8432911ea2507c8
SHA5129e0c4376e773bc83f76c2ff5cf9c422c9d14bea8e9ae1be3ca2e5af61fec2689d28b8b0f7ef91743b8c79ebc8642b63b3232808264501a490093bb849d3abd3b
-
Filesize
7KB
MD5c9ab64a1572d6ed06209d0c335e01144
SHA1dbfecd732d4222c00073359c07e2d6c98d5e8b64
SHA2568be4e3ea4f40a09c4298636027c46eeee3aaedb8db9220a99c3f2d36932988fd
SHA512ba19e8de6c94e42f1fc68dbfcb59c67e83478c4580da8d627c08a8b8ec402cab382e218774db72e65036eacf1b1a0cefa934df9542fd3537138ade69726ac523
-
Filesize
11KB
MD578839cd7afd36d12b98f3fbc0941bd62
SHA1ec371f36a4556ce6f2e802ec167f9ae9c9f801a7
SHA2561c215e6980454e4333808f183431ccbfe6763e6ff367334ffc400be9ba9a0062
SHA512412afcfb37761213e3e25ccc255458a0d6b8066c0c8e506560c55974078b0d581d2fbe5b428095a4de91c13c5a6d36b83523c0b64e3617e974208f011e232b29
-
Filesize
11KB
MD5b455488ae145b53ad559502f1b35cd98
SHA115ec6da32ca6a2dd5acfb437fa1d8ad84f5e3f16
SHA2562371b8cdda3ce37998f3d707a42dd47247c4937010cec4c02823a4b49528a6ac
SHA5129c702d4d0dd269ac6acc76a704c36152a81feca686b6472af4465afd5ad8a3b3da60c93493f707c253db1a54b54605dfb69d6886678966b14b29ad62b04fd5a4
-
Filesize
1KB
MD5d4e7455f46e7419b116f4b0043395887
SHA1c2dd96662c5c652d2092b33272bd79982be9328b
SHA2566d39ef38464f9058f755b2f522a66e9d2d617e990b8fa1b1371aa5996460c9ec
SHA5121ae138075b362c67a5bd7f2f10441ec8fc612fcab37edd638497ee95b9ca9766a1518e58f1d3add03e3793768c4bffe2c55b54526634e42cf5c79c03fe9a86c6
-
Filesize
1KB
MD53f772c31522cbc7275e19ddcb4ea54d6
SHA1b55575dc5faa0700e28da56d4015c69c8e41cadd
SHA2560b60f4df6be6e836a0fd04b387e4ad0dc541376d05cdfd5a51ab0957b260a8df
SHA5125a2e40da5e2827d350c4355d99dc439bba1a00d935ea56043dfddcf974db958402a7bd2a8f17086fa09a84712a508def282b1cda274d0c4bff926adb44a2d269
-
Filesize
1KB
MD547faf43cc8d05134ba0340075dd53dfa
SHA1f0edcd0a0da923d5855201aa61c39c41c3f1101d
SHA25607e4852cc1857df8a957f02d76cb78850264067dd5bc8951cee4835d17822345
SHA51202082947385666a5ab03097f1b5cea8f90ae577523becdb33164e94154457ac02540f6ed02c65082b51331279b211fd16ea71bf3467616ad24e7f9d8b1c27426
-
Filesize
1KB
MD580a2af998e87ab1f8dae524e243d2c04
SHA101b93130c9d78e1f9d1865882ad5a383d9f3d255
SHA256e6febd33220c0ac2b2736fdb5904c8fa2394c7dbf3278ec5c947a3fc8027d9f2
SHA512a9598f7e69da46ffd33524c7c27b795797a1103cdc9503ed5836252f632779d9b461b77300c3cf3e65beb0d42da277a78acc6c6af0e0c251f385a96df8124c1f
-
Filesize
1KB
MD5436f5c800b23dad51bf3816a32329d37
SHA1033d22caa561e79c5a3a88ea88f75f159318e1fa
SHA2569618f7d21971eb7ff0e34ad6962baf7ae608ec36ea61bff0cddb1538d4e2c0bc
SHA512ede20f4d50090cb364d4018fd5e9ba583e4ff36fb258db5551acad16fba165dd8cd9fec516cad05051d42f69549c39ccfad133ffb0e256b61e2e8201f1941c08
-
Filesize
1KB
MD5344e13e53710d084376aed8405519a07
SHA182220f8c5dd4d18804ef5c69572f39b90e487e41
SHA256ed81a553f49b0c1b8b34d0ad07e2164f8c1a9a80faaf72e5d0ef84a0bdbb4543
SHA512fda65d86f79eef9db03c51eea46bfe7fd27d71673225909f6bc52719aa3a9a471c103ee7ca43154fc9fb64a8d238d42fe86e523f8b76017fa7ed5328b15921e7
-
Filesize
1KB
MD5c626900340cb9531146cd66909a6e989
SHA1d8ca7f85054f20bc47d1829e7c0a46358093b133
SHA256a27dc6a4590b2a1afe774d6e20cb4571bb7c0603a1b75826b4171744006e1841
SHA51254c3149d30dafb9140969e70df9aeea271e8cccab8f0bbf24b3f35e323256729dac4d870571eb001af582d71535332f501a394198e364a512dc2e019c39e9fd2
-
Filesize
1KB
MD50f4b048c3cb7d55d8a2fd1900cb31ea8
SHA1982aa2e37365e9588714e6642aa938699d9a2afd
SHA2560dd4c8b6b1cafc040a3d1c58d1f79839cfa3ae68572e36eacf5a2b2df4e15844
SHA512111ad1eaf2017fa95aa742e26317713b71508bf80c7a44fff8a729a317b38165674ec0719626cfe6babe77331046057338c95af2647bbff27fed3ccb2bfe224f
-
Filesize
1KB
MD511b9136cbca4cf028de98f80304e4102
SHA1bf47140bcaf5e9eddb185b12648cb91e14ce8390
SHA25624374b20e2125b740b2a99729127801ad92788227d47166a43ffa4f5513cdd37
SHA5124cb937d947613566ccf124b10455a17ad0f90b12606b02bd063875f9689e1d9dbcec49f3fe430a9e965c374c5ae3a85b19692b07c9a566cfa42df7bee17c4253
-
Filesize
1KB
MD55016e0371c04c67f2602dac4b083ea91
SHA1f157af54179de13deb30357fdbf28374a1687181
SHA2563f0c5804cbec7757070af9a2b01f7b705a1b900607751f0d0303c9187cc58b45
SHA51216617cea821cd0f8292d20fd4bc5863ceb9a7d607dd42b40f7aeb1afd1363531eb26cbb2b7ca2f30fb9067f20f78c62f4306aba99646fec791c1d62aa02b64b0
-
Filesize
1KB
MD5907663f2da2847fe8b959b3ed3ef7efc
SHA1386e5084844d8e0cb25c195584ec2d46307cfec5
SHA256371dcaf5d8172c8022213f10c3d456efc2e7b0ceb6a542047e3d1f6bd268438d
SHA512b33d12b77d9237546b7e3d80f3253c50701360a217b5b324cf218a9a28de3cb9e97f72a94a45f4a6b4104da78819b0e47594c5fd03ea77670c62ca00a15aae12
-
Filesize
1KB
MD588d2e37a2a9a5d78f0c5d71f92103e4a
SHA1f76c19ba39ee58b4a19bbaaeed23aa033c162617
SHA2565a56d28df9c4ccdca825fcb2f82982b4ce7cda750ce0ba44bc74e72d0e2bf648
SHA512f60be68da3b121dd74cbd629847cb8872ce509a43ef5c5dff5314eb3ea67efcb7096e54aa0ab8e29acf7817a3c7c6a47bf7a283fde620cd29e49c7c782915f8b
-
Filesize
1KB
MD5e5fdd7b48a769f8319102d7c3711e418
SHA165ced76d36ede6ff6bbf4dd9a8bb37cd69a4d7d4
SHA256438aed6d3615e8170c975e37103012b6121cc07d5f194a2a9d030bcd3b32f9b7
SHA512d22c24b242ab17dace14d4d2faa4232aa846e55ea0eb53215a806b2345d56c6547f16cb0aebb2564f2274139e01f635ba763353773a85a5a220c4ea39636b6a3
-
Filesize
1KB
MD5ecc6e5e3f2a656dff2e86849041c8769
SHA1591b77727e304759a63137e2751717896e512b9e
SHA256dfbf3c21b2f70c72e010ba2955fbfeb35538b43d2cff1a509983abb4b711545d
SHA512bfaec740697fb753bf1eba50dbc49e1598c1b23636a3abdaf0239b8c2b92c4b20c802da9819b68a728efee41ebccde802b6890c7e0aac7b91ccec1c687eb2239
-
Filesize
125B
MD5b623b311a72cb7d33f475deea9c6f3a0
SHA1ced4eb019a4e8e36cfe1f5fb6130fdca1bb4024b
SHA256b3b7b01c12633c6a5fb758ce5eea54adf4cd3bed75edd42fa16df0992c62e616
SHA512693ed3c925858d9c54710209a08a45c6c51e10a876165de233f2633dec0716cf0053c867ea9d25b2bada52c882752cf4a1f9c431b2da9242b3164c595946b6fd
-
Filesize
4.5MB
MD5f802ae578c7837e45a8bbdca7e957496
SHA138754970ba2ef287b6fdf79827795b947a9b6b4d
SHA2565582e488d79a39cb9309ae47a5aa5ecc5a1ea0c238b2b2d06c86232d6ce5547b
SHA5129b097abeafe0d59ed9650f18e877b408eda63c7ec7c28741498f142b10000b2ea5d5f393361886ba98359169195f2aceeee45ff752aa3c334d0b0cc8b6811395
-
Filesize
1.8MB
MD5974e7d396ee57c31500a959f87b4c1c7
SHA12bf6f9283053b2ca67890e18750f653a2b6a724d
SHA256672abcf78608ccc77baf6170daa49160903baf15ebdb04cf4bbc8cc916637735
SHA512616ee561576c1bbb0a944fd34ff65232c8acf1b3c6fe41356a9158445994430503b91439b02042810833887eb91b6417fa34d0819f3eb2680f68b9dd210665fb
-
Filesize
524KB
MD560c9b632f13990ff5fb9ddeeae3644a8
SHA14daf3300db713890453d7cf906841dc0e190a92f
SHA2567a603a228fba7494ac05d95a44759936a8c61cf26410700f6c14bcb774bbfee2
SHA512727a6f7283b07f6a0cd51cabff17c4fb0bbd268c6af5a044814c8f1974bd84ab0d06b39bda7bc460d919a189ca9eef314d2e89698c663d7b17ec16419f9ae2c4
-
C:\Users\Admin\AppData\Local\Temp\2025-07-03_0d1d290c899f25fae7c444139f97cf4b_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_swisyn.exe
Filesize2.7MB
MD543dc0bee6e91d28d0e2d2a40664dc5ee
SHA1206f2b1b32692e684145a9aac41317ea71fd1220
SHA25609f8b72ebed762dd7c8cee790e339be81ada29db13dd9f46feafd1428c40da98
SHA512e5a37824f8ade100a754f9ff66403ea046c71fdaba34f33ddf9915194c243ff4fb6a1be53691a32d509d86033d373e6b5f4a7b9913f111852998f4386ebfa7a5
-
Filesize
135KB
MD5e89132cad94e9ee8384f77ce3692dbf1
SHA1497e073bf76280da52ad57110d1b0959fe104d7d
SHA256c9a54b4026c2d45db5058ce1318a3ed40398ce60e437521d31ca7edb713576b7
SHA51235c816ac1bbff095058197b19320cac0ea93c64eba1a4f9c78a5b0a1787ee3004a34f73bb4d22935ad70ece941e21303fd2ed6587aeff7f4271879844f7a7b30
-
Filesize
135KB
MD53a9a9d1df35512985fbc6b2c889d024b
SHA13d382450205a0e9ebcb162457d994ca2a2dd837c
SHA256ce682e251a5442e17eda77d7c35d7eafbd00e3a9f68cc16a0e52e65dcecf6f7b
SHA512434c4bd728a8ca33621e7ef20d41da00af01985eafee4278dc3911d9c345be2ee72847724141e5fe320aceccf2f2ca265a35662f63ad16ac993474fa8781ffce
-
Filesize
135KB
MD5ab9ba46a10b9e89b6b771f840956af0b
SHA1ab19473d5ee6f653f13197f04df2e1891d5e3001
SHA256173a6569adcafdbd334ed845699a6396d469a4750c1246cfe85930d376db25ef
SHA512980d912e29298e3d2920250f55ed3039ddd2d16eb763fe262f685b125aecf038a254234b9f7a72a65d86b3a61573aefb0f0c4a43ae5cce1513e9ee8974657855
-
Filesize
135KB
MD57622063cc600a3ef87b6fdf321fd94b9
SHA10062a5869877bac15ec4cbb5a9d1a16a2225ec94
SHA256c632904f6b8423a77ced85588d3440945f412b87bbe00e1fbc2ddea658f9911c
SHA5123d2ceb37c8194846c1fb742e5dbb17778b98178af26b517d5f01787daaef2202adcd4f5f56de41ea11d6b6472dba6858e8f7365b993f3dcbb6c6c227a9074f60
-
Filesize
40KB
MD55082bbd2d0a5f351d760a86eb1a7e4db
SHA196d26ebd87bafe0fe7adbd0625ef92bae2749681
SHA256df87ee16adb1075a1607b520fdd59d1f82f54bbd3f8256b86c194b49ee1224c9
SHA512a5257e5b0e642189b7965489209fd0a6df9a9250dbcf4302a6258ef0615904ab243cee8278ed399287487131a880a268c5446f9af268e2858106048af214364e
-
Filesize
40KB
MD5d3f4844fbebdd9a5fd247110f1fd74c0
SHA16e74a8a699518d03ff94831095fc8a58c59f3632
SHA256e26fa8ee8ead69c98236022fdb8ca14ec299344a2927abb50d73e674aae9c378
SHA512c78c9346e6618ad534131cded109a900a5aac02d36bb7c6a19140822bc79a35aa47db5b9a25d814c7f83bedc5a961d7c9adfa4fdaa9706b856cf9eb890adce54
-
Filesize
237KB
MD59d1296e9af8ad4ce9b8f161bbe2185f9
SHA18f2fa73c857cb53bfe5d35281be06bf11a45efaa
SHA25659232d92bc9488780dd4350e502c652b3c15d7c19ecda5fdc863968518cc0002
SHA51265517117dc05e9469cf4935cb8b8e727074fcc3d72c0a771976c4e8f9f1273df6497e058472872aab31051ec088cb31a9d38307149606c33dd93268e9df3646a
-
Filesize
1.6MB
MD53430e2544637cebf8ba1f509ed5a27b1
SHA17e5bd7af223436081601413fb501b8bd20b67a1e
SHA256bb01c6fbb29590d6d144a9038c2a7736d6925a6dbd31889538af033e03e4f5fa
SHA51291c4eb3d341a8b30594ee4c08a638c3fb7f3a05248b459bcf07ca9f4c2a185959313a68741bdcec1d76014009875fa7cbfa47217fb45d57df3b9b1c580bc889d
-
C:\Windows\Temp\MBInstallTempa083468357ce11f0aeb26a8e820be205\ctlrpkg\Malwarebytes_Assistant.runtimeconfig.json
Filesize372B
MD5d94cf983fba9ab1bb8a6cb3ad4a48f50
SHA104855d8b7a76b7ec74633043ef9986d4500ca63c
SHA2561eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a
SHA51209a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998
-
Filesize
154KB
MD595515708f41a7e283d6725506f56f6f2
SHA19afc20a19db3d2a75b6915d8d9af602c5218735e
SHA256321058a27d7462e55e39d253ad5d8b19a9acf754666400f82fe0542f33e733c6
SHA512d9230901adeecb13b1f92287abe9317cdac458348885b96ef6500960793a7586c76ae374df053be948a35b44abe934aa853975a6ccd3788f93909903cc718c08
-
Filesize
6.7MB
MD548176305c4c9c09b0cd416dfbe4595e7
SHA1ee3017b3e1a2423cbde0c2ffb72ebcd5a47742a3
SHA256ae48d10f8af483c5c7a1035cca83a815adf5cd24f5ff9f5bf37b178ffbc824b8
SHA51210aeccf58eddc4679aef0939dea010a028176c1310a5593600f887c3fc7d9718a6ad52eff920f96c0797a53f1303d5cd50ac5ff1d1a3ab8babb61d82c8a5246f
-
C:\Windows\Temp\MBInstallTempa083468357ce11f0aeb26a8e820be205\dotnetpkgtmp\shared\Microsoft.NETCore.App\6.0.36\mscordaccore.dll
Filesize1.3MB
MD53050af9152d6bb255c4b6753821bc32c
SHA17a20c030a6473422607661ffa996e34a245b3e2d
SHA25697468531d7009e36c338b47fb19e0c6bf210f013610f413c852a4cc27e84b514
SHA512ad07c4b0bb995e80a1718d74992afdeb6c2c4f217e72f361691e2d04dae9be9cd8e55b50fd7172d73755b02b6105c00a3b67534ba9469d92f9e0fbaab8e8f1a9
-
Filesize
9.1MB
MD5146e3f89bf318664fc556097eec62865
SHA1c2d9a1402c7909de2abfe3e9cc0883f1c9ed7800
SHA256e661413f899c3f5c792198eafd52ff15273c64675ca048b91b0f69e048ac5ea0
SHA5121dc57614e1ec78617630e6ecda188b9c9b979cb251821ba1201a52187bd2d87ffc8c8bb3f7b6edb44ac2f7771abe2d3bdf21bccf3c50cc1332d92c260de69de6
-
Filesize
11KB
MD5bd4ceae54af081d6b1dd91ff584c5d61
SHA15ade462d66e042da58bb1447d1b31f1aad901b68
SHA25664416d564725416c6869ea951878a2734b1f6940b11f7961a897c45f0d8c6625
SHA51237e7abd312f694ee2c8ea54ecf50ed12c16684f1007c61d9a6d1d01cba958be511c5e4e11cd7393a5cd57349fda1c552bebca42962137e0d11695c195761ebb0
-
Filesize
2KB
MD55d8c05cc4f9b4304d57ea10b87f2dcf0
SHA12cabe3d39aa5ec16c54c7818284a2ee235d2ddbd
SHA256e26c2d3347e5f077da92713c9df3cd3eae438fb7e29810bd5c3afe567d2d3125
SHA51255bff23fee9852f229246b71721b3659c916079787935d400a97641449dfda752fc8fbf36f9ea3dc4028f05daeb9006a99660284a61aa5d5a466af0ee966c738
-
Filesize
21KB
MD58da81aa1f6b89ce1d2e216e3ea351c59
SHA14baf79cbade9a5584630a540e6368d547579fb12
SHA256ded569e249e590314d095f740c6b8934a5a797e4f3edbe0f78eac9d333f12a2a
SHA5126d611bbd9d480ef2defd745fd06c4ab86e181267cf689d9d0e124edbaf22fd30fbe2310879cc7bb6dde5bae72c4feea1d329cdecfbf101d95634f85dd0769119